Secure your webserver with mod_security and mod_evasive
Tutorials
Written by Anna Hegedus   
Wednesday, 22 July 2009 19:52

There's something wonderful about running your own webserver.  However, there's something definitely not wonderful about getting it hacked or having it attacked.  With this short little tutorial, I'm going to explain some of the small things that I do to keep my servers a bit safer on the web.  I'll show you how to secure Apache, PHP, MySQL, and install some third-party addons that will keep the gates up and the baddies out.  This guide is written for Red Hat Enterprise Linux, but a lot of this stuff can also be used on Debian or even Windows with the appropriate change of various commands.

ModSecurity and Mod Evasive

When it comes down to it, the easiest thing you can do to secure a webserver is install these two modules for Apache.  Both of them are wonderful and will do their own separate things to keep your servers safe and secure.  ModSecurity is a web application firewall module that inspects requests against a rule set and helps protect you against some key exploits, including various SQL injection attacks and cross-site scripting attacks.  To install it, you can either go to ModSecurity.org or visit someone who makes the packages for your particular distro.

The second module, mod_evasive, helps to protect your server from brute force attacks and from some types of denial of service attacks.  It does this by keeping a table of addresses that attempt to connect to a resource, acting on them if they cross a certain threshold.  To get it, go to Jonathan Zdziarski's website (and give him thanks for keeping such a wonderful piece of software!).

These packages can be installed as follows on a RHEL5 system:

Install apxs by using Yum to install httpd-devel.  apxs is the Apache extension tool, which compiles a module and installs it into Apache.  You will also need pcre (the Perl-compatible regular expression library).  Install them both by smacking your keyboard until you type:

yum install httpd-devel pcre pcre-devel

Once you do this, you can install mod_evasive.

cd /usr/src
wget http://www.zdziarski.com/projects/mod_evasive/mod_evasive_1.10.1.tar.gz
tar -zxvf mod_evasive_1.10.1.tar.gz

Find the file called mod_evasive20.c and run the apxs command on it.

apxs -iac mod_evasive20.c

You have the option of setting a bunch of options for mod_evasive in your httpd.conf file.  Here is a snippet of how mine is set in there:

<IfModule mod_evasive20.c>
    DOSHashTableSize    3097
    DOSPageCount        2
    DOSSiteCount        40
    DOSPageInterval     1
    DOSSiteInterval     1
    DOSBlockingPeriod   60
    # Placeholder: put your own address here; mod_evasive mails it when a client is blocked.
    DOSEmailNotify      you@example.com
    DOSLogDir           "/var/lock/mod_evasive"
</IfModule>
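To see what those thresholds mean in practice, here is a small model of the blocking logic, added as an example (it is not mod_evasive's own code; it follows the module's documented behaviour, and the request timeline it replays is constructed):

```python
"""Toy model of mod_evasive's throttling, driven by the thresholds in the
httpd.conf snippet above.  Assumption: this follows the documented behaviour
(per-URI and per-site hit counters that restart when the previous hit is older
than the interval; a blocked client is refused for DOSBlockingPeriod seconds,
and every refused request restarts that timer).  It is not mod_evasive's code."""


class EvasiveModel:
    def __init__(self, page_count=2, site_count=40, page_interval=1,
                 site_interval=1, blocking_period=60):
        self.page_count, self.site_count = page_count, site_count
        self.page_interval, self.site_interval = page_interval, site_interval
        self.blocking_period = blocking_period
        self.page = {}     # (ip, uri) -> (time of last hit, hits in window)
        self.site = {}     # ip -> (time of last hit, hits in window)
        self.blocked = {}  # ip -> time of the most recent refused request

    @staticmethod
    def _hit(table, key, now, interval):
        """Count one hit; the window restarts if the previous hit is too old."""
        last, count = table.get(key, (None, 0))
        count = count + 1 if last is not None and now - last < interval else 1
        table[key] = (now, count)
        return count

    def request(self, ip, uri, now):
        """Return the status mod_evasive would give this request: 200 or 403."""
        if ip in self.blocked:
            if now - self.blocked[ip] < self.blocking_period:
                self.blocked[ip] = now        # a refused hit extends the block
                return 403
            del self.blocked[ip]              # blocking period has expired
        page_hits = self._hit(self.page, (ip, uri), now, self.page_interval)
        site_hits = self._hit(self.site, ip, now, self.site_interval)
        if page_hits > self.page_count or site_hits > self.site_count:
            self.blocked[ip] = now
            return 403
        return 200


def replay(model, requests):
    """Feed (ip, uri, seconds) tuples to the model; return the status list."""
    return [model.request(ip, uri, t) for ip, uri, t in requests]


if __name__ == "__main__":
    # Constructed traffic: one client reloading index.php three times in 0.4 s.
    burst = [("10.0.0.5", "/index.php", t) for t in (0.0, 0.2, 0.4)]
    print(replay(EvasiveModel(), burst))  # [200, 200, 403]
```

With DOSPageCount 2 and a one-second interval, a browser that double-refreshes a page can trip the block, so watch the mod_evasive lock directory and raise the count if legitimate users get 403s.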

To install mod_security, you can either follow a similar procedure, or you can install the sweet RPM provided by Jason Litka in his RPM repository! Hot darn!

I like doing it the old-fashioned way though...by source.  Go to Modsecurity.org and download the source.

wget http://www.modsecurity.org/download/modsecurity-apache_2.5.9.tar.gz
tar -zxvf modsecurity-apache_2.5.9.tar.gz
cd modsecurity-apache_2.5.9/apache2
./configure

The configure script will look for apxs and pcre support (did you install the RPMs yet? :) )
Now build it with the 'make' command and install it with 'make install'.

make
make install

Once it's installed, you can get the updated Core Rules for ModSecurity at the modsecurity.org website.

cd /etc/httpd/modsecurity.d/
wget http://www.modsecurity.org/download/modsecurity-core-rules_2.5-1.6.1.tar.gz
tar -zxvf modsecurity-core-rules_2.5-1.6.1.tar.gz
ls -la
rm modsecurity-core-rules_2.5-1.6.1.tar.gz

Now tail Apache's error log (/var/log/httpd/error_log on RHEL; the notices below are written when httpd starts up) and see if you get any messages like the following:

[Wed Jul 22 21:43:52 2009] [notice] ModSecurity for Apache/2.5.9 (http://www.modsecurity.org/) configured.
[Wed Jul 22 21:43:52 2009] [notice] Original server signature: Apache/2.2.3 (Red Hat)

If so, Mod_security is installed!  You may have to add the line "SecRuleEngine On" to your httpd.conf, but I didn't have to.

SecRuleEngine On

To test it out and make sure it's working, you can throw it something and see if it catches it. If you have an index.php file, you can try tailing the log file at /var/log/httpd/modsec_audit.log while visiting this address (replace example.com with your webserver address):


http://www.example.com/index.php?action=&type=view&s=&id=-1'%20union%20select%200,
concat(char(85),char(115),char(101),char(114),char(110),char(97),char(109),char(101),
char(58),name,char(32),char(124),char(124),char(32),
char(80),char(97),char(115),char(115),char(119),char(111),char(114),char(100),char(58)
,pass),0,0,0,0,0%20from%20phpdesk_admin/*

You should see an entry for that request appear in the audit log.  If so, you have it set up correctly!

Securing Apache

The next step is to make sure your web server itself is good and secure.  Mostly, you want to make sure that it's not telling people more information than it should.  If you are running Apache 2, the following things will make your server a little more selective in what information it gives out, plus a few other small tweaks.

First, turn off your server's signature.  When people get an error or status page, there is a little line at the bottom of the page that tells others what type of server you are running.  In addition to this, every HTTP response carries the same information in its Server header.  To eliminate the version information from your server's headers and from status pages, edit the "ServerTokens" line in your httpd.conf.  Also, you want to change ServerSignature to 'Off'.

ServerTokens Prod
ServerSignature Off

Good.  Look at the difference between these two header dumps of the web page.

With ServerTokens OS:

[root@bixby html]# lynx -head -dump http://www.annahegedus.com
HTTP/1.1 200 OK
Date: Thu, 23 Jul 2009 15:13:05 GMT
Server: Apache/2.2.0 (Fedora)
X-Powered-By: PHP/5.1.6
Set-Cookie: b416d3eb41c0974ec667a187e54069a9=kspn3g25smh78udendqib9m5d5; path=/
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM"
Expires: Mon, 1 Jan 2001 00:00:00 GMT
Last-Modified: Thu, 23 Jul 2009 15:13:05 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=utf-8

With ServerTokens Prod:

HTTP/1.1 200 OK
Date: Thu, 23 Jul 2009 15:14:50 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
Set-Cookie: b416d3eb41c0974ec667a187e54069a9=a6roe1bg6dsv09k7m0u9uip7v6; path=/
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM"
Expires: Mon, 1 Jan 2001 00:00:00 GMT
Last-Modified: Thu, 23 Jul 2009 15:14:51 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=utf-8

Notice how the line "Server" has changed to one without any version information?  That's good because it keeps people from knowing what version of Apache you've got under the hood.
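To check this without reading header dumps by eye, here is an added example (not from the original post) that parses a response's headers and flags version information.  The dumps are constructed from the ones above, and the checker also catches the X-Powered-By header that the PHP section's expose_php setting removes:

```python
import re

# Constructed header dumps modelled on the lynx -head output above (trimmed).
WITH_OS_TOKENS = """HTTP/1.1 200 OK
Server: Apache/2.2.0 (Fedora)
X-Powered-By: PHP/5.1.6
Content-Type: text/html; charset=utf-8
"""
WITH_PROD_TOKENS = """HTTP/1.1 200 OK
Server: Apache
X-Powered-By: PHP/5.1.6
Content-Type: text/html; charset=utf-8
"""
PROD_AND_EXPOSE_PHP_OFF = """HTTP/1.1 200 OK
Server: Apache
Content-Type: text/html; charset=utf-8
"""

VERSION = re.compile(r"/\d+(?:\.\d+)*")  # matches "Apache/2.2.0", "PHP/5.1.6"


def parse_headers(raw):
    """Map lower-cased header names to values; the status line is skipped."""
    headers = {}
    for line in raw.splitlines()[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return headers


def leaks(raw):
    """List what a response still tells the world about the software stack."""
    h = parse_headers(raw)
    findings = []
    server = h.get("server", "")
    if VERSION.search(server) or "(" in server:   # version number or OS token
        findings.append(f"Server reveals version/OS: {server!r}; set ServerTokens Prod")
    if "x-powered-by" in h:
        findings.append(f"X-Powered-By reveals {h['x-powered-by']!r}; set expose_php = Off")
    return findings


if __name__ == "__main__":
    for label, dump in (("OS", WITH_OS_TOKENS), ("Prod", WITH_PROD_TOKENS),
                        ("Prod + expose_php Off", PROD_AND_EXPOSE_PHP_OFF)):
        print(label, "->", leaks(dump) or "clean")
```

Feed it the output of lynx -head -dump (or curl -I) against your own server to confirm both fixes took effect.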

Next up, you want to comment out some of the less used modules in the install that are put there by default.  All of the LoadModule lines in your configuration can be looked over.  For example, I don't really use ldap, so I can disable the ldap module by putting a hash mark in front of it.

#LoadModule ldap_module modules/mod_ldap.so

I disabled the cgi_module, the info_module, the status_module, the ldap module, and a couple of others.  If something doesn't work anymore, you can always remove the hash and it'll load again after a 'service httpd restart'.


Next up, make sure you have blocks like the following so that people can't fetch sensitive files over the web: .htaccess and .htpasswd, configuration files, editor backup copies of your PHP scripts (index.php~) and .phps source listings.  The argument to <Files ~> is a regular expression matched against the file name, so for extensions anchor the pattern at the end of the name; a pattern like "^\.php~" would only match a file whose name starts with ".php~" and would let index.php~ through.

<Files ~ "^\.ht">
Order allow,deny
Deny from all
</Files>

<Files ~ "\.conf$">
Order allow,deny
Deny from all
</Files>

<Files ~ "\.cfg$">
Order allow,deny
Deny from all
</Files>

<Files ~ "\.php~$">
Order allow,deny
Deny from all
</Files>

<Files ~ "\.phps$">
Order allow,deny
Deny from all
</Files>
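Because the argument to <Files ~> is a regular expression, it's worth checking what each pattern actually matches before relying on it.  The following added example (not from the original post; the file names are constructed) compares patterns anchored at the start of the name with patterns anchored at the end, using re.search as the stand-in for Apache's regex match:

```python
import re

# The argument of <Files ~ "..."> is a regular expression that Apache searches
# for anywhere in the file name, much like re.search below.
START_ANCHORED = [r"^\.ht", r"^\.conf", r"^\.cfg", r"^\.php~", r"^\.phps"]
END_ANCHORED = [r"^\.ht", r"\.conf$", r"\.cfg$", r"\.php~$", r"\.phps$"]

# Constructed directory listing: what a typical docroot might contain.
FILES = [".htaccess", ".htpasswd", "index.php", "index.php~", "index.phps",
         "db.conf", "app.cfg", "logo.png"]


def denied(filename, patterns):
    """True if any <Files ~> pattern matches, i.e. Apache would refuse it."""
    return any(re.search(p, filename) for p in patterns)


def still_served(filenames, patterns):
    """Files the patterns let through; sensitive names in this list are a bug."""
    return [f for f in filenames if not denied(f, patterns)]


if __name__ == "__main__":
    print("start-anchored still serves:", still_served(FILES, START_ANCHORED))
    print("end-anchored still serves:  ", still_served(FILES, END_ANCHORED))
```

The start-anchored set lets index.php~, index.phps, db.conf and app.cfg through; the end-anchored set only leaves index.php and logo.png, which is what you want.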

Now, protect the directories that you have important things in which you don't want anyone else to get to.  Do this with <Directory> lines, like the following:

<Directory /var/www/html/teddybears>
Options -ExecCGI -FollowSymLinks -Indexes
Order allow,deny
Allow from 192.168.1.0/24
Allow from 128.2.93.0/24
</Directory>

This will keep the directory named 'teddybears' unviewable to people outside of 192.168.1.0/24 and 128.2.93.0/24.

Next up, turn off some of the options for the directories.  In the above example, CGI execution, the ability to follow symlinks, and directory indexes have been turned off for the teddybears directory.  You might want to disable at least Indexes, because a directory listing gives people an idea of what's on your server whenever there is no default page to be served.

Some things to do for PHP

Look for a file called php.ini in your /etc/ folder and open it in a text editor.

Turn off expose_php.  With it on, PHP adds an X-Powered-By header with its version to every response (you can see it in the header dumps above), and while hiding it is not a security measure by any means, the less info anybody has about my server, the better.

expose_php = Off

Now, turn off allow_url_fopen.  With it on, PHP's file functions can open remote http:// URLs as if they were local files, which is what remote file inclusion attacks rely on.

allow_url_fopen = Off

Don't show errors to people on the web. Disable that with display_errors.

display_errors = Off

Hopefully these few tips help you to secure your webserver a bit further than what you normally would. Happy web site building!

Last Updated on Thursday, 23 July 2009 11:04