In this tutorial we will learn how to configure web security in Red Hat Enterprise Linux. It is for everyone using a Linux machine: whenever you run a dedicated server or a VPS with a Linux OS installed, you must know how to secure your Apache web server against common attacks. We will cover how to disable directory listing, disable the server signature, run Apache under the right user and group, make sure Apache server information is not exposed, block certain IP addresses or networks, disable the banner and disable the TRACE HTTP request. These measures protect a web server from a number of common attacks, but they do not make it 100% secure; they only raise the level of security.
STEP 1: Install and configure the Apache web server.
STEP 2: Go to the Apache configuration file /etc/httpd/conf/httpd.conf and add a password-protected directory block:
<Directory "/var/www/html">
AuthName "Private"
AuthType Basic
AuthUserFile /var/www/html/.htpasswd
require valid-user
</Directory>
STEP 3: Create a user for Apache authentication. The -c option creates the password file (use it only when adding the first user); -m stores the password as an MD5 hash.
# htpasswd -c /var/www/html/.htpasswd satish
# htpasswd -m /var/www/html/.htpasswd satish
Disable Directory Listing
If you don't have an index.html under your website directory, the client will see all files and sub-directories listed in the browser (like ls -l output).
Solution:
To disable directory browsing, either set the Options directive to "None" or add "-Indexes":
<Directory /var/www/html/>
Options -Indexes
</Directory>
Or
<Directory />
Options None
Order allow,deny
Allow from all
</Directory>
or
<Directory />
Options -Indexes
Order allow,deny
Allow from all
</Directory>
Restrict Access to a Specific Network or IP
If you wish your site to be viewed only from a specific IP address or network, modify your site's Directory block in httpd.conf, the main Apache configuration file. In the same way you can allow or block a specific IP address or network you find suspicious.
Solution:
Give the network address in the Allow directive:
<Directory /var/www/html/linuxtiwary>
Order deny,allow
Deny from all
Allow from .linuxtiwary.com
Allow from 192.168.0.0/24
</Directory>
Give the IP address in the Allow directive:
<Directory /yourwebsite>
Order deny,allow
Deny from all
Allow from 10.20.1.56
</Directory>
Disable Signature
We have to disable the Apache server signature to stop our server revealing or leaking information. The On setting adds a line with the server version number and the ServerName of the serving virtual host to server-generated pages such as error pages.
Solution:
It's good to disable the signature, as you may not wish to reveal which Apache version you are running.
ServerSignature Off
Disable Banner
Now I am going to show you how to disable the banner, which reveals server header information. The ServerTokens directive controls whether the Server response header field sent back to clients includes a description of the generic OS type of the server and information about compiled-in modules.
Solution: open the Apache configuration file /etc/httpd/conf/httpd.conf and set the directive as shown below.
ServerTokens Prod
Run as separate User & Group
By default, Apache is configured to run as nobody or daemon. Don't set User (or Group) to root unless you know exactly what you are doing and what the dangers are.
Solution:
It is good to run Apache under its own non-root account. Modify the User and Group directives in the httpd.conf of your Apache web server:
User apache
Group apache
Disable Trace HTTP Request
TraceEnable on allows a Cross Site Tracing issue, potentially giving a hacker the option to steal your cookie information.
Solution:
Address this issue by disabling the TRACE HTTP method in the Apache configuration: modify or add the directive below in the httpd.conf of your Apache web server.
By default the TRACE method is enabled in the Apache web server. Let's first see how the server answers in the default configuration.
- Telnet to the web server IP on its listening port before hardening:
[root@localhost ~]# telnet 192.168.0.103 80
Trying 192.168.0.103...
Connected to 192.168.0.103 (192.168.0.103).
Escape character is '^]'.
^]
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>501 Method Not Implemented</title>
</head><body>
<h1>Method Not Implemented</h1>
<p>^] to /index.html not supported.<br />
</p>
<hr>
<address>Apache/2.2.3 (Red Hat) Server at bogus_host_without_reverse_dns Port 80</address>
</body></html>
Connection closed by foreign host.
[root@localhost ~]#
- Telnet to the web server IP on its listening port after hardening:
[root@localhost ~]# telnet 192.168.0.103 80
Trying 192.168.0.103...
Connected to 192.168.0.103 (192.168.0.103).
Escape character is '^]'.
^]
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>401 Authorization Required</title>
</head><body>
<h1>Authorization Required</h1>
<p>This server could not verify that you
are authorized to access the document
requested. Either you supplied the wrong
credentials (e.g., bad password), or your
browser doesn't understand how to supply
the credentials required.</p>
<hr>
<address>Apache/2.2.3 (Red Hat) Server at localhost.localdomain Port 80</address>
</body></html>
Connection closed by foreign host.
[root@localhost ~]#
Disable Track and Trace in Apache Web Server
TraceEnable off
Test it using the command below:
curl -v -X TRACE http://www.ccnalinux.com
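The curl command above shows the raw response. The script below is an added example and not part of the original tutorial: it reads the response headers of that TRACE request (from curl, or from stdin) and reports whether TRACE is still answered with 200 and whether the Server header still carries a version string, which is what ServerTokens Prod is meant to remove. check_response and probe_server are hypothetical names; the responses used in the usage note are constructed.

```shell
#!/bin/sh
# Added example (not from the original tutorial): verify TRACE and Server
# header hardening from the response headers of a TRACE request.

# check_response reads raw HTTP response headers on stdin, prints one
# PASS/FAIL/INFO line per check and returns the number of failed checks.
check_response() {
    raw=$(tr -d '\r')      # strip CRs so line-based tools match cleanly
    fails=0
    # Status line looks like: HTTP/1.1 405 Method Not Allowed
    status=$(printf '%s\n' "$raw" | head -n 1 | awk '{print $2}')
    # Server header value, e.g. "Apache" (Prod) or "Apache/2.2.3 (Red Hat)" (OS)
    server=$(printf '%s\n' "$raw" | grep -i '^Server:' | head -n 1 | cut -d' ' -f2-)

    case "$status" in
        200) echo "FAIL: TRACE answered with 200 (TraceEnable is still on)"
             fails=$((fails + 1)) ;;
        405) echo "PASS: TRACE rejected with 405" ;;
        *)   echo "INFO: TRACE answered with status '$status'" ;;
    esac

    case "$server" in
        */*|*\(*) echo "FAIL: Server header leaks version or OS details: $server"
                  fails=$((fails + 1)) ;;
        "")       echo "INFO: no Server header seen" ;;
        *)        echo "PASS: Server header is minimal: $server" ;;
    esac
    return "$fails"
}

# probe_server URL: send a TRACE request and check the headers.
# -D - writes the response headers to stdout, -o /dev/null drops the body.
probe_server() {
    curl -s -o /dev/null -D - -X TRACE "$1" | check_response
}

# Usage: sh check_trace.sh http://www.ccnalinux.com
if [ "$#" -gt 0 ]; then
    probe_server "$1"
fi
```

The exit status of probe_server is the number of failed checks, so it can be used directly from a cron job or a post-deployment script. A 403 or 501 is reported as INFO rather than PASS because those can come from other restrictions (a deny rule, a proxy) rather than from TraceEnable off.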
Limit Request Size
The first question that comes to mind is why we use this and what its benefits are.
The LimitRequestBody Apache directive limits the number of bytes allowed in a request body.
Note: By default the LimitRequestBody limit is unlimited, which can make you a victim of a denial of service (DoS) attack.
The value of this directive can be set from 0 (unlimited) to 2147483647 (2GB).
For example, to allow file uploads of up to 100K to the /var/www/html/linuxtiwary directory, add the lines below to the Apache configuration file:
<Directory "/var/www/html/linuxtiwary">
LimitRequestBody 102400
</Directory>
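To check a configuration file against the settings covered so far (directory listing, ServerSignature, ServerTokens, User and Group, TraceEnable and LimitRequestBody) in one pass, here is an added example that is not part of the original tutorial. It only reads the file you pass in and does not follow Include directives, so run it against every file that sets these directives; directive_value, check_is and audit_httpd_conf are hypothetical names, and audit_httpd_conf returns the number of failed checks.

```shell
#!/bin/sh
# Added example (not from the original tutorial): audit an httpd.conf for the
# hardening directives discussed in the tutorial.

# directive_value FILE NAME: print the value of the last occurrence of a
# directive (Apache honours the last one), ignoring comment lines.
directive_value() {
    name=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
    awk -v name="$name" '
        /^[[:space:]]*#/ { next }
        tolower($1) == name { value = $2 }
        END { print value }
    ' "$1"
}

# check_is FILE DIRECTIVE WANTED: PASS when the directive has the wanted
# value (case-insensitive), FAIL (return 1) otherwise.
check_is() {
    got=$(directive_value "$1" "$2" | tr 'A-Z' 'a-z')
    want=$(printf '%s' "$3" | tr 'A-Z' 'a-z')
    if [ "$got" = "$want" ]; then
        echo "PASS: $2 $got"
        return 0
    fi
    echo "FAIL: $2 is '${got:-unset}', expected $3"
    return 1
}

# audit_httpd_conf FILE: run all checks, return the number of failures.
audit_httpd_conf() {
    f=$1
    fails=0
    check_is "$f" ServerSignature Off || fails=$((fails + 1))
    check_is "$f" ServerTokens Prod   || fails=$((fails + 1))
    check_is "$f" TraceEnable Off     || fails=$((fails + 1))

    # Apache must not run as root, and User/Group must be set explicitly.
    for d in User Group; do
        v=$(directive_value "$f" "$d")
        case "$v" in
            root|"") echo "FAIL: $d is '${v:-unset}'"; fails=$((fails + 1)) ;;
            *)       echo "PASS: $d $v" ;;
        esac
    done

    # Any Options line that enables Indexes exposes a directory listing.
    listing=$(awk '
        /^[[:space:]]*#/ { next }
        tolower($1) == "options" {
            for (i = 2; i <= NF; i++)
                if ($i == "Indexes" || $i == "+Indexes") n++
        }
        END { print n + 0 }
    ' "$f")
    if [ "$listing" -gt 0 ]; then
        echo "FAIL: $listing Options line(s) enable Indexes"
        fails=$((fails + 1))
    else
        echo "PASS: no Options line enables Indexes"
    fi

    # Unset LimitRequestBody means unlimited request bodies.
    if [ -z "$(directive_value "$f" LimitRequestBody)" ]; then
        echo "INFO: LimitRequestBody not set (unlimited)"
    fi
    return "$fails"
}

# Usage: sh audit_httpd.sh /etc/httpd/conf/httpd.conf
if [ "$#" -gt 0 ]; then
    audit_httpd_conf "$1"
fi
```

On a stock RHEL httpd.conf (ServerTokens OS, ServerSignature On, no TraceEnable line, Options Indexes FollowSymLinks on /var/www/html) the script reports four failures; after the changes described above it reports none.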
Enable Logging in Apache web Server
As we know, if we are using Apache or any other web server on a Linux machine, log files are always very helpful for getting more information about the events that occur on the server.
Run the command below to verify that the Apache logging module (log_config_module) is loaded:
# httpd -M | grep log_config_module
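Once logging is confirmed, the access log is where the earlier measures show up: 405 responses to TRACE requests, 401 responses from the password-protected directory and 413 responses from LimitRequestBody. The script below is an added example and not part of the original tutorial; it summarises an access log in Apache's default "combined" format. The lines produced by sample_log are constructed and all function names are hypothetical.

```shell
#!/bin/sh
# Added example (not from the original tutorial): summarise an Apache access
# log in "combined" format. Field layout per line (awk numbering):
#   $1 client IP, $6 "METHOD (with the opening quote), $9 status code

# sample_log prints constructed log lines standing in for /var/log/httpd/access_log
sample_log() {
    cat <<'EOF'
192.168.0.50 - - [12/Mar/2014:10:01:02 +0530] "GET /index.html HTTP/1.1" 200 1043 "-" "Mozilla/5.0"
198.51.100.7 - - [12/Mar/2014:10:01:10 +0530] "TRACE / HTTP/1.1" 405 312 "-" "curl/7.19.7"
198.51.100.7 - - [12/Mar/2014:10:01:11 +0530] "TRACE /index.html HTTP/1.1" 405 312 "-" "curl/7.19.7"
198.51.100.7 - - [12/Mar/2014:10:02:00 +0530] "GET /linuxtiwary/ HTTP/1.1" 401 480 "-" "curl/7.19.7"
198.51.100.7 - - [12/Mar/2014:10:02:01 +0530] "GET /linuxtiwary/ HTTP/1.1" 401 480 "-" "curl/7.19.7"
198.51.100.7 - - [12/Mar/2014:10:02:02 +0530] "GET /linuxtiwary/ HTTP/1.1" 401 480 "-" "curl/7.19.7"
192.168.0.50 - satish [12/Mar/2014:10:03:00 +0530] "POST /linuxtiwary/upload HTTP/1.1" 413 560 "-" "Mozilla/5.0"
EOF
}

# count_status LOGFILE CODE: number of responses with that status code
count_status() {
    awk -v code="$2" '$9 == code { n++ } END { print n + 0 }' "$1"
}

# trace_clients LOGFILE: client IPs that sent TRACE requests, with counts
trace_clients() {
    awk '$6 == "\"TRACE" { c[$1]++ } END { for (ip in c) print ip, c[ip] }' "$1" | sort
}

# failed_auth_clients LOGFILE MIN: clients with at least MIN 401 responses
failed_auth_clients() {
    awk -v min="$2" '
        $9 == 401 { c[$1]++ }
        END { for (ip in c) if (c[ip] >= min) print ip, c[ip] }
    ' "$1" | sort
}

# log_report LOGFILE: print the summary a quick daily review would want
log_report() {
    f=$1
    echo "401 Authorization Required: $(count_status "$f" 401)"
    echo "405 Method Not Allowed (TRACE rejected): $(count_status "$f" 405)"
    echo "413 Request Entity Too Large (LimitRequestBody): $(count_status "$f" 413)"
    echo "Clients sending TRACE:"
    trace_clients "$f"
    echo "Clients with 3 or more failed logins:"
    failed_auth_clients "$f" 3
}

# Usage: sh log_report.sh /var/log/httpd/access_log
# Without an argument the report runs on the constructed sample.
if [ "$#" -gt 0 ]; then
    log_report "$1"
else
    tmp=$(mktemp)
    sample_log > "$tmp"
    log_report "$tmp"
    rm -f "$tmp"
fi
```

The status codes are matched on field 9, so the script works unchanged on the "common" log format as well; only the referrer and user-agent fields differ, and they are not used.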
Keep Apache Web server up to date
To keep your server safe and secure you must keep Apache up to date.
To update the Apache web server to the latest available version, execute the following command:
# yum -y update httpd
Allow Apache through SELinux
Allow CGI scripts to be executed through the web server:
# setsebool -P httpd_enable_cgi 1
Allow access to users' home directories through the web server:
# setsebool -P httpd_enable_homedirs 1
Label a user's public_html so that the web server may read it:
# chcon -R -t httpd_sys_content_t ~user/public_html
If the directory /mnt is going to be used as the web server DocumentRoot:
# chcon -R -u system_u /mnt
# chcon -R -t httpd_sys_content_t /mnt
Limiting Resources and Rejecting DoS Attacks
Limit the number of server processes in httpd.conf so that a flood of connections cannot exhaust the machine:
StartServers 8
ServerLimit 256
MaxClients 256
Secure the Apache web server through a firewall.
By default the HTTP and HTTPS ports are blocked in the firewall.
To allow ports 80 (HTTP) and 443 (HTTPS), the firewall rules are:
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 80 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 443 -j ACCEPT
Thanks for the tutorial
Regards
Sandeep
http://www.ttlbits.com
This is really interesting, you're an extremely skilled blogger. I've joined your feed and look forward to seeking more of your wonderful post. Also, I've distributed your website in my internet sites!