GIT – Apache Tips & Tricks: here you can find various tips & tricks for configuring and administering Apache that I have found useful. Whenever I add a new tip I will link it here, so you can use this page as the main placeholder for all the tips I post in the future. Each tip consists of a very short description, what it is used for, where you can apply it (globally, per directory or per virtual host, and whether it can be activated without administrative privileges from .htaccess) and, of course, how to implement it. I will try to keep each tip as short as possible and on a single topic, so you can go directly to what you are looking for.

1. Discover the web server software and version of a remote server

Applies: – (any web server may respond with something ‘useful’ here, depending on its configuration)
Required apache module: –
Scope: –
Type: informational, remote

Description: anyone who is interested can find out (if it is not properly hidden) what software is running on a remote web server.
Useful: for testing. If you implement my next tip (how to hide this information) you will want to test it to see that it is working properly. This is also how companies like Netcraft gather the information for their statistics.

This can be achieved in many ways, but the simplest one in my opinion is to open a basic telnet connection to port 80 on the remote server and issue a regular request such as “HEAD / HTTP/1.0” (I use HEAD because we don’t care about the content, and HTTP/1.0 because it does not require a Host header):

telnet remote_server.com 80
Trying remote_server.com...
Connected to remote_server.com.
Escape character is '^]'.
HEAD / HTTP/1.0          <- after this press ENTER twice

HTTP/1.1 200 OK
Date: Fri, 09 Jun 2006 08:18:06 GMT
Server: Apache/2.0.55 (Debian) PHP/5.1.2-1+b1 mod_ssl/2.0.55 OpenSSL/0.9.8b
Connection: close
Content-Type: text/html; charset=UTF-8

Connection closed by foreign host.

So, as you can see, it is trivial to find out that this server is running Debian as its OS (from the other version numbers we can assume it is Etch), Apache 2.0.55 as the web server, PHP 5.1.2 and OpenSSL 0.9.8b… That is far too much information for a remote user to learn about our system, right? In that case you might want to check my next Apache tip, which shows how to hide it.

2. Default apache2 configuration files location

Applies: apache 2.0.x
Required apache module: –
Scope: global server configuration
Type: informational

Description: where the default apache2 configuration files are located on various distributions.
Useful: hmm… you probably know this already, so not really useful. Just a reference in case you are not familiar with a particular Linux distribution's package.

Depending on the Linux distribution you are using, the apache package may use different defaults for where it places its configuration files. Here are the ones I have worked with; if you don’t see yours, feel free to ping me and I will add it. If in doubt, apache2ctl -V (Debian) or httpd -V (RHEL) prints the compiled-in HTTPD_ROOT and SERVER_CONFIG_FILE values, which together point to the main configuration file.

Debian:

Global server configuration location: /etc/apache2/apache2.conf
Other configuration files included in the global configuration:
– module loading
/etc/apache2/mods-enabled/*.load
/etc/apache2/mods-enabled/*.conf

– vhosts loading:
/etc/apache2/sites-enabled/[^.#]*
– other local configurations (added manually or by other packages):
/etc/apache2/conf.d/[^.#]*
– listening port:
/etc/apache2/ports.conf
– other user configurations:
/etc/apache2/httpd.conf

Running as: www-data (user) www-data (group)
Binary file: apache2 (/usr/sbin/apache2)

RHEL / Fedora / CentOS:

Global server configuration location: /etc/httpd/conf/httpd.conf
Other configuration files included in the global configuration:
– module configurations and other drop-in files:
/etc/httpd/conf.d/*.conf

Running as: apache (user) apache (group)
Binary file: httpd (/usr/sbin/httpd)

3. Hide apache software version

Applies: apache 1.3.x / apache 2.0.x
Required apache module: – (included in core)
Scope: global server configuration
Type: security

Description: How to hide the apache software version to remote requests.
Useful: to avoid disclosing unneeded information: what version are we running, is it vulnerable, what modules (which might have vulnerabilities of their own), and even what operating system we are running… That is too much information. This will not protect you in any way from real vulnerabilities if they exist, but it will at least make an attacker's life harder. It will also not stop more sophisticated fingerprinting tools from detecting some information about the web server, but at least we should not make their job easier.

I will talk in this post about two apache directives, ServerTokens and ServerSignature, and how they can be used. Basically, to provide only a minimal amount of information we set this in the main config:

ServerTokens ProductOnly
ServerSignature Off

That’s it… For a more detailed description check out the rest of the post.

ServerTokens

This directive controls whether the Server response header field sent back to clients includes a description of the generic OS type of the server as well as information about compiled-in modules.

  • set globally in the main server config (it applies to the whole server; there is no per-vhost or per-directory form).
  • the default is Full (ServerTokens Full), so if your Linux distribution has not overridden it you will be presenting all the possible information to the world. For example RHEL sets ServerTokens OS, while Debian (at the time of writing) does not set it at all, leaving the default (Full).

Possible values:

ServerTokens setting     Server header sent
ProductOnly              Server: Apache
Major                    Server: Apache/2
Minor                    Server: Apache/2.0
Minimal                  Server: Apache/2.0.55
OS                       Server: Apache/2.0.55 (Debian)
Full (the default)       Server: Apache/2.0.55 (Debian) PHP/5.1.2-1+b1 mod_ssl/2.0.55 OpenSSL/0.9.8b

Starting with apache version 2.0.44, this directive also controls the information presented by the ServerSignature directive described below.

ServerSignature

This directive allows the configuration of a trailing footer line under server-generated documents (error messages, mod_proxy directory listings, etc.).

  • this can also be set outside the global server config: in virtual hosts, per directory or in .htaccess.
  • the default is Off (ServerSignature Off), but some Linux distributions enable it. For example the Debian package enables ServerSignature in the default vhost.
  • be careful: a global Off can be overridden at vhost or directory level, so check that this is not the case (an <address> footer on a 403/404 page is the quickest sign that it is still on somewhere).

Possible values:
Off (default): suppresses the footer line
On: adds a line with the server version number and the ServerName of the serving virtual host. From version 2.0.44 on, the amount of version detail shown is controlled by the ServerTokens directive.
EMail: includes everything from On and additionally creates a “mailto:” reference to the ServerAdmin.

Note: setting these directives to provide minimal information will not make your server more secure by itself. If you are running vulnerable versions you should upgrade them as soon as possible. Still, many worms check this banner and launch their attack only if they find something they like (for example a vulnerable mod_ssl); many others check nothing and simply try the exploit against every server. There are also more complex fingerprinting tools that can work out various details about your web server even with these directives set to the minimum. Even so there is a clear advantage: they will not get information as accurate as what the default apache banner hands out.

Conclusion: if you want to provide minimum information about your system, set this in your main apache config:

ServerTokens ProductOnly
ServerSignature Off

ps. check out future tips that will show how you can change the apache banner to present some other information (for example SomeWebServer instead of Apache).

4. Hide PHP version (X-Powered-By)

Applies: apache 1.3.x / apache 2.0.x
Required apache module: mod-php4/mod-php5
Scope: php.ini
Type: security

Description: How to hide the PHP version from remote requests.
Useful: to avoid disclosing unneeded information. This tip shows how to suppress the PHP banner X-Powered-By.

If you are using the PHP module in your web server (as most of us are), there is one additional step that needs to be completed after hiding the apache banner, and this is what I show in this tip.

After implementing the apache directives ServerTokens and ServerSignature as shown in “Hide apache software version“, we test against a regular html file (this time with the HEAD command from libwww-perl's lwp-request; the Client-* headers in the output are added locally by that tool, not sent by the server) and get the following response:

HEAD http://remote_server.com/index.html
200 OK
Connection: close
Date: Fri, 16 Jun 2006 01:13:23 GMT
Server: Apache
Content-Type: text/html; charset=UTF-8
Client-Date: Fri, 16 Jun 2006 21:42:53 GMT
Client-Peer: 192.168.0.102:80
Client-Response-Num: 1

This looks good. But if we do the same thing against a URL that is a PHP file:

HEAD http://remote_server.com/index.php
200 OK
Connection: close
Date: Fri, 16 Jun 2006 01:16:30 GMT
Server: Apache
Content-Type: text/html; charset=UTF-8
Client-Date: Fri, 16 Jun 2006 21:48:13 GMT
Client-Peer: 192.168.0.102:80
Client-Response-Num: 1
X-Powered-By: PHP/5.1.2-1+b1

Oops… As we can see, PHP adds its own banner:
X-Powered-By: PHP/5.1.2-1+b1

Let’s see how we can fix it. To prevent PHP from exposing the fact that it is installed on the server by adding its signature to the response headers, we need to locate the expose_php setting in php.ini and turn it off. By default expose_php is set to On.
In your php.ini (depending on your Linux distribution this can be found in various places, like /etc/php.ini, /etc/php5/apache2/php.ini, etc.) locate the line “expose_php = On” and set it to Off:

expose_php = Off 

After making this change (and restarting apache, since mod_php reads php.ini only at startup) PHP will no longer add its signature to the response headers. This will not make your server more secure by itself; it only prevents remote hosts from easily seeing that you have PHP installed and which version you are running. As a bonus, expose_php = Off also disables the PHP logo and credits “easter egg” query strings, which are another well-known way of confirming that PHP is present.
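As an added example, not part of the original post, here is a small Python checker that ties tips 1, 3 and 4 together: it parses the Server header into product, version, OS and module tokens, infers which ServerTokens level would produce such a banner, flags an X-Powered-By header, and can run the HEAD request against a live host (the host name is whatever you pass in; the sample banners are the ones from the post's own output). A Full banner from a build that exposes no module tokens is indistinguishable from an OS banner, so that case is reported as OS.

```python
"""Added example (not from the original post): parse apache's Server and
PHP's X-Powered-By headers and infer the ServerTokens level in use."""
import http.client
import re

# Shape of an apache banner: product[/version] [(os)] [module/version ...]
_BANNER = re.compile(
    r"^(?P<product>[^/\s(]+)"
    r"(?:/(?P<version>\S+))?"
    r"(?:\s+\((?P<os>[^)]*)\))?"
    r"(?P<rest>.*)$"
)


def parse_banner(server_header):
    """Split a Server header into product, version, OS token and module tokens."""
    m = _BANNER.match(server_header.strip())
    if not m:  # empty or malformed header
        return {"product": server_header.strip(), "version": None,
                "os": None, "modules": []}
    return {
        "product": m.group("product"),
        "version": m.group("version"),
        "os": m.group("os"),
        "modules": m.group("rest").split(),
    }


def tokens_level(server_header):
    """Infer the ServerTokens setting that would produce this banner.
    'Full' without compiled-in module tokens looks exactly like 'OS', so
    that ambiguous case is reported as 'OS'."""
    b = parse_banner(server_header)
    if b["product"] != "Apache":
        return "unknown"
    if b["version"] is None:
        return "ProductOnly"
    if b["modules"]:
        return "Full"
    if b["os"]:
        return "OS"
    return {0: "Major", 1: "Minor"}.get(b["version"].count("."), "Minimal")


def assess_headers(headers):
    """Turn a dict of response headers (any key case) into findings."""
    h = {k.lower(): v for k, v in headers.items()}
    findings = []
    server = h.get("server")
    level = tokens_level(server) if server else None
    if level not in (None, "ProductOnly", "unknown"):
        findings.append(f"Server header leaks detail (looks like ServerTokens {level}): {server}")
    powered = h.get("x-powered-by")
    if powered:
        findings.append(f"X-Powered-By present (set expose_php = Off in php.ini): {powered}")
    return {"server": server, "tokens_level": level,
            "x_powered_by": powered, "findings": findings}


def probe(host, port=80, path="/", timeout=10):
    """Send the same HEAD request as the telnet session in tip 1 and assess
    the answer. Needs network access to the target."""
    conn = http.client.HTTPConnection(host, port, timeout=timeout)
    try:
        conn.request("HEAD", path, headers={"Host": host})
        resp = conn.getresponse()
        return resp.status, assess_headers(dict(resp.getheaders()))
    finally:
        conn.close()


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "localhost"
    status, report = probe(target)
    print(f"{target}: HTTP {status}, Server={report['server']!r}, "
          f"ServerTokens~{report['tokens_level']}")
    for finding in report["findings"]:
        print(" -", finding)
```

Run it before and after changing ServerTokens, ServerSignature and expose_php; an empty findings list means the headers no longer give anything away beyond the product name.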

5. Hide a file type from directory indexes

Applies: apache 1.3.x / apache 2.0.x
Required apache module: mod_autoindex
Scope: global server configuration, virtual host, directory, .htaccess
Type: security

Description: How to hide some files from appearing in directory indexes.
Useful: to prevent certain files from appearing in directory indexes, in case indexes need to remain enabled. This is particularly useful for non-html files (raw files not parsed by apache and returned as-is to the browser), for example php include files, libraries (which may not have the php extension), log files, or any other file you don’t want users to easily spot in the browser.

Normally I disable directory indexes and this is not needed, but if you have to keep directory indexes ON for some reason, then it is a good idea to hide some files from showing in them.
This will not prevent people from fetching the files as long as they know (or guess) the file name/location; it only hides the files from the generated index. Some good examples of files to hide this way:

  • .htaccess (for obvious reasons)
  • *.bak *~ (backup copies of parsed web files can otherwise be downloaded as raw source)
  • RCS CVS *,v *,t (hide CVS-related files)
  • *.inc (or whatever file extension you use for files included from regular php files)

These are just examples and you should use this directive based on your particular need.

IndexIgnore

We will use the apache directive IndexIgnore to hide the list of files. Since this can be used in the global configuration and also in virtual host configuration, per directory or in .htaccess, it is useful to know that each additional IndexIgnore line adds its patterns to the list of hidden files rather than replacing a previous definition (the lists are merged all the way down to .htaccess). So you can organise it as you see fit (put them all in one place on a single line, or define several ignore lists, etc.). To hide the file types from above from directory indexes:

IndexIgnore .htaccess
IndexIgnore .??* *~ *# HEADER* README* RCS CVS *,v *,t
IndexIgnore *.inc *.bak

Or the same thing in one single line:

IndexIgnore .htaccess .??* *~ *# HEADER* README* RCS CVS *,v *,t *.inc *.bak

Some Linux distributions ship defaults for this directive, but if you have directory indexes ON you should really look into it and add the files you don’t want users to see in a directory index. Two details worth knowing: the patterns only use the wildcards * and ?, matched against the file name, so .??* already hides .htaccess and every other dotfile of at least three characters (the explicit .htaccess entry is harmless but redundant), and *.inc does not hide config.inc.php, which is fine because that file is parsed by PHP anyway.

6. Disable directory indexes

Applies: apache 1.3.x / apache 2.0.x
Required apache module: core (the Options directive); mod_autoindex is what generates the index when it is allowed
Scope: global server configuration, virtual host, directory, .htaccess
Type: security

Description: How to disable directory indexes.
Useful: to prevent the server from showing a listing of the existing files when there is no index file (as defined by DirectoryIndex) in a folder. In my opinion, if you need this enabled you should enable it only on the particular directories that need it and disable it server-wide. Where you do enable it, hide any files that need to stay private, as shown in “Hide a file type from directory indexes“.

Options – Indexes

The Options directive is where you enable or disable index generation. Its compiled-in default is All (which turns Indexes on too), but normally you will see this overridden by each distribution, either globally or inside the default vhost definition.

As I said, my approach is to start by disabling directory indexes globally. This is done in the main server config by adding the Options directive (or only adding the -Indexes part if you already have other global options defined; note that you cannot mix the relative +/- form and the absolute form in one Options directive):

Options -Indexes

As long as you do not override this inside any directory or vhost, directory indexes stay disabled. Your root directory block may look like this, for example:

<Directory />
    Options FollowSymLinks
    AllowOverride None
</Directory>

The important thing is not to add Indexes to it. Because an absolute Options list replaces whatever was inherited from the server config, Indexes is off here simply because it is not listed. As long as you have AllowOverride None, accidental changes in .htaccess files are prevented (AllowOverride Options would let a .htaccess turn them back on).

If you want to enable index generation for a particular directory or vhost, just add the Indexes option:

<Directory /www/somefolder>
    Options Indexes FollowSymLinks
    AllowOverride None
</Directory>

and this will enable index generation only in that folder. In this case you might want to prevent the listing of some file types as seen in: “Hide a file type from directory indexes“.

7. Deny access to certain file types

Applies: apache 1.3.x / apache 2.0.x
Required apache module: mod_access (provides Order/Allow/Deny; called mod_authz_host from apache 2.2 on)
Scope: global server configuration, virtual host, directory, .htaccess
Type: security

Description: How to deny access to certain file types.
Useful: to deny access to files that contain private information (log files, source code, configuration files, etc.).

I have shown how to hide some files from directory indexes. Not appearing in the index does not mean access is denied: if a remote user knows the exact location of the file, he can still fetch it with a browser. How would someone find out the location of a private file? It doesn’t really matter; paths or file names may show up in warning messages, or the directory may be browsable (without the files being hidden from the index).
So if there are ‘special files’ that must never be served to remote users, you have to deny access to them.

To achieve this we use the standard apache module mod_access, which lets us define rules in various contexts (<Directory>, <Files> and <Location> sections). Here we are interested in the <Files> section.

Allow/Deny Directive in <Files>

Your apache may already contain in its default configuration (and if not, it would be nice to add it) something similar to the following, which denies browser access to .htaccess files:

<Files ~ "^\.htaccess">
Order allow,deny
Deny from all
</Files>

This is a simple example of how to deny access to a single file by its name. If you don’t have such a configuration, it is a good idea to add it. Note that the pattern is anchored only at the start, so it also covers .htaccess.bak but not .htpasswd; the Debian default uses “^\.ht” to catch both.

Let’s see how to deny access to several files; say we want to deny access to all files with the extension .inc (the includes of our php application). Add the following lines in the appropriate context (global config, vhost/directory, or .htaccess):

<Files ~ "\.inc$">
Order allow,deny
Deny from all
</Files>

In the same way we can deny access to whatever files we need. Note that this only blocks HTTP requests: PHP’s include() reads the files straight from disk, so the application keeps working.

8. Deny access to some folders

Applies: apache 1.3.x / apache 2.0.x
Required apache module: mod_access (mod_authz_host from apache 2.2 on); mod_rewrite or mod_alias for the alternatives at the end
Scope: global server configuration, virtual host (a <Directory> section is not allowed in .htaccess; the RewriteRule and RedirectMatch alternatives below are)
Type: security

Description: How to deny access to certain folders and the files inside them.
Useful: to deny access to folders containing private information (log files, source code, password files, etc.), for example all the subversion directories (.svn).

I have shown how to deny access to files by a particular filename, by extension or by any regexp the files match. In this post we block access to folders, so instead of the <Files> section we use <Directory>.

Allow/Deny Directive in <Directory>

Let’s see how to deny access to all the .svn folders on the server.
Add the following lines in the appropriate context (global config or vhost):

<Directory ~ "\.svn">
Order allow,deny
Deny from all
</Directory>

In the same way we can deny access to other folders. Note that the regex is matched against the filesystem path and is not anchored, so it also matches paths that merely contain .svn, such as /var/www/foo.svnbackup/; if that matters, use “/\.svn(/|$)” to require a path component named exactly .svn.

Note: this will show a Forbidden page (code 403) even if the folder does not exist and is just requested from the browser by URL.
Another way to accomplish this quickly is with a Rewrite rule:

RewriteRule ^(.*/)?\\.svn/ - [F,L]

or with a redirect (mod_alias):

RedirectMatch 404 /\\.svn(/|$)

(in this last example I return 404 so the folder looks like it doesn’t exist on the server; if you prefer, return 403 – forbidden. Two details: the RewriteRule requires the trailing slash, so a request for /.svn itself is not caught, while the RedirectMatch handles both /.svn and /.svn/…; and apache’s configuration parser collapses the double backslash to a single one, so writing a single backslash gives the same regex.)
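To check what the rules from tips 7 and 8 actually cover, here is an added example of my own (not from the original post) that applies the post's four patterns to a constructed list of URL paths the way apache would (the <Files> regexes against the file name, the RewriteRule and RedirectMatch against the URL path) and reports which requests nothing blocks. It can also HEAD the same paths on a live server, which is the test to run after a config reload; the base URL is whatever you pass in.

```python
"""Added example (not from the original post): which sensitive paths the
post's <Files>, RewriteRule and RedirectMatch rules block, and which slip
through, plus a live HEAD probe for the same list."""
import http.client
import re
from urllib.parse import urlsplit

# (name, what the regex is matched against, regex, the directive from the post)
RULES = [
    ("files-htaccess", "basename", re.compile(r"^\.htaccess"), '<Files ~ "^\\.htaccess">'),
    ("files-inc", "basename", re.compile(r"\.inc$"), '<Files ~ "\\.inc$">'),
    ("rewrite-svn", "path", re.compile(r"^(.*/)?\.svn/"), "RewriteRule ^(.*/)?\\.svn/ - [F,L]"),
    ("redirect-svn", "path", re.compile(r"/\.svn(/|$)"), "RedirectMatch 404 /\\.svn(/|$)"),
]

# Constructed probe list: the files the post wants hidden plus near misses.
SAMPLE_PATHS = [
    "/.htaccess", "/.htaccess.bak", "/.htpasswd",
    "/inc/config.inc", "/inc/config.inc.php",
    "/repo/.svn/entries", "/.svn", "/.svnignore", "/foo.svn/x",
]


def matching_rules(url_path):
    """Names of the rules that would deny this request."""
    basename = url_path.rsplit("/", 1)[-1]
    hits = []
    for name, scope, rx, _directive in RULES:
        subject = basename if scope == "basename" else url_path
        if rx.search(subject):
            hits.append(name)
    return hits


def unblocked(paths):
    """Paths that none of the rules catch, in the order given."""
    return [p for p in paths if not matching_rules(p)]


def probe_paths(base_url, paths, timeout=10):
    """HEAD each path on a live server and return {path: status}. Anything
    answering 200 is being served. Needs network access to the target."""
    u = urlsplit(base_url)
    conn = http.client.HTTPConnection(u.hostname, u.port or 80, timeout=timeout)
    results = {}
    try:
        for p in paths:
            conn.request("HEAD", p, headers={"Host": u.hostname})
            resp = conn.getresponse()
            resp.read()  # drain so the connection can be reused or reopened
            results[p] = resp.status
    finally:
        conn.close()
    return results


if __name__ == "__main__":
    import sys
    for p in SAMPLE_PATHS:
        print(f"{p:24} {', '.join(matching_rules(p)) or 'NOT BLOCKED'}")
    if len(sys.argv) > 1:
        for p, status in probe_paths(sys.argv[1], SAMPLE_PATHS).items():
            print(f"{status} {p}")
```

The offline pass already shows the gaps worth closing: /.htpasswd is not covered by the ^\.htaccess pattern, /.svn without a trailing slash is missed by the RewriteRule (the RedirectMatch catches it), and config.inc.php is left alone on purpose since PHP parses it.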

9. Disable the HTTP TRACE method

Applies: apache 1.3.x / apache 2.0.x
Required apache module: core (TraceEnable), or mod_rewrite for the older workaround
Scope: global server configuration, virtual host
Type: security

Description: How to disable the HTTP TRACE method on recent apache versions.

Most vulnerability scanners (the popular nessus, but commercial ones too) will complain (normally at a low threat or warning level) about the TRACE method being enabled on the web server tested.

Normally you will have this enabled by default, but if you want to test whether it is really enabled on your server, just telnet to the port your web server runs on and request “TRACE / HTTP/1.0”; if you get a positive reply (200 OK with Content-Type: message/http and your own request echoed back in the body), TRACE is enabled. The output of a server with TRACE enabled looks like:

telnet 127.0.0.1 80
Trying 127.0.0.1...
Connected to 127.0.0.1.
Escape character is '^]'.
TRACE / HTTP/1.0
Host: foo
Any text entered here will be echoed back in the response      <- ENTER twice to finish

HTTP/1.1 200 OK
Date: Sat, 20 Oct 2007 20:39:36 GMT
Server: Apache/2.2.6 (Debian) PHP/4.4.4-9 mod_ruby/1.2.6 Ruby/1.8.6(2007-06-07)
Connection: close
Content-Type: message/http

TRACE / HTTP/1.0
Host: foo
Any text entered here will be echoed back in the response
Connection closed by foreign host.

Traditionally experts suggest disabling this with rewrite rules like:

RewriteEngine On
RewriteCond %{REQUEST_METHOD} ^TRACE
RewriteRule .* - [F]

(this needs to be added to your main apache config file, outside any vhost or directory section; keep in mind that rewrite rules from the server context are not inherited by virtual hosts unless each vhost sets RewriteOptions Inherit, so either repeat the rules in every vhost or use that option).

Still, this has the disadvantage (to name just one) that you need mod_rewrite enabled on the server. For apache 1.3.34 or newer on the legacy branch and 2.0.55 or newer for apache2 this can be done much more easily, because there is a new directive that controls whether the TRACE method is enabled:
TraceEnable off
This goes in the main server config (or in a virtual host); the default is on. TraceEnable off makes apache return a 403 FORBIDDEN error to the client.

After setting this and reloading the apache config the same server as above shows:

telnet 127.0.0.1 80
Trying 127.0.0.1...
Connected to 127.0.0.1.
Escape character is '^]'.
TRACE / HTTP/1.0
Host: foo
testing...      <- ENTER twice

HTTP/1.1 403 Forbidden
Date: Sat, 20 Oct 2007 20:38:31 GMT
Server: Apache/2.2.6 (Debian) PHP/4.4.4-9 mod_ruby/1.2.6 Ruby/1.8.6(2007-06-07)
Content-Length: 320
Connection: close
Content-Type: text/html; charset=iso-8859-1

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>403 Forbidden</title>
</head><body>
<h1>Forbidden</h1>
<p>You don't have permission to access / on this server.</p>
<hr>
<address>Apache/2.2.6 (Debian) PHP/4.4.4-9 mod_ruby/1.2.6 Ruby/1.8.6(2007-06-07) Server at foo Port 80</address>
</body></html>
Connection closed by foreign host.

Notice that this test server still has ServerTokens at its Full default and ServerSignature On: the Server header lists every module, and the <address> footer of the error page repeats the whole banner. Tip 3 applies here as well.
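To verify the TRACE state without typing into telnet, here is an added example of my own (not from the original post) that sends a TRACE request carrying a random marker header and reports TRACE as enabled only when that marker comes back in a message/http body. A 403 (from TraceEnable off or the rewrite workaround), a 405, or a 200 that does not echo the marker all count as disabled; the host is whatever you pass in, and the sample responses in the test mirror the two sessions above.

```python
"""Added example (not from the original post): detect whether HTTP TRACE is
really enabled by checking that a marker header is echoed back."""
import http.client
import secrets

MARKER_HEADER = "X-Trace-Probe"  # an unused header name of our own choosing


def trace_is_enabled(status, content_type, body, marker):
    """Decide from a TRACE response whether the method is enabled.
    A genuine TRACE answer is 200 with Content-Type message/http and the
    request, including our marker, echoed in the body. Anything else (403
    from TraceEnable off or the RewriteRule, 405, or a 200 from a proxy or a
    rewrite to a normal page that does not echo the marker) is 'disabled'."""
    if status != 200:
        return False
    if not (content_type or "").lower().startswith("message/http"):
        return False
    return marker.encode() in body


def probe_trace(host, port=80, path="/", timeout=10):
    """Send the TRACE request and return (enabled, status). Needs network access."""
    marker = secrets.token_hex(8)
    conn = http.client.HTTPConnection(host, port, timeout=timeout)
    try:
        conn.request("TRACE", path, headers={"Host": host, MARKER_HEADER: marker})
        resp = conn.getresponse()
        body = resp.read()
        enabled = trace_is_enabled(resp.status, resp.getheader("Content-Type"), body, marker)
        return enabled, resp.status
    finally:
        conn.close()


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"
    enabled, status = probe_trace(target)
    print(f"{target}: HTTP {status}, TRACE {'ENABLED' if enabled else 'disabled'}")
```

Using a random marker rather than a fixed string avoids false positives from servers that answer 200 with a cached or static body; only a true echo can contain a value chosen at request time.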
