Thoughts on securing apache

**wmorri** · 02-27-2009, 10:42 PM

Hi,

I am looking for information on how to secure my apache server. It is just running with the standard security features. I did a little reading on how to secure it from the apache website but it didn't make a lot of senses to me. So I am looking for some ideas from the folks here at the forum.

I am running Fedora 10 and apache mod_ssl just so that you know.

Cheers!

Skie · 02-28-2009, 08:18 AM

mod_ssl will only give you SSL capabilities to encrypt the actual transmission. It won't do anything for you in regards to securing the actual software.

What things confused you? Perhaps someone can explain things better.

One place you may wish to start if you're using any PHP scripts (any scripts or no scripts, doesn't matter, it helps) is to install and configure ModSecurity. It basically looks for specific URL's that are accessing your server and rejects them. Here's an example of my Mod Security log.

Code:

Date  	Time  	IP  	GET  	Host  	Message  	Action
2007-11-24 	10:36:40 	1.2.3.4 	/cgi-bin/phf?Qalias=x%0a/bin/cat%20/etc/passwd HTTP/1.1 	www.domain.com 	Access denied with code 406. Pattern match "/etc/passwd" at THE_REQUEST 	406

What's happening here is someone's trying to gain access to the /etc/passwd file and display it using cat. Normally, a properly configured Apache and PHP server won't allow something like this, but people do find security holes in the software and use it to take advantage of it. This time around, they're trying to use a perl script that may or may not be located in cgi-bin. What ModSecurity does is it stops these types of attacks from even reaching Apache/PHP/whatever.

**wmorri** · 02-28-2009, 08:18 PM

Skie,

Here are a couple of things that I am looking for. One is how to set up .htaccess. I have heard that it is important. The other thing is this server will be hosting my home business site, and I will be sending personal information over it, i.e. names and emails, so I don't want people to be able to see the traffic going through it.

These are just a couple that I can think of for now. Right now my server is just for my home use. But, I might want to use it for something else later on. I am definitely going to look at ModSecurity it looks really interesting.

Cheers!

Skie · 02-28-2009, 09:07 PM

The .htaccess file can do a number of things (redirecting users to a different page/website, blocking users from seeing a page, handling HTTP Authentication, etc). I haven't learned everything there is to know about them as there is a lot of features that you can use and sometimes they can get quite complex. I've only used the features that I specifically needed. If you take a look at this .htaccess generator, you'll see what I'm talking about. http://cooletips.de/htaccess/ Mod Rewrite is probably the most commonly used feature.

For transmitting personal information, you'll definately want SSL. You'll need to purchase an SSL certificate and you'll need a dedicated IP address (If any other websites share the same IP and you try to use https on them, you'll get the main site that's set up for SSL instead).

If you're using Apache 2.x, I can give you my ModSecurity config which should work for you without any issues. Unfortunately, if you're using Apache 1.x, then my config won't work as the syntax for ModSecurity changed between Apache versions.

The biggest security risk is the scripts/software that you're using. Everytime one of my customers has had their website hacked, it was because they failed to properly update their PHP or Perl scripts. However, you'll also want to make sure that you keep Apache, Perl and PHP itself updated. And I shouldn't have to say it, but keep the Kernel and the rest of the software on that system up to date as well. If you're not using the server for anything other then as a web server, disable any other software. Better yet, uninstall it. The more you have installed/running, the bigger the security risk. If you never use/login using a GUI, then remove Gnome/KDE/X. There's no reason to ever keep it.

**wmorri** · 03-01-2009, 07:50 PM

Hi Skie,

I am having problems with the ./configure command. It is giving me this:

Code:

[root@localhost apache2]# ./configure
checking for g++... no
checking for c++... no
checking for gpp... no
checking for aCC... no
checking for CC... no
checking for cxx... no
checking for cc++... no
checking for cl.exe... no
checking for FCC... no
checking for KCC... no
checking for RCC... no
checking for xlC_r... no
checking for xlC... no
checking for C++ compiler default output file name...
configure: error: in `/home/will/Desktop/modsecurity-apache_2.5.7/apache2':
configure: error: C++ compiler cannot create executables
See `config.log' for more details.
[root@localhost apache2]#

I am wondering if you could give me some insight on this and how to install some of these and I can take it from there. I tried to install them from terminal and was only able to install gpp.

Cheers!

Skie · 03-02-2009, 07:42 AM

It looks like gcc is not installed or not properly installed. Which distro are you using on that computer? If it's ubuntu, please run the following:

Code:

sudo apt-get install build-essential

If Fedora, you need to run the following as root:

Code:

yum install gcc
yum install binutils

That should take care of everything. If not, let me know.

**wmorri** · 03-02-2009, 10:04 PM

Here is what I get when I try that:

Code:

[root@localhost ~]# yum install gcc
Loaded plugins: refresh-packagekit
Setting up Install Process
Parsing package install arguments
Package gcc-4.3.2-7.i386 already installed and latest version
Nothing to do
[root@localhost ~]# yum install binutils
Loaded plugins: refresh-packagekit
Setting up Install Process
Parsing package install arguments
Package binutils-2.18.50.0.9-8.fc10.i386 already installed and latest version
Nothing to do
[root@localhost ~]#

Cheers!

Skie · 03-03-2009, 07:43 AM

Strange. Try this:

Code:

yum install gcc-c++ 
yum install cpp

You could combine those as "yum install gcc-c++ cpp", but I wrote them seperately. The first one should install fine, the second one should say it's already installed. Or they'll both install fine.

**wmorri** · 03-05-2009, 12:49 AM

Ok,

Sorry for the delay, I was taking a couple days off from this project to clear my head. I got some of the configure to work but now I am getting this message.

Quote:

configure: looking for Apache module support via DSO through APXS
configure: error: couldn't find APXS
[root@localhost apache2]#

I will do a little looking but don't know what I will find.

Cheers!

Skie · 03-05-2009, 08:49 AM

As root, run "updatedb". When it's done, type "locate apxs". If it's found, it should be at /usr/bin/apxs2.

**wmorri** · 03-05-2009, 04:33 PM

Hi,

Ok here is what I found when I did that.

Quote:

[root@localhost apache2]# locate apxs
/home/will/Desktop/modsecurity-apache_2.5.7/apache2/build/apxs-wrapper.in

Cheers!

02-27-2009, 10:42 PM	#1 (permalink)
wmorri Moderator/Fedora Amb. Join Date: May 2008 Location: /pm/etc Posts: 2,715 OS: Window 7/Fedora 10 My System	Thoughts on securing apache Hi, I am looking for information on how to secure my apache server. It is just running with the standard security features. I did a little reading on how to secure it from the apache website but it didn't make a lot of senses to me. So I am looking for some ideas from the folks here at the forum. I am running Fedora 10 and apache mod_ssl just so that you know. Cheers! __________________ Linux Forever!

02-28-2009, 08:18 AM	#2 (permalink)
Skie Manager, Alternative Comp Join Date: Mar 2003 Location: Chicago burbs Posts: 2,194 OS: Gentoo Linux, CentOS, OS X My System	Re: Thoughts on securing apache mod_ssl will only give you SSL capabilities to encrypt the actual transmission. It won't do anything for you in regards to securing the actual software. What things confused you? Perhaps someone can explain things better. One place you may wish to start if you're using any PHP scripts (any scripts or no scripts, doesn't matter, it helps) is to install and configure ModSecurity. It basically looks for specific URL's that are accessing your server and rejects them. Here's an example of my Mod Security log. Code: Date Time IP GET Host Message Action 2007-11-24 10:36:40 1.2.3.4 /cgi-bin/phf?Qalias=x%0a/bin/cat%20/etc/passwd HTTP/1.1 www.domain.com Access denied with code 406. Pattern match "/etc/passwd" at THE_REQUEST 406 What's happening here is someone's trying to gain access to the /etc/passwd file and display it using cat. Normally, a properly configured Apache and PHP server won't allow something like this, but people do find security holes in the software and use it to take advantage of it. This time around, they're trying to use a perl script that may or may not be located in cgi-bin. What ModSecurity does is it stops these types of attacks from even reaching Apache/PHP/whatever. __________________

02-28-2009, 08:18 PM	#3 (permalink)
wmorri Moderator/Fedora Amb. Join Date: May 2008 Location: /pm/etc Posts: 2,715 OS: Window 7/Fedora 10 My System	Re: Thoughts on securing apache Skie, Here are a couple of things that I am looking for. One is how to set up .htaccess. I have heard that it is important. The other thing is this server will be hosting my home business site, and I will be sending personal information over it, i.e. names and emails, so I don't want people to be able to see the traffic going through it. These are just a couple that I can think of for now. Right now my server is just for my home use. But, I might want to use it for something else later on. I am definitely going to look at ModSecurity it looks really interesting. Cheers! __________________ Linux Forever!

02-28-2009, 09:07 PM	#4 (permalink)
Skie Manager, Alternative Comp Join Date: Mar 2003 Location: Chicago burbs Posts: 2,194 OS: Gentoo Linux, CentOS, OS X My System	Re: Thoughts on securing apache The .htaccess file can do a number of things (redirecting users to a different page/website, blocking users from seeing a page, handling HTTP Authentication, etc). I haven't learned everything there is to know about them as there is a lot of features that you can use and sometimes they can get quite complex. I've only used the features that I specifically needed. If you take a look at this .htaccess generator, you'll see what I'm talking about. http://cooletips.de/htaccess/ Mod Rewrite is probably the most commonly used feature. For transmitting personal information, you'll definately want SSL. You'll need to purchase an SSL certificate and you'll need a dedicated IP address (If any other websites share the same IP and you try to use https on them, you'll get the main site that's set up for SSL instead). If you're using Apache 2.x, I can give you my ModSecurity config which should work for you without any issues. Unfortunately, if you're using Apache 1.x, then my config won't work as the syntax for ModSecurity changed between Apache versions. The biggest security risk is the scripts/software that you're using. Everytime one of my customers has had their website hacked, it was because they failed to properly update their PHP or Perl scripts. However, you'll also want to make sure that you keep Apache, Perl and PHP itself updated. And I shouldn't have to say it, but keep the Kernel and the rest of the software on that system up to date as well. If you're not using the server for anything other then as a web server, disable any other software. Better yet, uninstall it. The more you have installed/running, the bigger the security risk. If you never use/login using a GUI, then remove Gnome/KDE/X. There's no reason to ever keep it. __________________

03-02-2009, 07:42 AM	#6 (permalink)
Skie Manager, Alternative Comp Join Date: Mar 2003 Location: Chicago burbs Posts: 2,194 OS: Gentoo Linux, CentOS, OS X My System	Re: Thoughts on securing apache It looks like gcc is not installed or not properly installed. Which distro are you using on that computer? If it's ubuntu, please run the following: Code: sudo apt-get install build-essential If Fedora, you need to run the following as root: Code: yum install gcc yum install binutils That should take care of everything. If not, let me know. __________________ Last edited by Skie; 03-03-2009 at 07:38 AM.

03-03-2009, 07:43 AM	#8 (permalink)
Skie Manager, Alternative Comp Join Date: Mar 2003 Location: Chicago burbs Posts: 2,194 OS: Gentoo Linux, CentOS, OS X My System	Re: Thoughts on securing apache Strange. Try this: Code: yum install gcc-c++ yum install cpp You could combine those as "yum install gcc-c++ cpp", but I wrote them seperately. The first one should install fine, the second one should say it's already installed. Or they'll both install fine. __________________

03-05-2009, 08:49 AM	#10 (permalink)
Skie Manager, Alternative Comp Join Date: Mar 2003 Location: Chicago burbs Posts: 2,194 OS: Gentoo Linux, CentOS, OS X My System	Re: Thoughts on securing apache As root, run "updatedb". When it's done, type "locate apxs". If it's found, it should be at /usr/bin/apxs2. __________________