Wednesday, May 7, 2008

Securing Apache 1.3

Securing Apache 1.3

Overview

There are many things to keep in mind when trying to secure anything, one of the most important is to make user that the system is usable and secure there is usually a bit of a trade off between security and usability. You could secure Apache by not allowing users to use any sort of scripts or only plain HTML pages but that’s not usually practical.

In this article I am going to go over the basic things to keep in mind on how to secure Apache but I will not go into running it in a jailed root mode. There is however a great article on this over at SecurityFocus.

Installation

Firstly you will need to install Apache if you are using FreeBSD then simply go to your ports directory and run a make install clean

/usr/ports/www/apache13
Or any of the other apache 1.3 ports that you might want to install
Like apache13-modssl or apache13-ssl/
In the case of the SSL apache versions you would install as follows
# make
# make certificate ( this is so you can create a self signed certificate)
# make install





Configuring

All your configuration files are now in /usr/local/etc/apache

This is up to you but I prefer breaking up my apache config.
Also you can neaten it up the Default httpd.conf file has tons of comments in it which might be handy to you are not always necessary.

If you want to split up your Apache config then this is what you can do.

In /usr/local/etc/apache
# mkdir conf
# mkdir conf/vhosts
# cd conf/vhosts
# vi vhosts.conf (you might want to split your http from your https vhosts here too by having a vhosts-ssl.conf file as well. In your vhosts.conf file you can now add your vhosts there is no need for anything else in this file at all other that the VirtualHost Information. This first vhost is the default catch-all domains that are pointed to your server.
Also if you want to change the Log directory make sure that it does exist.
# mkdir /var/log/httpd-logs

ServerName myservename.com
DirectoryIndex index.php index.html
ErrorLog /var/log/httpd-logs/server-default-error.log
CustomLog /var/log/httpd-logs/server-default-access.log combined
DocumentRoot /usr/local/www/data-dist/default
ServerName www.mysite1.com
DirectoryIndex intro.html index.htm index.php index.html
ErrorLog /var/log/http/www.mysite1.com-error-log
CustomLog /var/log/http/www.mysite1.com-access-log combined
DocumentRoot /usr/local/www/data-dist/mysite1/htdocs/
ScriptAlias /cgi-bin/ /usr/local/www/data-dist/mysite1/cgi-bin/
ServerName www.mysite2.com
DirectoryIndex intro.html index.htm index.php index.html
ErrorLog /var/log/http/www.mysite2.com-error-log
CustomLog /var/log/http/www.mysite2.com-access-log combined
DocumentRoot /usr/local/www/data-dist/mysite2/htdocs/
ScriptAlias /cgi-bin/ /usr/local/www/data-dist/mysite2/cgi-bin/
<--- Snip

As you can see I have a Log entries for each Virtual Host as well as a ScriptAlias /cgi-bin/ this gives the individual Virtual Host access to their own cgo-bin directory rather than having one centralized cgi-bin directory

In the main httpd.conf file you need to tell Apache where to find your vhosts.
And while we are doing this we might as well sort some other things out listed in no particular order.

#vi httpd.conf
You will probably want to enable NameVirtualHost

You would also probably want to change these settings

UseCanonicalName Off
ServerSignature Off
HostnameLookups Off

Include /usr/local/etc/apache/conf/vhosts
NameVirtualHost *:80

You an also use mod_rewrite to send suspicious requests elsewhere
RedirectMatch permanent (.*)cmd.exe(.*)$ http://www.sfsfsfsfsfrq.com
RedirectMatch permanent (.*)root.exe(.*)$ http://www.sfsfsfsfsfrq.com
RedirectMatch permanent (.*)\/_vti_bin\/(.*)$ http://www.sfsfsfsfsfrq.com
RedirectMatch permanent (.*)\/scripts\/\.\.(.*)$ http://www.sfsfsfsfsfrq.com
RedirectMatch permanent (.*)\/_mem_bin\/(.*)$ http://www.sfsfsfsfsfrq.com
RedirectMatch permanent (.*)\/msadc\/(.*)$ http://www.sfsfsfsfsfrq.com
RedirectMatch permanent (.*)\/MSADC\/(.*)$ http://www.sfsfsfsfsfrq.com
RedirectMatch permanent (.*)\/c\/winnt\/(.*)$ http://www.sfsfsfsfsfrq.com
RedirectMatch permanent (.*)\/d\/winnt\/(.*)$ http://www.sfsfsfsfsfrq.com
RedirectMatch permanent (.*)\/x90\/(.*)$ http://www.sfsfsfsfsfrq.com
RedirectMatch permanent (.*)SEARCH.x9(.*)$ http://www.sfsfsfsfsfrq.com
RedirectMatch permanent (.*)SEARCH..x9(.*)$ http://www.sfsfsfsfsfrq.com
RedirectMatch permanent (.*)SEARCH...x9(.*)$ http://www.sfsfsfsfsfrq.com
RedirectMatch permanent (.*)SEARCH....x9(.*)$ http://www.sfsfsfsfsfrq.com
RedirectMatch permanent (.*)SEARCH.....x9(.*)$ http://www.sfsfsfsfsfrq.com
RedirectMatch permanent (.*)default\.ida(.*)$ http://www.sfsfsfsfsfrq.com


I am not suggesting that you redirect to a real site, rather point to something that does not exist like http://www.sfsfsfsfsfrq.com for instance. Of course you could redirect it to a real site that it your choice.

Also under DocumentRoot "/usr/local/www/data" add the following lines
If you want to use mod_security

Options FollowSymLinks
AllowOverride None
Include etc/apache/conf/modsecurity.conf
When you add a user make their home directory the path to the vhost
# adduser
Username: mysite1
Full name: My Site 1 Web User
Uid (Leave empty for default):
Login group [mysite1]:
Login group is mysite1. Invite mysite1 into other groups? []:
Login class [default]:
Shell (sh csh tcsh bash nologin) [sh]:
Home directory [/home/mysite1]: /usr/local/www/data-dist/mysite1
Use password-based authentication? [yes]:
Use an empty password? (yes/no) [no]:
Use a random password? (yes/no) [no]:
Enter password:
Enter password again:
Lock out the account after creation? [no]:
Username : mysite1
Password : *****
Full Name : My Site 1 Web User
Uid : 1005
Class :
Groups : mysite1
Home : /usr/local/www/data-dist/mysite1
Shell : /bin/sh
Locked : no

Now that you have the user added.
Change to that directory and add the following 2 directories
# cd /usr/local/www/data-dist/mysite1
# mkdir htdocs
# mkdir htdocs/stats (if you are using something like AWStats this will make life a bit easier
# mkdir cgi-bin
Then chmod and chown appropriately

drwxr-xr-x 2 mysite1 mysite1 512 Jun 12 16:00 cgi-bin
drwxr-xr-x 4 mysite1 mysite1 1024 Jun 13 08:35 htdocs
drwxr-xr-x 2 root wheel 512 Jun 13 11:48 stats (this can also be chown www:www this is to ensure that the user is not able to delete the stats folder

This should get you most of the way through the config

No comments:

Joe's Store