Apache Web Server Hardening Security Guide. A practical guide to secure and harden Apache Web Server.

Introduction

The Web Server is a crucial part of web based applications. Apache Web Server is often placed at the edge of the network, hence it becomes one of the most vulnerable services to attack. The default configuration supplies much sensitive information which may help a hacker prepare an attack on the web server.
The majority of web application attacks are through XSS, Info Leakage, Session Management and PHP Injection attacks, which are due to weak programming code and failure to sanitize the web application infrastructure. According to the security vendor Cenzic, 9. The chart below from Cenzic shows the vulnerability trend report of 2.

This practical guide provides you the necessary skill set to secure Apache Web Server. In this course, we will talk about how to harden and secure Apache Web Server on the Unix platform.

The following are tested on Apache 2. I don't see any reason it won't work with Apache 2. This assumes you have installed Apache on a UNIX platform. If not, you can go through the Installation guide. You can also refer to the free video about how to install Apache, MySQL and PHP. We will call the Apache installation directory /opt/apache "WebServer" throughout this course. You are advised to take a backup of the existing configuration file before any modification.

Audience

This is designed for Middleware Administrators, Application Support, System Analysts, or anyone working with or eager to learn hardening and security guidelines. Fair knowledge of Apache Web Server and UNIX commands is mandatory.

Information Leakage

In the default Apache configuration you would have many sensitive information disclosures, which can be used to prepare for an attack. It's one of the most critical tasks for an administrator to understand and secure them. As per the report by Cenzic, 1. Info leakage.

We require some tool to examine HTTP headers for verification. Let's do this by installing the Firebug add-on in Firefox. Click on Install Now. Restart Firefox. You can see the Firebug icon at the right of the top bar. We will use this icon to open the Firebug console to view HTTP header information. There are also many online tools available which help to check HTTP header information.

Remove Server Version Banner
I would say this is one of the first things to consider, as you don't want to expose what web server version you are using. Exposing the version means you are helping a hacker speed up the reconnaissance process. The default configuration will expose the Apache version and OS type as shown below.

Implementation: Go to the WebServer/conf folder. Modify httpd.conf using the vi editor. Add the following directives and save httpd.conf:

    ServerTokens Prod
    ServerSignature Off

ServerSignature will remove the version information from pages generated by Apache, like 4. error pages. ServerTokens will change the Server header to the production-only value, i.e. "Apache".

Verification: Open Firefox. Activate Firebug by clicking the Firebug icon at the top right. Click on the Net tab. Hit the URL in the address bar. Expand the GET request and you can see the Server header is just showing "Apache", which is much better than exposing the version and OS type.

Disable directory browser listing

Disable directory listing in the browser so the visitor doesn't see what files and folders you have under the root or a subdirectory. Let's test how it looks with the default settings. Go to the WebServer/htdocs directory. Create a folder and a few files inside it (mkdir test, then create a few files in it). Now, let's try to access Apache by http://localhost/test. As you can see, it reveals what files and folders you have, which you certainly don't want to expose.

Implementation: Go to the WebServer/conf directory. Open httpd.conf. Search for the Directory directive and change the Options directive to None or -Indexes:

    <Directory /opt/apache/htdocs>
        Options None
        Order allow,deny
        # Allow from all is needed with Order allow,deny; without it every request is denied
        Allow from all
    </Directory>

or

    <Directory /opt/apache/htdocs>
        Options -Indexes
        Order allow,deny
        Allow from all
    </Directory>

Note: if you have multiple Directory directives in your environment, you should consider doing the same for all of them.

Verification: Now, let's try to access Apache by http://localhost/test. As you can see, it displays a Forbidden error instead of showing the test folder listing.

Etag
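As an added example (my own code, not from the original guide), here is the same verification done without Firebug: a POSIX shell function that reads a saved HTTP response and reports a Server header that still carries version or OS details and a body that is still a directory listing. The function name audit_response and the two sample responses are constructed for illustration.

```shell
# Added example, not from the original guide: check a saved HTTP response
# (e.g. the output of `curl -si http://localhost/test/`) for the two
# disclosures above: a Server header carrying version/OS details and a
# directory listing body. Reads the response on stdin, returns finding count.
audit_response() {
    issues=0
    resp=$(tr -d '\r')                                   # drop CR from CRLF
    hdrs=$(printf '%s\n' "$resp" | sed '/^$/q')          # up to first blank line
    body=$(printf '%s\n' "$resp" | sed '1,/^$/d')        # everything after it
    server=$(printf '%s\n' "$hdrs" | grep -i '^server:' | head -n 1 |
             cut -d: -f2- | sed 's/^ *//')
    # ServerTokens Prod reduces the header to exactly "Apache"
    if [ -n "$server" ] && [ "$server" != "Apache" ]; then
        echo "FINDING: Server header reveals build details: $server"
        issues=$((issues + 1))
    fi
    # mod_autoindex pages are titled "Index of /<path>"
    if printf '%s\n' "$body" | grep -q '<title>Index of '; then
        echo "FINDING: directory listing returned (Options Indexes still active)"
        issues=$((issues + 1))
    fi
    return "$issues"
}

# Constructed sample responses (not captured from a real server)
DEFAULT_RESPONSE='HTTP/1.1 200 OK
Server: Apache/2.2.15 (Unix) PHP/5.3.3
Content-Type: text/html

<html><head><title>Index of /test</title></head>
<body><h1>Index of /test</h1><a href="hi">hi</a></body></html>'
HARDENED_RESPONSE='HTTP/1.1 403 Forbidden
Server: Apache
Content-Type: text/html

<html><body><h1>Forbidden</h1></body></html>'
for r in "$DEFAULT_RESPONSE" "$HARDENED_RESPONSE"; do
    printf '%s\n' "$r" | audit_response && echo "no findings" || echo "$? finding(s)"
done
```

The return code is the number of findings, so the function drops straight into a cron or CI check.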
It allows remote attackers to obtain sensitive information like inode number, multipart MIME boundary, and child process through the Etag header. To prevent this vulnerability, let's implement it as below. This fix is required for PCI compliance.

Implementation: Go to the WebServer/conf directory. Add the following directive and save httpd.conf:

    FileETag None

Verification: Open Firefox and access your application. Check the HTTP response headers in Firebug; you should not see Etag at all.

3. Authorization

3.1 Run Apache from a non-privileged account

The default Apache configuration is to run as nobody or daemon. It's good to use a separate non-privileged user for Apache. The idea here is to protect the other running services in case of any security hole.

Implementation: Create a user and group called apache:

    groupadd apache
    useradd -G apache apache

Change the Apache installation directory ownership to the newly created non-privileged user:

    chown -R apache:apache /opt/apache

Go to WebServer/conf and modify httpd.conf. Search for the User and Group directives and change them to the non-privileged account apache:

    User apache
    Group apache

Save httpd.conf and restart Apache.

Verification: grep for the running http processes and ensure they are running as the apache user:

    ps -ef | grep http

Note: You can see one process is running as root. That's because Apache is listening on port 8. We will talk about how to change the port number later in this course.

3.2 Protect binary and configuration directory permission

By default, the permission for binary and configuration is 7. You can disallow other users from getting into the conf and bin folders.

Implementation: Go to the WebServer directory. Change the permission of the bin and conf folders with chmod -R 7.

3.3 System Settings Protection

In a default installation, users can override the Apache configuration using .htaccess. To stop users from changing your Apache server settings, set AllowOverride to None as shown below. This must be done at the root level.

Implementation: Go to the WebServer/conf directory. Open httpd.conf. Search for the Directory directive at root level and set it as follows:
    <Directory />
        Options -Indexes
        AllowOverride None
    </Directory>

Save httpd.conf and restart Apache.

3.4 HTTP Request Methods

The HTTP 1.1 protocol supports many request methods which may not be required, and some of them carry potential risk. Typically you may just need the GET, HEAD and POST request methods in a web application, which can be configured in the respective Directory directive. The default Apache configuration supports the OPTIONS, GET, HEAD, POST, PUT, DELETE, TRACE and CONNECT methods in HTTP 1.1.

Implementation: Go to the WebServer/conf directory. Open httpd.conf. Search for the Directory directive and add the following:

    <LimitExcept GET POST HEAD>
        deny from all
    </LimitExcept>

4. Web Application Security

An Apache web server that is misconfigured or not hardened properly can be used to exploit the web application. It's critical to harden your web server configuration.

4.1 Cookies

4.1.1 Disable Trace HTTP Request

By default the TRACE method is enabled in Apache web server. Having this enabled can allow a Cross Site Tracing attack and potentially give a hacker an option to steal cookie information. Let's see how it looks in the default configuration. Telnet to the web server IP on its listening port and make a TRACE request as shown below:

    telnet localhost 8.
    Trying 127.0.0.1...
    Connected to localhost.
    Escape character is '^]'.
    TRACE / HTTP/1.1
    Host: test

    HTTP/1.1 200 OK
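As an added example (my own code, not from the original guide), a small POSIX shell audit that reads an httpd.conf and reports which of the directives covered above (ServerTokens, ServerSignature, FileETag, AllowOverride, LimitExcept, and an Options line that enables Indexes) are missing or weak. The function name audit_httpd_conf and the two config fragments are constructed for illustration.

```shell
# Added example, not from the original guide: static audit of an httpd.conf.
# Reads the config on stdin, prints one line per weak or missing directive
# and returns the number of findings (0 = all checked settings hardened).
audit_httpd_conf() {
    issues=0
    # Drop comments so a commented-out directive is not mistaken for an active one
    active=$(sed 's/#.*$//')
    expect() {  # expect <ERE> <message>: a finding when no active line matches
        if ! printf '%s\n' "$active" | grep -Eiq "$1"; then
            echo "FINDING: $2"
            issues=$((issues + 1))
        fi
    }
    expect '^[[:space:]]*ServerTokens[[:space:]]+Prod' \
        'ServerTokens is not Prod (Server header exposes version and OS)'
    expect '^[[:space:]]*ServerSignature[[:space:]]+Off' \
        'ServerSignature is not Off (version shown on server-generated pages)'
    expect '^[[:space:]]*FileETag[[:space:]]+None' \
        'FileETag is not None (inode details leak through the ETag header)'
    expect '^[[:space:]]*AllowOverride[[:space:]]+None' \
        'AllowOverride None is missing (.htaccess can override server settings)'
    expect '^[[:space:]]*<LimitExcept[[:space:]]+GET[[:space:]]+POST[[:space:]]+HEAD>' \
        'no <LimitExcept GET POST HEAD> block (PUT, DELETE, TRACE, CONNECT allowed)'
    # Directory listing: an Options line that turns Indexes on (not "-Indexes")
    if printf '%s\n' "$active" | grep -Ei '^[[:space:]]*Options[[:space:]]' |
            grep -Eq '(^|[[:space:]]|\+)Indexes'; then
        echo "FINDING: Options enables Indexes (directory listing)"
        issues=$((issues + 1))
    fi
    return "$issues"
}
# Constructed sample fragments (not taken from a real server)
WEAK_CONF='ServerTokens Full
<Directory "/opt/apache/htdocs">
    Options Indexes FollowSymLinks
    AllowOverride All
</Directory>'
HARDENED_CONF='ServerTokens Prod
ServerSignature Off
FileETag None
<Directory "/opt/apache/htdocs">
    Options -Indexes
    AllowOverride None
    <LimitExcept GET POST HEAD>
        deny from all
    </LimitExcept>
</Directory>'
for c in "$WEAK_CONF" "$HARDENED_CONF"; do
    printf '%s\n' "$c" | audit_httpd_conf && echo "no findings" || echo "$? finding(s)"
done
```

Against a real server run it as `audit_httpd_conf < /opt/apache/conf/httpd.conf`; note it only sees the one file, so directives placed in included files must be audited the same way.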