Secure Apache Server installation
Apache web server installation using yum (Yellowdog Updater, Modified)
Apache is a free and open-source web server and the most widely used one: approximately 70% of web servers are Apache. It is used to serve web pages and web sites.
We need to install the latest Apache server with the latest patches.
Some important information about Apache:
- Service : SysV-managed service
- Packages : httpd, httpd-devel, httpd-manual
- Daemon : /usr/sbin/httpd
- Init script : /etc/init.d/httpd
- Ports used : 80 & 443 (http & https)
- Configuration file : /etc/httpd/conf/httpd.conf
- Default SELinux-labelled web root : /var/www
Step 1 : Log in as the root user and then run yum install httpd-* -y
#su
password:
#yum install httpd-* -y
yum now installs the Apache server. The service is controlled with:
#service httpd start ( starts the Apache service )
#service httpd stop ( stops the Apache service )
#service httpd restart ( restarts or refreshes the Apache service )
#chkconfig httpd on ( makes the Apache service start automatically after the machine reboots )
Now we need to configure the Apache server.
Step 2 : Open the Apache configuration file, /etc/httpd/conf/httpd.conf, to configure the server.
From here our security part begins.
Remove the default configuration files:
#rm -f /etc/httpd/conf.d/welcome.conf
#rm -f /var/www/error/noindex.html
Hide the Apache version number and other sensitive information
How can we hide the Apache version and sensitive directory information?
We need to edit the httpd.conf file and set ServerSignature Off and ServerTokens Prod:
ServerSignature Off
ServerTokens Prod
Find ServerSignature; if it is On, set it to Off or comment the line out with # in front of ServerSignature.
Now find ServerTokens and set it to Prod, just as you did for ServerSignature.
Apache must run under its own user account and group.
Use apache for both. Find these lines:
User nobody
Group nobody
Both must become:
User apache
Group apache
Confirm that files outside the web root are not served
That is, we do not want files from outside the web root to be reachable remotely.
Now, how do we do that?
For the server's root directory, the configuration looks like:
<Directory />
Order Deny,Allow
Deny from all
Options None
AllowOverride None
</Directory>
We set Options None and AllowOverride None; this turns off all options and overrides for the whole server, and you then add them explicitly for each directory that needs particular Options or Overrides.
Turning off directory traversal
How do we turn off directory traversal / browsing?
This is done with the same Options directive inside the Directory tag: set Options to either None or -Includes.
Options -Includes
Likewise, if you are not using CGI execution, turn it off with the Options directive in the same Directory tag, set to either None or -ExecCGI:
Options -ExecCGI
Next, closing symbolic links. How do we do that?
We know that symbolic links are also very important in a web server. This is done the same way in the Directory tag: set Options to None, or else to -FollowSymLinks.
Options -FollowSymLinks
Now let's combine them all to close all the options. Either we can use:
Options None
or else:
Options -FollowSymLinks -ExecCGI -Includes
in the Directory tag.
Turn off support for .htaccess files (no need to explain what an .htaccess file is).
So how do we do that?
This is also done in the Directory tag, but with the AllowOverride directive. Set it to None:
AllowOverride None
If you require overrides, ensure that the override files cannot be downloaded, and/or change the name of .htaccess to another name that starts with .ht, like .htnulloverride:
AccessFileName .htnulloverride
<Files ~ "^\.ht">
Order allow,deny
Deny from all
Satisfy All
</Files>
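The following audit script is an added example, not part of the original post: it reads an httpd.conf and reports where the "<Directory />" policy and the .ht* file protection described above deviate from the hardened form. It assumes the Apache 2.2-style access directives (Order/Deny) used in this post, and the two sample configurations it writes are constructed for the demonstration. One caveat the audit reflects: directory listings are controlled by the Indexes option, while Includes controls server-side includes, so the check expects both to be disabled (or Options None).

```shell
#!/bin/sh
# Added example, not from the original post: audit the "<Directory />" policy
# and the .ht* file protection in an httpd.conf. Portable sh + awk, no Apache
# needed. Assumption: Apache 2.2-style access directives (Order/Deny).

# Print the body of the "<Directory />" block (the filesystem-root policy).
root_directory_block() {
    awk '
        tolower($0) ~ /^[ \t]*<directory[ \t]+"?\/"?[ \t]*>/ { inblk = 1; next }
        inblk && tolower($0) ~ /^[ \t]*<\/directory>/        { inblk = 0 }
        inblk                                                { print }
    ' "$1"
}

# Lower-case a value and squeeze whitespace so a case statement can match it
# regardless of how the admin spaced or capitalised it.
norm() { printf ' %s ' "$1" | tr 'A-Z' 'a-z' | tr -s '[:space:]' ' '; }

# audit_root_directory CONF: one finding per line, nothing when clean.
audit_root_directory() {
    block=$(root_directory_block "$1")
    if [ -z "$block" ]; then
        echo "no <Directory /> block: the filesystem root has no explicit policy"
        return 0
    fi
    options=$(printf '%s\n' "$block" | awk 'tolower($1)=="options" { $1=""; print }')
    override=$(printf '%s\n' "$block" | awk 'tolower($1)=="allowoverride" { $1=""; print }')
    opts=$(norm "$options")
    if [ "$opts" != " none " ]; then
        # Indexes = directory listings, Includes = SSI, ExecCGI = CGI scripts,
        # FollowSymLinks = links out of the web root; each must carry a "-".
        for opt in indexes includes execcgi followsymlinks; do
            case "$opts" in
                *" -$opt "*) ;;
                *) printf 'Options does not disable %s (Options is%s)\n' \
                          "$opt" "${options:- <unset>}" ;;
            esac
        done
    fi
    case "$(norm "$override")" in
        " none ") ;;
        *) echo "AllowOverride is not None: .htaccess files can change the policy" ;;
    esac
    case "$(norm "$block")" in
        *" deny from all "*) ;;
        *) echo "no 'Deny from all' for /: files outside DocumentRoot may be served" ;;
    esac
}

# count_findings CONF: number of findings, for scripting and monitoring.
count_findings() { audit_root_directory "$1" | wc -l | tr -d ' '; }

# htaccess_files_protected CONF: 0 when a <Files>/<FilesMatch> block matching
# ".ht" names contains "Deny from all", 1 otherwise.
htaccess_files_protected() {
    awk '
        tolower($0) ~ /^[ \t]*<files(match)?[ \t][^>]*\\\.ht/ { inf = 1; next }
        inf && tolower($0) ~ /^[ \t]*<\/files/               { inf = 0 }
        inf && tolower($0) ~ /deny[ \t]+from[ \t]+all/       { ok = 1 }
        END { exit ok ? 0 : 1 }
    ' "$1"
}

# Constructed samples: a permissive root policy and the post's hardened one.
write_weak_conf() {
    cat > "$1" <<'EOF'
<Directory />
    Options FollowSymLinks Indexes
    AllowOverride All
</Directory>
EOF
}
write_hardened_conf() {
    cat > "$1" <<'EOF'
<Directory />
    Order Deny,Allow
    Deny from all
    Options -Indexes -Includes -ExecCGI -FollowSymLinks
    AllowOverride None
</Directory>
<Files ~ "^\.ht">
    Order allow,deny
    Deny from all
    Satisfy All
</Files>
EOF
}

tmp=$(mktemp)
write_weak_conf "$tmp"
echo "findings for the weak config:"
audit_root_directory "$tmp"
htaccess_files_protected "$tmp" || echo ".ht* files are not protected"
rm -f "$tmp"
```

Run it against the real file with audit_root_directory /etc/httpd/conf/httpd.conf after each change; an empty report and a zero exit from htaccess_files_protected mean the root policy matches what this section describes.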
Next we have to disable unnecessary modules.
Apache comes with many modules installed, which programmers use to run code and retrieve data from the server. A good programmer should study them: a PHP programmer uses that knowledge to secure the web site with scripts, and also learns how sites can be destroyed just by abusing these modules.
To study these modules, please refer to the module documentation of the Apache server.
Study these modules and enable or disable them according to your security needs.
So how do we disable these modules?
In the httpd.conf file each module has a LoadModule line; to disable a module, comment out its line by putting # in front of it.
I have some modules which are enabled but not needed, like:
mod_imap, mod_include, mod_info, mod_userdir, mod_status, mod_cgi, mod_autoindex.
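The script below is an added example, not code from the original post: it applies the httpd.conf edits from the last three sections (ServerTokens/ServerSignature, User/Group, and commenting out the LoadModule lines of the modules listed above) to the file idempotently, so it can be re-run after every package update without producing duplicate directives. It also serves the Timeout and LimitRequestBody settings later in the post, since set_directive works for any server-wide directive. Assumptions: an Apache 2.2-style httpd.conf, and module identifiers as they appear on LoadModule lines (mod_status is loaded as status_module, mod_imap as imagemap_module on 2.2); the sample configuration it writes is constructed.

```shell
#!/bin/sh
# Added example, not from the original post: idempotently apply the post's
# httpd.conf changes with portable sh/awk. Assumptions: Apache 2.2-style
# config; module identifiers as used on LoadModule lines.

# set_directive CONF NAME VALUE
# Rewrites every line whose first token is NAME (active or "#"-commented,
# case-insensitive like Apache itself) to "NAME VALUE", keeps a single copy,
# and appends the directive if the file never mentioned it. Meant for
# server-wide directives such as ServerTokens, User, Timeout.
set_directive() {
    conf=$1; name=$2; value=$3; tmp="$conf.tmp.$$"
    awk -v name="$name" -v value="$value" '
        {
            line = $0
            sub(/^[ \t]*#?[ \t]*/, "", line)        # drop indent and a leading "#"
            split(line, f, /[ \t]+/)
            if (tolower(f[1]) == tolower(name)) {
                if (!done) { print name " " value; done = 1 }
                next                                 # drop duplicate settings
            }
            print
        }
        END { if (!done) print name " " value }
    ' "$conf" > "$tmp" && mv "$tmp" "$conf"
}

# disable_module CONF MODULE_IDENTIFIER
# Comments out active "LoadModule <identifier> ..." lines; prints how many.
disable_module() {
    conf=$1; mod=$2; tmp="$conf.tmp.$$"
    n=$(awk -v mod="$mod" 'tolower($1)=="loadmodule" && $2==mod { n++ } END { print n+0 }' "$conf")
    awk -v mod="$mod" '
        tolower($1) == "loadmodule" && $2 == mod { print "#" $0; next }
        { print }
    ' "$conf" > "$tmp" && mv "$tmp" "$conf"
    echo "$n"
}

# harden_httpd_conf CONF: the settings from this section in one call.
harden_httpd_conf() {
    conf=$1
    set_directive "$conf" ServerTokens Prod
    set_directive "$conf" ServerSignature Off
    set_directive "$conf" User apache
    set_directive "$conf" Group apache
    # Identifiers for the modules the post lists as enabled but unneeded.
    # Keep status/info only if you actually monitor the server through them.
    for mod in imagemap_module include_module info_module userdir_module \
               status_module cgi_module autoindex_module; do
        n=$(disable_module "$conf" "$mod")
        [ "$n" -gt 0 ] && echo "disabled $mod ($n line(s))"
    done
    return 0
}

# Constructed sample of the relevant lines of a stock httpd.conf.
make_sample_conf() {
    cat > "$1" <<'EOF'
ServerRoot "/etc/httpd"
Timeout 300
LoadModule status_module modules/mod_status.so
LoadModule cgi_module modules/mod_cgi.so
LoadModule rewrite_module modules/mod_rewrite.so
User nobody
Group nobody
#ServerTokens Full
ServerSignature On
DocumentRoot "/var/www/html"
EOF
}

conf=$(mktemp)
make_sample_conf "$conf"
harden_httpd_conf "$conf"
echo "--- hardened config ---"
cat "$conf"
rm -f "$conf"
```

Point harden_httpd_conf at a copy of /etc/httpd/conf/httpd.conf, diff it against the original, and only then move it into place and restart httpd; the awk edits touch whole lines only, so a directive that lives inside an <IfModule> or <Directory> block with the same name would also be rewritten, which is why the function is limited to server-wide directives.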
Run mod_security for security.
mod_security is a very important module for security.
If you want to learn mod_security in depth, study its documentation.
We can perform various security actions with mod_security; a few are:
- Simple filtering
- Regular-expression-based filtering
- URL encoding validation
- Auditing
- And many more
Run the Apache configuration and binaries with read access only for the root user
This is done with permissions as follows:
chown -R root:root /usr/local/apache
chmod -R o-rwx /usr/local/apache
Here /usr/local/apache is the Apache installation directory.
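As an added example (not the post's own commands), the script below performs that lock-down on a directory and then verifies that nothing world-accessible is left, which is the check worth running after any reinstall. The directory is a parameter: the post uses /usr/local/apache, while a yum install keeps the binary in /usr/sbin and the configuration in /etc/httpd. chown needs root and is skipped otherwise so the verification can be tried on a scratch tree first; the tree built by make_demo_tree is constructed for the demonstration. Note that the document root is deliberately left alone: the apache worker user must still be able to read the files it serves, so apply the lock-down to conf, bin and logs rather than to an htdocs directory.

```shell
#!/bin/sh
# Added example, not from the original post: lock the Apache configuration
# and binaries down to root and verify the result. Directory paths are
# parameters; make_demo_tree builds a constructed miniature install tree.

# lock_down_tree DIR: strip all "other" permissions recursively; chown as root.
lock_down_tree() {
    [ -d "$1" ] || { echo "not a directory: $1" >&2; return 1; }
    if [ "$(id -u)" -eq 0 ]; then
        chown -R root:root "$1"
    fi
    chmod -R o-rwx "$1"
}

# world_accessible DIR: number of entries that still grant "other" any of
# r/w/x (octal masks keep this portable across GNU and BSD find).
world_accessible() {
    find "$1" \( -perm -004 -o -perm -002 -o -perm -001 \) -print | wc -l | tr -d ' '
}

# make_demo_tree DIR: conf/, bin/ and htdocs/ with stock world-readable modes.
make_demo_tree() {
    mkdir -p "$1/conf" "$1/bin" "$1/htdocs"
    printf 'ServerTokens Prod\n' > "$1/conf/httpd.conf"
    : > "$1/bin/httpd"
    : > "$1/htdocs/index.html"
    chmod 755 "$1/conf" "$1/bin" "$1/htdocs" "$1/bin/httpd"
    chmod 644 "$1/conf/httpd.conf" "$1/htdocs/index.html"
}

demo=$(mktemp -d)
make_demo_tree "$demo"
echo "conf world-accessible before: $(world_accessible "$demo/conf")"
lock_down_tree "$demo/conf"
lock_down_tree "$demo/bin"
echo "conf world-accessible after:  $(world_accessible "$demo/conf")"
# htdocs is left as it was on purpose: the apache worker user must read it.
echo "htdocs still readable:        $(world_accessible "$demo/htdocs")"
rm -rf "$demo"
```

On a real host, run world_accessible on /etc/httpd and on the directory holding the httpd binary after the change; a non-zero count points at a file that was created later (a package update, a hand-copied config) and needs the same treatment.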
Now let's work on DDoS attacks
DDoS attacks are basically aimed at the Apache server, so I have a question: how do we prevent a DDoS or DoS attack?
In httpd.conf I have found the reason for DoS attacks: it is the time a client has to send a request to the web server and the time for the response to return. That means if we restrict or limit the Timeout value to just 50 or 60 seconds, we can restrict DDoS attacks on the Apache server.
So set
Timeout 50
in httpd.conf. Old versions have a value of 200 to 300, so they are easily DDoSed or DoSed by the attacker.
We also need to limit large requests.
There is an option LimitRequestBody in httpd.conf for limiting DDoS; if you are allowing file uploads of no more than 1MB, we need to set it like this:
LimitRequestBody 1048638
And if you are not allowing file uploads, then you can set this value much smaller.
Limiting access by IP address
If I want to allow only a particular IP region, how can we do that?
Say I want my web site to be accessible only from the IP range 117.86.0.0/24. So how can we do that?
We just Allow from 117.86.0.0/24:
Order Deny,Allow
Deny from all
Allow from 117.86.0.0/24
By default it is Allow from all in Directory tags.
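As an added example (not from the original post), the script below validates the IPv4 ranges an admin wants to allow and emits the Order/Deny/Allow stanza shown above. The validation matters because a mistyped range is not a syntax error for Apache: it either locks everyone out or fails to restrict anything. The range 117.86.0.0/24 is the post's own example; the other ranges are constructed. The stanza uses the Apache 2.2 syntax of this post; on Apache 2.4 the equivalent line inside the Directory block is Require ip 117.86.0.0/24.

```shell
#!/bin/sh
# Added example, not from the original post: check IPv4 CIDR ranges and
# generate the Directory-level access stanza. Ranges other than the post's
# 117.86.0.0/24 are constructed.

# valid_cidr ADDR[/PREFIX]: 0 when ADDR has four octets 0-255 and PREFIX is
# 0-32; a bare address is treated as a single host (/32).
valid_cidr() {
    cidr=$1
    case "$cidr" in
        */*) ip=${cidr%/*}; prefix=${cidr#*/} ;;
        *)   ip=$cidr; prefix=32 ;;
    esac
    case "$prefix" in ''|*[!0-9]*) return 1 ;; esac
    [ "$prefix" -le 32 ] || return 1
    case "$ip" in *..*|.*|*.) return 1 ;; esac        # empty octets
    old_ifs=$IFS; IFS=.; set -- $ip; IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        case "$octet" in ''|*[!0-9]*) return 1 ;; esac
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# allow_stanza CIDR...: print the stanza for the Directory block, or print
# nothing and fail if any range is malformed (so nothing half-written lands
# in httpd.conf).
allow_stanza() {
    for cidr in "$@"; do
        valid_cidr "$cidr" || { echo "invalid range: $cidr" >&2; return 1; }
    done
    printf 'Order Deny,Allow\nDeny from all\n'
    for cidr in "$@"; do
        printf 'Allow from %s\n' "$cidr"
    done
}

echo "--- stanza for the post's range plus a constructed internal range ---"
allow_stanza 117.86.0.0/24 10.0.0.0/8
echo "--- a bad prefix is rejected ---"
allow_stanza 117.86.0.0/33 || echo "nothing written"
```

Paste the printed lines inside the <Directory> block for the site's document root, then run apachectl configtest before restarting; the Deny from all line is what turns the list into an allow-list, so never add an Allow line without it.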
"Thanks for reading, to protect Indian cyber space." I will try to find more stuff like this.
"Respect the Tri-Color"