After having been through security audits over the years I now have a short list of things I always change after having installed an Apache HTTP Server.
It is not much, but it always moves the focus from the Apache server to the applications and thereby off my desk.
Before moving to the configuration I have a couple of other tips.
Download and installation
You should of course always use the latest version of Apache. Don’t download and install Apache “manually” unless you are forced to do it. If you are using Red Hat / Oracle Linux, use the Apache that is distributed with them.
Notice that the Red Hat version numbers are different from what http://httpd.apache.org uses.
Currently the latest official version of Apache 2.2 is 2.2.23. The latest 2.2 from Red Hat is called httpd-2.2.15-15. But if you check the CVE identifiers that were fixed with version 2.2.23 they are also fixed in httpd-2.2.15-15.
If you use Windows you have to download and install Apache yourself. Don’t trust the files you download from mirror sites. On the main Apache site you can find PGP signatures and MD5 hashes for all downloads, so check that they match. You can use the fciv tool to compute an MD5 hash.
C:\Temp>fciv httpd-2.2.22-win32-x86-no_ssl.msi
//
// File Checksum Integrity Verifier version 2.05.
//
29764b87d44f4f873758a3b5452d66ce httpd-2.2.22-win32-x86-no_ssl.msi
Update – The Windows binaries are not available from the Apache Software Foundation anymore.
Always install as little as possible. I do not install the documentation and the Service Taskbar Icon.
It’s a good idea to scan your servers for weaknesses on a regular basis. Nessus seems to be the weapon of choice but it is expensive. You can try it for free for a couple of weeks.
I have sometimes used Nikto.
It is easy to get started: just download and unzip/untar. You need Perl, and for SSL support you need the perl-Net-SSLeay package.
To run simple scans:
perl nikto.pl -h scanme.nmap.org -p 80 -nossl
perl nikto.pl -h scanme.nmap.org -p 443 -ssl
In the httpd.conf file you should change the below. On Windows some changes should be in the httpd-default.conf file instead.
ServerSignature Off
TraceEnable Off
ServerTokens Prod
In the latest audit the auditors wanted us to remove the default index.html file. It only contains “It works!” but they still wanted it gone. If you delete some of the standard files I have experienced that they have been recreated when you run a yum update. So instead of removing it I just prevent all access to DocumentRoot. I normally only use Apache servers as proxy or Load Balancer so I don’t need access to DocumentRoot.
In the Directory tag that contains the path to DocumentRoot I put:
Order allow,deny
Deny from all
Don’t load modules that you do not need. By default, a lot of modules are loaded that you probably do not need.
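As an added example (not part of the original post), this Python check reads httpd.conf text, reports where it differs from the settings above and lists the loaded modules for review. It assumes Apache 2.2 style access directives and does not follow Include files; `audit` and `SAMPLE` are names made up for this example.

```python
import re
# Values from the text above; Apache directive names are case-insensitive.
REQUIRED = {"serversignature": "off", "traceenable": "off", "servertokens": "prod"}

def audit(conf_text):
    """Return (findings, loaded_modules) for Apache 2.2 style config text."""
    seen, access, modules, docroot, section = {}, {}, [], None, None
    for line in map(str.strip, conf_text.splitlines()):
        if not line or line.startswith("#"):
            continue
        opened = re.match(r'<Directory\s+"?([^">]+)"?\s*>', line, re.I)
        if opened:
            section = opened.group(1).rstrip("/")
            access[section] = []
        elif line.lower().startswith("</directory"):
            section = None
        else:
            name, value = (line.split(None, 1) + [""])[:2]
            name, value = name.lower(), value.strip('"')
            if name == "documentroot":
                docroot = value.rstrip("/")
            elif name == "loadmodule" and value:
                modules.append(value.split()[0])
            elif name in REQUIRED:
                seen[name] = value.lower()  # last occurrence wins
            elif section is not None and name in ("order", "allow", "deny"):
                access[section].append((name, " ".join(value.lower().split())))
    findings = ["%s is %s, expected %s" % (n, seen.get(n, "unset"), want)
                for n, want in REQUIRED.items() if seen.get(n) != want]
    rules = access.get(docroot) if docroot else None
    if rules is None:
        findings.append("no <Directory> block found for DocumentRoot")
    elif ("deny", "from all") not in rules or any(r[0] == "allow" for r in rules):
        findings.append("DocumentRoot %s is still reachable" % docroot)
    return findings, modules

# Constructed sample resembling an untouched install (not from the post).
SAMPLE = """ServerTokens OS
ServerSignature On
LoadModule status_module modules/mod_status.so
DocumentRoot "/var/www/html"
<Directory "/var/www/html">
    Order allow,deny
    Allow from all
</Directory>
"""
if __name__ == "__main__":
    print(audit(SAMPLE))
```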
Which protocols and ciphers are “safe” changes all the time. I currently use the below in ssl.conf (httpd-ssl.conf on Windows):
SSLProtocol -ALL +SSLv3 +TLSv1
SSLHonorCipherOrder on
SSLCipherSuite RC4-SHA:HIGH:!ADH
If your Apache is exposed to the Internet you can test your SSL configuration via https://www.ssllabs.com/ssltest
Update – It is now possible to protect against the CRIME attack on both Windows and Red Hat. On Windows you just need to install version 2.2.24. An SSLCompression directive has been introduced and it is set to off by default. The directive is not available on Red Hat (yet?). Compression can instead be disabled by inserting the below in /etc/sysconfig/httpd:
export OPENSSL_NO_DEFAULT_ZLIB=1
Now your servers should be back to an A rating on https://www.ssllabs.com/ssltest
There are of course other things you can do to harden your installation, but the above should cover the minimum.