October 29, 2008

5 basic Apache security tips

Here are just few things to keep in mind when setting up Apache and undergoing a quick security audit.

1. Turn off TRACE or TRACK Methods on Apache

The TRACE and TRACK methods are debugging methods used to troubleshoot web server connections. A server that answers TRACE requests can be abused for a variant of cross-site scripting dubbed XST, for "Cross-Site Tracing" (see http://www.apacheweek.com/issues/03-01-24).

To disable the TRACE and TRACK methods, first make sure that mod_rewrite is enabled, then add

RewriteEngine On
RewriteCond %{REQUEST_METHOD} ^(TRACE|TRACK)
RewriteRule .* - [F]

to your vhost directives.

If you are running Apache 1.3.34, 2.0.55 or 2.2, you can use the TraceEnable directive instead.

2. Disable UserDir

It is very easy for an attacker to guess which local users exist on a given system. When UserDir is enabled (which it is by default), a request to http://IP/~userA makes Apache try to read the web content of /home/userA/public_html (or the equivalent under your home directory layout). When the public_html folder does not exist, Apache returns an error code, which is enough of a hint to the attacker that this user exists.

Valid system usernames can then be used in SSH brute-force attacks, for example.

3. Disable SSL2

When setting up an HTTPS connection, it is important to disable SSL2 and enable SSL3. The reason is that SSL2 suffers from various cryptographic flaws; one possible attack against SSL2 is the well-known man-in-the-middle attack.

4. Hide Apache’s version number

This step is often overlooked and left out. Make sure to give away no more information than necessary about your server configuration, and especially about your Apache version.

Set "ServerSignature Off" and "ServerTokens Prod".

5. Apache’s conf and binaries permissions

Make sure only root has access to Apache's configuration (httpd.conf under /etc/httpd on RedHat/CentOS) and to Apache's binaries.

chown -R root:root /etc/httpd
chmod -R o-rwx /etc/httpd
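As an added example (not part of the original post), here is a small shell script that audits a single httpd.conf offline for tips 1 to 4 above. It assumes one config file (Include'd files are not followed), Apache 2.2 directive names, and that the last occurrence of a directive is the effective one; the sample config at the bottom is constructed.

```shell
#!/bin/sh
# Added example, not from the original post: offline audit of an httpd.conf
# for tips 1-4. Assumes a single config file and Apache 2.2 directive names.

# Print the arguments of the last occurrence of directive $2 in file $1
# (comment lines stripped); prints an empty line when the directive is absent.
directive_value() {
    sed 's/#.*//' "$1" | awk -v d="$2" '
        tolower($1) == tolower(d) { $1 = ""; sub(/^[ \t]+/, ""); v = $0 }
        END { print v }'
}

# Succeed if an SSLProtocol value excludes SSLv2: either "-SSLv2" is present, or
# the list is explicit (no bare "all") and never names SSLv2. Absent means "all".
sslv2_excluded() {
    case "$1" in *-SSLv2*) return 0 ;; "") return 1 ;; esac
    echo "$1" | grep -qiE '(^|[[:space:]])(all|\+?SSLv2)([[:space:]]|$)' && return 1
    return 0
}

# Print one finding per line; return the number of findings (0 = nothing to fix).
audit_conf() {
    n=0
    # Tip 1: TraceEnable defaults to On, so only an explicit Off passes.
    directive_value "$1" TraceEnable | grep -qi '^off$' \
        || { echo "TRACE/TRACK allowed: set 'TraceEnable Off'"; n=$((n+1)); }
    # Tip 2: only a bare 'UserDir disabled' stops /~user probing for everyone.
    directive_value "$1" UserDir | grep -qi '^disabled$' \
        || { echo "UserDir active: set 'UserDir disabled'"; n=$((n+1)); }
    # Tip 3: SSLv2 must be excluded from SSLProtocol.
    sslv2_excluded "$(directive_value "$1" SSLProtocol)" \
        || { echo "SSLv2 permitted: set 'SSLProtocol all -SSLv2'"; n=$((n+1)); }
    # Tip 4: ServerTokens Prod and ServerSignature Off hide the version string.
    directive_value "$1" ServerTokens | grep -qi '^prod' \
        || { echo "Version in Server header: set 'ServerTokens Prod'"; n=$((n+1)); }
    directive_value "$1" ServerSignature | grep -qi '^off$' \
        || { echo "Version in error pages: set 'ServerSignature Off'"; n=$((n+1)); }
    return $n
}

# Constructed sample config: passes tips 2 and 3, fails tip 1 (no TraceEnable)
# and both halves of tip 4.
SAMPLE_CONF=$(mktemp)
cat > "$SAMPLE_CONF" <<'EOF'
# ServerTokens OS leaks the product and OS, e.g. "Apache/2.2.x (Unix)"
ServerTokens OS
ServerSignature On
UserDir disabled
SSLProtocol all -SSLv2
EOF
if audit_conf "$SAMPLE_CONF"; then echo "no findings"; else echo "findings: $?"; fi
```

Run it against a real config with `audit_conf /etc/httpd/conf/httpd.conf`; the exit status is the number of settings still to fix.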