Apache
Clickjacking Attack
Clickjacking (User Interface redress attack, UI redress attack, UI redressing) is a malicious technique of tricking a Web user into clicking on something different from what the user perceives they are clicking on, thus potentially revealing confidential information or taking control of their computer while clicking on seemingly innocuous web pages.
To prevent Clickjacking attacks, edit apache2.conf:

```
sudo vi /etc/apache2/apache2.conf
```
If you want to prevent sites other than your current site from framing your pages, add the following line:
```
<IfModule mod_headers.c>
    Header always append X-Frame-Options SAMEORIGIN
</IfModule>
```
If you want to prevent all sites (including the one that you're protecting) from framing your site, add the following line instead:
```
<IfModule mod_headers.c>
    Header always append X-FRAME-OPTIONS DENY
</IfModule>
```

Do not add both lines. Either add the SAMEORIGIN line or the DENY line, not both.
Disable ETag
The ETag header can let remote attackers obtain sensitive information such as the inode number, the multipart MIME boundary and the child process ID.
To secure ETag, edit apache2.conf:

```
sudo vi /etc/apache2/apache2.conf
```

Add the following line:

```
FileETag None
```
Disable Old Protocol
Old HTTP protocols, such as HTTP/1.0, should be disabled. HTTP/1.0 has security weaknesses related to session hijacking.
To disable HTTP/1.0, edit apache2.conf:

```
sudo vi /etc/apache2/apache2.conf
```

You can disable it using mod_rewrite by only allowing HTTP/1.1:

```
RewriteEngine On
RewriteCond %{THE_REQUEST} !HTTP/1\.1$
RewriteRule .* - [F]
```
Disable SSI
Server Side Includes (SSI) carry a potential risk of increasing the load on the server. You should consider disabling SSI by adding -Includes to the Options directive.
An SSI attack allows the exploitation of a web application by injecting scripts into HTML pages or executing code remotely.
To disable SSI, edit apache2.conf:

```
sudo vi /etc/apache2/apache2.conf
```

Search for the Directory section and add -Includes to the Options directive:

```
<Directory /path/to/htdocs>
    Options -Indexes -Includes
    Order allow,deny
    Allow from all
</Directory>
```
Disable CGI execution
CGI execution should also be disabled. Similar to SSI, you can disable CGI execution in apache2.conf by adding the -ExecCGI option:

```
<Directory /path/to/htdocs>
    Options -Indexes -Includes -ExecCGI
    Order allow,deny
    Allow from all
</Directory>
```
Disable Trace HTTP Request
The TRACE method is enabled by default in Apache. It allows Cross Site Tracing attacks and can give an attacker a way to steal cookie information. It should be disabled.
To disable the TRACE method, edit apache2.conf:

```
sudo vi /etc/apache2/apache2.conf
```

Add or update the TraceEnable directive to Off:

```
TraceEnable off
```
Disable Unnecessary Modules
Confirm Minimal Built-in Modules
By default, an Apache installation minimizes the number of modules that are compiled into the core.
To check which modules are compiled in, run the following command:

```
apache2 -l
```

The output should look like this:

```
core.c
mod_log_config.c
mod_logio.c
prefork.c
http_core.c
mod_so.c
```

If you have more modules than the ones listed above, verify each module and uninstall it if necessary.
Modules can be disabled by running the a2dismod command:

```
sudo a2dismod <module>
```
Module List
Here's a list of modules you can disable if you don't use them.
| Module | Description |
|---|---|
userdir | Mapping of requests to user-specific directories. i.e. ~username in URL will get translated to a directory in the server. |
include | Server Side Includes |
autoindex | Displays directory listing when no index.html file is present |
alias | Mapping of requests to different filesystem parts |
status | Displays server stats |
negotiation | Content negotiation |
filter | Smart filtering of request |
version | Handling version information in config files using IfVersion |
as-is | as-is filetypes |
auth_digest | This module provides encrypted authentication sessions. However, this module is rarely used and considered experimental. Alternate methods of encrypted authentication are recommended, such as SSL. If the above functionality is unnecessary, comment out the related module. |
setenvif | Placing ENV vars on headers |
authnz_ldap & ldap | This module provides HTTP authentication via an LDAP directory |
mime_magic | This module provides a second layer of MIME support that in most configurations is likely extraneous |
dav_module & dav_fs_module | WebDAV is an extension of the HTTP protocol that provides distributed and collaborative access to web content. Due to a number of security concerns with WebDAV, its use is not recommended |
info | This module creates a web page illustrating the configuration of the web server. This is an unnecessary security leak and should be disabled |
spelling | This module attempts to find a document match by allowing one misspelling in an otherwise failed request. If the above functionality is unnecessary, comment out the related module |
proxy, proxy_balancer, proxy_ftp, proxy_http & proxy_connect | This module provides proxying support, allowing Apache to forward requests and serve as a gateway for other servers |
cache, disk_cache, file_cache and mem_cache | This module allows Apache to cache data, optimizing access to frequently accessed content. However, not only is it an experimental module, but it also introduces potential security flaws into the web server such as the possibility of circumventing Allow and Deny directives |
ext_filter | Response passed through external program prior to client delivery |
headers | HTTP Response/Request Header Customization |
usertrack | User activity monitoring via cookies |
vhost_alias | Dynamically configured mass virtual hosting |
env | Clearing/setting of ENV vars |
cgi | This module allows HTML to interact with the CGI web programming language |
actions | Action triggering on requests |
suexec | The suEXEC feature provides Apache users the ability to run CGI and SSI programs under user IDs different from the user ID of the calling web server |
For example, you can run this command:

```
sudo a2dismod userdir include autoindex status negotiation version auth_digest authnz_ldap ldap dav_module dav_fs_module info spelling proxy proxy_balancer proxy_ftp proxy_http proxy_connect cache disk_cache file_cache mem_cache usertrack vhost_alias cgi suexec
```

There might be more modules installed; you can find out which ones are enabled by running this command:

```
grep -r LoadModule /etc/apache2/mods-enabled/*
```
Enable Logging
Apache allows you to log web activity. It is important to enable Apache logging because it provides crucial information that can help you find out about your traffic.
To enable logging, you need to include the mod_log_config module. There are three main logging-related directives available with Apache.
- TransferLog: Creating a log file.
- LogFormat: Specifying a custom format.
- CustomLog: Creating and formatting a log file.
You can also set up web logs per virtual host:

```
<VirtualHost *:80>
    DocumentRoot /path/to/www/
    ServerName www.domain.com
    DirectoryIndex index.php
    ServerAlias domain.com
    ErrorDocument 404 /404.php
    ErrorLog /var/log/apache2/domain.com_error_log
    CustomLog /var/log/apache2/domain.com_access_log combined
</VirtualHost>
```
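The `combined` format written by the CustomLog line above is only useful if something reads it. The following is an added example (not part of this page or of Apache itself) that parses combined-format lines and flags the requests the later sections of this page are meant to reject: methods other than GET, HEAD and POST, and HTTP/1.0 requests. The log lines are constructed for illustration and the `audit` function and its report layout are the example's own design.

```python
import re
from collections import Counter

# Constructed sample lines in Apache "combined" log format (not real traffic).
SAMPLE_LOG = """\
203.0.113.7 - - [10/Oct/2023:13:55:36 +0000] "GET /index.php HTTP/1.1" 200 2326 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Oct/2023:13:55:37 +0000] "TRACE / HTTP/1.1" 405 226 "-" "curl/7.88.1"
198.51.100.9 - - [10/Oct/2023:13:56:01 +0000] "PUT /upload HTTP/1.1" 403 199 "-" "python-requests/2.31"
198.51.100.9 - - [10/Oct/2023:13:56:02 +0000] "GET /old.html HTTP/1.0" 403 226 "-" "-"
203.0.113.7 - - [10/Oct/2023:13:56:03 +0000] "POST /login HTTP/1.1" 302 - "https://www.domain.com/" "Mozilla/5.0"
"""

# One regex for the combined format: host ident user [time] "request" status bytes "referer" "agent"
COMBINED_RE = re.compile(
    r'^(?P<host>\S+) (?P<ident>\S+) (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) (?P<proto>HTTP/\d\.\d)" '
    r'(?P<status>\d{3}) (?P<bytes>\d+|-) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)

# The methods this page recommends leaving enabled
ALLOWED_METHODS = {"GET", "HEAD", "POST"}


def parse_combined(text):
    """Yield one dict per well-formed combined-format line; malformed lines are skipped."""
    for line in text.splitlines():
        m = COMBINED_RE.match(line)
        if m:
            rec = m.groupdict()
            rec["status"] = int(rec["status"])
            # Apache writes "-" when no body bytes were sent
            rec["bytes"] = 0 if rec["bytes"] == "-" else int(rec["bytes"])
            yield rec


def audit(text):
    """Summarise requests that the hardening rules on this page are meant to reject."""
    findings = {"disallowed_method": [], "http10": [], "by_status": Counter()}
    for rec in parse_combined(text):
        findings["by_status"][rec["status"]] += 1
        if rec["method"] not in ALLOWED_METHODS:
            findings["disallowed_method"].append((rec["host"], rec["method"], rec["status"]))
        if rec["proto"] == "HTTP/1.0":
            findings["http10"].append((rec["host"], rec["path"]))
    return findings


if __name__ == "__main__":
    report = audit(SAMPLE_LOG)
    for host, method, status in report["disallowed_method"]:
        print(f"{host} used {method} (server answered {status})")
    for host, path in report["http10"]:
        print(f"{host} sent HTTP/1.0 for {path}")
    print(dict(report["by_status"]))
```

Run it against a real `domain.com_access_log` by passing the file contents to `audit`; a steady stream of 405/403 answers for TRACE or PUT confirms that the LimitExcept and TraceEnable settings from this page are active, and a sudden rise in them is worth a look.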
Harden Configuration
Disable Apache's Symbolic Links
Apache follows symbolic links by default. It is recommended to turn this off using the FollowSymLinks Options directive:

```
<Directory /path/to/www>
    Options -FollowSymLinks
</Directory>
```

If you still need this feature, you can enable it for a specific website (in its own configuration or .htaccess):

```
<Directory /path/to/another_www>
    Options +FollowSymLinks
</Directory>
```
Limit Request Size
Apache has no limit on the total size of an HTTP request by default. This means unlimited data can be sent in any request to the Apache server, which lets attackers send large amounts of data and makes you a victim of Denial of Service attacks. To fix this, you can set a limit with the LimitRequestBody directive.
You can set the value (in bytes) from 0 (which means unlimited) to 2,147,483,647 (2 GB).

```
<Directory "/path/to/www/">
    LimitRequestBody 512000
</Directory>
```
Timeout value configuration
The Timeout directive sets the amount of time the server will wait for certain events to complete before it fails. The default value is 300 secs. It is recommended to keep this value low on sites that are subject to DDOS attacks.
You can lower it to 45 seconds in your apache2.conf:

```
Timeout 45
```
Hide Apache Information
The ServerTokens and ServerSignature directives determine what information the web server displays about its configuration. Restricting them limits the information in page headers and server-generated pages to a minimum. It is recommended to limit the information provided to the world.
To fix this, edit the Apache configuration:

```
sudo vi /etc/apache2/apache2.conf
```

Add or update the following lines:

```
ServerTokens Prod
ServerSignature Off
<IfModule mod_headers.c>
    Header unset Server
    Header unset X-Powered-By
</IfModule>
```

If you still want to show some information, here are the options you can use:

| ServerTokens | Displays |
|---|---|
| Prod | Apache |
| Major | Apache/2 |
| Minor | Apache/2.2 |
| Min | Apache/2.2.17 |
| OS | Apache/2.2.17 (Unix) |
| Full | Apache/2.2.17 (Unix) PHP/5.3.5 |
HTTP Request Methods
The HTTP 1.1 protocol supports many request methods that may not be required, and some of them carry a potential risk. It is recommended to enable only the GET, HEAD and POST request methods.
The default Apache configuration supports the OPTIONS, GET, HEAD, POST, PUT, DELETE, TRACE and CONNECT methods of the HTTP 1.1 protocol.
To fix this, edit the Apache configuration:

```
sudo vi /etc/apache2/apache2.conf
```

Look for the Directory section and add the following (inside the <Directory>):

```
<LimitExcept GET POST HEAD>
    deny from all
</LimitExcept>
```

Example:

```
<Location />
    Order allow,deny
    Allow from all
    <LimitExcept HEAD POST GET>
        Deny from all
    </LimitExcept>
</Location>
```
HTTPOnly Cookie
You can avoid many common attacks (such as Cross Site Scripting, cookie theft and cookie injection) by setting the HttpOnly and Secure flags on cookies. Without these flags, it is very easy to steal cookie information.
To fix this, edit the Apache configuration:

```
sudo vi /etc/apache2/apache2.conf
```

And add this code:

```
<IfModule mod_headers.c>
    Header edit Set-Cookie ^(.*)$ $1;HttpOnly;Secure
</IfModule>
```
ModSecurity
For complete details on how to install ModSecurity, please visit:
http://www.thefanclub.co.za/how-to/how-install-apache2-modsecurity-and-modevasive-ubuntu-1204-lts-server
Protect Apache
Run Apache as separate User and Group
Apache runs its processes under a default user account and group. For many security reasons, it is recommended to change this and let Apache run under its own non-privileged account.
For example, let's create the user and group webuser.
Create the Apache user and group:

```
sudo groupadd webuser
sudo useradd -d /var/www/ -g webuser -s /usr/sbin/nologin webuser
```

Make sure Apache knows about this account by editing /etc/apache2/envvars:

```
sudo vi /etc/apache2/envvars
```

Edit the APACHE_RUN_USER and APACHE_RUN_GROUP settings (apache2.conf picks them up through its `User ${APACHE_RUN_USER}` and `Group ${APACHE_RUN_GROUP}` lines):

```
export APACHE_RUN_USER=webuser
export APACHE_RUN_GROUP=webuser
```
Restrict local access
It is safe to restrict access to the Apache files and folders. You can restrict access by executing the following commands:

```
sudo chmod -R 750 /etc/apache2/bin /etc/apache2/conf
sudo chmod 511 /usr/sbin/apache2
sudo chmod 750 /var/log/apache2/
sudo chmod 750 /etc/apache2/conf/
sudo chmod 640 /etc/apache2/conf/*
sudo chgrp -R <MyApacheUser> /etc/apache2/conf
```
Restrict Directories Access
It is important to restrict access to directories using the Allow and Deny directives. The first thing to do is to secure the / folder.
Here's how to secure the root directory. Open the apache2.conf file:

```
sudo vi /etc/apache2/apache2.conf
```

And add the following lines:

```
<Directory />
    Options None
    Order deny,allow
    Deny from all
</Directory>
```

These options mean:

- Options None: users cannot enable any optional features.
- Order deny,allow: the order in which the Deny and Allow directives are processed. Here Deny is evaluated first and Allow next.
- Deny from all: denies requests from everybody to the root directory; nobody will be able to access it.

Then restart Apache:

```
sudo /etc/init.d/apache2 restart
```
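The Order/Allow/Deny semantics used in the root-directory block above and in the `<LimitExcept>` example of the HTTP Request Methods section are easy to get backwards. The following is an added example (not part of this page, and not Apache's code) that models the documented mod_authz_host rules of Apache 2.2: with `Order allow,deny` a request must match an Allow and no Deny, with `Order deny,allow` a Deny match is overridden by an Allow match, and a Deny inside `<LimitExcept>` applies only to methods not listed. The `AccessSection`, `evaluate` and `limit_except` names are this example's own; the sample sections reproduce the two blocks from this page plus an extra one that admits only an internal network, which the page does not show.

```python
from ipaddress import ip_address, ip_network


class AccessSection:
    """One <Directory>/<Location> block: an Order plus its Allow/Deny rules (Apache 2.2 semantics)."""

    def __init__(self, order):
        if order not in ("allow,deny", "deny,allow"):
            raise ValueError("Order must be allow,deny or deny,allow")
        self.order = order
        # Each rule is (kind, host, exempt_methods); a rule is skipped for exempt methods
        self.rules = []

    def allow(self, host, limit_except=()):
        self.rules.append(("allow", host, frozenset(limit_except)))
        return self

    def deny(self, host, limit_except=()):
        # limit_except models a 'Deny from ...' written inside <LimitExcept M1 M2 ...>
        self.rules.append(("deny", host, frozenset(limit_except)))
        return self


def _host_matches(host, client_ip):
    """'all' matches everyone; anything else is treated as an IP or CIDR network."""
    if host == "all":
        return True
    return ip_address(client_ip) in ip_network(host, strict=False)


def evaluate(section, client_ip, method="GET"):
    """Return True if the request is permitted, False if Apache would answer 403."""
    allowed = any(kind == "allow" and method not in exempt and _host_matches(host, client_ip)
                  for kind, host, exempt in section.rules)
    denied = any(kind == "deny" and method not in exempt and _host_matches(host, client_ip)
                 for kind, host, exempt in section.rules)
    if section.order == "allow,deny":
        # Allow is evaluated first and must match; any Deny match then rejects; default deny
        return allowed and not denied
    # deny,allow: a Deny match rejects unless an Allow also matches; default allow
    return allowed or not denied


# This page's <Directory /> block: Order deny,allow + Deny from all -> everyone denied
ROOT = AccessSection("deny,allow").deny("all")

# This page's <Location /> example: everyone allowed, but only for GET/POST/HEAD
SITE = (AccessSection("allow,deny")
        .allow("all")
        .deny("all", limit_except={"GET", "POST", "HEAD"}))

# Added variant: admit only 10.0.0.0/8 (constructed for illustration)
ADMIN = AccessSection("deny,allow").deny("all").allow("10.0.0.0/8")


if __name__ == "__main__":
    for name, section, ip, method in [("ROOT", ROOT, "203.0.113.5", "GET"),
                                       ("SITE", SITE, "203.0.113.5", "GET"),
                                       ("SITE", SITE, "203.0.113.5", "PUT"),
                                       ("ADMIN", ADMIN, "10.1.2.3", "GET"),
                                       ("ADMIN", ADMIN, "203.0.113.5", "GET")]:
        print(name, ip, method, "allowed" if evaluate(section, ip, method) else "403")
```

Note that the SITE example denies PUT, DELETE, OPTIONS and TRACE because `Deny from all` inside `<LimitExcept>` applies to every method except the three listed, while GET, POST and HEAD never see that Deny and pass on the `Allow from all`.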
Disable Directory Listing
Apache lists all the contents of the document root directory when no directory index file is present. To fix this, simply add this to your apache2.conf file:

```
<Directory /var/www/html>
    Options -Indexes
</Directory>
```
SSL Certificates
You can secure all your communication by encrypting the data with an SSL certificate. With an SSL certificate, Apache sends all this information in encrypted form.
You can purchase SSL certificates from many SSL providers, or you can create your own:

```
openssl genrsa -des3 -out mydomain.com.key 1024
openssl req -new -key mydomain.com.key -out mydomain.com.csr
openssl x509 -req -days 365 -in mydomain.com.csr -signkey mydomain.com.key -out mydomain.com.crt
```

After your certificate has been created and signed, you can add it to the Apache configuration.
You will need to open the file in /etc/apache2/sites-available/ that belongs to your site:

```
sudo vi /etc/apache2/sites-available/mydomain.com.conf
```

And add the following code (it might need some changes):

```
<VirtualHost 1.1.1.1:443>
    SSLEngine on
    SSLCertificateFile /path/to/certs/mydomain.com.crt
    SSLCertificateKeyFile /path/to/certs/mydomain.com.key
    SSLCertificateChainFile /path/to/certs/sf_bundle.crt
    ServerAdmin admin@mydomain.com
    ServerName mydomain.com
    DocumentRoot /path/to/mydomain/www/
    ErrorLog /var/log/www/mydomain.com-ssl-error_log
    CustomLog /var/log/www/mydomain.com-ssl-access_log common
</VirtualHost>
```
Now, you can open your site using https.
XSS Protection
Cross Site Scripting (XSS) protection can be turned off by the user in many browsers. You can force this protection on for your web application even if the user has disabled it.
To fix this, edit the Apache configuration:

```
sudo vi /etc/apache2/apache2.conf
```

And add the following line:

```
<IfModule mod_headers.c>
    Header set X-XSS-Protection "1; mode=block"
</IfModule>
```

Restart Apache:

```
sudo /etc/init.d/apache2 restart
```
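Several sections of this page (Clickjacking, Disable ETag, Hide Apache Information, HTTPOnly Cookie and XSS Protection) each add or remove a response header, and the quickest way to confirm they took effect after the restart is to inspect a response. The following is an added example (not part of this page or of Apache) that parses a raw HTTP response and checks every header this page configures. The two responses are constructed for illustration: the first shows an unhardened server, the second what the page's settings should produce. It also catches one pitfall the page's "do not add both lines" warning hints at: `Header append` joins values with a comma, and a combined `SAMEORIGIN, DENY` value is not a valid X-Frame-Options header.

```python
# Constructed response from a server that has not applied this page's settings.
UNHARDENED_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Date: Tue, 10 Oct 2023 13:55:36 GMT\r\n"
    "Server: Apache/2.2.17 (Unix) PHP/5.3.5\r\n"
    "X-Powered-By: PHP/5.3.5\r\n"
    "ETag: \"2a-5c3f-4b2d1e3a\"\r\n"
    "X-Frame-Options: SAMEORIGIN, DENY\r\n"
    "Set-Cookie: session=abc123; Path=/\r\n"
    "Set-Cookie: lang=en; Path=/; HttpOnly; Secure\r\n"
    "Content-Type: text/html\r\n"
    "\r\n"
    "<html></html>"
)

# Constructed response after the settings on this page have been applied.
HARDENED_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Apache\r\n"
    "X-Frame-Options: SAMEORIGIN\r\n"
    "X-XSS-Protection: 1; mode=block\r\n"
    "Set-Cookie: session=abc123; Path=/; HttpOnly; Secure\r\n"
    "Content-Type: text/html\r\n"
    "\r\n"
    "<html></html>"
)


def parse_headers(raw):
    """Return (status_line, [(name, value), ...]); repeated headers such as Set-Cookie are kept."""
    head, _, _body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    headers = []
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.append((name.strip().lower(), value.strip()))
    return lines[0], headers


def audit_headers(raw):
    """Map each check from this page to (passed, detail) for the given raw response."""
    _, headers = parse_headers(raw)

    def get(name):
        return [v for k, v in headers if k == name]

    results = {}

    xfo = get("x-frame-options")
    # Exactly one header with a single valid token; "SAMEORIGIN, DENY" from a double append fails
    results["x_frame_options"] = (len(xfo) == 1 and xfo[0].upper() in ("DENY", "SAMEORIGIN"), xfo)

    results["etag_absent"] = (not get("etag"), get("etag"))

    server = get("server")
    # ServerTokens Prod yields exactly "Apache"; a version or OS string leaks information
    results["server_minimal"] = (server in ([], ["Apache"]), server)
    results["x_powered_by_absent"] = (not get("x-powered-by"), get("x-powered-by"))

    bad_cookies = []
    for cookie in get("set-cookie"):
        attrs = {a.strip().lower() for a in cookie.split(";")[1:]}
        if not {"httponly", "secure"} <= attrs:
            bad_cookies.append(cookie.split("=")[0])
    results["cookie_flags"] = (not bad_cookies, bad_cookies)

    xss = get("x-xss-protection")
    results["x_xss_protection"] = (xss == ["1; mode=block"], xss)
    return results


def passes(raw):
    """True only if every check from this page passes."""
    return all(ok for ok, _ in audit_headers(raw).values())


if __name__ == "__main__":
    for label, raw in (("unhardened", UNHARDENED_RESPONSE), ("hardened", HARDENED_RESPONSE)):
        print(label, "passes" if passes(raw) else "fails")
        for check, (ok, detail) in audit_headers(raw).items():
            if not ok:
                print("  ", check, detail)
```

To check a live server, capture the response head with `curl -sI https://mydomain.com/` and pass it to `audit_headers`. The TRACE and request-method checks are not covered here because they need a request per method rather than one response. X-XSS-Protection is a legacy control: current browsers have removed the XSS auditor it controlled, so treat its presence as a compatibility setting rather than a defence.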