Skip to main content

Securing Apache 1.3

Securing Apache 1.3

Overview

There are many things to keep in mind when trying to secure anything, one of the most important is to make user that the system is usable and secure there is usually a bit of a trade off between security and usability. You could secure Apache by not allowing users to use any sort of scripts or only plain HTML pages but that’s not usually practical.

In this article I am going to go over the basic things to keep in mind on how to secure Apache but I will not go into running it in a jailed root mode. There is however a great article on this over at SecurityFocus.

Installation

Firstly you will need to install Apache if you are using FreeBSD then simply go to your ports directory and run a make install clean

/usr/ports/www/apache13
Or any of the other apache 1.3 ports that you might want to install
Like apache13-modssl or apache13-ssl/
In the case of the SSL apache versions you would install as follows
# make
# make certificate ( this is so you can create a self signed certificate)
# make install





Configuring

All your configuration files are now in /usr/local/etc/apache

This is up to you but I prefer breaking up my apache config.
Also you can neaten it up the Default httpd.conf file has tons of comments in it which might be handy to you are not always necessary.

If you want to split up your Apache config then this is what you can do.

In /usr/local/etc/apache
# mkdir conf
# mkdir conf/vhosts
# cd conf/vhosts
# vi vhosts.conf (you might want to split your http from your https vhosts here too by having a vhosts-ssl.conf file as well. In your vhosts.conf file you can now add your vhosts there is no need for anything else in this file at all other that the VirtualHost Information. This first vhost is the default catch-all domains that are pointed to your server.
Also if you want to change the Log directory make sure that it does exist.
# mkdir /var/log/httpd-logs

ServerName myservename.com
DirectoryIndex index.php index.html
ErrorLog /var/log/httpd-logs/server-default-error.log
CustomLog /var/log/httpd-logs/server-default-access.log combined
DocumentRoot /usr/local/www/data-dist/default
ServerName www.mysite1.com
DirectoryIndex intro.html index.htm index.php index.html
ErrorLog /var/log/http/www.mysite1.com-error-log
CustomLog /var/log/http/www.mysite1.com-access-log combined
DocumentRoot /usr/local/www/data-dist/mysite1/htdocs/
ScriptAlias /cgi-bin/ /usr/local/www/data-dist/mysite1/cgi-bin/
ServerName www.mysite2.com
DirectoryIndex intro.html index.htm index.php index.html
ErrorLog /var/log/http/www.mysite2.com-error-log
CustomLog /var/log/http/www.mysite2.com-access-log combined
DocumentRoot /usr/local/www/data-dist/mysite2/htdocs/
ScriptAlias /cgi-bin/ /usr/local/www/data-dist/mysite2/cgi-bin/
<--- Snip

As you can see I have a Log entries for each Virtual Host as well as a ScriptAlias /cgi-bin/ this gives the individual Virtual Host access to their own cgo-bin directory rather than having one centralized cgi-bin directory

In the main httpd.conf file you need to tell Apache where to find your vhosts.
And while we are doing this we might as well sort some other things out listed in no particular order.

#vi httpd.conf
You will probably want to enable NameVirtualHost

You would also probably want to change these settings

UseCanonicalName Off
ServerSignature Off
HostnameLookups Off

Include /usr/local/etc/apache/conf/vhosts
NameVirtualHost *:80

You an also use mod_rewrite to send suspicious requests elsewhere
RedirectMatch permanent (.*)cmd.exe(.*)$ http://www.sfsfsfsfsfrq.com
RedirectMatch permanent (.*)root.exe(.*)$ http://www.sfsfsfsfsfrq.com
RedirectMatch permanent (.*)\/_vti_bin\/(.*)$ http://www.sfsfsfsfsfrq.com
RedirectMatch permanent (.*)\/scripts\/\.\.(.*)$ http://www.sfsfsfsfsfrq.com
RedirectMatch permanent (.*)\/_mem_bin\/(.*)$ http://www.sfsfsfsfsfrq.com
RedirectMatch permanent (.*)\/msadc\/(.*)$ http://www.sfsfsfsfsfrq.com
RedirectMatch permanent (.*)\/MSADC\/(.*)$ http://www.sfsfsfsfsfrq.com
RedirectMatch permanent (.*)\/c\/winnt\/(.*)$ http://www.sfsfsfsfsfrq.com
RedirectMatch permanent (.*)\/d\/winnt\/(.*)$ http://www.sfsfsfsfsfrq.com
RedirectMatch permanent (.*)\/x90\/(.*)$ http://www.sfsfsfsfsfrq.com
RedirectMatch permanent (.*)SEARCH.x9(.*)$ http://www.sfsfsfsfsfrq.com
RedirectMatch permanent (.*)SEARCH..x9(.*)$ http://www.sfsfsfsfsfrq.com
RedirectMatch permanent (.*)SEARCH...x9(.*)$ http://www.sfsfsfsfsfrq.com
RedirectMatch permanent (.*)SEARCH....x9(.*)$ http://www.sfsfsfsfsfrq.com
RedirectMatch permanent (.*)SEARCH.....x9(.*)$ http://www.sfsfsfsfsfrq.com
RedirectMatch permanent (.*)default\.ida(.*)$ http://www.sfsfsfsfsfrq.com


I am not suggesting that you redirect to a real site, rather point to something that does not exist like http://www.sfsfsfsfsfrq.com for instance. Of course you could redirect it to a real site that it your choice.

Also under DocumentRoot "/usr/local/www/data" add the following lines
If you want to use mod_security

Options FollowSymLinks
AllowOverride None
Include etc/apache/conf/modsecurity.conf
When you add a user make their home directory the path to the vhost
# adduser
Username: mysite1
Full name: My Site 1 Web User
Uid (Leave empty for default):
Login group [mysite1]:
Login group is mysite1. Invite mysite1 into other groups? []:
Login class [default]:
Shell (sh csh tcsh bash nologin) [sh]:
Home directory [/home/mysite1]: /usr/local/www/data-dist/mysite1
Use password-based authentication? [yes]:
Use an empty password? (yes/no) [no]:
Use a random password? (yes/no) [no]:
Enter password:
Enter password again:
Lock out the account after creation? [no]:
Username : mysite1
Password : *****
Full Name : My Site 1 Web User
Uid : 1005
Class :
Groups : mysite1
Home : /usr/local/www/data-dist/mysite1
Shell : /bin/sh
Locked : no

Now that you have the user added.
Change to that directory and add the following 2 directories
# cd /usr/local/www/data-dist/mysite1
# mkdir htdocs
# mkdir htdocs/stats (if you are using something like AWStats this will make life a bit easier
# mkdir cgi-bin
Then chmod and chown appropriately

drwxr-xr-x 2 mysite1 mysite1 512 Jun 12 16:00 cgi-bin
drwxr-xr-x 4 mysite1 mysite1 1024 Jun 13 08:35 htdocs
drwxr-xr-x 2 root wheel 512 Jun 13 11:48 stats (this can also be chown www:www this is to ensure that the user is not able to delete the stats folder

This should get you most of the way through the config

Comments

Popular posts from this blog

Setting up and Installing Rancid on FreeBSD for Cisco Products

Setting up and Installing Rancid on FreeBSD for Cisco Products What is Rancid? Rancid is an application that monitors a devices configuration including software and hardware. The configuration is then stored in a Concurrent Version System or CVS. Most of the time it is used to back up router, switch and firewall configurations, as well as notify you when a configuration has changed, i.e a firewall rule or a routers IP address or access list change. here is an example of the output =================================================================== retrieving revision 1.29 diff -u -4 -r1.29 mpls-jhb-pe1 @@ -288,9 +288,9 @@ ! interface Serial0/0 description Link to Client X bandwidth 2048 - ip address 192.168.1.244 255.255.255.254 + ip address 192.168.1.234 255.255.255.254 ip route-cache flow ip tcp header-compression iphc-format ip tcp compression-connections 256 ! ip ospf message-digest-key 1 md5 the - symbol represents what was removed the + symbol represents what was added The abo...

Tacacs+ Install and Config Guide

Tacacs+ Install and Config Guide What is TACACS As per wikipedia Terminal access controller access control system (TACACS) is a remote authentication protocol that is used to communicate with an authentication server commonly used in UNIX networks. TACACS allows a remote access server to communicate with an authentication server in order to determine if the user has access to the network. Installing Tacacs on FreeBSD This guide is intended to be a basic implementation of TACACS+, so although there are may features I am just going to document what I generally use. Please note that tac_plus is also available from Shrubbery Networks if you would like to install and configure on another platform. You may also want to check out my Rancid How-To Once again its in your ports directory. cd to /usr/ports/net/tac_plus4/ run a "make install clean" Once installed vi /usr/local/etc/rc.d/tac_plus.sh Then Change the following line from NO to YES tac_plus_enable=$ Save the file, then vi /e...

FreeBSD, Postfix, Mailscanner and Mailwatch Installation

Installing postfix, mailscanner and mailwatch on FreeBSD I have setup a number of servers using mailscanner and postfix to do antispam and antivirus checking. This particular example will show you how to set the server up as a mail gateway. i.e. all inbound and outbound mail will go via this server. You can also use the server as a pop3/imap4 server and doing so, does make life a little easier as you don't have to worry about the transport and relay_hosts files. At a later stage I will show that info too..... when I get a chance. This my seem strange but as there is quite a bit involved in installing and configuring I am splitting this into two How-To's this one, The install How-To and the configuration How-To First off its probably best to start on a new install of FreeBSD. Once you have done the initial portsnap fetch and portsnap extract Right here we go. Two things you might want to do is force your NIC to 100MB full duplex and install lsof Type in ifconfig and check if the...