
6 quick steps to securing Apache

rene — Mon, 01/19/2009 - 20:13

Running Apache but feeling a little insecure about how you've configured it, or perhaps about how you haven't configured it?

Some Linux vendors enable Apache features by default which give crackers better insight into your system. Insecure web applications could also allow crackers to execute system commands via Apache, eventually letting them grab a shell on your server.

Here are 6 easy steps to quickly securing Apache.

Disable Apache's ServerSignature and ServerTokens
Ever seen your web server's 404 page with something like the following in its footer?

Apache/2.2.3 (Debian) PHP/5.2.0-8+etch13 proxy_html/2.5 Server
From this, crackers can determine whether your version of Apache, PHP, Linux distribution or mod_proxy module is vulnerable to any known exploits. With 2 lines in your Apache conf you can disable this banner:
ServerTokens Prod
ServerSignature Off

Don't allow users to serve content from their home directories
The Apache mod_userdir module allows users to serve content out of their home directories, typically ~/public_html. A cracker could somehow, be it through social engineering or another attack vector, upload a script into ~/public_html and then access it from their web browser.

Once a cracker has an account on the box, they could easily set up a phishing site and run it out of ~/public_html without needing write access to any of your DocumentRoot directories.

Disable mod_userdir by ensuring that userdir_module is not loaded by Apache.

The LoadModule line for userdir_module may look something like this:

LoadModule userdir_module /usr/lib/apache2/modules/mod_userdir.so

Move your web directories onto another partition and force special mount options
There should be no reason for files within your web directories (cgi-bin directories aside) to be executable. Furthermore, there is no reason to have device nodes or setuid scripts in those same directories.

Consider moving your web directories onto another partition (say /srv/www) and forcing the noexec, nosuid and nodev mount options. Your /etc/fstab entry may look something like this:

/dev/system/www /srv/www    ext3    acl,user_xattr,noatime,noexec,nosuid,nodev 1 2

Block outbound requests by the Apache user
Crackers usually try to exploit the fact that the system user running Apache can run something like wget to download a script from an external site and then execute it.

This can be stopped easily with the SELinux boolean httpd_can_network_connect, though not everyone has SELinux installed, let alone set to enforcing.

A quick and effective way to block outbound HTTP requests (or any outbound packets) from the Apache user is with iptables and its owner match module, which lets you match packets based on the user that generated them.

Block outbound HTTP and HTTPS from the www-data user (the Apache user on a plain Debian or Ubuntu system):

iptables -A OUTPUT -m owner --uid-owner www-data -p tcp --dport 80 -j DROP
iptables -A OUTPUT -m owner --uid-owner www-data -p tcp --dport 443 -j DROP

Of course, when it comes to firewalls, the best method is to deny everything and allow only certain rules through.
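As an added example (not code from the original post), the script below turns the "deny everything, allow only certain rules" approach into a dedicated chain for the Apache user: loopback and replies to existing client connections are accepted, everything else is logged and then dropped, so an attempt to fetch a remote script leaves a trace in the kernel log. It prints the iptables commands rather than running them, and the second half parses the log lines such a rule produces. The chain name, the log prefix and the sample log lines are constructed for this example.

```shell
#!/bin/sh
# Added example, not part of the original post. Default-deny OUTPUT rules
# for the Apache user, with logging before the drop, plus a summary of the
# resulting kernel log lines. Chain name and log prefix are assumptions.

APACHE_USER="${APACHE_USER:-www-data}"   # www-data on Debian/Ubuntu

# Print the rules instead of applying them, so they can be reviewed first:
#   gen_apache_out_rules www-data | sudo sh
gen_apache_out_rules() {
    user="$1"
    cat <<EOF
iptables -N APACHE_OUT
iptables -A OUTPUT -m owner --uid-owner $user -j APACHE_OUT
# replies to clients and local-only traffic keep working
iptables -A APACHE_OUT -o lo -j ACCEPT
iptables -A APACHE_OUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# add ACCEPT rules here for anything the application legitimately needs
# (for example a database on another host), then log and drop the rest
iptables -A APACHE_OUT -m limit --limit 5/min -j LOG --log-prefix "apache-outbound: " --log-uid
iptables -A APACHE_OUT -j DROP
EOF
}

# Summarise "apache-outbound:" kernel log lines by destination and port,
# most frequent first. Reads stdin, e.g. from /var/log/kern.log.
summarise_blocked() {
    grep 'apache-outbound:' \
      | sed -n 's/.*DST=\([0-9.]*\).*DPT=\([0-9]*\).*/\1:\2/p' \
      | sort | uniq -c | sort -rn
}

# Constructed sample of what the LOG rule writes (not a real capture).
SAMPLE_KERN_LOG='Jan 19 20:13:01 web kernel: apache-outbound: IN= OUT=eth0 SRC=10.0.0.5 DST=203.0.113.7 LEN=60 PROTO=TCP SPT=43210 DPT=80 SYN URGP=0 UID=33 GID=33
Jan 19 20:13:02 web kernel: apache-outbound: IN= OUT=eth0 SRC=10.0.0.5 DST=203.0.113.7 LEN=60 PROTO=TCP SPT=43211 DPT=80 SYN URGP=0 UID=33 GID=33
Jan 19 20:13:05 web kernel: apache-outbound: IN= OUT=eth0 SRC=10.0.0.5 DST=198.51.100.9 LEN=60 PROTO=TCP SPT=43212 DPT=443 SYN URGP=0 UID=33 GID=33
Jan 19 20:13:06 web sshd[1234]: Accepted publickey for rene from 10.0.0.2 port 51234 ssh2'

# Busiest blocked destination in the sample, as "DST:DPT".
top_blocked() {
    printf '%s\n' "$SAMPLE_KERN_LOG" | summarise_blocked | head -n 1 | awk '{ print $2 }'
}

# Stand-alone run: show the generated rules and the sample summary.
gen_apache_out_rules "$APACHE_USER"
printf '%s\n' "$SAMPLE_KERN_LOG" | summarise_blocked
```

The ESTABLISHED,RELATED rule is what keeps Apache answering its clients: the responses it sends belong to connections the client opened, so without it a default-deny chain would break the web server itself.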

Enable a basic .htaccess based password on applications you haven't patched
OK, OK. This is a bit of a cop-out, but we've all experienced times when we're running a fairly outdated web application that isn't supported by the vendor. You may also have web applications that you're just not confident enough in to let everyone on the internet hit them with HTTP requests, even though they enforce their own authentication.

Bugs and vulnerabilities may have been found in the web application, yet you're reluctant to upgrade for one of many reasons:

  • you don't have enough time
  • the customer is happy with what they have and doesn't care about security
  • you're unable to schedule an outage
Why not quickly apply password or host based authentication to the web application if it's not used by the general public?

This will stop most (if not all) crackers trying to exploit the vulnerable web application, as their scanning scripts will get a 401 Authorization Required HTTP response.

Create a .htaccess file in your web application's DocumentRoot and use password authentication:

<Limit GET POST>
	AuthType Digest
	AuthName "webapp"
	AuthDigestDomain /webapp
	AuthUserFile /etc/apache2/.htpasswd
	Require valid-user
</Limit>
Check that you have auth_digest_module loaded:
LoadModule auth_digest_module /usr/lib/apache2/modules/mod_auth_digest.so
And then add a user to the htpasswd file:
$ sudo htdigest -c /etc/apache2/.htpasswd webapp [insert user here]
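As an added example (not from the original post), the shell functions below reproduce what htdigest writes and check a password against such a file. This makes the link between the realm given to htdigest and the AuthName in .htaccess explicit: the stored value is the MD5 of user:realm:password, so a realm that differs from the AuthName fails authentication, and because the hash is unsalted the file belongs outside the DocumentRoot (as in the post's /etc/apache2 path) and readable only by Apache. The functions need md5sum; the user, realm and password used are constructed.

```shell
#!/bin/sh
# Added example, not part of the original post: the digest file format
# that htdigest produces, user:realm:HA1, where HA1 = md5("user:realm:password").

# HA1 as stored by htdigest, lower-case hex.
digest_ha1() {   # user realm password
    printf '%s:%s:%s' "$1" "$2" "$3" | md5sum | cut -d' ' -f1
}

# Append an entry to a digest file (creates it if missing).
digest_add_user() {   # file user realm password
    echo "$2:$3:$(digest_ha1 "$2" "$3" "$4")" >> "$1"
}

# Return 0 when user/realm/password match a line in the file, 1 otherwise.
# The realm must be the one used as AuthName in .htaccess.
digest_check_user() {   # file user realm password
    grep -qx "$2:$3:$(digest_ha1 "$2" "$3" "$4")" "$1"
}

# Stand-alone demonstration with constructed values.
demo_file=$(mktemp)
digest_add_user "$demo_file" alice webapp 's3cret'
cat "$demo_file"
if digest_check_user "$demo_file" alice webapp 's3cret'; then echo "realm webapp: ok"; fi
if ! digest_check_user "$demo_file" alice otherrealm 's3cret'; then echo "realm otherrealm: rejected"; fi
rm -f "$demo_file"
```

One further caveat on the .htaccess above: Apache's own documentation advises against placing access control inside a <Limit> section, because <Limit GET POST> leaves every other method unrestricted; removing the <Limit> and </Limit> lines applies the Require to all methods.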
If password authentication is too much for your client to consider, force host based authentication with the following .htaccess:
<Limit GET POST>
    Order Deny,Allow
    Deny from All
    AuthName "webapp"
    AuthType Basic

    # client's IP address
    Allow From 192.168.1.100
</Limit>

Disable the cgi-bin
Do you really require a cgi-bin? The web applications running on your Apache server may not even use it. Always consider whether you can do without the cgi-bin and, if so, remove cgi_module:

LoadModule cgi_module /usr/lib/apache2/modules/mod_cgi.so
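As an added example (not the post's own code), here is a POSIX shell audit of the settings from steps 1, 2, 3 and 6 above: the banner directives, whether userdir_module and cgi_module are loaded, and the mount options on the web partition. It reads the saved output of apache2ctl -M for the module list, the fstab, and whichever config files Apache actually includes, so it runs offline; the Debian paths in the usage comment are assumptions. Two things it cannot check for you: ServerTokens Prod still sends the product name (Server: Apache), only without the version, and noexec blocks direct execution only, so scripts that an interpreter such as mod_php runs are unaffected.

```shell
#!/bin/sh
# Added example, not part of the original post. Audits the settings
# discussed in steps 1, 2, 3 and 6 from saved inputs:
#   MODULES  output of "apache2ctl -M" (loaded modules)
#   FSTAB    the fstab to inspect (normally /etc/fstab)
#   WEBDIR   mount point that should carry noexec,nosuid,nodev
#   CONF...  the Apache config files that are actually included
# Prints one "WARN:" line per weak setting and returns 1 if any were found.
audit_apache() {   # MODULES FSTAB WEBDIR CONF...
    modules="$1"; fstab="$2"; webdir="$3"
    shift 3
    [ $# -gt 0 ] || { echo "usage: audit_apache MODULES FSTAB WEBDIR CONF..."; return 2; }
    warnings=0

    # Join the config files into one stream with comments stripped.
    conf=$(cat "$@" 2>/dev/null | sed 's/#.*//')

    # Step 1: banner directives (Apache directives are case-insensitive).
    if ! printf '%s\n' "$conf" | grep -qi '^[[:space:]]*ServerTokens[[:space:]][[:space:]]*Prod'; then
        echo "WARN: ServerTokens is not Prod (version banner is sent)"
        warnings=$((warnings + 1))
    fi
    if ! printf '%s\n' "$conf" | grep -qi '^[[:space:]]*ServerSignature[[:space:]][[:space:]]*Off'; then
        echo "WARN: ServerSignature is not Off (error pages carry a footer)"
        warnings=$((warnings + 1))
    fi

    # Steps 2 and 6: modules that should not be loaded.
    for mod in userdir_module cgi_module; do
        if grep -q "^[[:space:]]*$mod[[:space:]]" "$modules"; then
            echo "WARN: $mod is loaded"
            warnings=$((warnings + 1))
        fi
    done

    # Step 3: the web partition and its mount options (fstab column 4).
    opts=$(awk -v d="$webdir" '$2 == d { print $4 }' "$fstab")
    if [ -z "$opts" ]; then
        echo "WARN: $webdir is not a separate mount in $fstab"
        warnings=$((warnings + 1))
    else
        for o in noexec nosuid nodev; do
            case ",$opts," in
                *",$o,"*) ;;
                *) echo "WARN: $webdir is mounted without $o"; warnings=$((warnings + 1)) ;;
            esac
        done
    fi

    echo "$warnings warning(s)"
    [ "$warnings" -eq 0 ]
}

# Usage on a Debian box (assumed paths; pass the files Apache really includes):
#   apache2ctl -M > /tmp/modules.txt
#   audit_apache /tmp/modules.txt /etc/fstab /srv/www \
#       /etc/apache2/apache2.conf /etc/apache2/conf.d/security
```

Passing the module list from apache2ctl -M rather than grepping for LoadModule lines avoids false positives from modules that are available on disk but not enabled, which is how Debian's mods-available and mods-enabled split works.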

Happy Hacking!
