Securing and Hardening an Apache Web Server | Lucideus Research

The Apache HTTP server is one of the most widely used free and open-source cross-platform web servers. According to Netcraft's February 2018 Web Server Survey, Apache continues to be the leading web server, serving an estimated 42.7% of all active websites (about twice the share of its closest competitor, nginx).

Being the most widespread web server technology also makes it one of the most frequently attacked services. The CVE database lists around 205 vulnerabilities against the Apache HTTP server. Apache nevertheless has a good security record and a large developer community working on it, but it is inevitable that problems, critical or minor, will be found in any software after its release. It is therefore important to lock down a number of controls to secure and harden your Apache HTTP server installation and protect your applications, the underlying server and, most of all, the data from falling into the wrong hands.

Here, we list out some of the controls and ways to harden your Apache installation:

This guide assumes you have installed the Apache HTTP server on a Linux platform (CentOS 7).

Take a backup of the existing configuration file(s) before making any modifications.

1. It's Good to be Updated
It is always recommended to run the latest available Apache release so that you have the patches for all known vulnerabilities. Keep in mind that CentOS ships security fixes as backports: the version reported by httpd -v stays at 2.4.6 even after fixes are applied, so judge the patch level by the package release number reported by yum/rpm rather than by the upstream version string.

To check the version of existing Apache installation:
# httpd -v


Now, to update the apache to the latest version:
# yum update httpd -y

We are already on the latest build of Apache, which is a good sign.

2. Hide Server Banner (Version and Operating System)
This is considered the very first step in hardening your Apache installation after installing the latest release. In the default configuration, the Apache server reveals its current version and the underlying operating system. Here, we can see the Apache version and the operating system in the Server response header.


This tells an attacker exactly which version of Apache the server is running, so they can look up version-specific vulnerabilities and their exploits. Hiding the banner is cheap, but it only removes the obvious hint; the server can still be fingerprinted by its behaviour, so this is no substitute for patching. We can turn the banner off by adding two lines to the Apache configuration.

Add the following two lines at the end of the Apache configuration file (here /etc/httpd/conf/httpd.conf) and save. ServerTokens Prod reduces the Server header to just "Apache"; ServerSignature Off removes the version footer from server-generated pages such as error pages and directory listings.

ServerSignature Off
ServerTokens Prod

After editing the file, restart the apache service:
# service httpd restart

Verify by checking the response headers again. The Server header now only shows that the server is running Apache, without the version or the OS.


3. Turn off Directory Listing
By default, Apache lists the files in a directory when a directory inside the DocumentRoot is requested and it contains no index file (on CentOS 7 this is because the default <Directory "/var/www/html"> block sets Options Indexes FollowSymLinks). This lets anyone, including an attacker, view all the files inside that directory and in nested directories as well.


This can be disabled by modifying the Apache configuration file as follows:

Locate the <Directory> block for the DocumentRoot folder, here <Directory "/var/www/html">, and add the following line before the closing </Directory> tag. A later Options -Indexes in the same block removes Indexes from the earlier Options list, so deleting Indexes from the existing Options Indexes FollowSymLinks line is equivalent; with the default AllowOverride None, a .htaccess file cannot re-enable it.

Options -Indexes

Restart the apache service and check in the browser; a directory without an index file now returns 403 Forbidden instead of a listing.
# service httpd restart
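Added example, not code from the original post: an awk-based check that finds every <Directory> block in an httpd configuration file whose effective Options still include Indexes, following the rules httpd itself applies inside a block (an Options list without + or - replaces earlier values, while +/- forms merge into them). The configuration it runs against here is a constructed sample modelled on the CentOS 7 default for /var/www/html; on a real host point it at /etc/httpd/conf/httpd.conf and at each file in /etc/httpd/conf.d/.

```shell
#!/bin/sh
# audit_indexes CONF
# Print every <Directory> block in CONF whose effective Options still include
# Indexes (directory listing). The two Options forms are applied the way httpd
# applies them inside one block:
#   Options Indexes FollowSymLinks   absolute list, replaces what was set before
#   Options -Indexes / +Indexes      merged into the current value
# Inheritance from parent blocks and .htaccess overrides are not modelled.
audit_indexes() {
    awk '
        tolower($0) ~ /^[[:space:]]*<directory[[:space:]>]/ {
            dir = $0
            sub(/^[[:space:]]*<[^[:space:]>]*[[:space:]]*"?/, "", dir)   # strip "<Directory "
            sub(/"?[[:space:]]*>.*$/, "", dir)                          # strip trailing ">"
            indexes = 0; seen = 0
        }
        tolower($1) == "options" {
            seen = 1
            if ($2 !~ /^[+-]/) indexes = 0            # absolute form: start from nothing
            for (i = 2; i <= NF; i++) {
                w = tolower($i)
                if (w == "indexes" || w == "+indexes" || w == "all" || w == "+all") indexes = 1
                else if (w == "-indexes" || w == "-all" || w == "none") indexes = 0
            }
        }
        tolower($0) ~ /^[[:space:]]*<\/directory>/ { if (seen && indexes) print dir }
    ' "$1"
}

# Constructed sample httpd.conf fragment (not taken from a real server): the
# CentOS 7 default for the DocumentRoot, a block hardened the way the text
# shows, and a block that enables listing again through "All".
SAMPLE_CONF=$(mktemp)
cat > "$SAMPLE_CONF" <<'EOF'
<Directory />
    AllowOverride none
    Require all denied
</Directory>

<Directory "/var/www/html">
    Options Indexes FollowSymLinks
    AllowOverride None
    Require all granted
</Directory>

<Directory "/var/www/private">
    Options Indexes FollowSymLinks
    Options -Indexes
</Directory>

<Directory "/var/www/uploads">
    Options All
</Directory>
EOF

audit_indexes "$SAMPLE_CONF"
# /var/www/html
# /var/www/uploads
```

Run it before and after the change; the DocumentRoot block should disappear from the output once Indexes is removed, and any other block it still reports is a place where listing remains on.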


4. Disable the TRACE HTTP Method
By default, Apache allows the TRACE HTTP method. TRACE echoes the full HTTP request back in the response body; it exists for debugging and should be turned off in a production environment. With TRACE enabled, an attacker can potentially steal cookie information through cross-site tracing (XST), in which a script coaxes the victim's browser into sending a TRACE request and reads the echoed Cookie and Authorization headers from the response. Modern browsers refuse to send TRACE from scripts, so the practical risk is low, but disabling it costs nothing.


As you can see, the TRACE method is enabled and echoes our request back in the response body. To disable it, add the following directive to the Apache configuration file and restart the apache service; Apache then answers TRACE requests with 405 Method Not Allowed:

TraceEnable off


Alternatively, mod_rewrite can reject TRACE (and TRACK, its IIS counterpart) requests with a 403 Forbidden. The [F] flag does not redirect anything; it refuses the request outright. Note that RewriteRule directives in the main server context are not inherited by virtual hosts unless those carry RewriteOptions Inherit, so TraceEnable off is the simpler and more reliable choice:

RewriteEngine On
RewriteCond %{REQUEST_METHOD} ^(TRACE|TRACK)
RewriteRule .* - [F]


5. Prevent Clickjacking
Clickjacking is a well-known web attack in which the attacker loads the target page in a transparent frame layered over a decoy page they control. The victim thinks they are clicking a button or link on the visible decoy page, but the click lands on the invisible framed page underneath, so the attacker hijacks the user's clicks to perform actions or steal information in the user's session. It can be prevented by having Apache send an X-Frame-Options header on every page it serves, by modifying the Apache configuration file as follows.

Add the following line to the Apache configuration file (this needs mod_headers, which CentOS 7 loads by default), save and restart the apache service:

Header always append X-Frame-Options SAMEORIGIN

Note that append merges the value with any X-Frame-Options header the application already sends, giving a comma-separated value that browsers may not honour; if your application sets the header itself, use Header always set to overwrite it instead.


Notice the new X-Frame-Options header sent by the server with the value SAMEORIGIN. This allows the web pages to be framed only by pages from the same origin and nowhere else. Change the value to DENY to forbid framing of the pages altogether.

6. Cookies with HttpOnly and Secure Flag Set
Many XSS attacks end in the theft of cookies. Preventing XSS itself has to be done at the application level, but you can stop injected scripts from reading cookies at the server level by setting the HttpOnly and Secure flags on every cookie your server sends. HttpOnly stops JavaScript (document.cookie) from reading the cookie, so it only travels inside HTTP requests; Secure stops the browser from sending it over plain HTTP.

Set the HttpOnly and Secure flags on all cookies by adding the following line to the apache configuration, then save and restart the server. Two caveats: Secure only makes sense when the site is served over HTTPS, because browsers will not keep a Secure cookie that was set over plain HTTP; and Header edit acts on the default onsuccess header table only, so repeat the line as Header always edit to also cover cookies on error and redirect responses that end up in the always table.

Header edit Set-Cookie ^(.*)$ $1;HttpOnly;Secure


7. XSS Filtering with the X-XSS-Protection Header
The X-XSS-Protection header controls the reflected-XSS filter built into some browsers (IE 8 and above, Chrome and Safari); with the value 1; mode=block the browser refuses to render a page in which it detects a reflected XSS payload. Firefox never implemented the filter and Chrome and Edge have since removed theirs, so treat this header as defence in depth rather than as a fix for XSS, which must still be addressed in the application.

You can set the X-XSS-Protection header by adding the following line in the apache configuration.

Header set X-XSS-Protection "1; mode=block"


Save the file, restart the server and verify that the header appears in the response.
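To verify sections 2, 4, 5, 6 and 7 in one go, here is an added example (not code from the original post): a POSIX shell function that reads one raw HTTP response as curl -si prints it, parses the status line and headers with awk, and reports a Server header that still carries a version or OS, a TRACE request answered with 200, a missing or unusual X-Frame-Options, any Set-Cookie without HttpOnly or Secure, and a missing X-XSS-Protection. The four responses it runs against are constructed samples, and probe is an assumed helper for pointing it at a live host.

```shell
#!/bin/sh
# audit_response FILE [METHOD]
# FILE holds one raw HTTP response (status line, then headers, as written by
# `curl -si`). METHOD is the request method that produced it (default GET).
# Prints one finding per line; returns 1 if any FAIL was found, 0 otherwise.
audit_response() {
    awk -v method="${2:-GET}" '
        NR == 1 { status = $2; next }            # "HTTP/1.1 200 OK" -> "200"
        /^[[:space:]]*$/ { exit }                 # blank line: headers are over, skip the body
        {
            name = tolower($1); sub(/:$/, "", name)
            value = $0; sub(/^[^:]*:[[:space:]]*/, "", value); sub(/\r$/, "", value)
            seen[name] = 1
            # Section 2: ServerTokens Prod leaves just "Apache"; a version or "(OS)" means it is not set
            if (name == "server" && value ~ /\/[0-9]|\(.*\)/) {
                print "FAIL Server header leaks version or platform: " value; fails++
            }
            # Section 5: only SAMEORIGIN and DENY are meaningful values
            if (name == "x-frame-options" && toupper(value) != "SAMEORIGIN" && toupper(value) != "DENY") {
                print "FAIL X-Frame-Options is neither SAMEORIGIN nor DENY: " value; fails++
            }
            # Section 6: every cookie must carry both flags
            if (name == "set-cookie") {
                if (tolower(value) !~ /;[[:space:]]*httponly/) { print "FAIL cookie without HttpOnly: " value; fails++ }
                if (tolower(value) !~ /;[[:space:]]*secure/)   { print "FAIL cookie without Secure: " value; fails++ }
            }
            # Section 7: legacy browser filter; report it but do not fail on it
            if (name == "x-xss-protection" && value !~ /^1;[[:space:]]*mode=block$/)
                print "WARN X-XSS-Protection is not \"1; mode=block\": " value
        }
        END {
            if (method == "TRACE") {
                # Section 4: TraceEnable off answers 405, the rewrite rule answers 403
                if (status == "200") { print "FAIL TRACE is enabled (got 200; expect 405 or 403)"; fails++ }
            } else {
                if (!seen["x-frame-options"]) { print "FAIL X-Frame-Options header missing"; fails++ }
                if (!seen["x-xss-protection"]) print "WARN X-XSS-Protection header missing"
            }
            exit (fails > 0)
        }
    ' "$1"
}

# probe URL [METHOD]: fetch a live response with curl and audit it (needs network; not run here).
probe() {
    tmp=$(mktemp)
    curl -s -i -X "${2:-GET}" "$1" > "$tmp"   # -i: status line and headers before the body
    audit_response "$tmp" "${2:-GET}"; rc=$?
    rm -f "$tmp"; return $rc
}

# Constructed sample responses (not captured from a real host).
HARDENED=$(mktemp); DEFAULT=$(mktemp); TRACE_ON=$(mktemp); TRACE_OFF=$(mktemp)
cat > "$HARDENED" <<'EOF'
HTTP/1.1 200 OK
Server: Apache
X-Frame-Options: SAMEORIGIN
Set-Cookie: session=0123456789abcdef; Path=/;HttpOnly;Secure
X-XSS-Protection: 1; mode=block
Content-Type: text/html; charset=UTF-8
EOF
cat > "$DEFAULT" <<'EOF'
HTTP/1.1 200 OK
Server: Apache/2.4.6 (CentOS)
Set-Cookie: session=0123456789abcdef; Path=/
Content-Type: text/html; charset=UTF-8
EOF
cat > "$TRACE_ON" <<'EOF'
HTTP/1.1 200 OK
Content-Type: message/http

TRACE / HTTP/1.1
Host: www.example.com
Cookie: session=0123456789abcdef
EOF
cat > "$TRACE_OFF" <<'EOF'
HTTP/1.1 405 Method Not Allowed
Allow: GET,HEAD,POST,OPTIONS
Content-Type: text/html; charset=iso-8859-1
EOF

audit_response "$DEFAULT" || echo "default configuration: audit failed with status $?"
audit_response "$TRACE_ON" TRACE || echo "TRACE still enabled: audit failed with status $?"
audit_response "$HARDENED" && echo "hardened response: no findings"
```

Against a live host the same checks run as probe http://host/ and probe http://host/ TRACE; the non-zero exit status makes it usable as a gate in a deployment script, and the samples above show the expected output for the default and the hardened configuration.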


These were the seven most important controls you should apply to your apache installation without having to install any additional modules or third-party utilities. There are many more server-hardening measures you can add, depending on how exposed your web server is and the kind of applications you intend to host on it.
These may include:
Installing an SSL/TLS certificate on your Apache server and serving the site over HTTPS.

Installing the mod_security module and configuring rules to block SQL injection, detect malware, mitigate DoS attacks, log extensively, etc.
Installing and configuring the mod_evasive module to protect against DoS and DDoS attacks by limiting the request rate and blacklisting IPs based on their traffic.

1 comment:

  1. WOHO! Great findings. This requires so many years of research guys. really!
