Environment: Apache Webserver
Solution:
- In the absence of an index file, Apache by default lists the contents of the content root directories.
- Directory listing can be turned off with the Options directive in the httpd.conf or apache2.conf configuration file, for any specific directory.
1. Open httpd.conf or apache2.conf and add the following line (inside the <Directory> block of the directory you want to protect):
Options -Indexes
2. Restart the server.
3. Go to the website and request the content root (/var/www/html or /content).
4. You should see the Forbidden error ("You don't have permission to access / on this server.").
How to hide the Apache version and OS identity from errors in Apache HTTP Server
- When you install Apache from source or from a package through an installer like yum, it displays the Apache version and the OS version in error pages.
- It also shows the modules installed in the Apache server.
Steps to follow in RHEL, CentOS, Fedora, Debian and Ubuntu
1. Open the httpd.conf/apache2.conf file for your OS:
# vim /etc/httpd/conf/httpd.conf (RHEL/CentOS/Fedora)
# vim /etc/apache2/apache2.conf (Debian/Ubuntu)
2. Add the following configuration to httpd.conf/apache2.conf and save the file:
ServerSignature Off
ServerTokens Prod
3. Restart the server, and that's it:
# service httpd restart (RHEL/CentOS/Fedora)
# service apache2 restart (Debian/Ubuntu)
How to keep Apache updated regularly
Environment: Apache Webserver
Solution:
1. Check the Apache version with:
# httpd -v
2. Run the appropriate command to update to the latest packaged version:
# yum update httpd (RHEL/CentOS/Fedora)
# apt-get install apache2 (Debian/Ubuntu)
3. That's it! Check the Apache version again after the upgrade with httpd -v.
Disable unnecessary modules
1. Comment out each unnecessary module by inserting # at the beginning of its LoadModule line, so that it is not loaded.
Disable Apache's following of symbolic links
- By default, the Apache web server follows symlinks.
- This feature can be turned off with FollowSymLinks in the Options directive.
- Open the httpd.conf file and add the line below:
Options -FollowSymLinks
- If a particular website needs the FollowSymLinks feature, it can be re-enabled by writing the rule in that website's ".htaccess" file:
# Enable symbolic links
Options +FollowSymLinks
Note: To enable rewrite rules inside an ".htaccess" file, "AllowOverride All" must be present in the main configuration.
Turn off Server Side Includes and CGI execution
Environment: Apache
Solution:
- Steps to turn off server side includes (mod_include) and CGI execution:
- Modify the main configuration file, httpd.conf or apache2.conf.
- This can be applied globally (to the root directory) or inside the <Directory> block of a specific directory.
- Open the main configuration file and add the following line:
Options -Includes -ExecCGI
- Restart the server. That's it!
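The directives from the sections above (Options -Indexes, ServerTokens Prod, ServerSignature Off, Options -FollowSymLinks and Options -Includes -ExecCGI) are easy to set and just as easy to leave half-applied, for example a commented-out line or a later "Options All" that turns everything back on. The script below is an added example, not part of the original post: a small POSIX shell audit that reads a configuration file and reports which of those directives are missing or re-enabled. It reads only the file it is given (the three sample configs are constructed inline), so it can be run against a copy of httpd.conf or apache2.conf before restarting anything. The handling of "+Name", "-Name", "None" and "All" follows the documented Options syntax.

```shell
#!/bin/sh
# Added example, not from the original post: audit an Apache main configuration
# file for the directives recommended above (ServerTokens Prod, ServerSignature
# Off, and Options lines that do not enable Indexes, FollowSymLinks, Includes or
# ExecCGI). It only reads the file it is given and neither restarts nor
# queries a live server. The three sample configs are constructed for this example.

# Print the config with comments and blank lines removed, so that a
# commented-out "#Options -Indexes" is not mistaken for an active setting.
active_lines() {
    sed -e 's/#.*$//' -e '/^[[:space:]]*$/d' "$1"
}

# List every feature that some active Options line turns on. A bare name or
# "+Name" enables it, "-Name" disables it, "None" enables nothing and "All"
# enables everything except MultiViews, so "All" is expanded to the four
# features this audit cares about.
options_enabled() {
    active_lines "$1" | awk '
        tolower($1) == "options" {
            for (i = 2; i <= NF; i++) {
                f = $i
                if (substr(f, 1, 1) == "-") continue
                if (substr(f, 1, 1) == "+") f = substr(f, 2)
                lf = tolower(f)
                if (lf == "none") continue
                if (lf == "all") {
                    print "Indexes"; print "FollowSymLinks"
                    print "Includes"; print "ExecCGI"
                    continue
                }
                print f
            }
        }' | sort -u
}

# Print one finding per line; prints nothing when the file passes every check.
# ServerTokens accepts "Prod" or its long form "ProductOnly".
audit_apache_conf() {
    conf="$1"
    active_lines "$conf" \
        | grep -iq '^[[:space:]]*ServerTokens[[:space:]]\{1,\}Prod\(uctOnly\)\{0,1\}[[:space:]]*$' \
        || echo "MISSING: ServerTokens Prod (Server header reveals version and OS)"
    active_lines "$conf" \
        | grep -iq '^[[:space:]]*ServerSignature[[:space:]]\{1,\}Off[[:space:]]*$' \
        || echo "MISSING: ServerSignature Off (error pages reveal version and OS)"
    for feature in Indexes FollowSymLinks Includes ExecCGI; do
        if options_enabled "$conf" | grep -iqx "$feature"; then
            echo "ENABLED: Options $feature (set Options -$feature)"
        fi
    done
}

# Constructed sample 1: defaults left in place, nothing hardened.
WEAK_CONF=$(mktemp)
cat > "$WEAK_CONF" <<'EOF'
ServerTokens OS
ServerSignature On
<Directory /var/www/html>
    Options Indexes FollowSymLinks
    AllowOverride None
</Directory>
EOF

# Constructed sample 2: the same file after applying the directives above.
HARD_CONF=$(mktemp)
cat > "$HARD_CONF" <<'EOF'
ServerTokens Prod
ServerSignature Off
<Directory /var/www/html>
    # Options -Indexes  (an old, commented-out attempt; must be ignored)
    Options -Indexes -FollowSymLinks -Includes -ExecCGI
    AllowOverride None
</Directory>
EOF

# Constructed sample 3: headers are hidden, but "Options All" silently turns
# every feature back on.
ALL_CONF=$(mktemp)
cat > "$ALL_CONF" <<'EOF'
ServerTokens ProductOnly
ServerSignature Off
<Directory /var/www/html>
    Options All
</Directory>
EOF

for f in "$WEAK_CONF" "$HARD_CONF" "$ALL_CONF"; do
    echo "== $f =="
    audit_apache_conf "$f"
done
```

Run it as-is to see the three samples audited, or replace the loop with a call such as audit_apache_conf /etc/httpd/conf/httpd.conf. The audit reads only the main file, so directives pulled in through Include lines or set in .htaccess files are not seen; that is the usual reason a check passes here while a browser still gets a directory listing.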
Statement: The directives below help mitigate DoS attacks, though such attacks cannot be completely prevented.
Environment: Apache webserver
Solution:
- TimeOut:
  - Its default value is 300 seconds; set it lower depending on the website's functionality.
  - The server waits this long for an event (such as receiving the request) to complete; after that the request fails.
- MaxClients:
  - The default value is 256; set it lower to help prevent DoS attacks.
  - It sets the maximum number of connections that can be served simultaneously.
  - Once the limit is reached, every new connection is queued.
- KeepAliveTimeout:
  - The default value is 5 seconds.
  - It is the amount of time the server waits for a subsequent request on a connection before closing it.
- LimitRequestFields: the default value is 100; set it lower to help prevent DoS attacks.
- LimitRequestFieldSize: sets a size limit on HTTP request headers.
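Because every one of these directives has a built-in default, a config that never mentions TimeOut or MaxClients is still running at 300 seconds and 256 clients. The script below is an added example, not part of the original post: it reads the last active setting of each directive out of a configuration file and reports whether it was lowered from the default. Two details a practitioner should know are folded in: MaxClients is the Apache 2.2 name, and Apache 2.4 calls the same setting MaxRequestWorkers, so the script treats them as aliases; and the defaults used are the ones this post gives (Apache 2.4 documents a 60-second TimeOut, and the 8190-byte LimitRequestFieldSize default comes from the httpd documentation, not from the post). The two sample configs are constructed.

```shell
#!/bin/sh
# Added example, not from the original post: read the request-limiting
# directives discussed above out of an Apache main config and compare each
# against its default. MaxClients (Apache 2.2 name) and MaxRequestWorkers
# (Apache 2.4 name) are treated as the same setting.
# Defaults for TimeOut, MaxClients, KeepAliveTimeout and LimitRequestFields are
# the values the post gives (2.4 documents TimeOut 60); the LimitRequestFieldSize
# default of 8190 is taken from the httpd documentation. Sample configs are constructed.

default_for() {
    case "$1" in
        TimeOut)                       echo 300 ;;
        MaxClients|MaxRequestWorkers)  echo 256 ;;
        KeepAliveTimeout)              echo 5 ;;
        LimitRequestFields)            echo 100 ;;
        LimitRequestFieldSize)         echo 8190 ;;
        *) echo "unknown directive: $1" >&2; return 1 ;;
    esac
}

# Effective value of a directive: the last active (uncommented) setting in the
# file wins; if it is never set, the default applies.
effective_value() {
    conf="$1"
    want=$(echo "$2" | tr 'A-Z' 'a-z')
    val=$(sed -e 's/#.*$//' "$conf" | awk -v want="$want" '
        BEGIN { if (want == "maxrequestworkers") want = "maxclients" }
        {
            key = tolower($1)
            if (key == "maxrequestworkers") key = "maxclients"
            if (key == want) last = $2
        }
        END { print last }')
    if [ -n "$val" ]; then echo "$val"; else default_for "$2"; fi
}

# One line per directive: effective value, default, and whether it was lowered.
review_dos_directives() {
    for d in TimeOut MaxClients KeepAliveTimeout LimitRequestFields LimitRequestFieldSize; do
        v=$(effective_value "$1" "$d")
        dflt=$(default_for "$d")
        if   [ "$v" -lt "$dflt" ]; then status="lowered"
        elif [ "$v" -eq "$dflt" ]; then status="at default (not set or unchanged)"
        else                             status="ABOVE default"
        fi
        printf '%-22s %6s  (default %5s)  %s\n' "$d" "$v" "$dflt" "$status"
    done
}

# Constructed sample 1: none of the directives set, so every default applies.
DEFAULT_CONF=$(mktemp)
cat > "$DEFAULT_CONF" <<'EOF'
ServerName www.example.com
# TimeOut 60   <- commented out, so it must not count
KeepAlive On
EOF

# Constructed sample 2: each directive lowered, using the 2.4 name for MaxClients.
TUNED_CONF=$(mktemp)
cat > "$TUNED_CONF" <<'EOF'
ServerName www.example.com
TimeOut 60
MaxRequestWorkers 150
KeepAlive On
KeepAliveTimeout 3
LimitRequestFields 50
LimitRequestFieldSize 4094
EOF

echo "== defaults only =="
review_dos_directives "$DEFAULT_CONF"
echo "== tuned =="
review_dos_directives "$TUNED_CONF"
```

The "lowered" verdict only means the value is below the default; whether 150 workers or a 60-second timeout is right for a given site still depends on its traffic, which is the point the post makes about choosing values based on the website's functionality.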
Use the mod_security and mod_evasive modules to secure Apache
- mod_security:
  - It acts as a firewall for web applications and allows monitoring traffic in real time.
  - It also protects the website or web server from brute force attacks.
  - Install the mod_security module:
- Install mod_security on Ubuntu/Debian:
  $ sudo apt-get install libapache2-modsecurity
  $ sudo a2enmod mod-security
  $ sudo /etc/init.d/apache2 force-reload
- Install mod_security on RHEL/CentOS/Fedora:
  # yum install mod_security
  # /etc/init.d/httpd restart
- mod_evasive:
  - It handles DoS attacks.
  - It handles DDoS attacks.
  - It handles brute force attacks.
  - This module detects three conditions:
    - Multiple requests for the same page arriving a few times per second.
    - A child process creating more than 50 concurrent requests.
    - A temporarily blacklisted IP trying to make new requests.
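The first two of those conditions are simple counting rules, and it is useful to be able to run the same counting over an existing access log before enabling the module, to see which clients would have tripped a given threshold. The script below is an added example, not part of the original post and not mod_evasive's own code: it reads Common Log Format lines, counts requests per client per second for the same page and for the site as a whole, and prints the clients that crossed either threshold. It only reports; it does not block anything. The log lines are constructed, using documentation IP ranges, and the thresholds passed in (3 hits on one page, 10 on the site) are assumptions chosen so that the small sample triggers both rules.

```shell
#!/bin/sh
# Added example, not from the original post or the mod_evasive project: an
# offline check over an Apache access log that flags the first two conditions
# described above, an IP hitting the same page more than PAGE_MAX times within
# one second, and an IP making more than SITE_MAX requests of any kind within
# one second. It is a log review aid for choosing mod_evasive thresholds;
# it does not block anything. The log lines below are constructed.

# flag_bursts LOGFILE PAGE_MAX SITE_MAX
#   Reads Common Log Format lines ($1 client IP, $4 "[timestamp", $7 URI),
#   counts requests per (ip, second, uri) and per (ip, second), and prints one
#   line per IP that crossed either threshold, sorted by IP.
flag_bursts() {
    awk -v page_max="$2" -v site_max="$3" '
        {
            ip  = $1
            sec = substr($4, 2)          # strip the leading "[" from the timestamp
            uri = $7
            page[ip SUBSEP sec SUBSEP uri]++
            site[ip SUBSEP sec]++
        }
        END {
            for (k in page) if (page[k] > page_max) {
                split(k, p, SUBSEP)
                hits[p[1]] = hits[p[1]] " page-burst:" p[3] "=" page[k] "/s"
            }
            for (k in site) if (site[k] > site_max) {
                split(k, p, SUBSEP)
                hits[p[1]] = hits[p[1]] " site-burst:" site[k] "/s"
            }
            for (ip in hits) print ip ":" hits[ip]
        }' "$1" | sort
}

# Constructed sample log (documentation IP ranges):
#  - 203.0.113.7 requests /login.php six times in the same second
#  - 198.51.100.5 makes two ordinary requests
#  - 198.51.100.9 requests twelve different pages in the same second
LOG=$(mktemp)
i=1
while [ "$i" -le 6 ]; do
    echo "203.0.113.7 - - [10/Oct/2023:13:55:36 +0000] \"POST /login.php HTTP/1.1\" 401 512" >> "$LOG"
    i=$((i + 1))
done
cat >> "$LOG" <<'EOF'
198.51.100.5 - - [10/Oct/2023:13:55:36 +0000] "GET /index.html HTTP/1.1" 200 2326
198.51.100.5 - - [10/Oct/2023:13:55:37 +0000] "GET /about.html HTTP/1.1" 200 1048
EOF
i=1
while [ "$i" -le 12 ]; do
    echo "198.51.100.9 - - [10/Oct/2023:13:55:40 +0000] \"GET /page$i.html HTTP/1.1\" 200 512" >> "$LOG"
    i=$((i + 1))
done

# Thresholds here are assumptions for the sample: "a few times per second" for
# one page becomes 3, and the post's "more than 50" for the site is lowered to
# 10 so that the twelve-request client is reported.
flag_bursts "$LOG" 3 10
```

Pointing it at a real log (flag_bursts /var/log/httpd/access_log 3 50, for example) shows which clients would have been affected at the post's numbers; if ordinary users show up in that list, the thresholds are too tight for that site and should be raised before the module is allowed to block.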