15 Feb 2019

Web Server Hardening Checklist: Best Practices And Security Guide

The web server is one of the most important components of any web application or website. Because the Apache web server sits at the edge of the network, it is exposed to attack, and when it is left on its default configuration those defaults become the loopholes an attacker uses to get into the application or the system behind it.

Many of the most common web application attacks (information leakage, SQL injection, session management attacks) come from code written without a proper grounding in secure programming, and sometimes from a failure to clean up the web application infrastructure on a regular basis. Even applications that have been scanned are frequently still found to be vulnerable.

As discussed, misconfiguration, or simply staying on the default configuration, can expose the most critical information. It is the responsibility of the web administrator or the owner of the application or site to monitor it continuously and perform security checks regularly, so that nothing is exposed and no attacker reaches the system.

Apache Web Server Security

Here we will take you through the essential configuration changes that tighten the security of your Apache web server and prevent attacks.

The directives below go in the httpd.conf of your Apache instance (or in a file it includes).

Take a backup of all essential configuration files before modifying them, so that you can restore them if anything goes wrong.

  1. Start by Disabling the TRACE HTTP Method

The TraceEnable directive defaults to on, which permits TRACE requests (TRACE, as RFC 7231 defines it, carries no request body). TRACE echoes the request back to the client verbatim, headers included, so if any page on the site is vulnerable to cross-site scripting, script can issue a TRACE and read back cookies and Authorization headers that it could not otherwise reach, HttpOnly cookies included. This is the cross-site tracing (XST) attack.

Disable the method in the Apache configuration by adding the following directive to httpd.conf; the core server and mod_proxy will then answer TRACE with a 405 Method Not Allowed:

TraceEnable off

  2. Running as a Separate User and Group

Do not leave the User and Group directives at the build defaults (typically daemon or nobody, accounts that other services on the host may share), and never set them to root. Create a dedicated unprivileged account and group for the server and point the User and Group directives in httpd.conf at it. The parent process still starts as root so that it can bind ports 80 and 443 and read the private keys; the child processes that handle requests drop to this account, so a compromise of the server code runs with its permissions and nothing more.

  3. Disabling the Server Signature

The ServerSignature directive controls the footer line that Apache appends to the pages it generates itself (error pages, directory listings, mod_proxy error pages). With it set to On, that line carries the server version number and the name of the serving virtual host; with Off, the default, it is suppressed. Nobody wants to reveal the exact Apache version they are running, so set it explicitly:

ServerSignature Off

  4. Disabling the Banner

The ServerTokens directive controls how much the Server response header reveals to clients. The default, Full, includes the version, the generic OS type and the versions of compiled-in or loaded modules (OpenSSL or PHP, for example). Set ServerTokens Prod, which reduces the header to the bare product name, Apache. Note that ServerTokens cannot remove the Server header altogether.

  5. Restricting Access to a Network or IP

If a site, or an administrative part of it, should be reachable only from a specific network or IP address, restrict it in the site's Directory section in httpd.conf. The examples below use the Order/Deny/Allow syntax of mod_access_compat, which still works on Apache 2.4 when that module is loaded; the native 2.4 form replaces the three Order/Deny/Allow lines with Require ip 10.20.0.0/24 (or a single address).

To allow a whole network, put its CIDR range in the Allow directive:

<Directory /yourwebsite>
Options None
AllowOverride None
Order deny,allow
Deny from all
Allow from 10.20.0.0/24
</Directory>

To allow a single host, put its IP address in the Allow directive instead:

<Directory /yourwebsite>
Options None
AllowOverride None
Order deny,allow
Deny from all
Allow from 10.20.1.56
</Directory>

  6. Disable SSLv2 and SSLv3

SSLv2 and SSLv3 must be disabled: both have known cryptographic weaknesses (SSLv3 is the protocol broken by the POODLE attack). mod_ssl in Apache 2.4 no longer supports SSLv2 at all, so the directive below is really about SSLv3, but as written it also disables TLS 1.0 and TLS 1.1, which is what current guidance calls for. If mod_ssl is built against OpenSSL 1.1.1 or later (httpd 2.4.36 and up), add +TLSv1.3 as well.

SSLProtocol -ALL +TLSv1.2

  7. Disabling Directory Listing

If there is no index.html (or other DirectoryIndex file) in a website directory, the client can see every file and subdirectory listed in the browser, much like the output of ls -l. Disable directory browsing by setting the Options directive to either None or -Indexes. Apply it to the DocumentRoot directory, not to <Directory />: the filesystem root should stay denied to the server, as it is in the default configuration, and Allow from all on / would undo that.

<Directory /yourwebsite>
Options None
Order allow,deny
Allow from all
</Directory>

(or)

<Directory /yourwebsite>
Options -Indexes
Order allow,deny
Allow from all
</Directory>


  8. Eliminate All Unnecessary DSO Modules

A default installation loads a long list of dynamic shared object (DSO) modules through LoadModule lines in httpd.conf, many of which the site never uses. Every loaded module is attack surface, and modules such as mod_status, mod_info, mod_autoindex, mod_userdir or mod_cgi are information or execution channels in their own right. List what is actually loaded with httpd -M (or apachectl -M), comment out the LoadModule lines you do not need, check the result with httpd -t and restart.

  9. Disabling Void and Weaker Ciphers

Remove the weak cipher suites and keep only the strong ones. RC4 is broken and its use in TLS is prohibited by RFC 7465, so it belongs on the exclusion side of the list rather than among the enabled suites, as do NULL, anonymous, export, low-strength, MD5 and 3DES suites.

You can do this with the following directive:

SSLCipherSuite HIGH:!aNULL:!eNULL:!EXP:!LOW:!MD5:!RC4:!3DES

Pair it with SSLHonorCipherOrder on so that the server's preference, not the client's, decides which suite is negotiated.

  10. Staying Updated

Apache is an actively maintained open source web server, and every release brings new fixes and security patches. Keep your installation on the latest version (or on your distribution's patched package), and follow the httpd security announcements so that you hear about fixes as soon as they are released.
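As an added example (not code from the original article or from the Apache project), the Python script below audits an httpd.conf against the ten items above. It parses the top-level directives and each <Directory> section, applies mod_ssl's +/- token rules to SSLProtocol, and reports anything still at a weak setting. The two configurations embedded in it are constructed for the demonstration: WEAK_CONF mirrors the Apache 2.2-style fragments in this checklist, and HARDENED_CONF is the same server in Apache 2.4 syntax (Require ip instead of Order/Deny/Allow). The defaults it assumes for absent directives are the documented httpd 2.4 ones (TraceEnable on, ServerTokens Full, ServerSignature Off, FileETag MTime Size, SSLProtocol all -SSLv3 since 2.4.17); the set of modules it flags as optional is this example's own choice, not an Apache list.

```python
"""Audit an httpd.conf against the ten checklist items (added example, not
Apache code). WEAK_CONF and HARDENED_CONF are constructed samples; defaults
assumed for absent directives are the documented httpd 2.4 ones."""
import re

WEAK_CONF = """
User daemon
Group daemon
ServerTokens Full
FileETag INode MTime Size
LoadModule status_module modules/mod_status.so
SSLProtocol all
SSLCipherSuite ALL:!aNULL:!ADH:!eNULL:!LOW:!EXP:RC4+RSA:+HIGH:+MEDIUM
<Directory /opt/apache/htdocs>
    Options Indexes FollowSymLinks
    Order allow,deny
    Allow from all
</Directory>
"""
HARDENED_CONF = """
User apache
Group apache
ServerTokens Prod
ServerSignature Off
TraceEnable off
FileETag MTime Size
SSLProtocol -all +TLSv1.2 +TLSv1.3
SSLCipherSuite HIGH:!aNULL:!eNULL:!EXP:!LOW:!MD5:!RC4:!3DES
SSLHonorCipherOrder on
<Directory "/opt/apache/htdocs">
    Options -Indexes +FollowSymLinks
    Require ip 10.20.0.0/24
</Directory>
"""
ALL_PROTOCOLS = {"SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3"}  # mod_ssl 'all' (no SSLv2 on 2.4)
LEGACY_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}
WEAK_CIPHER_WORDS = ("RC4", "DES", "MD5", "NULL", "EXP")
OPTIONAL_MODULES = {"status_module", "info_module", "autoindex_module",  # this example's own
                    "userdir_module", "cgi_module"}                      # list of usual suspects

def parse(conf):
    """Yield (section, directive, args); section is the <Directory> path or None."""
    section = None
    for raw in conf.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        opened = re.match(r"<Directory\s+(.+)>$", line, re.I)
        if opened:
            section = opened.group(1).strip('"')
            continue
        if line.lower() == "</directory>":
            section = None
            continue
        name, *args = line.split()
        yield section, name.lower(), args

def enabled_protocols(tokens):
    """Apply the +/- token rules of SSLProtocol; a bare token counts as '+'."""
    enabled = set()
    for tok in tokens:
        sign, name = (tok[0], tok[1:]) if tok[0] in "+-" else ("+", tok)
        names = ALL_PROTOCOLS if name.lower() == "all" else {name}
        enabled = enabled - names if sign == "-" else enabled | names
    return enabled

def audit(conf):
    """Return a list of findings; an empty list means every check passed."""
    findings, top = [], {}
    for section, name, args in parse(conf):
        if section is None:
            top[name] = args
            if name == "loadmodule" and args and args[0] in OPTIONAL_MODULES:
                findings.append(f"LoadModule {args[0]}: disable unless it is actually used")
        elif name == "options":
            on = {a.lstrip("+") for a in args if not a.startswith("-")}
            if on & {"Indexes", "All"}:
                findings.append(f"{section}: directory listing enabled (Options {' '.join(args)})")
        elif name in ("order", "allow", "deny"):
            findings.append(f"{section}: 2.2-style {name.capitalize()}; use Require on 2.4")

    def value(name, default):  # directive value, lower-cased, falling back to the 2.4 default
        return " ".join(top.get(name, default.split())).lower()

    if value("traceenable", "on") != "off":
        findings.append("TraceEnable is not off (TRACE allows cross-site tracing)")
    if value("servertokens", "Full") != "prod":
        findings.append("ServerTokens is not Prod (version/OS/modules in Server header)")
    if value("serversignature", "Off") != "off":
        findings.append("ServerSignature is on (version in generated pages)")
    if value("fileetag", "MTime Size") == "all" or "inode" in value("fileetag", "MTime Size"):
        findings.append("FileETag includes INode (leaks inode numbers)")
    for who in ("user", "group"):
        if value(who, "") in ("", "root", "daemon", "nobody"):
            findings.append(f"{who.capitalize()} is unset, root or a shared system account")
    legacy = enabled_protocols(top.get("sslprotocol", ["all", "-SSLv3"])) & LEGACY_PROTOCOLS
    if legacy:
        findings.append("SSLProtocol permits " + ", ".join(sorted(legacy)))
    for tok in value("sslciphersuite", "").upper().split(":"):
        if tok in ("ALL", "DEFAULT", "COMPLEMENTOFDEFAULT"):
            findings.append(f"SSLCipherSuite starts from {tok}; prefer an explicit allow-list")
        elif tok and not tok.startswith("!") and any(w in tok for w in WEAK_CIPHER_WORDS):
            findings.append(f"SSLCipherSuite enables weak token {tok}")
    return findings

if __name__ == "__main__":
    print("weak:", audit(WEAK_CONF), "hardened:", audit(HARDENED_CONF) or "OK", sep="\n")
```

Run it as is to compare the two samples, or replace WEAK_CONF with the text of your own httpd.conf. The checker is deliberately static: it confirms what the file says, which is why the header checks later in this article are still needed to confirm what the running server actually sends.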

Apache HTTP Server Security Best Practices on Linux

Now we will take you through some of the best practices for keeping the security of Apache HTTP Server tight on the Linux platform.

This guide was tested on Apache 2.4.x.

Assuming Apache is installed on a UNIX-like platform, we will refer to the Apache installation directory, /opt/apache, as $Web_Server in these steps.

Keep a backup of the existing configuration file before you start.

Anyone who wants to learn hardening and security guidelines, or who provides application support, middleware administration or system analysis, can benefit from the following, provided they have a working knowledge of the Apache Web Server and UNIX commands.

Some additional information:

Get a tool that shows HTTP response headers so that you can verify each change. There are two easy ways: the built-in developer tools of your browser show the response headers of every request under the Network tab, or you can use an online HTTP response header checker.
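An added example of such a checker, not a tool from the original article: the Python below parses a raw HTTP response and reports the disclosures that the following steps remove (a Server header carrying versions, TRACE advertised in the Allow header of an OPTIONS reply, an inode-bearing ETag, and an X-Powered-By header). The two responses in it are constructed for the demonstration and combine headers of a GET and an OPTIONS reply in one message. The ETag test relies on Apache building its default ETag from hex fields joined by '-': three fields when FileETag includes INode, two with the 2.4 default of MTime Size.

```python
"""Flag version and filesystem disclosures in HTTP response headers.

Added example for this article; LEAKY and HARDENED are constructed samples
(headers of a GET and an OPTIONS reply combined into one message)."""
import re

LEAKY = (
    "HTTP/1.1 200 OK\r\n"
    "Date: Fri, 15 Feb 2019 10:00:00 GMT\r\n"
    "Server: Apache/2.4.38 (Unix) OpenSSL/1.1.1a PHP/7.3.2\r\n"
    "Allow: OPTIONS,GET,HEAD,POST,TRACE\r\n"
    'ETag: "2c4f3-1e3-581f0d3a9b3c0"\r\n'
    "X-Powered-By: PHP/7.3.2\r\n"
    "Content-Length: 0\r\n\r\n"
)
HARDENED = (
    "HTTP/1.1 200 OK\r\n"
    "Date: Fri, 15 Feb 2019 10:00:00 GMT\r\n"
    "Server: Apache\r\n"
    "Allow: OPTIONS,GET,HEAD,POST\r\n"
    'ETag: "1e3-581f0d3a9b3c0"\r\n'
    "Content-Length: 0\r\n\r\n"
)

# Apache's default ETag is hex fields joined by '-': three when FileETag includes
# INode, two (size, mtime) with the 2.4 default; mod_deflate may append "-gzip".
INODE_ETAG = re.compile(r'^(W/)?"[0-9a-f]+-[0-9a-f]+-[0-9a-f]+(-[a-z]+)?"$')


def parse_response(raw):
    """Split a raw HTTP/1.x response into (status line, {name: [values]})."""
    head = raw.split("\r\n\r\n", 1)[0]
    status, *lines = head.split("\r\n")
    headers = {}
    for line in lines:
        name, _, val = line.partition(":")
        headers.setdefault(name.strip().lower(), []).append(val.strip())
    return status, headers


def check_headers(headers):
    """Return the disclosures found; [] means none of the checked leaks is present."""
    findings = []
    for server in headers.get("server", []):
        if "/" in server or "(" in server:  # ServerTokens Prod leaves just "Apache"
            findings.append(f"Server header discloses versions/OS: {server}")
    for allow in headers.get("allow", []):
        if "TRACE" in allow.upper().replace(" ", "").split(","):
            findings.append("TRACE is advertised in Allow; TraceEnable is not off")
    for etag in headers.get("etag", []):
        if INODE_ETAG.match(etag):
            findings.append(f"ETag carries an inode number (FileETag includes INode): {etag}")
    for powered in headers.get("x-powered-by", []):
        findings.append(f"X-Powered-By discloses {powered} (set expose_php=Off in php.ini)")
    return findings


def check_response(raw):
    """Parse a raw response and check its headers."""
    return check_headers(parse_response(raw)[1])


if __name__ == "__main__":
    for label, raw in (("leaky", LEAKY), ("hardened", HARDENED)):
        print(f"{label}: {check_response(raw) or ['OK']}")
```

To run it against a live server, feed it the output of curl -s -o /dev/null -D - -X OPTIONS http://host/ (the -D - option dumps the response headers to standard output); the checker reads only the headers, so the discarded body does not matter. The X-Powered-By finding points at php.ini because that header comes from PHP, not from httpd.conf.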

Removing the Server Version Banner

An exposed server version invites more trouble than anything else: it tells an attacker exactly which known vulnerabilities to try. If you do not want to attract attention to the web server you are using, this is the first thing to do.

How do you do this?

Go to the $Web_Server/conf folder, open httpd.conf in the vi editor, add the following two directives and save the file:

ServerTokens Prod
ServerSignature Off

Next, restart Apache.

ServerSignature Off removes the version information from the pages Apache generates itself (error pages and directory listings), and ServerTokens Prod cuts the Server header down to the product name only, Apache, with no version, OS or module details. The header itself cannot be removed with this directive.

Disabling Directory Browser Listing

You can easily disable directory listing so that a visitor does not see the files and folders under the document root or any of its subdirectories.

This is how to see the behaviour with the default settings. In the $Web_Server/htdocs directory, create a folder called test and a few files inside it. Then open http://localhost/test in a browser: Apache lists every file and folder in it, which is exactly what you do not want to reveal.

Now go to the $Web_Server/conf directory and open httpd.conf in vi. Search for 'Directory' and change the Options directive to -Indexes or None:

<Directory /opt/apache/htdocs>
Options -Indexes
</Directory>

(or)

<Directory /opt/apache/htdocs>
Options None
</Directory>

Restart Apache.

If your environment has multiple Directory sections, repeat the same change in each of them. Requesting the test folder now returns a 403 Forbidden error instead of the listing.

ETag: with the old default of FileETag INode MTime Size, the ETag header reveals the file's inode number, which a remote attacker can combine with other leaks (such as child process IDs exposed through multipart MIME boundaries) to learn about the server's filesystem and processes. Apache 2.4 already defaults to MTime Size, without the inode; the directive below switches the header off altogether, at the cost of conditional-request caching. If you want to keep that caching, FileETag MTime Size is the alternative.

In the $Web_Server/conf directory, add the directive below to httpd.conf and save it:

FileETag None

Restart Apache.


Run Apache From a Non-Privileged Account

How do you run Apache from a non-privileged account?

As discussed earlier, a default installation runs as daemon or nobody. It is always better to use a unique non-privileged user for Apache, so that a breach of the web server cannot be used to reach other services that share those generic accounts.

Create a user and group called apache, with the group as the user's primary group and no login shell:

# groupadd apache
# useradd -g apache -s /sbin/nologin apache

Now set User apache and Group apache in $Web_Server/conf/httpd.conf and restart Apache. Leave $Web_Server/bin and $Web_Server/conf owned by root (readable by the apache user where needed) and give the apache user read access to the document root, with write access only to the directories it genuinely has to write to, such as upload locations. If the apache user owned the binaries and configuration, a compromised worker process could rewrite them.

These are some of the most important steps to tighten the security of your Apache web server. In an era of ever more technologies, smartphones and similar devices, it is important to keep the security of your web service in check so that nobody can trespass on or attack your site or app.

So keep your sites and apps safe from attack with these steps.

 

Jamsheer K

Jamsheer K is the Tech Lead at Acodez. With his rich, hands-on experience in various technologies, his writing normally comes from his research and experience in the mobile and web application development niche.
