Apache Web Server Hardening and Security in Red Hat Enterprise Linux

Posted: 15 Dec 2017 in SERVER

In this tutorial we will learn how to configure web server security in Red Hat Enterprise Linux. It is intended for anyone running a Linux machine: whenever you operate a dedicated server or a VPS with a Linux OS installed, you must know how to secure your Apache web server against attacks. We will cover how to disable directory listing, disable the server signature, run Apache under the right user and group, make sure the Apache version information is hidden, block specific IP addresses or networks, disable the banner, and disable the TRACE HTTP method. These measures protect a web server from a number of common attacks, but they do not make it 100% secure; they only raise the level of security.

STEP 1: Install and configure the Apache web server.
STEP 2: Go back to the Apache configuration file /etc/httpd/conf/httpd.conf and add a Directory block that requires Basic authentication:
<Directory "/var/www/html">
AuthName "Private"
AuthType Basic
AuthUserFile /var/www/html/.htpasswd
require valid-user
</Directory>


STEP 3: Create a user for Apache authentication. The -c option creates the password file (use it only for the first user, because it overwrites an existing file); -m stores the password as an MD5 hash.

# htpasswd -c /var/www/html/.htpasswd satish

# htpasswd -m /var/www/html/.htpasswd satish

Disable Directory Listing

If you don't have an index.html under your website directory, the client will see all files and sub-directories listed in the browser (like the output of ls -l).

Solution:

To disable directory browsing, set the Options directive to either "None" or "-Indexes":

<Directory /var/www/html/>
Options -Indexes
</Directory>

Or

<Directory />
Options None
Order allow,deny
Allow from all
</Directory>

or

<Directory />
Options -Indexes
Order allow,deny
Allow from all
</Directory>

Restrict Access to a Specific Network or IP

If you want your site to be viewed only from a specific IP address or network, modify the site's Directory block in httpd.conf, the main Apache configuration file. In this way you can allow only trusted clients and block any specific IP address or network you find suspicious.

Solution:

Give the network address in the Allow directive.

<Directory /var/www/html/linuxtiwary>
Order deny,allow
Deny from all
Allow from .linuxtiwary.com
Allow from 192.168.0.0/24
</Directory>


Give the IP address in the Allow directive.

<Directory /yourwebsite>
Order deny,allow
Deny from all
Allow from 10.20.1.56
</Directory>

 

Disable Signature

We disable the Apache server signature so that the server does not reveal or leak information about itself. With ServerSignature On, Apache appends a line containing the server version number and the ServerName of the serving virtual host to the pages it generates itself (error pages, directory listings).

Solution:

It is good to disable the signature, as you may not wish to reveal the Apache version you are running.

ServerSignature Off


Disable Banner

Now I am going to show you how to disable the banner, which reveals the server header information. The ServerTokens directive controls whether the Server response header field sent back to clients includes a description of the generic OS type of the server as well as information about compiled-in modules.

Solution: open the Apache configuration file /etc/httpd/conf/httpd.conf and set the directive as shown below.

ServerTokens Prod

Run as a Separate User & Group

By default, Apache is configured to run as nobody or daemon. Don't set User (or Group) to root unless you know exactly what you are doing and what the dangers are.

Solution:

It is good to run Apache under its own non-root account. Modify the User and Group directives in the httpd.conf of your Apache web server:

User apache
Group apache

Disable Trace HTTP Request

TraceEnable on allows a Cross Site Tracing (XST) issue, potentially giving an attacker the option to steal your cookie information.

Solution:

Address this security issue by disabling the TRACE HTTP method in the Apache configuration. You can do this by modifying or adding the directive below in the httpd.conf of your Apache web server.

By default the TRACE method is enabled in the Apache web server. Having it enabled can allow a Cross Site Tracing attack and potentially gives an attacker an option to steal cookie information. Let's see how it looks in the default configuration.

  • Telnet to the web server IP on its listening port, before hardening.

[root@localhost ~]# telnet 192.168.0.103 80
Trying 192.168.0.103...
Connected to 192.168.0.103 (192.168.0.103).
Escape character is '^]'.
^]
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>501 Method Not Implemented</title>
</head><body>
<h1>Method Not Implemented</h1>
<p>^] to /index.html not supported.<br />
</p>
<hr>
<address>Apache/2.2.3 (Red Hat) Server at bogus_host_without_reverse_dns Port 80</address>
</body></html>
Connection closed by foreign host.
[root@localhost ~]#

 

  • Telnet to the web server IP on its listening port, after hardening.

[root@localhost ~]# telnet 192.168.0.103 80
Trying 192.168.0.103...
Connected to 192.168.0.103 (192.168.0.103).
Escape character is '^]'.
^]
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>401 Authorization Required</title>
</head><body>
<h1>Authorization Required</h1>
<p>This server could not verify that you
are authorized to access the document
requested. Either you supplied the wrong
credentials (e.g., bad password), or your
browser doesn't understand how to supply
the credentials required.</p>
<hr>
<address>Apache/2.2.3 (Red Hat) Server at localhost.localdomain Port 80</address>
</body></html>
Connection closed by foreign host.
[root@localhost ~]#

Disable TRACK and TRACE in the Apache web server:

TraceEnable off

Test it using the command below:

curl -v -X TRACE http://www.ccnalinux.com
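To make the curl test above repeatable, the following is an added example (not part of the original post) that classifies the raw response to a TRACE request. With TraceEnable off, Apache answers 405 Method Not Allowed; with TraceEnable on, it answers 200 and echoes the request back, headers included, which is exactly what a cross-site tracing attack reads. Both responses below are constructed samples, not captures from a real server, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example: check whether a web server blocks the TRACE method,
# based on the status line of its raw HTTP response.

# Print the numeric status code from the first line of a raw HTTP response.
http_status() {
    awk 'NR == 1 && $1 ~ /^HTTP\// { print $2; exit }'
}

# Read a raw response on stdin. Return 0 when TRACE is blocked (405 from
# TraceEnable off, 403 from an access rule, 501 when not implemented),
# 1 when the server reflects the request, 2 when the input is not HTTP.
trace_blocked() {
    code=$(http_status)
    case "$code" in
        403|405|501) return 0 ;;
        200)         return 1 ;;
        *)           return 2 ;;
    esac
}

# Constructed sample: what a server with TraceEnable on sends back. The
# request, including its Cookie header, is mirrored in the body.
TRACE_ON='HTTP/1.1 200 OK
Content-Type: message/http

TRACE / HTTP/1.1
Host: www.example.com
Cookie: session=CONSTRUCTED-SAMPLE'

# Constructed sample: the same request against a server with TraceEnable off.
TRACE_OFF='HTTP/1.1 405 Method Not Allowed
Allow: GET,HEAD,POST,OPTIONS
Content-Type: text/html; charset=iso-8859-1

<html><body><h1>Method Not Allowed</h1></body></html>'

for name in TRACE_ON TRACE_OFF; do
    eval "body=\$$name"
    if printf '%s\n' "$body" | trace_blocked; then
        echo "$name: TRACE blocked"
    else
        echo "$name: TRACE reflected or unexpected response (code $?)"
    fi
done
```

Against a live server the same check is `curl -s -i -X TRACE http://www.ccnalinux.com/ | trace_blocked`, since `curl -i` prints the status line and headers that the function inspects.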

 

Limit Request Size

 

The first question that comes to mind is why we use this and what its benefits are.

The LimitRequestBody Apache directive limits the number of bytes allowed in a request body.

Note: by default LimitRequestBody is unlimited, which can make you a victim of a denial of service (DoS) attack.

The value of this directive can be set from 0 (unlimited) to 2147483647 (2 GB).

For example, to allow file uploads of up to 100 KB to the /var/www/html/linuxtiwary directory, add the lines below to the Apache web server configuration file:

<Directory "/var/www/html/linuxtiwary">
LimitRequestBody 102400
</Directory>
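The settings from the sections above (directory listing, server signature, banner, non-root User and Group, TraceEnable, LimitRequestBody) can be verified in one pass. The script below is an added example, not code from the original post: it audits an httpd.conf-style file for those directives and also flags an AuthUserFile placed under DocumentRoot, as in STEP 2, because a password file inside the web tree is served like any other file unless access to it is denied (the stock RHEL httpd.conf denies .ht* files, but a custom configuration may not). The two sample configurations are constructed inline so the script runs without Apache installed; the function names are hypothetical.

```shell
#!/bin/sh
# Added example: audit an Apache configuration for the hardening directives
# discussed in this post. Apache applies the last occurrence of a directive,
# so that is the value each check looks at.

# Print the effective value of a directive: last occurrence wins, comment
# lines are skipped, surrounding quotes are removed.
last_value() {   # $1 = config file, $2 = directive name
    awk -v d="$2" '
        $1 !~ /^#/ && tolower($1) == tolower(d) { v = $2 }
        END { gsub(/"/, "", v); print v }' "$1"
}

# Print PASS/FAIL for one check; the remaining arguments are a test
# expression such as [ "$x" = "y" ]. Counts failures in $fails.
report() {
    label="$1"; shift
    if "$@"; then echo "PASS $label"; else echo "FAIL $label"; fails=$((fails + 1)); fi
}

# Run all checks on a config file; return the number of failed checks.
audit_httpd_conf() {   # $1 = config file
    conf="$1"; fails=0
    tokens=$(last_value "$conf" ServerTokens | tr 'A-Z' 'a-z')
    report "ServerTokens Prod"    [ "$tokens" = "prod" ]
    sig=$(last_value "$conf" ServerSignature | tr 'A-Z' 'a-z')
    report "ServerSignature Off"  [ "$sig" = "off" ]
    # TraceEnable defaults to on, so a missing directive is a failure as well.
    trace=$(last_value "$conf" TraceEnable | tr 'A-Z' 'a-z')
    report "TraceEnable off"      [ "$trace" = "off" ]
    user=$(last_value "$conf" User); group=$(last_value "$conf" Group)
    report "non-root User"        [ -n "$user" -a "$user" != "root" ]
    report "non-root Group"       [ -n "$group" -a "$group" != "root" ]
    # Any Options line that switches Indexes on (bare or +Indexes) enables listing.
    idx=$(awk '$1 !~ /^#/ && tolower($1) == "options" {
                   for (i = 2; i <= NF; i++) if ($i == "Indexes" || $i == "+Indexes") n++ }
               END { print n + 0 }' "$conf")
    report "no Indexes option"    [ "$idx" -eq 0 ]
    limit=$(last_value "$conf" LimitRequestBody)
    report "LimitRequestBody set" [ "${limit:-0}" -gt 0 ]
    # A password file below DocumentRoot lives inside the served tree.
    docroot=$(last_value "$conf" DocumentRoot); authfile=$(last_value "$conf" AuthUserFile)
    ok=1
    if [ -n "$docroot" ] && [ -n "$authfile" ]; then
        case "$authfile" in "$docroot"/*) ok=0 ;; esac
    fi
    report "AuthUserFile outside DocumentRoot" [ "$ok" -eq 1 ]
    return "$fails"
}

# Constructed sample 1: defaults left in place plus the STEP 2 auth block.
WEAK_CONF=$(mktemp); HARD_CONF=$(mktemp)
trap 'rm -f "$WEAK_CONF" "$HARD_CONF"' EXIT
cat > "$WEAK_CONF" <<'EOF'
ServerTokens OS
ServerSignature On
User apache
Group apache
TraceEnable on
DocumentRoot "/var/www/html"
<Directory "/var/www/html">
    Options Indexes FollowSymLinks
    AuthType Basic
    AuthUserFile /var/www/html/.htpasswd
    require valid-user
</Directory>
EOF
# Constructed sample 2: the same site with every measure from this post applied.
cat > "$HARD_CONF" <<'EOF'
ServerTokens Prod
ServerSignature Off
TraceEnable off
User apache
Group apache
DocumentRoot "/var/www/html"
<Directory "/var/www/html">
    Options -Indexes
    AuthType Basic
    AuthName "Private"
    AuthUserFile /etc/httpd/conf/.htpasswd
    require valid-user
    LimitRequestBody 102400
</Directory>
EOF

for c in "$WEAK_CONF" "$HARD_CONF"; do
    echo "== $c"
    audit_httpd_conf "$c"
    echo "failed checks: $?"
done
```

On a real system run `audit_httpd_conf /etc/httpd/conf/httpd.conf`; directives set in files under conf.d/ are not followed by this simple reader, so include them explicitly, and confirm the syntax with `httpd -t` after any change.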

 

Enable Logging in the Apache Web Server

As we know, if we run the Apache web server (or any web server) on a Linux machine, the log files are very helpful for getting more information about the events that occur on the server.

Run the command below to verify that the logging module Apache depends on is loaded:

# httpd -M | grep log_config_module

 

 

Keep the Apache Web Server Up to Date

To keep your server safe and secure you must keep Apache up to date.

To update the Apache web server to the latest available version, execute the following command:

# yum -y update httpd

 

Apache Security with SELinux

Allow CGI scripts to be executed through the web server:

# setsebool -P httpd_enable_cgi 1

Allow the web server to access users' home directories:

# setsebool -P httpd_enable_homedirs 1

Label a user's public_html directory so that the web server may serve it:

# chcon -R -t httpd_sys_content_t ~user/public_html

If the directory /mnt is going to be used as the web server DocumentRoot:

# chcon -R -u system_u /mnt
# chcon -R -t httpd_sys_content_t /mnt
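The chcon commands above change the labels on the files only; a relabel (for example after `touch /.autorelabel` or a `restorecon` run) resets them to what the policy records. The script below is an added example, not from the original post, that applies the same SELinux settings in a persistent form: `semanage fcontext -a` records the labeling rule and `restorecon` applies it, and `setsebool -P` is skipped when the boolean is already on. With DRY_RUN=1 (the default here) the commands are printed instead of executed, so the example runs on a machine without SELinux tooling; the function names and the /home/user path are assumptions. RHEL's policy also provides the httpd_user_content_t type for content in home directories; the default below keeps the post's httpd_sys_content_t.

```shell
#!/bin/sh
# Added example: persistent SELinux setup for Apache content. Commands are
# printed when DRY_RUN=1 and executed otherwise.

# Execute a command, or print it when running in dry-run mode.
run() {
    if [ "${DRY_RUN:-0}" = "1" ]; then echo "$*"; else "$@"; fi
}

# Turn on an SELinux boolean persistently (-P), unless it is already on.
enable_bool() {   # $1 = boolean name
    if [ "${DRY_RUN:-0}" != "1" ] && getsebool "$1" 2>/dev/null | grep -q ' on$'; then
        echo "$1 already on"
        return 0
    fi
    run setsebool -P "$1" 1
}

# Record a file-context rule for a directory tree and apply it.
label_web_content() {   # $1 = directory, $2 = SELinux type (default httpd_sys_content_t)
    dir="$1"; type="${2:-httpd_sys_content_t}"
    run semanage fcontext -a -t "$type" "$dir(/.*)?"
    run restorecon -Rv "$dir"
}

# The cases from the post: CGI scripts, home directories, and /mnt as DocumentRoot.
selinux_web_plan() {
    enable_bool httpd_enable_cgi
    enable_bool httpd_enable_homedirs
    label_web_content /home/user/public_html   # assumed path for ~user/public_html
    label_web_content /mnt
}

: "${DRY_RUN:=1}"   # print only, unless the caller sets DRY_RUN=0
selinux_web_plan
```

Run it with `DRY_RUN=0` as root on the target host to apply the changes; `semanage` comes from the policycoreutils-python package on RHEL.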

Limiting Resources and Rejecting DoS Attacks

Limit the number of server processes in httpd.conf:

StartServers 8
ServerLimit 256
MaxClients 256

Secure the Apache Web Server through the Firewall

By default the HTTP and HTTPS ports are blocked by the firewall.
To allow ports 80 (HTTP) and 443 (HTTPS), add the following iptables rules:

-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 80 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 443 -j ACCEPT

Comments
  1. This is really interesting, You're an extremely skilled blogger. I've joined your feed and look forward to seeking more of your wonderful post. Also, I've distributed your website in my internet sites!

  2. Thanks for the tutorial

    Regards
    Sandeep
    http://www.ttlbits.com

