Apache Web Server Hardening and Security in Red Hat Enterprise Linux

Posted: December 15, 2017 in SERVER

In this tutorial we will learn how to harden the Apache web server (the httpd package) on Red Hat Enterprise Linux. Anyone who runs a dedicated server or a VPS with a Linux OS on it should know how to secure the Apache web server against common attacks. We will cover: protecting a directory with Basic authentication, disabling directory listing, restricting access to an IP address or network, disabling the server signature and the server banner, running httpd under its own user and group, and disabling the TRACE HTTP method. The output below was captured on Apache 2.2.3, the httpd build shipped with RHEL 5; the Order/Allow/Deny directives shown are Apache 2.2 syntax, and Apache 2.4 (RHEL 7 and later) uses Require instead.


STEP 1: Install and configure the Apache web server (yum install httpd), start it and make sure the site works before you start hardening it.

STEP 2: Protect the document root with Basic authentication. Open the Apache configuration file /etc/httpd/conf/httpd.conf (or a drop-in file under /etc/httpd/conf.d/) and add:

<Directory "/var/www/html">
AuthType Basic
AuthName "Private"
AuthUserFile /etc/httpd/.htpasswd
require valid-user
</Directory>

Keep the password file outside DocumentRoot. Placing it at /var/www/html/.htpasswd, as is often done, only stays private because the stock RHEL httpd.conf denies access to files whose names start with .ht; a path such as /etc/httpd/.htpasswd does not depend on that rule and cannot be downloaded by a misconfiguration. Basic authentication sends the username and password base64-encoded, not encrypted, so use it only over HTTPS.

STEP 3: Create the user for Apache authentication.

Create the password file together with the first user. The -c flag creates the file and truncates it if it already exists, so use it only once:

# htpasswd -c -m /etc/httpd/.htpasswd satish

To change that user's password later, or to add another user, run htpasswd again without -c:

# htpasswd -m /etc/httpd/.htpasswd satish

-m stores a salted MD5 (apr1) hash, the format recommended for Apache 2.2; on Apache 2.4.4 and later prefer -B for bcrypt. Make the file readable by the apache account only (chown root:apache, chmod 640), check the configuration with httpd -t and reload httpd.
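Putting STEPS 1 to 3 together, here is a small shell script (an added example, not part of the original post) that writes the authentication block as a drop-in under /etc/httpd/conf.d/, refuses a password file that lies inside DocumentRoot, and creates the password file with htpasswd. The drop-in name auth.conf, the path /etc/httpd/.htpasswd and the user satish are assumptions; the apply argument runs it for real on the server.

```shell
#!/bin/sh
# Added example (not from the original post): Basic authentication for the
# document root with the password file kept outside DocumentRoot. The paths,
# the conf.d drop-in name and the user name are assumptions for illustration.

DOCROOT=/var/www/html
PASSWD=/etc/httpd/.htpasswd     # outside DocumentRoot, so it can never be served

# Return 0 when password file $2 is not inside document root $1.
passwd_outside_docroot() {
    case "$2" in
        "$1"|"$1"/*) return 1 ;;
        *)           return 0 ;;
    esac
}

# Write the <Directory> block as a drop-in $1/auth.conf for docroot $2,
# using password file $3. "Require valid-user" is valid on Apache 2.2 and 2.4.
write_auth_conf() {
    cat > "$1/auth.conf" <<EOF
<Directory "$2">
    AuthType Basic
    AuthName "Private"
    AuthUserFile $3
    Require valid-user
</Directory>
EOF
}

# Add (or update) user $2 in password file $1. -c only on first creation,
# because it truncates an existing file; -m stores apr1 MD5 hashes, the
# format recommended for httpd 2.2 (use -B for bcrypt on httpd 2.4.4+).
add_user() {
    if [ -f "$1" ]; then
        htpasswd -m "$1" "$2"
    else
        htpasswd -m -c "$1" "$2"
    fi
    chown root:apache "$1"      # httpd (running as apache) needs read access only
    chmod 640 "$1"
}

# Apply on the server as root: sh setup_auth.sh apply
if [ "${1-}" = apply ]; then
    passwd_outside_docroot "$DOCROOT" "$PASSWD" ||
        { echo "refusing: $PASSWD lies under $DOCROOT" >&2; exit 1; }
    write_auth_conf /etc/httpd/conf.d "$DOCROOT" "$PASSWD"
    add_user "$PASSWD" satish
    httpd -t && service httpd reload
fi
```

Run it as root with sh setup_auth.sh apply; without the argument it only defines the functions, so the generated block can be inspected on another machine first. On RHEL 7 and later replace service httpd reload with systemctl reload httpd.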

Disable Directory Listing

If there is no index.html (or another DirectoryIndex file) in a website directory, the client sees every file and sub-directory listed in the browser (like the output of ls -l), which reveals the layout of your site and any file you forgot to remove.

Solution:

To disable directory browsing, set the Options directive for the directory to None, or remove only the Indexes option with -Indexes:

<Directory /your/website/directory>

 Options -Indexes 

</Directory>

Or, for the whole filesystem: the <Directory /> block is the default that every other <Directory> inherits, so -Indexes here covers every site on the server. Note that Options None also removes FollowSymLinks, Includes and ExecCGI, which is why -Indexes is usually the safer edit, and that Allow from all on <Directory /> grants access to any filesystem path an Alias or DocumentRoot points at; keeping access denied there and allowing it only in the per-site blocks is tighter.

<Directory />
Options None
Order allow,deny
Allow from all
</Directory>

or

<Directory />
Options -Indexes
Order allow,deny
Allow from all
</Directory>

Check the syntax with httpd -t and reload httpd afterwards. On Apache 2.4 the Order and Allow lines become Require all granted; the stock <Directory /> on RHEL 7 uses Require all denied and should be left that way, with -Indexes placed in the per-site <Directory> instead.

Restrict Access to a Specific Network or IP

If you want a site to be reachable only from a specific IP address or network, edit the site's <Directory> block in httpd.conf, the main Apache configuration file. The same directives let you allow or block a specific address or network you find suspicious.

Solution:

Give the network in CIDR notation in the Allow directive (use the network address, 192.168.0.0/24, rather than a host address with a /24 suffix):

<Directory /yourwebsite>
Options None
AllowOverride None
Order deny,allow
Deny from all
Allow from 192.168.0.0/24
</Directory>


Give a single IP address in the Allow directive:

<Directory /yourwebsite>
Options None
AllowOverride None
Order deny,allow
Deny from all
Allow from 10.20.1.56
</Directory>

Order deny,allow means the Deny rules are evaluated first and the Allow rules override them, so everyone is denied except the listed address. To block one suspicious address while allowing everyone else, reverse the logic: Order allow,deny, Allow from all, Deny from 10.20.1.56. On Apache 2.4 (RHEL 7 and later) these three lines become a single Require ip 192.168.0.0/24 or Require ip 10.20.1.56, and a block rule is Require not ip 10.20.1.56 inside a <RequireAll> block together with Require all granted. If httpd sits behind a reverse proxy or load balancer, the client address it sees is the proxy's, so these rules would match the proxy rather than the visitor; filter at the proxy, or use mod_remoteip on Apache 2.4.

 

Disable Signature

Disable the Apache server signature so that error pages and directory listings stop revealing information about the server. With ServerSignature On, Apache appends a footer line containing the server version and the ServerName of the serving virtual host, for example Apache/2.2.3 (Red Hat) Server at localhost.localdomain Port 80.

Solution:

It is good practice to disable the signature, as you do not want to reveal the Apache version you are running. Set this in /etc/httpd/conf/httpd.conf:

ServerSignature Off


Disable Banner

Now I am going to show you how to disable the banner, i.e. the Server response header, which reveals server information. The ServerTokens directive controls whether the Server header sent back to clients includes a description of the generic OS type of the server and information about compiled-in modules. The RHEL default is ServerTokens OS, which sends Apache/2.2.3 (Red Hat); with ServerTokens Prod the header is reduced to Apache.

Solution: open the Apache configuration file /etc/httpd/conf/httpd.conf and set the directive as shown below. This only hides the version string from the header; it does not fix anything, so keep httpd updated with yum regardless.

ServerTokens Prod

Run as separate User & Group

Upstream Apache is built to run as the daemon user (older builds used nobody); the RHEL httpd package already ships with User apache and Group apache. Never set User or Group to root unless you know exactly what you are doing and what the dangers are: a flaw in a CGI script or module would then run with full root privileges.

Solution:

Run Apache under its own unprivileged account. Check or set the User and Group directives in httpd.conf of your Apache web server. The parent process still starts as root so it can bind port 80, and then drops to this account for the worker processes that handle requests.

User apache
Group apache
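To check that the settings from the sections above (directory listing, ServerSignature, ServerTokens, User and Group, plus TraceEnable from the next section) are actually in effect, here is a small audit script. It is an added example and not from the original post; the two configs it reads are constructed samples, one in the out-of-the-box state and one with the settings applied, and the defaults it assumes when a directive is missing are Apache's documented ones.

```shell
#!/bin/sh
# Added example (not from the original post): audit an httpd.conf for the
# settings covered in this post and print one line per weak setting. The two
# configs below are constructed samples; on RHEL the real file is
# /etc/httpd/conf/httpd.conf, and drop-ins live in /etc/httpd/conf.d/.

lower() { printf '%s' "$1" | tr 'A-Z' 'a-z'; }

# Effective value of directive $1 in file $2. Apache directives are
# case-insensitive and the last occurrence wins; commented lines are skipped
# because they do not start with the directive name. Empty output if unset.
directive() {
    grep -i "^[[:space:]]*$1[[:space:]]" "$2" | tail -n 1 |
        sed 's/^[[:space:]]*[A-Za-z]*[[:space:]]*//; s/[[:space:]]*$//' | tr -d '\r'
}

# Print one finding per weak setting in $1. Defaults when a directive is
# unset: ServerTokens Full, ServerSignature Off, TraceEnable On.
audit_httpd_conf() {
    conf=$1
    v=$(directive ServerTokens "$conf")
    [ "$(lower "$v")" = prod ] ||
        echo "ServerTokens is '${v:-unset, defaults to Full}'; want Prod"
    v=$(directive ServerSignature "$conf")
    case "$(lower "$v")" in
        ""|off) ;;
        *) echo "ServerSignature is '$v'; want Off" ;;
    esac
    v=$(directive TraceEnable "$conf")
    [ "$(lower "$v")" = off ] ||
        echo "TraceEnable is '${v:-unset, defaults to On}'; want Off"
    for d in User Group; do
        v=$(directive "$d" "$conf")
        case "$v" in
            ""|root) echo "$d is '${v:-unset}'; want a dedicated unprivileged account" ;;
        esac
    done
    # Any Options line that turns Indexes on ("Indexes" or "+Indexes");
    # "-Indexes" is preceded by "-" and therefore does not match.
    grep -i '^[[:space:]]*Options[[:space:]]' "$conf" |
        grep -iE '(^|[[:space:]]|\+)indexes' |
        sed 's/^[[:space:]]*/directory listing enabled: /'
    return 0
}

# Number of findings for a config (0 means every checked setting is hardened).
finding_count() { audit_httpd_conf "$1" | wc -l | tr -d ' '; }

# Constructed sample: an out-of-the-box style httpd.conf excerpt.
WEAK_CONF=${TMPDIR:-/tmp}/httpd-weak.$$.conf
cat > "$WEAK_CONF" <<'EOF'
ServerTokens OS
ServerSignature On
User apache
Group apache
<Directory "/var/www/html">
    Options Indexes FollowSymLinks
    AllowOverride None
</Directory>
EOF

# Constructed sample: the same excerpt with the settings from this post applied.
HARD_CONF=${TMPDIR:-/tmp}/httpd-hard.$$.conf
cat > "$HARD_CONF" <<'EOF'
ServerTokens Prod
ServerSignature Off
TraceEnable off
User apache
Group apache
<Directory "/var/www/html">
    Options -Indexes
    AllowOverride None
</Directory>
EOF
trap 'rm -f "$WEAK_CONF" "$HARD_CONF"' EXIT

for f in "$WEAK_CONF" "$HARD_CONF"; do
    echo "== $f: $(finding_count "$f") finding(s)"
    audit_httpd_conf "$f"
done
```

Point audit_httpd_conf at the real /etc/httpd/conf/httpd.conf to check a server; because drop-ins in /etc/httpd/conf.d/ are read after the main file, run it over each of them as well, since a later file can override what the main file sets.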

Disable Trace HTTP Request

TraceEnable On allows cross-site tracing (XST): a TRACE request makes the server echo the complete request back to the client, including any Cookie or Authorization header, which gives an attacker who can issue a cross-site TRACE a way to read cookie information that the browser would otherwise not expose to scripts.

Solution:

Address this security issue by disabling the TRACE HTTP method in the Apache configuration. You can do this by modifying or adding the directive shown at the end of this section in the httpd.conf of your Apache web server.

The TRACE method is enabled by default in Apache (TraceEnable On). Let us see what the server shows in the default configuration.

Note on the two telnet sessions below: they do not actually send a TRACE request. The ^] seen in each session is the telnet escape character typed at the prompt, which Apache reads as an unknown method and rejects with 501 Method Not Implemented (first session). The second session was recorded with the Basic authentication from STEP 2 in place, which is why it answers 401 Authorization Required before any method is examined. Both responses still end with the Apache/2.2.3 (Red Hat) footer line, so ServerSignature was still On when they were captured. To test TRACE itself, type TRACE / HTTP/1.1, then Host: followed by the server name, then an empty line; with TraceEnable off Apache answers 405 Method Not Allowed instead of echoing the request back.

  • Telnet to the web server IP and listening port before hardening:

[root@localhost ~]# telnet 192.168.0.103 80
Trying 192.168.0.103...
Connected to 192.168.0.103 (192.168.0.103).
Escape character is '^]'.
^]
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>501 Method Not Implemented</title>
</head><body>
<h1>Method Not Implemented</h1>
<p>^] to /index.html not supported.<br />
</p>
<hr>
<address>Apache/2.2.3 (Red Hat) Server at bogus_host_without_reverse_dns Port 80</address>
</body></html>
Connection closed by foreign host.
[root@localhost ~]#

  • Telnet to the web server IP and listening port after hardening:

[root@localhost ~]# telnet 192.168.0.103 80
Trying 192.168.0.103...
Connected to 192.168.0.103 (192.168.0.103).
Escape character is '^]'.
^]
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>401 Authorization Required</title>
</head><body>
<h1>Authorization Required</h1>
<p>This server could not verify that you
are authorized to access the document
requested. Either you supplied the wrong
credentials (e.g., bad password), or your
browser doesn't understand how to supply
the credentials required.</p>
<hr>
<address>Apache/2.2.3 (Red Hat) Server at localhost.localdomain Port 80</address>
</body></html>
Connection closed by foreign host.
[root@localhost ~]#

Add the directive to httpd.conf (it is a server-wide directive, so it goes outside any <Directory> block), check the syntax with httpd -t and reload httpd:

TraceEnable off
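A telnet session sends whatever is typed, so a script is a more reliable way to check the method. The following shell script (an added example, not code from the original post) builds the raw TRACE request with CRLF line endings, reads the status code out of the reply, and explains it; the two sample replies inside it are constructed to show what a server with TraceEnable on and off returns. The host 192.168.0.103 and the nc (netcat) command are assumptions, and nc is only used in the live check.

```shell
#!/bin/sh
# Added example (not from the original post): build a raw TRACE request,
# send it with nc, and read the status code back. Hostnames, ports and the
# two sample responses below are constructed for illustration.

# Emit the raw TRACE request for host $1 and path $2 (CRLF line endings,
# as HTTP requires).
trace_request() {
    printf 'TRACE %s HTTP/1.1\r\nHost: %s\r\nConnection: close\r\n\r\n' "$2" "$1"
}

# Read an HTTP response on stdin and print only the numeric status code.
http_status() {
    sed -n '1s/^HTTP\/[0-9.]* \([0-9][0-9][0-9]\).*/\1/p' | tr -d '\r'
}

# Turn a status code into a verdict.
trace_verdict() {
    case "$1" in
        200)     echo "TRACE enabled (request echoed back) - cross-site tracing possible" ;;
        405)     echo "TRACE refused with 405 - TraceEnable off is in effect" ;;
        403|501) echo "TRACE refused with $1 - blocked by another rule or not implemented" ;;
        *)       echo "unexpected status: $1" ;;
    esac
}

# Live check against a real server (needs nc). Example: check_trace 192.168.0.103 80
check_trace() {
    trace_request "$1" / | nc -w 5 "$1" "${2:-80}" | http_status
}

# Constructed sample response from a server with TraceEnable on: Apache
# answers 200 with Content-Type message/http and echoes the request, so any
# Cookie header the client sent would appear in the body.
SAMPLE_TRACE_ON='HTTP/1.1 200 OK
Content-Type: message/http

TRACE / HTTP/1.1
Host: 192.168.0.103
Connection: close
'

# Constructed sample response from a server with TraceEnable off.
SAMPLE_TRACE_OFF='HTTP/1.1 405 Method Not Allowed
Allow: GET,HEAD,POST,OPTIONS
Content-Length: 0
'

demo() {
    for sample in "$SAMPLE_TRACE_ON" "$SAMPLE_TRACE_OFF"; do
        code=$(printf '%s' "$sample" | http_status)
        trace_verdict "$code"
    done
}

demo
```

Against a live server, trace_verdict "$(check_trace 192.168.0.103 80)" should report the 405 line once TraceEnable off has been loaded; a 200 means the directive is not in effect yet, for example because httpd was not reloaded or a later drop-in sets TraceEnable On again.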



Comments
  1. Thanks for the tutorial

    Regards
    Sandeep
    http://www.ttlbits.com
