Introduction
This document gives examples of how to establish a secure configuration for Apache HTTP Server 2.4 running on a Linux system. Following this process hardens the server and reduces its exposure to threats such as cyberattacks.
Recommendations
1. Planning and installation
The recommendations in this section cover planning and installation of the Apache server.
- E.g. Ensure the server is not a multi-use system
Description:
The number of daemons and services running on an Apache server should be limited to those that are required. Every additional service increases the risk to the system.
Audit:
Produce the list of enabled services with the following command,
$chkconfig --list | grep ':on'
Remediation:
Disable a service that is not required with the following command,
$chkconfig <servicename> off
Likewise, other recommendations in this section include ensuring Apache is installed from an appropriate binary, the pre-installation planning checklist, etc.
2. Minimize Apache modules
This section recommends reviewing specific modules and disabling those that are not required for business purposes.
- E.g. Ensure that the log_config module is enabled
Description:
This module provides for flexible logging of client requests.
Audit:
Use the httpd -M option as root to check that the module is loaded,
$httpd -M | grep log_config
Remediation:
$cd $DOWNLOAD_HTTPD
$ ./configure
Perform similar checks for the other modules.
3. Principals, Permissions and Ownership
This section covers identities, permissions and ownership on Apache-related filesystem resources.
- E.g. Ensure the apache user account has an invalid shell
Description:
Apache accounts must not be used as regular login accounts.
Audit:
Check the apache login shell in the /etc/passwd file,
$grep apache /etc/passwd
Remediation:
Change the apache account to use an invalid shell such as /sbin/nologin or /dev/null,
$chsh -s /sbin/nologin apache
4. Apache access control
This section covers the configurable access control mechanisms available in Apache HTTP Server.
- E.g. Ensure override is disabled for all directories
Audit:
- Search the Apache configuration files to find any AllowOverride directives.
- Ensure the value of every AllowOverride directive is None.
$grep -i AllowOverride $APACHE_PREFIX/conf/httpd.conf
- Ensure there are no AllowOverrideList directives present.
Remediation:
- Search the Apache configuration files to find any AllowOverride directives.
- Set the value of every AllowOverride directive to None.
AllowOverride None
5. Minimize Features, Contents and Options
This section minimizes the features, content and options that the Apache HTTP server exposes.
- E.g. Ensure options for the OS root directory are restricted
Audit:
- Search the Apache configuration files to find the root <Directory> element.
- Ensure there is a single Options directive with the value None.
Remediation:
- Search the Apache configuration files to find the root <Directory> element.
- Set a single Options directive with the value None.
<Directory />
Options None
</Directory>
6. Operational Logging, Monitoring and Maintenance
Operational procedures for logging, monitoring and maintenance help protect the web server.
- E.g. Ensure a syslog facility is configured for error logging
Audit:
- Verify the ErrorLog directive in the Apache server configuration.
- Verify there is a similar ErrorLog directive, either configured or inherited, for each virtual host.
Remediation:
- Add an ErrorLog directive if one is not already configured.
ErrorLog "syslog:local1"
7. Information leakage
This section limits the disclosure of potentially sensitive information.
- E.g. Confirm ServerTokens is set to Prod or ProductOnly
Audit:
Verify the ServerTokens directive is present in the Apache configuration and has a value of Prod or ProductOnly.
Remediation:
Add or modify the ServerTokens directive as shown below so that it has the value Prod or ProductOnly.
ServerTokens Prod
8. Denial of service mitigations
This section helps increase resiliency to Denial of Service attacks.
- E.g. Ensure the Timeout is set to 10 seconds or less
Audit:
Verify the Timeout directive is specified in the Apache configuration files with a value of 10 seconds or shorter.
Remediation:
Add or modify the Timeout directive in the Apache configuration to have a value of 10 seconds or shorter.
Timeout 10
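The audits from sections 4 to 8 can be collected into one script. The following is an added example, not part of the original page or the CIS Benchmark; the function names and the sample configuration are constructed, and it checks a single file without following Include directives or per-virtual-host settings.

```shell
#!/bin/sh
# Added example: audit one Apache config file against sections 4-8 (names are illustrative).
# Active lines of file $1 whose directive name is exactly $2 (case-insensitive).
directive_lines() { grep -Ei "^[[:space:]]*$2([[:space:]]|\$)" "$1"; }

check_allowoverride() {   # every AllowOverride is None, no AllowOverrideList
    ! directive_lines "$1" AllowOverride | grep -Eiqv 'AllowOverride[[:space:]]+None[[:space:]]*$' &&
    ! directive_lines "$1" AllowOverrideList | grep -q .
}
check_root_options() {    # exactly one Options line in <Directory />, value None
    awk '{ l = tolower($0) }
         l ~ /^[ \t]*<directory[ \t]+"?\/"?[ \t]*>/ { inroot = 1; next }
         l ~ /^[ \t]*<\/directory[ \t]*>/           { inroot = 0 }
         inroot && l ~ /^[ \t]*options([ \t]|$)/    { n++; if (l !~ /^[ \t]*options[ \t]+none[ \t]*$/) bad = 1 }
         END { exit !(n == 1 && !bad) }' "$1"
}
check_errorlog() {        # an ErrorLog directive sends errors to a syslog facility
    directive_lines "$1" ErrorLog | grep -Eiq 'ErrorLog[[:space:]]+"?syslog:'
}
check_servertokens() {    # last ServerTokens value is Prod or ProductOnly
    directive_lines "$1" ServerTokens | tail -n 1 |
        grep -Eiq 'ServerTokens[[:space:]]+(Prod|ProductOnly)[[:space:]]*$'
}
check_timeout() {         # last Timeout value is present and <= 10 seconds
    t=$(directive_lines "$1" Timeout | tail -n 1 | awk '{ print $2 }')
    [ -n "$t" ] && [ "$t" -le 10 ] 2>/dev/null
}

# Run every check, print PASS/FAIL per item, return the number of failures.
audit_conf() {
    fails=0
    for c in allowoverride root_options errorlog servertokens timeout; do
        if "check_$c" "$1"; then echo "PASS $c"; else echo "FAIL $c"; fails=$((fails + 1)); fi
    done
    return "$fails"
}

# Constructed sample configuration (not taken from a real server).
sample=$(mktemp)
cat > "$sample" <<'EOF'
ServerTokens Prod
Timeout 10
ErrorLog "syslog:local1"
<Directory />
    Options None
    AllowOverride None
</Directory>
EOF
audit_conf "$sample"
```

To audit a real server, call audit_conf with the path to its httpd.conf; the exit status is the number of failed checks.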
9. Request Limits
This section reduces the maximum allowed size of request parameters, which reduces the threat of attack on the server.
10. Enable SELinux to restrict Apache processes
Enabling SELinux in targeted mode provides mandatory access controls that restrict Apache processes.
Conclusion
To prevent threats like cyberattacks, it’s important to secure the configuration of the webservers through CIS Benchmarks.