Skip to main content

Apache Web Server Hardening - Points To Check


 


Web Server hardening is one of the very important steps which are required to be taken so that the website will be less vulnerable to attacks. In brief, below are few points to consider. 


  • Run Apache httpd server as a new Linux user other than the default user apache. 
  • Hide server signature (apache version disclosure) so that in case of runtime errors, apache version will not be disclosed to the users. Each apache version may have specific vulnerabilities which the attacker may target if he comes to know about the sever version.

  • Hide php version. Each php version may have specific vulnerabilities which the attacker may target if he comes to know about the php version.

  • Directory listing needs to be disabled. This will make sure that the contents of the website folder located on the hard disk will not be visible to the users. The user should be able to view only the file which he clicks in the web browser.

  • Apache configuration file includes many modules. It may not be required to activate all the modules. Disable the modules which are not required.

  • Disable access to directories of the website to which users are not authorized to access.

  • Apache by default follows symlinks. It is required to turn off this feature.

  • Turn off server side includes and CGI execution if not required by the website.

  • By default, apache has no limit on http request size. This may lead to Denial Of Service attacks on the website. It is required to limit this size.

  • Optional step but website owners may add SSL certificate i.e. access to website using https protocol only.

  • Install mod security and mod evasive security modules. Both these modules are free and open source and are very good tools as far as security of the website is concerned. OWASP (Open Web Application Security Project) provides core security rules set for mod security which are also required to be added to mod security installation. Brute Force, SQL Injection, Distributed Denial Of Service (DDOS) etc.. attacks are prevented to a great extent by both these modules.

  • By default, Apache configuration support OPTIONS, GET, HEAD, POST, PUT, DELETE, TRACE, CONNECT method in HTTP 1.1 protocol. HTTP OPTIONS such as PUT, DELETE, TRACE and CONNECT have potential risk. It is advisable to disable these HTTP OPTIONS if not necessary.

  • TRACE method is by default enabled in Apache Httpd Server. If this method is enabled an attacker can exploit it with Cross Site Tracing attack. It is advisable to disable the TRACE request on Apache server.

  • If HTTP Only and Secure flags are not set for session cookie, it is possible to steal session cookies with Cross Site Scripting attacks. It is necessary to set these flags for session cookies.

  • Clickjacking is a well-known web application vulnerability. To defence Clickjacking attack on Apache web server, use X-FRAME-OPTIONS to avoid website being loaded in i-frame.

  • Cross Site Scripting Protection (X-XSS Protection) need to be applied for the web application if it is disabled in the user browser.

  • HTTP 1.0 has security weakness related to session hijacking and directory traversal. Disable HTTP 1.0 by using mod_rewrite module.

  • By default Apache timed-out value is 300 seconds, this can lead to attacks like Slow Loris attack and Denial Of Service attack on the server. The value may be lowered to 60 sec.

  • Use prepared statements, parameterized queries with MYSQLi extension while developing SQL statements for the websites. This will minimize SQL Injection attacks.
Labels:

Comments

Post a Comment

Popular posts from this blog

Evolution X2.1 ROM on Samsung Galaxy Y Duos GT-S6102

I was searching for a custom ROM for Samsung Galaxy Y Duos GT-S6102 on internet and I found one on XDA Developers forums. The name of the ROM is Evolution X 2.1 ROM . The ROM Thread is present on XDA Developers forum. The installation process is pretty simple. I did not face any issues during the installation. I have made a walkthrough video of this ROM after I finished with the installation. The ROM gives really nice look and feel to the phone. I liked it.   Below are the features mentioned by the developer of this ROM on XDA Developer Forum thread:-   Rooted,Deodexed,zipaligned etc.. Based on DDLG1 firmware MIUI music player Highly minimalistic. Scrolling cache is disabled for smoother scrolling. Lidroid 15 toggles. 6 lockscreens swipe to remove notification Modded touchwiz launcher with *5 icon dock *Transparent 4x4 app drawer *List view *fly-in animation Ics style task switcher Bootanimation,boot ...
10 comments
Read more

N8XT ROM XXLT9 for Galaxy Note GT-N7000 With White UI , Samsung Tablet Feel and Note 8.0 Apps

New ROM for Galaxy Note GT-N7000 in town !!! Developer named "xperiacle"  (XDA Developers) has developed N8XT rom for Galaxy Note GT-N7000 and its available on XDA Developer Forums. Three cheers to him for such a brilliant work. I have never seen such a nice rom for N7000 till date. Do check his thread below..... http://forum.xda-developers.com/showthread.php?t=2366175 I am sharing few screenshots from my mobile here. I have also prepared a review video. Please find the same below.... Below are the list of features mentioned by xperiacle on XDA Developer Forums Thread.... XXLT9 deodex, zipaligned, rooted with busybox Optimized for just ONE UI - NO switching UI/DPI Mostly Note 8 apps Floating Windows using stock multiwindow bar as launcher 4-Layout Multiwindows selectable on the notification panel The most awesome Skip Track mod with ability to choose what the volume buttons do (next, play/pause, previous, s...
8 comments
Read more

Android 4.2.2 on Galaxy Note GT-N7000 - Touchwiz UI look and feel for AOSP / CyanogenMod based Stock / Custom ROMS

I am running AOSP/CM10.1 Android 4.2.2 based custom rom on my Galaxy Note GT-N7000. Note is rooted with ClockWorkMod Recovery installed. I wanted to have look and feel of TouchWiz UI on the rom. I started searching on internet for the same. Even though I am not fond of TouchWiz framework (due to heavy resource consumption), I do like the graphics provided by TouchWiz. I tried to find out ways to give such look and feel to my Note. After googling, I found out the following steps :- 1) Install CM10.1 TouchWiz 5.0 Theme I found out this theme on Play Store. The CM10.1 TouchWiz Free Theme can be downloaded using the below link, https://play.google.com/store/apps/details?id=com.thomassafca.theme.touchwiz.five.free Below is the makeover of the System UI after installing this theme. Looks coooool !!! 2) Install Galaxy S4 Launcher , Weather Widget and Wallpapers   I found out the Galaxy S4 Launcher and Weather Widget Port on XDA Developer Forums. Even the wallpa...
2 comments
Read more