Jump to content

Recommended Posts

Posted

apache_http_server_logo.jpg

 

In this tutorial we will see the principles on how to secure our Apache Web Server. The Apache HTTP Server has a good record for security but there are some basic things we can do to make Apache a more secure Web server.

 

About Apache HTTP Server.

 

The Apache HTTP Server Project is a collaborative software development effort aimed at creating a robust, commercial-grade, featureful, and freely-available source code implementation of an HTTP (Web) server.

 

The project is jointly managed by a group of volunteers located around the world, using the Internet and the Web to communicate, plan, and develop the server and its related documentation. This project is part of the Apache Software Foundation. In addition, hundreds of users have contributed ideas, code, and documentation to the project.

 

(Note: For the Purpose of this tutorial we will use BackBox (Based on Ubuntu) as OS and Apache2. There are no guarantees or absolutes for Apache security things, so proceed at your own risk.)

 

First let’s locate in which directory Apache running by typing the following command:

 

ps -ef | grep apache

 

root      1443     1  0 16:57 ?        00:00:00 /usr/sbin/apache2 -k start
root      2741  2118  0 18:21 pts/0    00:00:00 grep apache
www-data  5569  1443  0 17:06 ?        00:00:00 /usr/sbin/apache2 -k start

 

As we can see typing the above command Apache appears to be running in the following directory

 

/usr/sbin/apache2

 

(Note: Directory may differ from yours. Depends on the installation process if you change the destination folder during that and from the OS that is used.)

 

Next let’s take some important information about Apache like version and which file we will modify (httpd.conf, apache2.conf, etc). We can use a lot of ways to get a couple of information about the web server. So, on terminal we type one of the following ways:

 

curl -I [url=http://www.example.com]www.example.com[/url] 

 

or

 

/usr/sbin/apache2 -V 

 

or

 

apache -V 

 

(Note: With or without directory we take the same information. If we use -v instead of -V we get only the Server Version/built information.Change the directory with yours if differs)

 

Server version: Apache/2.2.16 (Debian)
Server built:   Apr  1 2012 06:40:08
Server's Module Magic Number: 20051115:24
Server loaded:  APR 1.4.2, APR-Util 1.3.9
Compiled using: APR 1.4.2, APR-Util 1.3.9
Architecture:   32-bit
Server MPM:     Prefork
threaded:     no
forked:     yes (variable process count)
Server compiled with....
-D APACHE_MPM_DIR="server/mpm/prefork"
-D APR_HAS_SENDFILE
-D APR_HAS_MMAP
-D APR_HAVE_IPV6 (IPv4-mapped addresses enabled)
-D APR_USE_SYSVSEM_SERIALIZE
-D APR_USE_PTHREAD_SERIALIZE
-D APR_HAS_OTHER_CHILD
-D AP_HAVE_RELIABLE_PIPED_LOGS
-D DYNAMIC_MODULE_LIMIT=128
-D HTTPD_ROOT="/etc/apache2"
-D SUEXEC_BIN="/usr/lib/apache2/suexec"
-D DEFAULT_PIDLOG="/var/run/apache2.pid"
-D DEFAULT_SCOREBOARD="logs/apache_runtime_status"
-D DEFAULT_LOCKFILE="/var/run/apache2/accept.lock"
-D DEFAULT_ERRORLOG="logs/error_log"
-D AP_TYPES_CONFIG_FILE="mime.types"
-D SERVER_CONFIG_FILE="apache2.conf"

 

As we can see current version of Apache is 2.2.17, if not install/update the latest one. Also the line -D HTTPD_ROOT=”/etc/apache2″ specifies the location of the httpd.conf file and on line -D SERVER_CONFIG_FILE=”apache2.conf” we can verify in which file we ‘ll make the changes.

 

(Note: If the file on line -D SERVER_CONFIG_FILE= differs; you will make the changes to this one)

 

(Note: The httpd.conf file may be empty if your try to open it)

 

Set the right User:Group

 

First we open the apache2.conf file and we make sure that the lines

 

User
Group

 

are set to

 

User apache
Group apache 

 

Hiding and modifying Apache server information

 

Next an important think is to disable a couple of information like (Apache Version, OS configurations, Php configurations) that appears on broken pages

 

badurl.png

 

To hide this information we must add the following options.

 

# ServerSignature Off means that Apache will not display the server version
# on error pages, or in other pages that generates.
ServerSignature Off

# ServerTokens Prod tells apache to only return Apache in the Server header,
# returned on every page request.
ServerTokens Prod 

 

(Note: If you are using Debian or Ubuntu as OS you must do the above changes to the file /etc/apache2/conf.d/security otherwise or in apache2.conf or in httpd.comf file, it depends which OS are you using)

 

Hide PHP Version

 

Next we will modify the php.ini file. On terminal type:

 

nano /etc/php5/apache2/php.ini

 

and find and change the expose_php to off

 

expose_php = Off

 

Protecting System Settings and Server Files

 

Stop users from setting up .htaccess files which can override security features you’ve configured adding the following lines to the server configuration:

 

<Directory />
AllowOverride None
</Directory>

 

Next will disable access to the entire file system except for the directories that are explicitly allowed later.

 

<Directory />
Order Deny,Allow
Deny from all
</Directory>

 

Next will allow access to the specific directories prohibiting default access to the filesystem locations.

 

<Directory "/webdirectory">
Order Deny,Allow
Allow from all
</Directory>

 

<Directory "/var/www/*">

Order Allow,Deny

Allow from all

</Directory>

 

(Note: <Directory /*/public_html> will not match /home/user/public_html, but <Directory /home/*/public_html> will match.)

 

Restricting Access by IP

 

To restrict access by ip add the following lines:

 

Order Deny,Allow
Deny from all
Allow from 127.0.0.1

 

Turn off .htaccess

 

You can do that by adding the following line inside a Directory blog.

 

AllowOverride None

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now


  • Posts

    • I assume you're some kind of Rito Games player too, right? If so, I've got some bad news for you. We've been reversing their stuff for years, and the VGK driver collects far more information from your PC than you could imagine.   I won't leak or discuss any specifics here for obvious reasons, but if you've played on certain "serious" projects, they may also have something running on your system. Whether it's mining your GPU or doing other shady things, the point is that you can't really say you're completely safe in today's gaming world. 😄 EAC, BE, Vanguard, FACEIT, and pretty much any kernel level anticheat have extremely deep access to your system.   In the wrong hands, that level of access can become a serious privacy risk. If you have the knowledge, dump the game and take a look for yourself. You might be surprised by what's actually going on behind the scenes.   No wonder the VGK team decided to remove the driver from startup and switch to an on demand approach. I guess the exposure became too much of a risk for them to ignore, so they had to make changes to protect their reputation and keep their image clean.   So let's get to the point. Any anticheat for Lineage 2, whether it's considered good or bad, comes with the same issue: if someone wants to compromise your privacy, they can potentially do it because you don't truly know what you're launching or what kind of drivers it installs or loads. TL;DR: Without proper knowledge and analysis, you can't really know what's happening behind the scenes. Cheers.   Let me remind some people who may have forgotten about this. Many years ago, there was a project called BeyondWorld H5. I saw people complaining that their systems became extremely laggy and their GPUs were overheating after running the game for a long time. After further analysis, we found that the client was heavily using the GPU in a way that appeared to be mining related. The point is that nothing is impossible  if someone has enough access and knowledge, many things can happen.   As for AAC It installs a kernel mode driver. The binary references active64.sys and active64_internal.sys, along with user facing error messages like "Driver installation error, please close all games." This means part of the anti cheat runs in ring 0 kernel mode ROFL, not only as a normal user mode process. Basically, it has a much higher privilege level than the game itself. XD 
    • I said I'd buy it for my player, I didn't say I would run it on my pc. 
    • Hi there! I am starting to develop my server and I am looking for a professional interface editor. I already have a client and I would like to hire somebody to edit it for me or to offer their own interfaces. I have looked around but all the pre-made interfaces out there, so far, has not pleased me and I what I need for my server. So if you are a professional interface maker, please let me know! Thank you!
    • Thanks FunBasec, I recommend this developer ! He is very friendly and professional.
  • Topics

×
×
  • Create New...

Important Information

This community uses essential cookies to function properly. Non-essential cookies and third-party services are used only with your consent. Read our Privacy Policy and We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue..