1. Check that your Apache configuration is updated with the latest patches
If you're not patched properly, there will be loopholes an attacker can use against the server.
2. Protect and hide your Apache version and other important information.
By default many Apache installations tell the version of Apache you're running, which operating system it runs on, and which Apache modules are installed. Attackers use this information to start an attack.
There are two directives in your httpd.conf file:
ServerSignature Off
ServerTokens Prod
The ServerSignature appears at the bottom of pages generated by Apache such as 303 pages, directory listings, etc.
The ServerTokens directive determines what Apache puts in the Server HTTP response header. Setting it to Prod sets the header as follows:
Server: Apache
3. Check that Apache is running under its own user account and group
Several Apache installations run as the user nobody. If Apache and your mail server both run as nobody, an attack through Apache may allow the mail server to also be compromised, and vice versa. So change Apache to run under a dedicated User and Group called apache:
User apache
Group apache
4. Make sure that files outside the document root are not served
Users should not be able to access any files outside of the document root, so keep all your web sites under one directory such as /usr/local/apache2/htdocs:
<Directory />
Order Deny,Allow
Deny from all
Options None
AllowOverride None
</Directory>
<Directory /usr/local/apache2/htdocs>
Order Allow,Deny
Allow from all
</Directory>
Setting Options None and AllowOverride None on the root directory turns off all options and overrides for the server. You then have to state explicitly, for each directory, which Options or Overrides it requires.
5. Ensure directory browsing is turned off
Set an Options directive inside a Directory tag to None or -Indexes:
Options -Indexes
6. Turn off server side includes
Options -Includes
7. Turn off CGI execution
If you don't need CGI, turn it off with the Options directive inside a Directory tag. Set Options to either None or -ExecCGI:
Options -ExecCGI
8. Don't allow Apache to follow symbolic links
Options -FollowSymLinks
9. Turning off multiple Options
To turn off all Options simply set Options None, or list each one to disable in the Options directive:
Options None
Options -ExecCGI -FollowSymLinks -Indexes
10. Turn off support for .htaccess files
This is done in a Directory tag with the AllowOverride directive. Set it to None:
AllowOverride None
If you require overrides, ensure that they cannot be downloaded, and/or change the name to something other than .htaccess. For example we could change it to .httpdoverride, and block all files that start with .ht from being downloaded as follows:
AccessFileName .httpdoverride
<Files ~ "^\.ht">
Order allow,deny
Deny from all
Satisfy All
</Files>
11. Start using mod_security
You can do the following with mod_security:
- Simple filtering
- Regular expression based filtering
- URL encoding validation
- Unicode encoding validation
- Auditing
- Null byte attack prevention
- Upload memory limits
- Server identity masking
- Built-in chroot support
- And more
Disable any unnecessary modules
Check the lines in your httpd.conf that contain LoadModule. To disable a module you can typically just add a # at the beginning of its line. To list the loaded modules:
# grep LoadModule httpd.conf
Here are some modules that are typically enabled but often not necessary:
mod_imap
mod_include
mod_info
mod_userdir
mod_status
mod_cgi
mod_autoindex
12. Make sure only root has access to Apache's config files and binaries (the conf and bin directories in a standard layout).
# chown -R root:root /usr/local/apache
# chmod -R go-rwx /usr/local/apache/conf /usr/local/apache/bin
13. Decrease the Timeout value
By default the Timeout directive is set to 300 seconds. Decreasing it helps mitigate the potential effects of a denial of service attack.
Timeout 45
14. Limiting large requests
Apache has several directives that allow you to limit the size of a request. This is also useful for mitigating the effects of a denial of service attack.
A good place to start is the LimitRequestBody directive, which is set to unlimited by default. If you allow file uploads no larger than 1MB, set:
LimitRequestBody 1048576
If you're not allowing file uploads you can set it even smaller. The following directives can also be tuned:
LimitRequestFields
LimitRequestFieldSize
LimitRequestLine
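The checks in items 2 through 14 above can be applied to a configuration file automatically. The following is an added example, not code from the original article: a small audit script that parses an httpd.conf (a simplified parser, one level of container nesting, no Include handling) and reports the weak settings this checklist warns about, run against a constructed sample configuration.

```python
import re

# Modules the checklist lists as usually enabled but often unnecessary.
RISKY_MODULES = {"imap_module", "include_module", "info_module", "userdir_module",
                 "status_module", "cgi_module", "autoindex_module"}
# Options the checklist says to turn off unless a directory explicitly needs them.
RISKY_OPTIONS = {"indexes", "includes", "execcgi", "followsymlinks"}
# Constructed sample httpd.conf containing several weak settings (not a real server's file).
SAMPLE_CONF = """\
ServerTokens Full
ServerSignature On
LoadModule status_module modules/mod_status.so
<Directory /usr/local/apache2/htdocs>
    Options Indexes -ExecCGI FollowSymLinks
</Directory>
"""

def parse_directives(text):
    # Yield (container, name, args); container is the enclosing <Section arg>, if any.
    container = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()          # strip comments and blank lines
        if not line:
            continue
        m = re.match(r"<(/?)(\w+)\s*([^>]*)>", line)
        if m:                                         # opening or closing section tag
            container = None if m.group(1) else m.group(2) + " " + m.group(3).strip()
            continue
        parts = line.split()
        yield container, parts[0].lower(), parts[1:]

def audit_httpd_conf(text):
    """Return a list of findings; an empty list means every check passed."""
    top, findings = {}, []
    for container, name, args in parse_directives(text):
        if container is None:                         # remember server-level settings
            top[name] = args
        if name == "options":
            for opt in args:                          # "-Indexes" is the safe form
                if opt.lower().lstrip("+") in RISKY_OPTIONS:
                    findings.append(f"Options enables {opt} in <{container or 'server'}>")
        elif name == "loadmodule" and args and args[0] in RISKY_MODULES:
            findings.append(f"{args[0]} is loaded; disable it if unused")
    if top.get("servertokens", [""])[0].lower() != "prod":
        findings.append("ServerTokens should be Prod")
    if top.get("serversignature", [""])[0].lower() != "off":
        findings.append("ServerSignature should be Off")
    if "limitrequestbody" not in top:
        findings.append("LimitRequestBody is unset (unlimited by default)")
    return findings
```

Run `audit_httpd_conf(open("/path/to/httpd.conf").read())` on a real file to get the list of findings, or `audit_httpd_conf(SAMPLE_CONF)` to see the six findings for the constructed sample.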
15. Limiting the size of an XML body
If you're running mod_dav (typically used with Subversion) then you may want to limit the maximum size of an XML request body. The LimitXMLRequestBody directive is only available on Apache 2, and its default value is 1 million bytes (approx. 1MB). Many tutorials will have you set this value to 0, which means files of any size may be uploaded; this may be necessary if you're using WebDAV to upload large files, but if you're simply using it for source control you can probably get away with setting an upper bound, such as 10MB:
LimitXMLRequestBody 10485760
16. Setting limits on concurrency
Apache has several configuration settings that can be used to adjust the handling of concurrent requests. MaxClients is the maximum number of child processes that will be created to serve requests. It may be set too high if your server doesn't have enough memory to handle a large number of concurrent requests.
Other directives such as MaxSpareServers, MaxRequestsPerChild, and on Apache 2 ThreadsPerChild, ServerLimit, and MaxSpareThreads are important to adjust to match your operating system and hardware.
17. Restricting access by IP
Place the following inside a Directory or Location block. To allow only a network:
Order Deny,Allow
Deny from all
Allow from 176.16.0.0/16
To allow only the local host:
Order Deny,Allow
Deny from all
Allow from 127.0.0.1
18. Adjusting KeepAlive settings
In general, HTTP keep-alives can improve client performance by as much as 50%, so be careful before changing these settings; turning them down offers only slight denial of service mitigation.
Keep-alives are turned on by default. The related directives are:
MaxKeepAliveRequests, which defaults to 100, and
KeepAliveTimeout, which defaults to 15
Analyze your log files to determine the appropriate values.
19. Run Apache in a chroot environment
chroot allows you to run a program in its own isolated area. This prevents a break-in on one service from being able to affect anything else on the server.
It can be fairly tricky to set this up using chroot due to library dependencies. I mentioned above that the mod_security module has built-in chroot support. It makes the process as simple as adding a mod_security directive to your configuration:
SecChrootDir /chroot/apache