
In this tutorial we will look at the principles of securing our Apache Web Server. The Apache HTTP Server has a good security record, but there are some basic things we can do to make Apache a more secure web server.

 

About Apache HTTP Server

 

The Apache HTTP Server Project is a collaborative software development effort aimed at creating a robust, commercial-grade, featureful, and freely-available source code implementation of an HTTP (Web) server.

 

The project is jointly managed by a group of volunteers located around the world, using the Internet and the Web to communicate, plan, and develop the server and its related documentation. This project is part of the Apache Software Foundation. In addition, hundreds of users have contributed ideas, code, and documentation to the project.

 

(Note: For the purpose of this tutorial we will use BackBox (based on Ubuntu) as the OS and Apache2. There are no guarantees or absolutes when it comes to Apache security, so proceed at your own risk.)

 

First let’s locate the directory Apache is running from by typing the following command:

 

ps -ef | grep apache

 

root      1443     1  0 16:57 ?        00:00:00 /usr/sbin/apache2 -k start
root      2741  2118  0 18:21 pts/0    00:00:00 grep apache
www-data  5569  1443  0 17:06 ?        00:00:00 /usr/sbin/apache2 -k start

 

As we can see from the output of the above command, Apache appears to be running from the following location:

 

/usr/sbin/apache2

 

(Note: The directory may differ on your system. It depends on the installation process, on whether you changed the destination folder during it, and on the OS that is used.)

 

Next let’s gather some important information about Apache, such as the version and which file we will modify (httpd.conf, apache2.conf, etc.). There are many ways to get this information about the web server. On the terminal, we type one of the following:

 

curl -I http://www.example.com

 

or

 

/usr/sbin/apache2 -V 

 

or

 

apache2 -V

 

(Note: With or without the full path we get the same information. If we use -v instead of -V we get only the Server version/built information. Change the path to match yours if it differs.)

 

Server version: Apache/2.2.16 (Debian)
Server built:   Apr  1 2012 06:40:08
Server's Module Magic Number: 20051115:24
Server loaded:  APR 1.4.2, APR-Util 1.3.9
Compiled using: APR 1.4.2, APR-Util 1.3.9
Architecture:   32-bit
Server MPM:     Prefork
threaded:     no
forked:     yes (variable process count)
Server compiled with....
-D APACHE_MPM_DIR="server/mpm/prefork"
-D APR_HAS_SENDFILE
-D APR_HAS_MMAP
-D APR_HAVE_IPV6 (IPv4-mapped addresses enabled)
-D APR_USE_SYSVSEM_SERIALIZE
-D APR_USE_PTHREAD_SERIALIZE
-D APR_HAS_OTHER_CHILD
-D AP_HAVE_RELIABLE_PIPED_LOGS
-D DYNAMIC_MODULE_LIMIT=128
-D HTTPD_ROOT="/etc/apache2"
-D SUEXEC_BIN="/usr/lib/apache2/suexec"
-D DEFAULT_PIDLOG="/var/run/apache2.pid"
-D DEFAULT_SCOREBOARD="logs/apache_runtime_status"
-D DEFAULT_LOCKFILE="/var/run/apache2/accept.lock"
-D DEFAULT_ERRORLOG="logs/error_log"
-D AP_TYPES_CONFIG_FILE="mime.types"
-D SERVER_CONFIG_FILE="apache2.conf"

 

As we can see, the current version of Apache is 2.2.17; if it is not the latest one, install/update it. Also, the line -D HTTPD_ROOT="/etc/apache2" specifies the directory where the configuration (httpd.conf) file lives, and on the line -D SERVER_CONFIG_FILE="apache2.conf" we can verify in which file we’ll make the changes.

 

(Note: If the file on the line -D SERVER_CONFIG_FILE= differs, make the changes to that one.)

 

(Note: The httpd.conf file may be empty if you try to open it.)

 

Set the right User:Group

 

First we open the apache2.conf file and we make sure that the lines

 

User
Group

 

are set to

 

User apache
Group apache

(Note: The account must exist on the system and must be a dedicated, unprivileged user, never root. On Debian/Ubuntu the packaged Apache runs as www-data, as the ps output above shows.)

 

Hiding and modifying Apache server information

 

Next, an important thing is to suppress information (Apache version, OS details, PHP configuration) that appears on error pages:

 


 

To hide this information we must add the following options.

 

# ServerSignature Off means that Apache will not display the server version
# on error pages, or in other pages it generates.
ServerSignature Off

# ServerTokens Prod tells Apache to return only "Apache" in the Server header,
# which is sent with every response.
ServerTokens Prod

 

(Note: If you are using Debian or Ubuntu as the OS you must make the above changes in the file /etc/apache2/conf.d/security; otherwise make them in apache2.conf or httpd.conf, depending on which OS you are using.)

 

Hide PHP Version

 

Next we will modify the php.ini file. On terminal type:

 

nano /etc/php5/apache2/php.ini

 

then find the expose_php setting and change it to Off:

 

expose_php = Off
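To verify that ServerSignature, ServerTokens and expose_php took effect, the following added check (not part of the original tutorial) parses the raw output of a `curl -I`-style request plus an error-page body and reports each disclosure. The response samples are constructed here, not captured from a real server.

```python
import re

# Constructed samples: what a default Apache/PHP install returns, and the
# hardened result after ServerTokens Prod, ServerSignature Off, expose_php = Off.
LEAKY_HEAD = """HTTP/1.1 404 Not Found
Date: Sun, 01 Apr 2012 10:00:00 GMT
Server: Apache/2.2.16 (Debian)
X-Powered-By: PHP/5.3.3-7
Content-Type: text/html; charset=iso-8859-1
"""
LEAKY_BODY = ("<h1>Not Found</h1><p>The requested URL /badurl was not found.</p>"
              "<hr><address>Apache/2.2.16 (Debian) Server at www.example.com Port 80</address>")
HARDENED_HEAD = """HTTP/1.1 404 Not Found
Date: Sun, 01 Apr 2012 10:00:00 GMT
Server: Apache
Content-Type: text/html; charset=iso-8859-1
"""
HARDENED_BODY = "<h1>Not Found</h1><p>The requested URL /badurl was not found.</p>"

VERSION_RE = re.compile(r"Apache/\d+(\.\d+)*")

def parse_head(raw):
    """Turn the header block of a curl -I style response into a dict (lower-cased names)."""
    headers = {}
    for line in raw.splitlines()[1:]:          # skip the status line
        if ":" in line:
            name, value = line.split(":", 1)   # Date: contains colons, so split once
            headers[name.strip().lower()] = value.strip()
    return headers

def find_disclosures(headers, body):
    """Return one finding per setting that is still leaking information."""
    findings = []
    server = headers.get("server", "")
    if "/" in server:                          # anything beyond ServerTokens Prod carries a version
        findings.append("ServerTokens: Server header reveals version/OS: " + server)
    if "x-powered-by" in headers:              # added by PHP while expose_php = On
        findings.append("expose_php: X-Powered-By header present: " + headers["x-powered-by"])
    if "<address>" in body and VERSION_RE.search(body):
        findings.append("ServerSignature: error page footer reveals the server version")
    return findings

if __name__ == "__main__":
    for name, head, body in (("before", LEAKY_HEAD, LEAKY_BODY), ("after", HARDENED_HEAD, HARDENED_BODY)):
        print(name, find_disclosures(parse_head(head), body) or ["no disclosures"])
```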

 

Protecting System Settings and Server Files

 

Stop users from setting up .htaccess files, which can override security features you’ve configured, by adding the following lines to the server configuration:

 

<Directory />
AllowOverride None
</Directory>

 

Next we will disable access to the entire file system except for the directories that are explicitly allowed later.

 

<Directory />
Order Deny,Allow
Deny from all
</Directory>

 

Next we will allow access to specific directories only, keeping the default for the rest of the filesystem as prohibited.

 

<Directory "/webdirectory">
Order Deny,Allow
Allow from all
</Directory>

 

<Directory "/var/www/*">
Order Allow,Deny
Allow from all
</Directory>

 

(Note: <Directory /*/public_html> will not match /home/user/public_html, but <Directory /home/*/public_html> will match.)

 

Restricting Access by IP

 

To restrict access by IP address add the following lines:

 

Order Deny,Allow
Deny from all
Allow from 127.0.0.1
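The Directory blocks above and the IP restriction rely on the Apache 2.2 Order/Deny/Allow logic, which is easy to get backwards. The following added example (my own, not from the tutorial) models that decision for one client address so the blocks on this page can be checked offline; the rule lists and client addresses are constructed.

```python
import ipaddress

def _matches(rule, ip):
    """Does one 'Allow from'/'Deny from' argument match the client address?
    Supports 'all', a full address, CIDR (10.0.0.0/8) and the partial-address
    form Apache 2.2 accepts (e.g. '10.1' matches 10.1.x.x)."""
    rule = rule.strip()
    if rule.lower() == "all":
        return True
    if "/" in rule:
        return ipaddress.ip_address(ip) in ipaddress.ip_network(rule, strict=False)
    return ip == rule or ip.startswith(rule.rstrip(".") + ".")

def evaluate(order, allow, deny, ip):
    """Apache 2.2 access decision for a client address.
    order: 'Deny,Allow' or 'Allow,Deny'; allow/deny: the arguments of the
    'Allow from' and 'Deny from' lines in the block. Returns True if granted."""
    allowed = any(_matches(r, ip) for r in allow)
    denied = any(_matches(r, ip) for r in deny)
    key = order.replace(" ", "").lower()
    if key == "deny,allow":
        # Default is allow: Deny is checked first, a matching Allow overrides it,
        # and a client matching neither list gets in.
        return allowed or not denied
    if key == "allow,deny":
        # Default is deny: at least one Allow must match and no Deny may match.
        return allowed and not denied
    raise ValueError("unknown Order: " + order)

if __name__ == "__main__":
    # The tutorial's "Restricting Access by IP" block
    print(evaluate("Deny,Allow", ["127.0.0.1"], ["all"], "127.0.0.1"))    # True
    print(evaluate("Deny,Allow", ["127.0.0.1"], ["all"], "203.0.113.5"))  # False
    # Pitfall: Order Deny,Allow with no rules at all still permits everyone
    print(evaluate("Deny,Allow", [], [], "203.0.113.5"))                  # True
```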

 

Turn off .htaccess

 

You can do that by adding the following line inside a Directory block.

 

AllowOverride None
