Secure Apache Web Server




Access control is an important part of security and is its most visible aspect, leading people to assume it is security. You may need to introduce access control to your system for a few reasons. The first and most obvious reason is to allow some people to see (or do) what you want them to see or do while keeping the others out. However, you must also know who did what and when, so that they can be held accountable for their actions.


Identification
Authentication
Authorization
Accountability
  1. Apache is one of the most popular web servers and hence a frequent target of hacking attacks. Its default configuration exposes sensitive information about the server, which shortens the reconnaissance time for an attacker. Most of the attacks are done through.
  2. To encrypt the traffic between server and client, web servers use SSL certificates. Let’s Encrypt helps in obtaining and installing a trusted certificate for free. In this tutorial we will see how to secure an Apache Web Server on Ubuntu 16.04 using Let’s Encrypt. Install Let’s Encrypt.
  3. SSLCertificateKeyFile /usr/local/apache/conf/ssl.key/domainname.key (or server.key) Note: Some instances of Apache will store Virtual Host information in an ssl.conf file. If your httpd.conf.
Something you know (Type 1)
Something you have (Type 2)
Something you are (Type 3)

Engaging in secure, authenticated communication when using an unencrypted channel is impossible. Once you add SSL to the server (see Chapter 4), it corrects most of the problems people have had with Basic authentication. If using SSL is not an option, then deployment of Digest authentication is highly recommended. There are many freely available tools that allow almost anyone (since no technical knowledge is required) to automatically collect Basic authentication passwords from the traffic flowing on the network. But I haven’t seen any tools that automate the process of performing a replay attack when Digest authentication is used. The use of Digest authentication at least raises the bar to require technical skills on the part of the attacker.



There is one Digest authentication feature that is very interesting: server authentication. As of RFC 2617 (which obsoletes RFC 2069), clients can use Digest authentication to verify that the server does know their password. It sounds like widespread use of Digest authentication could help the fight against the numerous phishing attacks that take place on the Internet today (see Chapter 10).


Chapter 4 discusses cryptography, SSL, and client certificates. Here, I bring a couple of authentication-related points to your attention. Only two directives are needed to start asking clients to present their private certificates provided everything else SSL-related has been configured:


192.168.254.125
192.168.254
192.168.254.0/24
192.168.254.0/255.255.255.0
ivanr.apachesecurity.net
.apachesecurity.net


In Apache 1, proxy access control is done through a specially named directory (proxy:), using network access control (as discussed in Section 7.3.5):

In Apache 2, the equivalent <Proxy> directive is used. (Apache 2 also provides the <ProxyMatch> directive, which allows the supplied URL to be an arbitrary regular expression.)

Proxying SSL requests requires use of a special CONNECT method, which is designed to allow arbitrary TCP/IP connection tunneling. (See Chapter 11 for examples.) Apache will allow connection tunneling to target only ports 443 (SSL) and 563 (SNEWS) by default. You should not allow other ports to be used (using the AllowCONNECT directive) since that would allow forward proxy users to connect to other services through the proxy.

One consequence of using a proxy server is a transfer of trust. Instead of the users on the internal network, the target server (or application) sees the proxy as the party initiating communication. Because of this, the target may give more access to its services than it normally would. One common example of this problem is using a forward proxy server to send email. Assuming an email server is running on the same machine as the proxy server, this is how a spammer would trick the proxy into sending email:

This works because SMTP servers are error tolerant. When receiving the above request, the proxy opens a connection to port 25 on the same machine (that is, to the SMTP server) and forwards the request to that server. The SMTP server ignores errors incurred by the HTTP request line and the header that follows and processes the request body normally. Since the body contains a valid SMTP communication, an email message is created and accepted.

Unlike for the CONNECT method, Apache does not offer directives to control target ports for normal forward proxy requests. However, Apache Cookbook (Recipe 10.2) provides a solution for the proxy-sending-email problem in the form of a couple of mod_rewrite rules:
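The Cookbook rules are not reproduced on this page. As an added illustration (my code, not the book's, the Cookbook's or Apache's), the following applies the port policy described above to forward-proxy request targets and then to a few constructed access-log lines, so the proxy-as-mail-relay pattern can be recognised in logs after the fact; it assumes Apache's combined log format and the port defaults named in the text.

```python
import re
from urllib.parse import urlsplit

ALLOWED_CONNECT_PORTS = {443, 563}   # Apache's AllowCONNECT default (SSL, SNEWS)
DENIED_PROXY_PORTS = {25}            # SMTP: the relay-through-proxy problem described above
DEFAULT_PORTS = {"http": 80, "https": 443, "ftp": 21}

def proxy_target(method, target):
    """Return (host, port) a forward proxy would connect to for this request target,
    or None when the target is origin-form (e.g. /index.html) and served locally."""
    if method == "CONNECT":
        # authority-form: host:port, IPv6 literals in brackets
        host, sep, port = target.rpartition(":")
        if not sep or not port.isdigit():
            raise ValueError(f"malformed CONNECT target: {target!r}")
        return host.strip("[]"), int(port)
    parts = urlsplit(target)
    if not parts.scheme or not parts.netloc:
        return None
    port = parts.port if parts.port is not None else DEFAULT_PORTS.get(parts.scheme)
    return parts.hostname, port

def proxy_request_allowed(method, target):
    """Policy: CONNECT only to the default tunnel ports; other proxy requests never to
    SMTP, nor to a target whose port cannot be determined."""
    hp = proxy_target(method, target)
    if hp is None:
        return True
    _, port = hp
    if method == "CONNECT":
        return port in ALLOWED_CONNECT_PORTS
    return port is not None and port not in DENIED_PROXY_PORTS

# Constructed combined-log lines (not real traffic), as Apache writes them for proxy requests.
SAMPLE_LOG = """\
10.0.0.5 - - [21/Jan/2008:10:00:01 +0000] "GET http://www.example.com/ HTTP/1.1" 200 512
10.0.0.5 - - [21/Jan/2008:10:00:02 +0000] "CONNECT www.example.com:443 HTTP/1.1" 200 0
10.0.0.9 - - [21/Jan/2008:10:00:03 +0000] "POST http://127.0.0.1:25/ HTTP/1.0" 200 0
10.0.0.9 - - [21/Jan/2008:10:00:04 +0000] "CONNECT mail.example.com:25 HTTP/1.1" 403 0
10.0.0.5 - - [21/Jan/2008:10:00:05 +0000] "GET /index.html HTTP/1.1" 200 2048
"""
REQUEST_RE = re.compile(r'"([A-Z]+) (\S+) HTTP/[\d.]+"')

def flag_proxy_abuse(log_text):
    """Return (client, method, target) for logged requests the policy would have refused."""
    flagged = []
    for line in log_text.splitlines():
        m = REQUEST_RE.search(line)
        if m and not proxy_request_allowed(m.group(1), m.group(2)):
            flagged.append((line.split()[0], m.group(1), m.group(2)))
    return flagged
```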

I will mention more Apache directives related to access control. Prior to presenting that information, I would like to point out one more thing: many modules other than the ones described in this chapter can also be used to perform access control, even if that isn’t their primary purpose. I have used one such module, mod_rewrite, many times in this book to perform things that would be impossible otherwise. Some modules are designed to perform advanced access control. This is the case with mod_dosevasive (mentioned in Chapter 5) and mod_security (described in detail in Chapter 12).

GET
HEAD
POST
PUT
DELETE
CONNECT
OPTIONS
TRACE
PROPFIND
PROPPATCH
MKCOL
COPY
MOVE
LOCK
UNLOCK
Any
All

If you have a situation where the authentication server is not on a trusted network, you could use the Stunnel universal SSL driver (as described in Appendix A) to secure communication between mod_auth_remote and the authentication server. However, if you recall the discussion from Chapter 4, establishing an SSL communication channel is the most expensive part of SSL communication. Without proper SSL support built into mod_auth_remote (enabling session reuse), performance will be inadequate.

Credential caching (actually the absence of it) is a frequent problem with authentication modules. The new authentication backend (the one from the 2.1 branch) includes a module mod_authn_cache (http://mod-auth.sourceforge.net/docs/mod_authn_cache/) to enable caching. For Apache 1, similar functionality is provided by mod_auth_cache (http://mod-auth-cache.sourceforge.net).

Setting up a web server with Apache on a Linux distribution is a very quick process; making it a secure setup, however, takes some work. This article will show you how to make your Apache web server more secure from attack by effectively using access control and authentication strategies.

Bill Keys
All the examples below assume that you are using Ubuntu 7.10 with a basic Apache configuration. However, these examples will help any user running an Apache server to make it more secure, since the concepts still apply. This HOWTO should be applied on a test server first; once that is secure, migrate the configuration to the production web server.
File Permissions and Access Control
Users and groups:
One of the first things to ensure is that Apache does not run as root, because if Apache is cracked an attacker could get control of the root account. Let's take a look at what user and group Apache is running as.
Run the following command:
# ps auwwfx | grep apache
www-data 25675 0.0 0.0 10348 508 ? S Jan21 0:00 _ /usr/sbin/apache2 -k start
www-data 25686 0.0 0.2 231816 2208 ? Sl Jan21 0:00 _ /usr/sbin/apache2 -k start
www-data 25688 0.0 0.2 231816 2200 ? Sl Jan21 0:00 _ /usr/sbin/apache2 -k start
As you can see, www-data is the user running Apache. If it is not, you need to edit your Apache configuration and create a new user and group:
# groupadd www-data
# useradd -g www-data www-data
# vi /etc/apache2/apache2.conf
Change:
User root
Group root
To:
User www-data
Group www-data
Do a reload to make sure the changes take effect:
# /etc/init.d/apache2 reload
Permissions to serve files:
One of the most overlooked security practices is correct use of the chmod command. For example, we have just created an index.cgi in our Apache HTML root directory, but when we open the file in our browser we get the error message "permission denied". To get our index.cgi working we could do a chmod 777 index.cgi. Before you try this, every Apache administrator should ask themselves: is this secure? The answer should be NO! But how do we make the permissions secure enough and still allow the index.cgi script to work?
chmod:
Apache needs to have permission to execute the index.cgi file. However, we don't want everyone to read and write to index.cgi. The owner of the file should have permission to read and write to the file. We do this by:
# chmod 755 index.cgi
Files outside the web root should not be served:
It's very important to have the following lines in your apache2.conf (the enclosing <Directory /> container was lost in this copy of the text and is restored here):

<Directory />
Options FollowSymLinks
AllowOverride None
</Directory>

Notes
1. The above lines prevent Apache from having access to files outside of its web root.
2. Some distributions have better default security configuration than others. EnGarde Secure Linux is one example where they include the above lines in their Apache configuration file by default.

We don't want users running CGI scripts anywhere on the filesystem but we do need them to run in the web root. The solution to this problem is the 'Options ExecCGI' directive.
Example:
Add the following lines to /etc/apache2/apache2.conf (the <Directory> container for the cgi-bin path named below was lost in this copy of the text and is restored here):

<Directory /home/username/public_html/cgi-bin>
AllowOverride None
Options ExecCGI
Order Deny,Allow
Deny from all
Allow from 192.168.0.0/16
</Directory>
Do a reload to make sure the changes take effect:
# /etc/init.d/apache2 reload
Now only users on your internal network can run CGI scripts in '/home/username/public_html/cgi-bin'.
Authentication
How can we allow only users with the correct password and username to have access to a part of our web root? The following steps will show you how to do this securely.
Basic authentication:
Enable .htaccess
# vi /etc/apache2/apache2.conf
Change:
AllowOverride None
To:
AllowOverride AuthConfig
Do a reload to make sure the changes take effect:
# sudo /etc/init.d/apache2 reload
Create a password file:
# mkdir /var/www/misc
# chmod a+rx /var/www/misc
# cd /var/www/misc
# htpasswd -bc private.passwords username password
Adding password for user username
Create .htaccess
# cd /home/username/public_html/cgi-bin
# vi .htaccess
Add the below in .htaccess
AuthName 'My Private Area'
AuthType Basic
AuthUserFile /var/www/misc/private.passwords
AuthGroupFile /dev/null
Require valid-user
Change the cgi-bin directory block in /etc/apache2/apache2.conf so that .htaccess may carry the authentication directives (AllowOverride takes the keyword AuthConfig, as set above, not a file name):

<Directory /home/username/public_html/cgi-bin>
AllowOverride AuthConfig
Options ExecCGI
Order Deny,Allow
Deny from all
Allow from 192.168.0.0/16
</Directory>

Do a reload to make sure the changes take effect:
# /etc/init.d/apache2 reload
Digest authentication:
Another method for authentication is called digest authentication. With digest authentication your password is never sent across the network in the clear, because it is always transmitted as an MD5 digest of the user's password. This way passwords cannot be determined by sniffing network traffic:
Create a password file:
# mkdir /var/www/misc
# chmod a+rx /var/www/misc
# cd /var/www/misc
# htdigest -c private.passwords realm username
Adding password for username in realm realm.
New password:
Create .htaccess
# cd /home/username/public_html/cgi-bin
# vi .htaccess
Add the below in .htaccess
AuthName 'My Private Area'
AuthType Digest
AuthUserFile /var/www/misc/private.passwords
AuthGroupFile /dev/null
Require valid-user
Notes
1. For more information on htdigest please check the man pages.
2. Some older versions of web browsers don't support Digest authentication.
3. To fully protect your .htaccess use SSL.
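As an added example (my code, not the HOWTO's, the book's or Apache's), here is the arithmetic behind htdigest and Digest authentication as RFC 2617 defines it, which is what the Digest passages above and the earlier Basic-versus-Digest discussion rely on: what the password file stores, what the browser sends, and why a response captured off the wire stops working once the server's nonce changes. It assumes qop=auth and a server that keeps a set of the nonces it has issued.

```python
import hashlib
import hmac
import secrets

def _md5(text):
    return hashlib.md5(text.encode("utf-8")).hexdigest()

def htdigest_line(username, realm, password):
    """The line htdigest(1) writes to AuthUserFile: user:realm:HA1 with
    HA1 = MD5(user:realm:password); the clear-text password is never stored."""
    ha1 = _md5(f"{username}:{realm}:{password}")
    return f"{username}:{realm}:{ha1}"

def load_htdigest(text):
    """Parse an htdigest file into {(user, realm): HA1}."""
    creds = {}
    for line in text.splitlines():
        if line.strip() and not line.startswith("#"):
            user, realm, ha1 = line.split(":", 2)
            creds[(user, realm)] = ha1
    return creds

def digest_response(ha1, method, uri, nonce, nc, cnonce, qop="auth"):
    """RFC 2617 response for qop=auth: MD5(HA1:nonce:nc:cnonce:qop:HA2), HA2 = MD5(method:uri)."""
    ha2 = _md5(f"{method}:{uri}")
    return _md5(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")

def client_response(username, realm, password, method, uri, nonce, nc, cnonce):
    """Browser side: the password only enters HA1; what crosses the wire is the response hash."""
    return digest_response(_md5(f"{username}:{realm}:{password}"), method, uri, nonce, nc, cnonce)

def new_nonce():
    """Server challenge value (Apache derives its own from a timestamp plus a secret)."""
    return secrets.token_hex(16)

def server_verify(creds, valid_nonces, username, realm, method, uri, nonce, nc, cnonce, response):
    """Server side: recompute from the stored HA1. The response is bound to the nonce it was
    computed with, so a captured one fails once that nonce is no longer accepted."""
    if nonce not in valid_nonces:
        return False
    ha1 = creds.get((username, realm))
    if ha1 is None:
        return False
    return hmac.compare_digest(digest_response(ha1, method, uri, nonce, nc, cnonce), response)
```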

Where to go from here?

The next step towards a more secure Apache is to use some of the Apache modules designed to improve Apache security even further. Some examples are mod_security and mod_chroot. Also, to protect our authentication we will need to configure SSL. An upcoming HOWTO will show you how to use SSL to further increase your web server's security, along with other advanced techniques. What ways would you suggest to best secure an Apache web server?
References:
Security Tips for Server Configuration: Apache.org - Security Tips
Security and Apache: An Essential Primer: Linuxplanet - Apache Tutorial
Apache Homepage: https://www.apache.org