Hardening Apache Web Server Security
Aswin Juari
Knight, Agate Studio
INTRODUCTION
Security aspects
  Application level: XSS, SQL Injection, etc.
  HTTPD service & machine: exposed Apache configuration, DOS/DDOS, etc.
  Etc.
This talk covers security at the server machine level.
SERVER SECURITY
SSH authentication
  Edit the SSH configuration: don't permit root login (PermitRootLogin no)
  Recommended:
    Use private key authentication
    Don't use the default port
Limit database access
  Authentication
  IP whitelist
APACHE CONFIGURATION HARDENING
Update Apache/SSL to the current version whenever an update is available
Hide the Apache version:
ServerSignature Off
ServerTokens Prod
Disable directory listing:
<Directory /var/www/html>
    Options -Indexes
</Directory>
Disable unnecessary modules
Turn off CGI execution
APACHE CONFIGURATION HARDENING
Restrict directory access:
<Directory /var/www/html/Admin>
    # Apache 2.2 syntax: Deny rules are evaluated first, then Allow, so the
    # whitelisted range gets in. (With "Order allow,deny", "Deny from all"
    # would override the Allow and lock everyone out.)
    Order deny,allow
    Deny from all
    Allow from xx.xx.xx.xx/24
</Directory>
Use a non-root user to run httpd:
User apache
Group apache
Limit request size:
<Directory /var/www/html/user_uploads>
    LimitRequestBody 512000
</Directory>
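As an added example that is not part of the deck, a small bash audit script that checks an httpd.conf for the directives from the two slides above (ServerTokens, ServerSignature, Options -Indexes, User, LimitRequestBody) and flags the Order allow,deny plus Deny from all combination, which locks out the whitelisted range as well. The function names and the sample configs it writes are my own constructions.

```bash
#!/usr/bin/env bash
# Added audit helper (not from the deck): greps an httpd.conf for the hardening
# directives the slides list; assumes Apache 2.2-style Order/Allow/Deny syntax.
_has() { printf '%s\n' "$1" | grep -Eiq -- "$2"; }   # $1 = config text, $2 = ERE
_check() { if _has "$1" "$3"; then echo "PASS: $2"; else echo "FAIL: $2"; fi; }
# Print one PASS/FAIL line per check for the config file given as $1.
audit_apache_conf() {
    local c
    c=$(sed 's/#.*//' "$1")   # drop comments so a commented-out directive does not count
    _check "$c" "ServerTokens Prod (hide version)"        '^[[:space:]]*ServerTokens[[:space:]]+Prod'
    _check "$c" "ServerSignature Off"                     '^[[:space:]]*ServerSignature[[:space:]]+Off'
    _check "$c" "Options -Indexes (no directory listing)" '^[[:space:]]*Options[[:space:]].*-Indexes'
    _check "$c" "LimitRequestBody set"                    '^[[:space:]]*LimitRequestBody[[:space:]]+[0-9]+'
    _check "$c" "httpd runs as a non-root user"           '^[[:space:]]*User[[:space:]]+(apache|www-data|httpd)'
    # With "Order allow,deny", a "Deny from all" overrides every Allow and locks out the whitelisted range too.
    if _has "$c" '^[[:space:]]*Order[[:space:]]+allow,[[:space:]]*deny' && _has "$c" '^[[:space:]]*Deny[[:space:]]+from[[:space:]]+all'
    then echo "FAIL: Order allow,deny combined with Deny from all (use Order deny,allow)"
    else echo "PASS: Order/Deny combination"
    fi
}
# Number of FAIL lines for the config file given as $1 (0 means every check passed).
audit_failures() { audit_apache_conf "$1" | grep -c '^FAIL' || true; }
# Write a constructed sample config to $1: "weak" (stock defaults plus the mis-ordered Allow/Deny block) or "hardened".
write_sample_conf() {
    if [ "$2" = weak ]; then cat > "$1" <<'EOF'
ServerTokens OS
ServerSignature On
<Directory /var/www/html>
    Options Indexes
    Order allow, deny
    Allow from 10.0.0.0/24
    Deny from all
</Directory>
EOF
    else cat > "$1" <<'EOF'
ServerTokens Prod
ServerSignature Off
User apache
<Directory /var/www/html>
    Options -Indexes
    LimitRequestBody 512000
    Order deny,allow
    Deny from all
    Allow from 10.0.0.0/24
</Directory>
EOF
    fi
}
```

Run it against a real config with `audit_apache_conf /etc/httpd/conf/httpd.conf`; the sample configs exist only to show a failing and a passing run.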
APACHE CONFIGURATION HARDENING
Mod_security
  Can inspect every request received by your website
  Can help prevent SQL injection
  Returns a 406 error if a user requests a URL such as
  http://www.webapp.com/login.php?username=admin'">DROP%20TABLE%20users--
However:
  There is additional load on the server
  The configuration must be done manually
APACHE CONFIGURATION HARDENING
Mod_evasive blocks an IP when:
  The same page is requested many times per second
  Any child process is trying to make more than 50 concurrent requests
  Any IP keeps trying to make new requests while it is temporarily blacklisted
Prevents DOS attacks
Enable Apache logging
  Error log / access log
OTHER TOOLS
Fail2Ban
Fail2ban scans log files (e.g. /var/log/apache/error_log) and bans IPs that show malicious signs: too many password failures, probing for exploits, etc.
Features:
  Runs as a daemon
  Can use various methods to block an attack:
    Iptables
    TCP wrappers (/etc/hosts.deny)
  Can handle more than one service: ssh, apache
  Can send email notifications
  Can ban an IP permanently or for a limited time
FURTHER READING
http://silverdire.com/2013/08/12/haproxy-fail2ban/
http://systembash.com/content/how-to-stop-an-apache-ddos-attack-with-mod_evasive/
http://www.fail2ban.org/wiki/index.php/Main_Page
http://www.tecmint.com/apache-security-tips/