Feb 6, 2014

Here are the 10 steps I took to harden the apache2 server on my Ubuntu 13.04 box.
Securing apache2 was a task in learning round 1 of InCTF '14.

Step 1 Disable Directory Listing

Directory Listing: if a directory of your website has no "index" file and you open that directory's URL in the browser, Apache lists the files in that directory. A directory listing looks like this:

[screenshot: directory listing, with the Apache version and port printed beneath it]
To disable directory listing, open the file /etc/apache2/sites-available/000-default.conf:

sudo vim /etc/apache2/sites-available/000-default.conf

Find the Directory block for the path of your website and change Indexes in Options to -Indexes:
    <Directory /var/www/php>
        Options -Indexes
        Order allow,deny
        Allow from all
    </Directory>

Step 2 Prevent Server Information leakage

Version details of the Apache server and operating system are shown by default in error pages, directory listings and HTTP headers. This is a security threat: from the version details an attacker can work out which kind of attack to use. See the server and port details beneath the directory listing above.
To disable this information leakage:

Open the file "/etc/apache2/conf-available/security.conf"
sudo vim /etc/apache2/conf-available/security.conf

Set "ServerSignature Off" and "ServerTokens Prod"
ServerSignature Off
ServerTokens Prod

Restart Apache server
sudo service apache2 restart

Step 3 Run Apache as separate User and Group

First find out under which user Apache server is running:

ps -aux | grep --color apache2

The first column shows the user the Apache process is running as; on a plain apache2 install this is 'root' or 'www-data'.
Wondering what 'www-data' is? The 'www-data' account is used when you want PHP to be able to edit the contents of a file or folder.

We have to change the user running Apache to a low-privileged one. If the user 'nobody' comes to mind, don't settle for it: many other processes run as 'nobody', because it is the default daemon account on a Linux system.
If an attacker somehow compromises your Apache server, he also gets access to all those other processes. So it is always better to run a process under its own separate low-privilege account; here we will create an 'apache2' account.

Create a new group apache2
sudo groupadd apache2

Create a new user apache2
sudo useradd -d /var/www/ -g apache2 -s /bin/nologin apache2
    -d  home directory
    -g  the group name or number of the user's initial login group
    -s  the name of the user's login shell (/bin/nologin = login disabled; on Ubuntu the binary actually lives at /usr/sbin/nologin, but a shell that does not exist blocks logins just the same)

Open /etc/apache2/envvars
sudo vim /etc/apache2/envvars

Change the export APACHE_RUN_USER and export APACHE_RUN_GROUP lines to the new account:
export APACHE_RUN_USER=apache2
export APACHE_RUN_GROUP=apache2

Now restart Apache (a reboot may be needed) and check again which user Apache is running as.

Step 4 Use mod_security and mod_evasive modules

mod_security is a web application firewall that can do HTTP traffic logging for a particular web application, real-time monitoring and attack detection, attack prevention, just-in-time patching and more. For details check out the mod_security project website.

mod_evasive is an evasive maneuvers module for Apache that provides evasive action in the event of an HTTP DoS attack or brute force attack. It is also designed to be a detection and network management tool, and can be easily configured to talk to ipchains, firewalls, routers, and more. mod_evasive presently reports abuse via email and syslog facilities. 

mod_security Installation

Install mod_security package
sudo apt-get install libapache2-modsecurity

Enable mod_security module within the apache2 configuration
sudo a2enmod mod-security

Verify that it is enabled:
apachectl -M | grep --color security

You should see a module named security2_module (shared) which indicates that the module was loaded.

mod_evasive Installation
sudo apt-get install libapache2-mod-evasive

Create log file directory for mod_evasive
sudo mkdir /var/log/mod_evasive/
sudo chown apache2:apache2 /var/log/mod_evasive/

Create mod-evasive.conf file and configure ModEvasive
sudo vi /etc/apache2/mods-available/mod-evasive.conf

Add the following to mod-evasive.conf:
<IfModule mod_evasive20.c>
    DOSHashTableSize  3097
    DOSPageCount      2
    DOSSiteCount      50
    DOSPageInterval   1
    DOSSiteInterval   1
    DOSBlockingPeriod 10
    DOSLogDir         /var/log/mod_evasive
    DOSEmailNotify    EMAIL@DOMAIN.com
    DOSWhitelist      127.0.0.1
</IfModule>

DOSPageCount and DOSSiteCount are the number of requests for the same page, and for the whole site, that one client may make within DOSPageInterval / DOSSiteInterval seconds before it is blocked for DOSBlockingPeriod seconds. A page count of 2 per second is tight and can block legitimate browsers, so tune it for your site; addresses in DOSWhitelist are never blocked.

Enable mod_evasive, restart Apache and check that the module is loaded:
sudo a2enmod mod-evasive
sudo service apache2 restart
apache2ctl -M | grep --color evasive

Step 5 Turn off Server Side Includes and CGI Execution

If your website does not need server-side includes or CGI execution, disable them: through a poorly designed website they can let an attacker execute shell code on the server.

In the file '/etc/apache2/sites-available/default', change or add 'Options -Includes -ExecCGI' in your website's Directory section.
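As an added check for Steps 1, 2 and 5 (this script is not from the original post), the function below scans an Apache configuration file for directory listing, version disclosure and SSI/CGI options left enabled. It assumes one directive per line, as in the snippets above, and runs against two constructed sample configs written to temporary files.

```shell
#!/bin/sh
# Added example, not from the post: audit an Apache config file for the
# settings Steps 1, 2 and 5 switch off. Prints one finding per line;
# no output means none of these weak settings was found.
audit_apache_conf() {
  f=$1
  # An Options line listing Indexes / Includes / ExecCGI as a plain or "+"
  # token enables the feature; a "-" token (as in the fixed config) does not.
  opt='^[[:space:]]*Options[[:space:]]+([^[:space:]]+[[:space:]]+)*[+]?'
  grep -Eiq "${opt}Indexes([[:space:]]|\$)" "$f" &&
    echo "$f: directory listing enabled (Options Indexes)"
  grep -Eiq '^[[:space:]]*ServerSignature[[:space:]]+(On|EMail)' "$f" &&
    echo "$f: ServerSignature not Off, version shown on error pages"
  grep -Eiq '^[[:space:]]*ServerTokens[[:space:]]+(OS|Full|Min|Major)' "$f" &&
    echo "$f: ServerTokens not Prod, version sent in the Server header"
  grep -Eiq "${opt}Includes([[:space:]]|\$)" "$f" &&
    echo "$f: server-side includes enabled (Options Includes)"
  grep -Eiq "${opt}ExecCGI([[:space:]]|\$)" "$f" &&
    echo "$f: CGI execution enabled (Options ExecCGI)"
  return 0
}

# Constructed sample configs (not real server files) to exercise the checks
WEAK_CONF=$(mktemp); GOOD_CONF=$(mktemp)
trap 'rm -f "$WEAK_CONF" "$GOOD_CONF"' EXIT
cat >"$WEAK_CONF" <<'EOF'
ServerSignature On
ServerTokens OS
<Directory /var/www/php>
    Options Indexes FollowSymLinks Includes ExecCGI
    Order allow,deny
    Allow from all
</Directory>
EOF
cat >"$GOOD_CONF" <<'EOF'
ServerSignature Off
ServerTokens Prod
<Directory /var/www/php>
    Options -Indexes -Includes -ExecCGI
    Order allow,deny
    Allow from all
</Directory>
EOF
audit_apache_conf "$WEAK_CONF"   # five findings
audit_apache_conf "$GOOD_CONF"   # nothing
```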

Step 6 File permissions

Your website root directory may contain files that hold sensitive information. Remove write permission from those files so their data cannot be modified through the website or by anything that uses it.

Permission bits: Read = 4, Write = 2, Execute = 1.
Splitting the octal permission 745 into its three sections, user, group and others, gives:
    User   = 7 (4+2+1, or RWX)
    Group  = 4 (4, or R)
    Others = 5 (4+1, or RX)
The permissions of a sensitive file can be changed with:
chmod 745 sensitive_file.txt

Step 7 File/Folder Ownership

Files in the Apache web directory should never be run with root permissions.
To change the ownership of the web root to the apache2 user and group, run:
sudo chown -R apache2:apache2 /var/www/
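As an added check for Step 6 (not from the post), the functions below list files under a web root whose group or others class still carries the write bit, and then strip it from files only. The sample tree is constructed in a temporary directory.

```shell
#!/bin/sh
# Added example, not from the post: find files under a web root whose group
# or others class still has the write bit Step 6 says to remove, and strip
# it. find's -perm -020 = group write bit set, -perm -002 = others write bit.
list_writable() {           # $1 = web root; prints one offending path per line
  find "$1" -type f \( -perm -020 -o -perm -002 \) -print | sort
}
strip_write_bits() {        # $1 = web root; files only, directories untouched
  find "$1" -type f \( -perm -020 -o -perm -002 \) -exec chmod go-w {} +
}

# Constructed sample web root (a temporary directory, not a real site)
ROOT=$(mktemp -d); trap 'rm -rf "$ROOT"' EXIT
mkdir -p "$ROOT/uploads"
for p in index.php config.php secrets.txt uploads/notes.txt; do : >"$ROOT/$p"; done
chmod 644 "$ROOT/index.php"          # rw-r--r--  no group/others write
chmod 745 "$ROOT/config.php"         # rwxr--r-x  the post's example mode
chmod 664 "$ROOT/uploads/notes.txt"  # rw-rw-r--  group-writable
chmod 666 "$ROOT/secrets.txt"        # rw-rw-rw-  world-writable

list_writable "$ROOT"     # lists notes.txt and secrets.txt
strip_write_bits "$ROOT"
list_writable "$ROOT"     # now prints nothing
```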

Step 8 Use Allow and Deny to Restrict access to Directories

We can restrict access to directories with the 'Allow' and 'Deny' directives in '/etc/apache2/sites-available/default'. Secure the root directory with the settings below:
<Directory />
   Options None
   Order deny,allow
   Deny from all
</Directory>

Order is one of the following (see the Apache documentation of the Order directive for more details):
Allow,Deny
First, all Allow directives are evaluated; at least one must match, or the request is rejected. Next, all Deny directives are evaluated. If any matches, the request is rejected. Last, any requests which do not match an Allow or a Deny directive are denied by default.

Deny,Allow
First, all Deny directives are evaluated; if any match, the request is denied unless it also matches an Allow directive. Any requests which do not match any Allow or Deny directives are permitted.
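To make the two evaluation orders concrete, here is an added shell implementation (not Apache's own code) of the rules just quoted. Address specs are simplified to 'all', an exact IP, or a dotted prefix such as 10.0; Apache itself also accepts CIDR ranges and hostnames.

```shell
#!/bin/sh
# Added example, not Apache's code: decide a request under the two Order
# modes from Step 8. Specs are simplified to "all", an exact IP, or a
# dotted prefix such as "10.0" (Apache also accepts CIDR and hostnames).
spec_matches() {            # $1 = client IP, $2 = one Allow/Deny spec
  [ "$2" = all ] && return 0
  case "$1" in
    "$2"|"$2".*) return 0 ;;
  esac
  return 1
}
list_matches() {            # $1 = client IP, remaining args = specs
  ip=$1; shift
  for s in "$@"; do spec_matches "$ip" "$s" && return 0; done
  return 1
}
# $1 = allow,deny | deny,allow   $2 = client IP
# $3 = Allow specs, $4 = Deny specs (each space-separated, may be empty)
# Prints "allowed" or "denied".
order_decision() {
  order=$1; ip=$2; allows=$3; denies=$4   # $allows/$denies split on purpose
  case "$order" in
    allow,deny)   # an Allow must match, and then no Deny may match
      if list_matches "$ip" $allows && ! list_matches "$ip" $denies
      then echo allowed; else echo denied; fi ;;
    deny,allow)   # denied only if a Deny matches and no Allow rescues it
      if list_matches "$ip" $denies && ! list_matches "$ip" $allows
      then echo denied; else echo allowed; fi ;;
    *) echo "unknown order: $order" >&2; return 1 ;;
  esac
}

# The post's root-directory block: Order deny,allow + Deny from all, no Allow
order_decision deny,allow 203.0.113.9 "" all           # denied
# Same, plus "Allow from 127.0.0.1": the Allow overrides the Deny
order_decision deny,allow 127.0.0.1 127.0.0.1 all      # allowed
# Order allow,deny with "Allow from all" and "Deny from 10.0"
order_decision allow,deny 10.0.5.7 all 10.0            # denied
order_decision allow,deny 192.0.2.4 all 10.0           # allowed
# Order allow,deny with no Allow at all: nothing matches, so denied by default
order_decision allow,deny 192.0.2.4 "" ""              # denied
```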

Step 9 Disable unwanted HTTP methods

Disable unwanted, potentially risky HTTP/1.1 methods. A website usually needs only the GET, HEAD and POST request methods, which can be configured in the respective Directory directive:
<Directory /var/www/php/>
    <LimitExcept GET POST>
        Deny from all
    </LimitExcept>
</Directory>

Restrictions applied to GET also apply to HEAD, so if GET is unrestricted, HEAD is unrestricted as well. The HEAD method is identical to GET except that the server MUST NOT return a message-body in the response.

Step 10 Keep Apache Server updated

In Ubuntu you can trigger the system update process from the Software Updater, which includes the Apache updates as well.
