Hardening the Apache HTTP Server

Peter Lorenzen
14/02-2013

After having been through security audits over the years I now have a short list of things I always change after having installed an Apache HTTP Server.

It is not much, but it always moves the focus from the Apache server to the applications and thereby off my desk :-)

Before moving to the configuration I have a couple of other tips.

Download and installation
You should of cause always use the latest version of Apache. Don’t download and install Apache “manually” unless you are forced to do it. If you are using Red Hat / Oracle Linux use the Apache that is distributed with them.

Notice that the Red Hat version numbers are different from what http://httpd.apache.org uses.
Currently the latest official version of Apache 2.2 is 2.2.23. The latest 2.2 from Red Hat is called httpd-2.2.15-15. But if you check the CVE identifiers that were fixed with version 2.2.23 they are also fixed in httpd-2.2.15-15.

If you use Windows you have to download and install Apache yourself. Don’t trust the files you download from mirror sites. On the main Apache site you can find PGP signature and MD5 hashes for all downloads. So check that they match. You can use the fciv tool to do an MD5 hash.

C:\Temp>fciv httpd-2.2.22-win32-x86-no_ssl.msi
//
// File Checksum Integrity Verifier version 2.05.
//
29764b87d44f4f873758a3b5452d66ce httpd-2.2.22-win32-x86-no_ssl.msi

Update – The Windows binaries are not available from the Apache Software Foundation anymore.

Always install as little as possible. I do not install the documentation and the Service Taskbar Icon.

Scanners
It’s a good idea to scan your servers for weaknesses on a regular basis. Nessus seems to be the weapon of choice but it is expensive. You can try if for free for a couple of weeks.

I have sometimes used Nikto.

It is easy to get started just download and unzip/untar. You need Perl and for ssl support you need the perl-Net-SSLeay package.

To run simple scans:

perl nikto.pl -h scanme.nmap.org -p 80 -nossl 
perl nikto.pl -h scanme.nmap.org -p 443 -ssl

Configuration
In the httpd.conf file you should change the below. On Windows some changes should be in the httpd-default.conf file instead.

ServerSignature Off
TraceEnable Off
ServerTokens Prod

In the latest audit the auditors wanted us to remove the default index.html file. It only contains “It works!” but they still wanted it gone. If you delete some of the standard files I have experienced that they have been recreated when you run a yum update. So instead of removing it I just prevent all access to DocumentRoot. I normally only use Apache servers as proxy or Load Balancer so I don’t need access to DocumentRoot.

In the Directory tag that contains the path to DocumentRoot I put:

   Order allow,deny
   Allow from all

Don’t load modules that you do not need. Default a lot of modules are loaded that you probably do not need.

SSL configuration
Which protocols and ciphers that is “safe” changes all the time. I currently use the below in
ssl.conf (httpd-ssl.conf on Windows):

SSLProtocol -ALL +SSLv3 +TLSv1
SSLHonorCipherOrder on
SSLCipherSuite RC4-SHA:HIGH:!ADH

If your Apache is exposed to the Internet you can test your SSL configuration via https://www.ssllabs.com/ssltest

Update – It is now possible to protect against the CRIME attack on both Windows and Red Hat. On Windows you just need to install version 2.2.24. A SSLCompression directive has been introduced and it is default set to off. The directive is not available on Red Hat (yet?). Compression can instead be disabled by inserting the below in /etc/sysconfig/httpd

export OPENSSL_NO_DEFAULT_ZLIB=1

Now your servers should be back to an A rating on https://www.ssllabs.com/ssltest :-)

There are of cause other things you can do to harden your installation but the above should cover the minimum.

{ 1 comment… read it below or add one }

Jakob Kristensen April 30, 2013 at 12:45

Hi Peter,

just a small addition to the Update above.

‘apachectl restart’ did not seem to activate the change to /etc/sysconfig/httpd

Only after an ‘/etc/init.d/httpd restart’ did the no-compression setting kick in for me.

BR Jakob

Leave a Comment

{ 2 trackbacks }

Previous post:

Next post: