Apache Security
As everyone knows Apache is the most widely used web server and it has got a 75-25 usage rate when compared to Microsoft IIS. IIS was widely used before Apache and some of the major security flaws made people to rely on Apache which is upfront in terms of Security , flexibility and Reliability. I am trying here to explain some of the Security features which can be incorporated with Apache in order to make Web Server Environment secure Reliable.
I will start with Apache compilation procedure. There are mainly two ways to compile Apache. One is Static method and the next being Dynamic ( DSO support ) method . Compiling Apache statically means you will have to accept whatever modules apache provides you and if you have to add another module you will have to repeat the entire process. The Dynamic compilation method overrides these difficulties. When you compile from source you are in a position to control the whole process. After a successful compilation using Dynamic method you can easily add an additional module ( if you want to ) by using the “apxs” utility. apxs binary will be in different paths depending on the –prefix option you keep while you compile Apache. The usual location would be /usr/local/apache/bin/apxs. For eg if you want to add mod_security to your Apache installation, then you will need to download the source dist, untar it and standing inside the directory you will need to initiate the following command:-
/usr/local/apache/bin/apxs -cia mod_security.c
This will compile the mod_security module to your Apache installation. Later on you can confirm the same by listing the modules compiled in using the “httpd -l” command or you can open the httpd.conf file and search for the LoadModule option for mod_security.
Another important thing is to verify the integrity of the Apache source downloaded. If you are not using standard mirrors there is a good chance for someone to compromise a mirror and replace the genuine archive with a trojaned version. This is definitely going to compromise you webserver anytime. So the following steps have to be followed after downloading the source to verify the integrity of the downloaded source file:-
One basic way to verify the integrity is to compare the MD5 sum of the downloaded file and the sum in the signature file. The following commands will give you a correct idea of the procedure. ( MD5 is an example of a hash function ; i hope everyone should be aware of the word “encryption” ) .
md5sum httpd-2.0.50.tar.gz
wget -O - -q http://www.apache.org/dist/httpd/httpd-2.0.50.tar.gz.md5
The results of the above two commands should match.There is one more method which uses Public Key Cryptography which is a much more advanced method compared to the former ( This method should be used thinking the Apache main dist repo has been compromised ) .
On a security point of view if you have to decide which method is to be used for compiling Apache , then static method would be safe, because static server binary cannot have a precompiled dynamic module Backdoor added to it. Adding a backdoor to a dynamically compiled server is as simple as including a module into the configuration file. To add a backdoor to a statically compiled server, the attacker has to recompile the whole server from scratch.
Selecting Modules to Install
I will advice you to take some time for researching the modules distributed with Apache so that you can correctly identify which modules are needed and which can be safely turned off. I will list some modules which are considered dangerous but some of these we usually enable for convenience:-
mod_userdir - Allows each user to have her own web site area under the ~username alias. This module could be used to discover valid account usernames on the server . An attacker can easily find the users present in the server , because Apache will give a normal 404 error when an invalid file is called.
mod_info - Exposes web server configuration as a web page.
mod_status - Provides real-time information about Apache, also as a web page.
mod_include - Provides simple scripting capabilities known under the name server-side includes (SSI). It is very powerful but often not used.
mod_rewrite - Allows incoming requests to be rewritten into anything of choice.
mod_headers - Allows request and response headers to be manipulated.
mod_setenvif - Allows environment variables to be set conditionally based on the request information.
To get a list of the modules provided by Apache use ./configure –help command. You will see some of the modules disabled and some enabled by default. You can enable it using –enable-module=modulename and disable an enabled one using –disable-module=modulename ( The following ./configure option is for Apache 1.x versions and if it is Apache 2.x use –enable-modulename & –disable-modulename format ) . For eg –enable-module=so &–enable-so ( for Apache 1.x and 2.x respectively ) .
Forcing Apache Listen to another Port
As everyone knows the default Apache port is 80. You can change this port which Apache listens to any port of your desire ( with out any conflicts of course ) using the “Listen” directive. You can also use this option to configure, to which IP address should Apache listen to.
Permission/Ownership of Apache Binary/Files
This is an important thing , that the files/binaries should have root:root ownership. In general all the directories & files except for those in /usr/local/apache/conf/ and /usr/local/apache/logs/ directory should have 755 and 644 permissions respectively. And for the files/folders inside the above two directories should not be having a read permission for “GROUPS” and “OTHERS” . Even though Apache is configured to server any file it can access and this will cause a serious security risk , like a configuration error can accidentally expose all the vital information of our file system. To prevent this , we will have to “Deny” access to the complete filesystem and then allow access to the DocumentRoot only by adding the following “Directory Directive” in to httpd.conf file.
<Directory />
Order Deny,Allow
Deny from all
</Directory>
<Directory /usr/local/apache/htdocs>
Order Allow,Deny
Allow from all
</Directory>
Apache Directives :- Directory , Options , AllowOverrride , LogFormat , CustomLog , ErrorLog etc
Out of the above, the main two Apache Directives are :- “Options” directive and “AllowOverride” directive. The Options directive can use the following values:
All
All options listed below except MultiViews (This is the default setting)
None
None of the options will be enabled.
ExecCGI
Allows execution of CGI scripts.
FollowSymLinks
Allows symbolic links to be followed.
Includes
Allows server-side includes.
IncludesNOEXEC
Allows SSIs but not the exec command, which is used to execute external scripts.(This setting does not affect CGI script execution.)
Indexes
Allows the server to generate the list of files in a directory when a default index file is absent.
MultiViews
Allows content negotiation.
SymLinksIfOwnerMatch
Allows symbolic links to be followed if the owner of the link is the same as the owner of the file it points to
Each of these options can be disabled and enabled using the “-” & “+” signs respectively. For eg if you want to disable “Directory Listing” you can use the following option:-
Options -Indexes
And if you want enable “SymLinksIfOwnerMatch” and disable “FollowSymlinks“you can use the following option:-
Options -FollowSymlinks +SymLinksIfOwnerMatch ( This directive can be used for security purposes particularly when you want don’t want Apache to Follow Sym links blindly and Follow the sym links only if the target and destination belong to the same user.
AllowOverride directive
The AllowOverride directive supports the following options:
AuthConfig
Allows use (in .htaccess files) of the authorization directives
FileInfo
Allows use of the directives controlling document types
Indexes
Allows use of the directives controlling directory indexing
Limit
Allows use of the directives controlling host access
Options
Allows use of the directives controlling specific directory functions
All
Allows all options listed
None
Ignores .htaccess configuration files
In a httpd.conf file we can use the directives of our choice by including them inside a “Directory Directive“. The following is an example for the AllowOverride directive. As an initial security measure we can use the “None” option. So the Directory directives will look like:-
<Directory />
Order Deny,Allow
Deny from all
Options None
AllowOverride None
</Directory>
<Directory /usr/local/apache/htdocs>
Order Allow,Deny
Allow from all
</Directory>
Filed under: Security