https://wiki.owasp.org/api.php?action=feedcontributions&feedformat=atom&user=NishanthkumarpathiOWASP - User contributions [en]2026-04-28T10:06:31ZUser contributionsMediaWiki 1.27.2https://wiki.owasp.org/index.php?title=Nishanthkumarpathi&diff=239257Nishanthkumarpathi2018-04-03T15:56:29Z<p>Nishanthkumarpathi: /* Summary */</p>
<hr />
<div>== Overview ==<br />
A dynamic professional having total experience of 5+ years providing Advisory, Consulting, Managed Services and Training in Blockchain, Cyber Security & Information Security domains for various Telecommunications, Banking & Finance, Transportation, Industrial Manufacturing and Information Technology enabled industries to ensure the security of personal and business critical Information across multiple geographic locations.<br />
<br />
== Professional Summary ==<br />
<br />
• Presales experience including Proposal writing, Project Estimation with cost and effort, POC and presentations to prospective clients showing company relevant experience and solution approach.<br />
<br />
• Post Sales experience including Project ownership & Account Management, Project Execution, and Tracking deliverables as per defined milestones in proposal and billing customer.<br />
<br />
• Ownership and accountability for building of Statements of Work (SOWs) for custom solutions.<br />
<br />
• Eager to take initiative and quickly adapt to market changes<br />
<br />
• Holistic understanding of the various Engineering pieces required to deliver a secure product.<br />
<br />
• Research in the Blockchain, Cyber Security, Information Security space, concisely summarizing those developments and prioritizing insight for the clients and community involved<br />
<br />
• Communicate research work to both technical and non-technical audiences in the client organizations across various levels.<br />
<br />
== Credentials ==<br />
{| class="wikitable"<br />
|· IBM Blockchain Essentials<br />
<br />
· IBM Blockchain Foundation Developer<br />
<br />
· IBM Docker Essentials<br />
<br />
· Juniper Networks Certified Professional - Security<br />
<br />
· Juniper Networks Certified Specialist - Security <br />
|· PECB Certified Trainer<br />
<br />
· ISO/IEC 20000-1:2011 Lead Auditor<br />
<br />
· ISO 22301:2012 Lead Auditor<br />
<br />
· ISO/IEC 27001:2013 Lead Auditor<br />
<br />
· ITIL Foundation Certificate in IT Service Management<br />
|}<br />
<br />
== '''Knowledge Areas & Interests''' ==<br />
{| class="wikitable"<br />
|· Security strategy and Transformation<br />
<br />
· Cyber Security Posture Assessment<br />
<br />
· Vulnerability Assessment and Penetration Testing<br />
<br />
· Cloud Security<br />
<br />
· Security Incident and Event Management<br />
<br />
· Secure Architecture for Networks & Systems<br />
<br />
· Blockchain – Ethereum, Hyperledger, Multichain<br />
|· Information Security Management<br />
<br />
· IT Compliance and Risk Management<br />
<br />
· Data Privacy Assessment<br />
<br />
· Software Licenses Compliance Management<br />
<br />
· BCP and Disaster Recovery Management<br />
<br />
· Truffle, Solidity, NodeJS<br />
|}<br />
<br />
== Contributions ==<br />
<br />
* [https://www.owasp.org/index.php/Secure_Configuration_Guide Secure Configuration Guide]<br />
<br />
== Online ==<br />
* [http://nishanth.co.in/ Portfolio]<br />
* [http://in.linkedin.com/in/nishanthkumarpathi Linkedin Profile]<br />
* [http://www.slideshare.net/pathinishanth/presentations Presentations on Slideshare]<br />
<br />
== Contact ==<br />
<br />
* [https://twitter.com/nishanthkumarp @nishanthkumarp on Twitter]</div>Nishanthkumarpathihttps://wiki.owasp.org/index.php?title=Nishanthkumarpathi&diff=202617Nishanthkumarpathi2015-10-24T15:12:40Z<p>Nishanthkumarpathi: </p>
<hr />
<div>== Summary ==<br />
Nishanth Kumar is a dynamic professional with an experience in Information Security, Network Security Analysis, and Compliance functions, Linux Administration, System Administration & Management to ensure secure information processing environment.<br />
<br />
== Skills ==<br />
<br />
Risk Assessment, Vulnerability Assessment, Penetration Testing, Perimeter Security, Incident handling, Log Analysis, Intrusion monitoring and networking.<br />
<br />
Deft in planning & managing entire IT infrastructure set-up which includes assessment of hardware /software requirements , negotiation of purchase , installation & configuration of entire IT infrastructure in line with business requirements and migration of data from legacy systems.<br />
Assessing organizational requirements for security & implementing security software system against various attacks; executing backup strategy etc.<br />
<br />
Knowledge in IT Security, Business Continuity, Risk Management and Security Audits.<br />
<br />
Documenting business process, drafting Policy / Procedures in line with ISMS standard, reviewing Business Continuity and Disaster Recovery plans & Generation of metrics review reports.<br />
<br />
Knowledge on auditing concepts.<br />
<br />
== Certifications ==<br />
<br />
Juniper Networks Certified Professional - Security <br><br />
Juniper Networks Certified Specialist - Security <br><br />
Juniper Networks Certified Associate - Junos <br><br />
<br />
== Contributions ==<br />
<br />
* [https://www.owasp.org/index.php/Secure_Configuration_Guide Secure Configuration Guide]<br />
<br />
== Online ==<br />
* [http://nishanth.co.in/ Portfolio]<br />
* [http://in.linkedin.com/in/nishanthkumarpathi Linkedin Profile]<br />
* [http://www.slideshare.net/pathinishanth/presentations Presentations on Slideshare]<br />
<br />
== Contact ==<br />
<br />
* [https://twitter.com/nishanthkumarp @nishanthkumarp on Twitter]</div>Nishanthkumarpathihttps://wiki.owasp.org/index.php?title=SCG_WS_Apache&diff=202560SCG WS Apache2015-10-23T12:20:20Z<p>Nishanthkumarpathi: /* Remove Default HTML Page */</p>
<hr />
<div>{{Template:OWASP Secure Configuration Guide}}<br />
'''NEEDS TO BE REVIEWED, SEE REFERENCES BELOW FOR ANY QUERIES!'''<br />
<br />
== Summary ==<br />
<br />
The Apache HTTP Server Project is a collaborative software development effort aimed at creating a robust, commercial-grade, featureful, and freely-available source code implementation of an HTTP (Web) server. The project is jointly managed by a group of volunteers located around the world, using the Internet and the Web to communicate, plan, and develop the server and its related documentation. This project is part of the Apache Software Foundation. In addition, hundreds of users have contributed ideas, code, and documentation to the project. This file is intended to briefly describe the history of the Apache HTTP Server and recognize the many contributors.<br />
<br />
== Important Files of Apache Server ==<br />
=== Apache Global Server Configuration Files ===<br />
<br />
Debian<br />
<pre>/etc/apache2/apache2.conf</pre><br />
RHEL / Red Hat / CentOS / Fedora Linux<br />
<pre>/etc/httpd/conf/httpd.conf</pre><br />
FreeBSD<br />
<pre>/usr/local/etc/apache2X/httpd.conf</pre><br />
<br />
Note:X represents the version number<br />
<br />
=== Apache Module Files ===<br />
Debian<pre>/etc/apache2/mods-enabled</pre><br />
RHEL / Red Hat / CentOS / Fedora Linux<pre>/etc/httpd/conf/conf.d</pre><br />
<br />
=== Apache Port Configuration File ===<br />
Debian<pre>/etc/apache2/ports.conf</pre><br />
RHEL / Red Hat / CentOS / Fedora Linux<pre>/etc/httpd/conf/conf.d</pre><br />
<br />
=== Apache Error Files ===<br />
Debian<pre>/var/log/apache2/error.log</pre><br />
RHEL / Red Hat / CentOS / Fedora Linux<pre>var/log/httpd/error_log</pre><br />
FreeBSD<pre>/var/log/httpd-error.log</pre><br />
<br />
== Apache Server Information Leakage ==<br />
<br />
=== Server Token Directive===<br />
<br />
==== Description ====<br />
<br />
This Directive Controls wheather Server response field is sent back to clients includes a description of Generic OS Type of the Server.<br />
<br />
<pre><br />
Server: Apache/2.2.14 (Unix) mod_ssl/2.2.14 OpenSSL/0.9.8e-fips-rhel5<br />
</pre><br />
<br />
This allows attackers to identify web servers details greatly and increases the efficiency of any attack,as security vulnerabilities<br />
are dependent upon specific software versions.<br />
<br />
==== How to test ====<br />
In order to test for ServerToken configuration, one should check the Apache configuration file.<br />
<br />
==== Misconfiguration ====<br />
<pre><br />
ServerTokens Full<br />
</pre><br />
<br />
==== Remediation ====<br />
<br />
Configure the ServerTokens directive in the Apache configuration to value of Prod or ProductOnly.<br />
This tells Apache to only return "Apache" in the Server header, returned on every page request.<br />
<br />
<pre><br />
ServerTokens Prod<br />
or<br />
ServerTokens ProductOnly<br />
</pre><br />
<br />
=== Server Signature ===<br />
<br />
==== Description ====<br />
<br />
This Apache directive allows the configuration of a trailing footer line under server-generated documents. <br />
<br />
==== How to test ====<br />
In order to test for ServerSignature configuration, one should check the Apache configuration file.<br />
<br />
==== Misconfiguration ====<br />
<pre>ServerSignature Off</pre><br />
<br />
==== Remediation ====<br />
Configure the ServerSingature directive in the Apache configuration to value of "Off".<br />
This tell Apache not to display the server version on error pages, or other pages it generates.<br />
<br />
<pre> ServerSignature On</pre><br />
<br />
== Operating System Privileges for Apache ==<br />
<br />
=== Run Apache with least privilege user ===<br />
<br />
==== Description ====<br />
<br />
Apache typically is started with root privileges in order to listen on port 80 and 443.<br />
One of the best ways to reduce your exposure to attack when running a web server is to create a unique, unprivileged userid and group for the web daemon to execute.<br />
The “nobody” or “daemon” userid & group that come default on Unix variants should NOT be used to run the web server as these principals are commonly used by other daemon services. <br />
Instead, create a user and group that are exclusively used by the web service so as to not give unnecessary access to other services.<br />
The userid used for the apache user should be a unique value between 1 and 499 as these lower values are reserved for the special system accounts.<br />
A more secure alternative is to bind Apache web service to an unprivileged port so it is not<br />
necessary to start Apache as root.<br />
<br />
==== How to test ====<br />
Ensure the apache account is unique and has been created with a UID between1-499 with the apache group and configured in the Apache Configuration File.<br />
<br />
==== Misconfiguration ====<br />
<br />
==== Remediation ====<br />
If the Apache user and group does exist, create the account and group as a unique system account.<br />
<br />
Example:<br />
<pre><br />
# groupadd –r apache<br />
# useradd apache -r -g apache -d /var/www -s /sbin/nologin<br />
</pre><br />
<br />
2. Configure the Apache user and group in the Apache configuration file.<br />
<pre><br />
User apache<br />
Group apache<br />
</pre><br />
<br />
=== Restrict Shell Access for Apache User=== <br />
==== Description ====<br />
The Apache account must not be used as a regular login account, and should be assigned an<br />
invalid or nologin shell to ensure that the account cannot be used to login.<br />
==== How to test ====<br />
==== Misconfiguration ====<br />
Check the apache login shell in the /etc/password file for Linux Systems.<br />
<pre># grep apache /etc/passwd</pre><br />
==== Remediation ====<br />
The below command will configure the apache user with "nologin" restrictions.<br />
<pre>#chsh -s /usr/sbin/nologin apache</pre><br />
Expected Output<br />
<pre><br />
Command to chec:<br />
#cat/etc/passwd<br />
Expected Output:<br />
apache:x:48:48:Apache:/var/www:usr/sbin/nologin</pre><br />
<br />
=== Lock Apache user account===<br />
==== Description ====<br />
The user account under which Apache runs, should have a valid password, but should be locked. <br />
==== How to test ====<br />
<br />
==== Misconfiguration ====<br />
<br />
The below is the misconfiguration for an Apache user.<br />
<br />
Command<br />
<br />
<pre># passwd -S apache</pre><br />
<br />
Expected Output:<br />
<br />
<pre>apache P 09/07/2015 0 99999 7 -1</pre><br />
<br />
==== Remediation ====<br />
<br />
<pre># passwd -l apache </pre><br />
<br />
Validate the Configuration using the below command in Linux.<br />
<br />
<pre>#passwd -S apache</pre><br />
<br />
Expected Output:<br />
<br />
<pre>apache LK 2015-09-09 0 99999 7 -1 </pre><br />
<br />
=== Apache Directory Ownership and Permissions ===<br />
==== Description ====<br />
All of the Apache Software directories and files installed should be owned by root user and root group.This will help in mitigate <br />
exploration severity and information disclosure.<br />
<br />
Apache Web Document folders like "/var/www/html" need a designated group to allow web content to be updated.<br />
<br />
==== How to test ====<br />
<br />
Type the below command to check the User and Group associated with a file.The file varies in Between Debian,RHEL/CentOS/Fedora,FreeBSD.<br />
<br />
Example:<br />
<br />
<pre><br />
# ls -l /usr/share/apache2<br />
</pre><br />
<br />
<br />
<br />
==== Misconfiguration ====<br />
<br />
In the Below example the apache2 folder is owned by a user name "alice" and group "sysadmin" which can be considered as a misconfiguration.<br />
<br />
<pre><br />
drwxr-xr-x 6 alice sysadmin 4096 Sep 7 13:20 apache2<br />
</pre><br />
<br />
<br />
==== Remediation ====<br />
The below command will set a Directory named "apache2" with root user and root group recursively.<br />
<br />
<pre><br />
#chown –R root:root /usr/local/apache2<br />
</pre><br />
<br />
=== Apache File Ownership and Permissions ===<br />
==== Description ====<br />
Setting the appropriate permissions on the Apache files and directories can help to prevent/mitigate exploitation severity and information disclosure.<br />
<br />
Preventing execution of Apache binaries with limited permission will decrease the attack surface.<br />
<br />
Permission of the Apache directories and files should be rwxr-xr-x and they can change if it is Apache binary or executable file.<br />
<br />
==== How to test ====<br />
Run the below command to check the file permissions.<br />
<br />
<pre>#ls -l /var/www/html</pre><br />
<br />
==== Misconfiguration ====<br />
<br />
Other than rwxr-xr-x would be considered as a mis configuration.<br />
<br />
==== Remediation ====<br />
<br />
Permission of the Apache directories and files should be rwxr-xr-x and they can change if it is Apache binary or executable file.<br />
<br />
== Access Control List in Apache == <br />
=== Restrict OS Root directory access using Allow,Deny Directive ===<br />
==== Description ====<br />
Apache will serve any file mapped from an URL to clients with efault configuration.<br />
<br />
It is better to create a deny policy that will not allow access to Operating system directoories or files.<br />
<br />
A small modification in the configuration will allow access to tthe required files.<br />
<br />
The order of the directive is important as it provides for otherr Allow diectives to override the default deny.<br />
<br />
==== How to test ====<br />
1. Find the appropriate Apache configuration file in your Server.<br />
2. Ensure there is a single Order directive and set the value to deny, allow<br />
3. Ensure there is a Deny directive, and set the value to "from all".<br />
4. Remove any Allow directives from the root <Directory> element. <br />
<br />
==== Misconfiguration ====<br />
<pre><br />
<Directory /><br />
. . .<br />
Order allow,deny<br />
Allow from all<br />
. . .<br />
</Directory><br />
</pre><br />
==== Remediation ====<br />
<pre><br />
<Directory /><br />
. . .<br />
Order deny,allow<br />
Deny from all<br />
. . .<br />
</Directory><br />
</pre><br />
<br />
=== Restrict WebSite Content using Allow,Deny Directive === <br />
==== Description ====<br />
Appropriate access to various files,directories, locations and virtual hosts that contains web site content can make attack surface strong.<br />
<br />
Based up on the requirement you can provide allow access or you can deny.<br />
<br />
==== How to test ====<br />
<br />
1. Find the appropriate Apache configuration file in your Server. <br><br />
2. Ensure there is a single Order directive and set the value to deny, allow<br> <br />
3. Ensure there is a Deny directive, and set the value to "from all". <br><br />
4. Remove any Allow directives from the root <Directory> element. <br><br />
<br />
==== MisConfiguration ====<br />
<pre><br />
<Directory "/var/www/html"><br />
. . .<br />
Order deny,allow<br />
Allow from all<br />
</Directory> <br />
</pre><br />
==== Remediation ====<br />
<pre><br />
<Directory "/var/www/html/"><br />
Order deny,allow<br />
deny from all<br />
allow from 172.16.5.0/24<br />
</Directory> <br />
</pre><br />
<br />
=== AllowOverride Directive ===<br />
<br />
==== Description ====<br />
<br />
==== How to test ====<br />
<br />
==== Misconfiguration ====<br />
<pre><br />
<Directory /var/www/html><br />
AllowOverride All<br />
</Directory><br />
</pre><br />
<br />
==== Remediation ====<br />
<pre><br />
<Directory /var/www/html><br />
AllowOverride None<br />
</Directory><br />
</pre><br />
<br />
== Apache Features ==<br />
<br />
=== Limit HTTP Request Methods ===<br />
==== Description ====<br />
<br />
<br />
Apache Server is capable of accepting and processing GET,HEAD,POST,OPTIONS,PUT,DELETE HTTP request methods.<br />
If we use <LimitExcept> directive then Apache will not process the unnecessary HTTP request methods.<br />
The primary security concerened is to disable the unnecessary HTTP request methods.<br />
Apache <LimitExcept> directive does not deny the TRACE request method. <br />
<br />
==== How to test ====<br />
<br />
==== Misconfiguration ====<br />
<br />
<br />
By default all the HTTP request methods are accepted by Apache Server.<br />
<br />
==== Remediation ====<br />
<br />
<pre><br />
<br />
<Directory "/usr/local/apache2/cgi-bin"><br />
. . .<br />
# Limit HTTP methods<br />
<LimitExcept GET POST OPTIONS><br />
deny from all<br />
</LimitExcept><br />
</Directory><br />
<br />
</pre><br />
<br />
=== Disable HTTP Trace Method ===<br />
==== Description ====<br />
HTTP Trace Method is enabled by default on the Apache Web Server.<br />
This method intended for diagnostics purposes.<br />
==== How to test ====<br />
Method 1:<br />
1. Locate the Apache configuration files and included configuration files.<br />
2. Verify there is a single TraceEnable directive configured with a value of off.<br />
<br />
Method 2:<br />
Telnet on the port your web server is running and request for “TRACE / HTTP/1.0” if you get a positive reply it means TRACE is enabled on your system.<br />
The output of a server with TRACE enabled will look like:<br />
==== Misconfiguration ====<br />
Below is an example of MisConfiguration.<br />
<pre>TraceEnable on</pre><br />
==== Remediation ====<br />
1.Locate the main Apache configuration file such as httpd.conf.<br />
2.Add a TraceEnable directive to the server level configuration with a value of off as shown<br />
<pre>TraceEnable off</pre><br />
<br />
=== HTTP Protocol Version ===<br />
==== Description ====<br />
Many attacks in the process of enumeration they use Vulnerability Scanners,Automated Programs and other fingerprinting tools to send abnormal HTTP protocol version to check how Web Server responds and it is very important that we need to deny these requests.<br />
==== How to test ====<br />
1.Locate the Apache configuration files and included configuration files.<br><br />
2.Verify that below module is loaded.<br />
<pre>mod_rewrite.so</pre><br />
==== Misconfiguration ====<br />
By default this module is not loaded.So we need to load the module.<br />
==== Remediation ====<br />
Method1:<br><br />
While compiling the Apache for installation we can enable this module and then install it.<br />
<pre>#./configure --enable-rewrite</pre><br />
If the Apache is installed with default parameter then we can also use the below Method<br> <br />
Method2:<br><br />
1.Locate the Apache configuration files and included configuration files.<br><br />
2.Add the following line to the Configuration file.<br />
<pre>LoadModule rewrite_module modules/mod_rewrite.so</pre><br />
3.Add/change the RewriteEngine directive to the configuration as shown.<br />
<pre><br />
RewriteEngine On<br />
RewriteCond %{THE_REQUEST} !HTTP/1\.1$ <br />
RewriteRule .* - [F]<br />
</pre><br />
<br />
=== Restrict access to .htaccess files ===<br />
==== Description ====<br />
The following configuration prevent .htaccess and .htpasswd files from being viewed by Web clients.<br />
==== How to test ====<br />
Verify the below recommended configuration is present in the Apache config file and make sure they are not commented out.<br />
==== Misconfiguration ====<br />
Below is the Misconfiguration<br />
<pre><br />
<FilesMatch "^\.ht"><br />
Order allow<br />
</FilesMatch><br />
</pre><br />
==== Remediation ====<br />
1.Locate the Apache configuration files and included configuration files.<br />
2.Add the following line to the Configuration file.<br />
<pre><br />
<FilesMatch "^\.ht"><br />
Order allow,deny<br />
Deny from all<br />
Satisfy All<br />
</FilesMatch><br />
</pre><br />
<br />
=== Restrict file extensions ===<br />
==== Description ====<br />
There are many files that are often left within the web server document root that could provide an attacker with sensitive information. Most often these files are mistakenly left behind after installation, trouble-shooting, or backing up files before editing.<br />
We use FilesMatch directive to restrict access to only those file extensions that are appropriate for the web server.<br />
==== How to test ====<br />
Verify the below recommended configuration is present in the Apache config file and make sure they are not commented out.<br />
==== Misconfiguration ====<br />
Block all files by default, unless specifically allowed.<br><br />
<pre><br />
<FilesMatch "^.*$"><br />
Order Deny,Allow<br />
Deny from all<br />
</FilesMatch><br />
</pre><br />
==== Remediation ====<br />
1.Locate the Apache configuration files and included configuration files.<br><br />
2.Add the following line to the Configuration file so that Web Server Allow files with specifically approved file extensions<br />
such as "css,htm,html,js,pdf,txt,xml,xsl"<br />
<pre><br />
<FilesMatch "^.*\.(css|html?|js|pdf|txt|xml|xsl|gif|ico|jpe?g|png)$"><br />
Order Deny,Allow<br />
Allow from all<br />
</FilesMatch><br />
</pre><br />
<br />
Note: File extensions should be matched carefully and should be changed based upon the reqruiement.<br />
<br />
=== Remove Default HTML Page ===<br />
==== Description ====<br />
All of the Web Servers comes with a default page which is not required .<br />
==== How to test ====<br />
Review all pre-installed web pages and remove content which is not required from root directory of the Web Server.<br />
==== Misconfiguration ====<br />
Post installation of the Web Server if the below items exits in Server then that is considered as a Misconfiguration.<br />
1.Default Index Pages<br><br />
2.Welcome Page<br><br />
3.Apache User Manul<br><br />
4.Server Information Handlers and Status Handlers.<br />
==== Remediation ====<br />
1.Remove the default index pages like ( index.html,default.html)<br><br />
2.Remove the Welcome pages.<br><br />
3.Remove the Apache User manuals.<br><br />
4.Remove any Server Information Handlers and Status Handlers with configuration.<br />
<br />
== Apache Module Configuration ==<br />
<br />
=== Authentication and Authorization Modules ===<br />
==== Description ====<br />
==== How to test ====<br />
==== Misconfiguration ====<br />
==== Remediation ====<br />
<br />
=== Status and Info Modules ===<br />
==== Description ====<br />
==== How to test ====<br />
==== Misconfiguration ====<br />
==== Remediation ====<br />
<br />
<br />
=== AutoIndex Module ===<br />
==== Description ====<br />
==== How to test ====<br />
==== Misconfiguration ====<br />
==== Remediation ====<br />
<br />
<br />
=== Proxy Module ===<br />
==== Description ====<br />
==== How to test ====<br />
==== Misconfiguration ====<br />
==== Remediation ====<br />
<br />
<br />
=== User Directory Moudule ===<br />
<br />
== SSL / TLS Configuration ==<br />
=== Install a valid certificate ===<br />
==== Description ====<br />
==== How to test ====<br />
==== Misconfiguration ====<br />
==== Remediation ====<br />
<br />
<br />
=== Restric weak SSL Protocols and Ciphers ===<br />
==== Description ====<br />
==== How to test ====<br />
==== Misconfiguration ====<br />
==== Remediation ====<br />
<br />
<br />
=== Install mod_ssl Module === <br />
<br />
==== Description ====<br />
==== How to test ====<br />
==== Misconfiguration ====<br />
==== Remediation ====<br />
<br />
=== Avoid Insecure SSL Renogitation ===<br />
==== Description ====<br />
==== How to test ====<br />
==== Misconfiguration ====<br />
==== Remediation ====<br />
<br />
<br />
== Attack Migigation ==<br />
=== DOS ===<br />
==== Description ====<br />
==== How to test ====<br />
==== Misconfiguration ====<br />
==== Remediation ====<br />
<br />
=== Buffer Overflow ===<br />
==== Description ====<br />
==== How to test ====<br />
==== Misconfiguration ====<br />
==== Remediation ====<br />
<br />
== References ==<br />
<br />
https://httpd.apache.org/docs/current/misc/security_tips.html<br />
<br />
https://wiki.debian.org/Apache/Hardening<br />
<br />
https://wiki.apache.org/httpd/CommonMisconfigurations<br />
<br />
http://projects.webappsec.org/w/page/13246959/Server%20Misconfiguration</div>Nishanthkumarpathihttps://wiki.owasp.org/index.php?title=SCG_WS_Apache&diff=202559SCG WS Apache2015-10-23T12:11:20Z<p>Nishanthkumarpathi: /* Remediation */</p>
<hr />
<div>{{Template:OWASP Secure Configuration Guide}}<br />
'''NEEDS TO BE REVIEWED, SEE REFERENCES BELOW FOR ANY QUERIES!'''<br />
<br />
== Summary ==<br />
<br />
The Apache HTTP Server Project is a collaborative software development effort aimed at creating a robust, commercial-grade, featureful, and freely-available source code implementation of an HTTP (Web) server. The project is jointly managed by a group of volunteers located around the world, using the Internet and the Web to communicate, plan, and develop the server and its related documentation. This project is part of the Apache Software Foundation. In addition, hundreds of users have contributed ideas, code, and documentation to the project. This file is intended to briefly describe the history of the Apache HTTP Server and recognize the many contributors.<br />
<br />
== Important Files of Apache Server ==<br />
=== Apache Global Server Configuration Files ===<br />
<br />
Debian<br />
<pre>/etc/apache2/apache2.conf</pre><br />
RHEL / Red Hat / CentOS / Fedora Linux<br />
<pre>/etc/httpd/conf/httpd.conf</pre><br />
FreeBSD<br />
<pre>/usr/local/etc/apache2X/httpd.conf</pre><br />
<br />
Note:X represents the version number<br />
<br />
=== Apache Module Files ===<br />
Debian<pre>/etc/apache2/mods-enabled</pre><br />
RHEL / Red Hat / CentOS / Fedora Linux<pre>/etc/httpd/conf/conf.d</pre><br />
<br />
=== Apache Port Configuration File ===<br />
Debian<pre>/etc/apache2/ports.conf</pre><br />
RHEL / Red Hat / CentOS / Fedora Linux<pre>/etc/httpd/conf/conf.d</pre><br />
<br />
=== Apache Error Files ===<br />
Debian<pre>/var/log/apache2/error.log</pre><br />
RHEL / Red Hat / CentOS / Fedora Linux<pre>var/log/httpd/error_log</pre><br />
FreeBSD<pre>/var/log/httpd-error.log</pre><br />
<br />
== Apache Server Information Leakage ==<br />
<br />
=== Server Token Directive===<br />
<br />
==== Description ====<br />
<br />
This Directive Controls wheather Server response field is sent back to clients includes a description of Generic OS Type of the Server.<br />
<br />
<pre><br />
Server: Apache/2.2.14 (Unix) mod_ssl/2.2.14 OpenSSL/0.9.8e-fips-rhel5<br />
</pre><br />
<br />
This allows attackers to identify web servers details greatly and increases the efficiency of any attack,as security vulnerabilities<br />
are dependent upon specific software versions.<br />
<br />
==== How to test ====<br />
In order to test for ServerToken configuration, one should check the Apache configuration file.<br />
<br />
==== Misconfiguration ====<br />
<pre><br />
ServerTokens Full<br />
</pre><br />
<br />
==== Remediation ====<br />
<br />
Configure the ServerTokens directive in the Apache configuration to value of Prod or ProductOnly.<br />
This tells Apache to only return "Apache" in the Server header, returned on every page request.<br />
<br />
<pre><br />
ServerTokens Prod<br />
or<br />
ServerTokens ProductOnly<br />
</pre><br />
<br />
=== Server Signature ===<br />
<br />
==== Description ====<br />
<br />
This Apache directive allows the configuration of a trailing footer line under server-generated documents. <br />
<br />
==== How to test ====<br />
In order to test for ServerSignature configuration, one should check the Apache configuration file.<br />
<br />
==== Misconfiguration ====<br />
<pre>ServerSignature Off</pre><br />
<br />
==== Remediation ====<br />
Configure the ServerSingature directive in the Apache configuration to value of "Off".<br />
This tell Apache not to display the server version on error pages, or other pages it generates.<br />
<br />
<pre> ServerSignature On</pre><br />
<br />
== Operating System Privileges for Apache ==<br />
<br />
=== Run Apache with least privilege user ===<br />
<br />
==== Description ====<br />
<br />
Apache typically is started with root privileges in order to listen on port 80 and 443.<br />
One of the best ways to reduce your exposure to attack when running a web server is to create a unique, unprivileged userid and group for the web daemon to execute.<br />
The “nobody” or “daemon” userid & group that come default on Unix variants should NOT be used to run the web server as these principals are commonly used by other daemon services. <br />
Instead, create a user and group that are exclusively used by the web service so as to not give unnecessary access to other services.<br />
The userid used for the apache user should be a unique value between 1 and 499 as these lower values are reserved for the special system accounts.<br />
A more secure alternative is to bind Apache web service to an unprivileged port so it is not<br />
necessary to start Apache as root.<br />
<br />
==== How to test ====<br />
Ensure the apache account is unique and has been created with a UID between1-499 with the apache group and configured in the Apache Configuration File.<br />
<br />
==== Misconfiguration ====<br />
<br />
==== Remediation ====<br />
If the Apache user and group does exist, create the account and group as a unique system account.<br />
<br />
Example:<br />
<pre><br />
# groupadd –r apache<br />
# useradd apache -r -g apache -d /var/www -s /sbin/nologin<br />
</pre><br />
<br />
2. Configure the Apache user and group in the Apache configuration file.<br />
<pre><br />
User apache<br />
Group apache<br />
</pre><br />
<br />
=== Restrict Shell Access for Apache User=== <br />
==== Description ====<br />
The Apache account must not be used as a regular login account, and should be assigned an<br />
invalid or nologin shell to ensure that the account cannot be used to login.<br />
==== How to test ====<br />
==== Misconfiguration ====<br />
Check the apache login shell in the /etc/password file for Linux Systems.<br />
<pre># grep apache /etc/passwd</pre><br />
==== Remediation ====<br />
The below command will configure the apache user with "nologin" restrictions.<br />
<pre>#chsh -s /usr/sbin/nologin apache</pre><br />
Expected Output<br />
<pre><br />
Command to chec:<br />
#cat/etc/passwd<br />
Expected Output:<br />
apache:x:48:48:Apache:/var/www:usr/sbin/nologin</pre><br />
<br />
=== Lock Apache user account===<br />
==== Description ====<br />
The user account under which Apache runs, should have a valid password, but should be locked. <br />
==== How to test ====<br />
<br />
==== Misconfiguration ====<br />
<br />
The below is the misconfiguration for an Apache user.<br />
<br />
Command<br />
<br />
<pre># passwd -S apache</pre><br />
<br />
Expected Output:<br />
<br />
<pre>apache P 09/07/2015 0 99999 7 -1</pre><br />
<br />
==== Remediation ====<br />
<br />
<pre># passwd -l apache </pre><br />
<br />
Validate the Configuration using the below command in Linux.<br />
<br />
<pre>#passwd -S apache</pre><br />
<br />
Expected Output:<br />
<br />
<pre>apache LK 2015-09-09 0 99999 7 -1 </pre><br />
<br />
=== Apache Directory Ownership and Permissions ===<br />
==== Description ====<br />
All of the Apache Software directories and files installed should be owned by root user and root group.This will help in mitigate <br />
exploration severity and information disclosure.<br />
<br />
Apache Web Document folders like "/var/www/html" need a designated group to allow web content to be updated.<br />
<br />
==== How to test ====<br />
<br />
Type the below command to check the User and Group associated with a file.The file varies in Between Debian,RHEL/CentOS/Fedora,FreeBSD.<br />
<br />
Example:<br />
<br />
<pre><br />
# ls -l /usr/share/apache2<br />
</pre><br />
<br />
<br />
<br />
==== Misconfiguration ====<br />
<br />
In the Below example the apache2 folder is owned by a user name "alice" and group "sysadmin" which can be considered as a misconfiguration.<br />
<br />
<pre><br />
drwxr-xr-x 6 alice sysadmin 4096 Sep 7 13:20 apache2<br />
</pre><br />
<br />
<br />
==== Remediation ====<br />
The below command will set a Directory named "apache2" with root user and root group recursively.<br />
<br />
<pre><br />
#chown –R root:root /usr/local/apache2<br />
</pre><br />
<br />
=== Apache File Ownership and Permissions ===<br />
==== Description ====<br />
Setting the appropriate permissions on the Apache files and directories can help to prevent/mitigate exploitation severity and information disclosure.<br />
<br />
Preventing execution of Apache binaries with limited permission will decrease the attack surface.<br />
<br />
Permission of the Apache directories and files should be rwxr-xr-x and they can change if it is Apache binary or executable file.<br />
<br />
==== How to test ====<br />
Run the below command to check the file permissions.<br />
<br />
<pre>#ls -l /var/www/html</pre><br />
<br />
==== Misconfiguration ====<br />
<br />
Other than rwxr-xr-x would be considered as a mis configuration.<br />
<br />
==== Remediation ====<br />
<br />
Permission of the Apache directories and files should be rwxr-xr-x and they can change if it is Apache binary or executable file.<br />
<br />
== Access Control List in Apache == <br />
=== Restrict OS Root directory access using Allow,Deny Directive ===<br />
==== Description ====<br />
Apache will serve any file mapped from an URL to clients with efault configuration.<br />
<br />
It is better to create a deny policy that will not allow access to Operating system directoories or files.<br />
<br />
A small modification in the configuration will allow access to tthe required files.<br />
<br />
The order of the directive is important as it provides for otherr Allow diectives to override the default deny.<br />
<br />
==== How to test ====<br />
1. Find the appropriate Apache configuration file in your Server.<br />
2. Ensure there is a single Order directive and set the value to deny, allow<br />
3. Ensure there is a Deny directive, and set the value to "from all".<br />
4. Remove any Allow directives from the root <Directory> element. <br />
<br />
==== Misconfiguration ====<br />
<pre><br />
<Directory /><br />
. . .<br />
Order allow,deny<br />
Allow from all<br />
. . .<br />
</Directory><br />
</pre><br />
==== Remediation ====<br />
<pre><br />
<Directory /><br />
. . .<br />
Order deny,allow<br />
Deny from all<br />
. . .<br />
</Directory><br />
</pre><br />
<br />
=== Restrict WebSite Content using Allow,Deny Directive === <br />
==== Description ====<br />
Appropriate access to various files,directories, locations and virtual hosts that contains web site content can make attack surface strong.<br />
<br />
Based up on the requirement you can provide allow access or you can deny.<br />
<br />
==== How to test ====<br />
<br />
1. Find the appropriate Apache configuration file in your Server. <br><br />
2. Ensure there is a single Order directive and set the value to deny, allow<br> <br />
3. Ensure there is a Deny directive, and set the value to "from all". <br><br />
4. Remove any Allow directives from the root <Directory> element. <br><br />
<br />
==== MisConfiguration ====<br />
<pre><br />
<Directory "/var/www/html"><br />
. . .<br />
Order deny,allow<br />
Allow from all<br />
</Directory> <br />
</pre><br />
==== Remediation ====<br />
<pre><br />
<Directory "/var/www/html/"><br />
Order deny,allow<br />
deny from all<br />
allow from 172.16.5.0/24<br />
</Directory> <br />
</pre><br />
<br />
=== AllowOverride Directive ===<br />
<br />
==== Description ====<br />
<br />
==== How to test ====<br />
<br />
==== Misconfiguration ====<br />
<pre><br />
<Directory /var/www/html><br />
AllowOverride All<br />
</Directory><br />
</pre><br />
<br />
==== Remediation ====<br />
<pre><br />
<Directory /var/www/html><br />
AllowOverride None<br />
</Directory><br />
</pre><br />
<br />
== Apache Features ==<br />
<br />
=== Limit HTTP Request Methods ===<br />
==== Description ====<br />
<br />
<br />
Apache Server is capable of accepting and processing GET,HEAD,POST,OPTIONS,PUT,DELETE HTTP request methods.<br />
If we use <LimitExcept> directive then Apache will not process the unnecessary HTTP request methods.<br />
The primary security concerened is to disable the unnecessary HTTP request methods.<br />
Apache <LimitExcept> directive does not deny the TRACE request method. <br />
<br />
==== How to test ====<br />
<br />
==== Misconfiguration ====<br />
<br />
<br />
By default all the HTTP request methods are accepted by Apache Server.<br />
<br />
==== Remediation ====<br />
<br />
<pre><br />
<br />
<Directory "/usr/local/apache2/cgi-bin"><br />
. . .<br />
# Limit HTTP methods<br />
<LimitExcept GET POST OPTIONS><br />
deny from all<br />
</LimitExcept><br />
</Directory><br />
<br />
</pre><br />
<br />
=== Disable HTTP Trace Method ===<br />
==== Description ====<br />
HTTP Trace Method is enabled by default on the Apache Web Server.<br />
This method intended for diagnostics purposes.<br />
==== How to test ====<br />
Method 1:<br />
1. Locate the Apache configuration files and included configuration files.<br />
2. Verify there is a single TraceEnable directive configured with a value of off.<br />
<br />
Method 2:<br />
Telnet on the port your web server is running and request for “TRACE / HTTP/1.0” if you get a positive reply it means TRACE is enabled on your system.<br />
The output of a server with TRACE enabled will look like:<br />
==== Misconfiguration ====<br />
Below is an example of MisConfiguration.<br />
<pre>TraceEnable on</pre><br />
==== Remediation ====<br />
1.Locate the main Apache configuration file such as httpd.conf.<br />
2.Add a TraceEnable directive to the server level configuration with a value of off as shown<br />
<pre>TraceEnable off</pre><br />
<br />
=== HTTP Protocol Version ===<br />
==== Description ====<br />
Many attacks in the process of enumeration they use Vulnerability Scanners,Automated Programs and other fingerprinting tools to send abnormal HTTP protocol version to check how Web Server responds and it is very important that we need to deny these requests.<br />
==== How to test ====<br />
1.Locate the Apache configuration files and included configuration files.<br><br />
2.Verify that below module is loaded.<br />
<pre>mod_rewrite.so</pre><br />
==== Misconfiguration ====<br />
By default this module is not loaded.So we need to load the module.<br />
==== Remediation ====<br />
Method1:<br><br />
While compiling the Apache for installation we can enable this module and then install it.<br />
<pre>#./configure --enable-rewrite</pre><br />
If the Apache is installed with default parameter then we can also use the below Method<br> <br />
Method2:<br><br />
1.Locate the Apache configuration files and included configuration files.<br><br />
2.Add the following line to the Configuration file.<br />
<pre>LoadModule rewrite_module modules/mod_rewrite.so</pre><br />
3.Add/change the RewriteEngine directive to the configuration as shown.<br />
<pre><br />
RewriteEngine On<br />
RewriteCond %{THE_REQUEST} !HTTP/1\.1$ <br />
RewriteRule .* - [F]<br />
</pre><br />
<br />
=== Restrict access to .htaccess files ===<br />
==== Description ====<br />
The following configuration prevent .htaccess and .htpasswd files from being viewed by Web clients.<br />
==== How to test ====<br />
Verify the below recommended configuration is present in the Apache config file and make sure they are not commented out.<br />
==== Misconfiguration ====<br />
Below is the Misconfiguration<br />
<pre><br />
<FilesMatch "^\.ht"><br />
Order allow<br />
</FilesMatch><br />
</pre><br />
==== Remediation ====<br />
1.Locate the Apache configuration files and included configuration files.<br />
2.Add the following line to the Configuration file.<br />
<pre><br />
<FilesMatch "^\.ht"><br />
Order allow,deny<br />
Deny from all<br />
Satisfy All<br />
</FilesMatch><br />
</pre><br />
<br />
=== Restrict file extensions ===<br />
==== Description ====<br />
There are many files that are often left within the web server document root that could provide an attacker with sensitive information. Most often these files are mistakenly left behind after installation, trouble-shooting, or backing up files before editing.<br />
We use FilesMatch directive to restrict access to only those file extensions that are appropriate for the web server.<br />
==== How to test ====<br />
Verify the below recommended configuration is present in the Apache config file and make sure they are not commented out.<br />
==== Misconfiguration ====<br />
Block all files by default, unless specifically allowed.<br><br />
<pre><br />
<FilesMatch "^.*$"><br />
Order Deny,Allow<br />
Deny from all<br />
</FilesMatch><br />
</pre><br />
==== Remediation ====<br />
1.Locate the Apache configuration files and included configuration files.<br><br />
2.Add the following line to the Configuration file so that Web Server Allow files with specifically approved file extensions<br />
such as "css,htm,html,js,pdf,txt,xml,xsl"<br />
<pre><br />
<FilesMatch "^.*\.(css|html?|js|pdf|txt|xml|xsl|gif|ico|jpe?g|png)$"><br />
Order Deny,Allow<br />
Allow from all<br />
</FilesMatch><br />
</pre><br />
<br />
Note: File extensions should be matched carefully and should be changed based upon the reqruiement.<br />
<br />
=== Remove Default HTML Page ===<br />
==== Description ====<br />
==== How to test ====<br />
==== Misconfiguration ====<br />
==== Remediation ====<br />
<br />
<br />
== Apache Module Configuration ==<br />
<br />
=== Authentication and Authorization Modules ===<br />
==== Description ====<br />
==== How to test ====<br />
==== Misconfiguration ====<br />
==== Remediation ====<br />
<br />
=== Status and Info Modules ===<br />
==== Description ====<br />
==== How to test ====<br />
==== Misconfiguration ====<br />
==== Remediation ====<br />
<br />
<br />
=== AutoIndex Module ===<br />
==== Description ====<br />
==== How to test ====<br />
==== Misconfiguration ====<br />
==== Remediation ====<br />
<br />
<br />
=== Proxy Module ===<br />
==== Description ====<br />
==== How to test ====<br />
==== Misconfiguration ====<br />
==== Remediation ====<br />
<br />
<br />
=== User Directory Moudule ===<br />
<br />
== SSL / TLS Configuration ==<br />
=== Install a valid certificate ===<br />
==== Description ====<br />
==== How to test ====<br />
==== Misconfiguration ====<br />
==== Remediation ====<br />
<br />
<br />
=== Restric weak SSL Protocols and Ciphers ===<br />
==== Description ====<br />
==== How to test ====<br />
==== Misconfiguration ====<br />
==== Remediation ====<br />
<br />
<br />
=== Install mod_ssl Module === <br />
<br />
==== Description ====<br />
==== How to test ====<br />
==== Misconfiguration ====<br />
==== Remediation ====<br />
<br />
=== Avoid Insecure SSL Renogitation ===<br />
==== Description ====<br />
==== How to test ====<br />
==== Misconfiguration ====<br />
==== Remediation ====<br />
<br />
<br />
== Attack Migigation ==<br />
=== DOS ===<br />
==== Description ====<br />
==== How to test ====<br />
==== Misconfiguration ====<br />
==== Remediation ====<br />
<br />
=== Buffer Overflow ===<br />
==== Description ====<br />
==== How to test ====<br />
==== Misconfiguration ====<br />
==== Remediation ====<br />
<br />
== References ==<br />
<br />
https://httpd.apache.org/docs/current/misc/security_tips.html<br />
<br />
https://wiki.debian.org/Apache/Hardening<br />
<br />
https://wiki.apache.org/httpd/CommonMisconfigurations<br />
<br />
http://projects.webappsec.org/w/page/13246959/Server%20Misconfiguration</div>Nishanthkumarpathihttps://wiki.owasp.org/index.php?title=SCG_WS_Apache&diff=202558SCG WS Apache2015-10-23T12:10:59Z<p>Nishanthkumarpathi: /* Restrict file extensions */</p>
<hr />
<div>{{Template:OWASP Secure Configuration Guide}}<br />
'''NEEDS TO BE REVIEWED, SEE REFERENCES BELOW FOR ANY QUERIES!'''<br />
<br />
== Summary ==<br />
<br />
The Apache HTTP Server Project is a collaborative software development effort aimed at creating a robust, commercial-grade, featureful, and freely-available source code implementation of an HTTP (Web) server. The project is jointly managed by a group of volunteers located around the world, using the Internet and the Web to communicate, plan, and develop the server and its related documentation. This project is part of the Apache Software Foundation. In addition, hundreds of users have contributed ideas, code, and documentation to the project. This file is intended to briefly describe the history of the Apache HTTP Server and recognize the many contributors.<br />
<br />
== Important Files of Apache Server ==<br />
=== Apache Global Server Configuration Files ===<br />
<br />
Debian<br />
<pre>/etc/apache2/apache2.conf</pre><br />
RHEL / Red Hat / CentOS / Fedora Linux<br />
<pre>/etc/httpd/conf/httpd.conf</pre><br />
FreeBSD<br />
<pre>/usr/local/etc/apache2X/httpd.conf</pre><br />
<br />
Note:X represents the version number<br />
<br />
=== Apache Module Files ===<br />
Debian<pre>/etc/apache2/mods-enabled</pre><br />
RHEL / Red Hat / CentOS / Fedora Linux<pre>/etc/httpd/conf/conf.d</pre><br />
<br />
=== Apache Port Configuration File ===<br />
Debian<pre>/etc/apache2/ports.conf</pre><br />
RHEL / Red Hat / CentOS / Fedora Linux<pre>/etc/httpd/conf/conf.d</pre><br />
<br />
=== Apache Error Files ===<br />
Debian<pre>/var/log/apache2/error.log</pre><br />
RHEL / Red Hat / CentOS / Fedora Linux<pre>var/log/httpd/error_log</pre><br />
FreeBSD<pre>/var/log/httpd-error.log</pre><br />
<br />
== Apache Server Information Leakage ==<br />
<br />
=== Server Token Directive===<br />
<br />
==== Description ====<br />
<br />
This Directive Controls wheather Server response field is sent back to clients includes a description of Generic OS Type of the Server.<br />
<br />
<pre><br />
Server: Apache/2.2.14 (Unix) mod_ssl/2.2.14 OpenSSL/0.9.8e-fips-rhel5<br />
</pre><br />
<br />
This allows attackers to identify web servers details greatly and increases the efficiency of any attack,as security vulnerabilities<br />
are dependent upon specific software versions.<br />
<br />
==== How to test ====<br />
In order to test for ServerToken configuration, one should check the Apache configuration file.<br />
<br />
==== Misconfiguration ====<br />
<pre><br />
ServerTokens Full<br />
</pre><br />
<br />
==== Remediation ====<br />
<br />
Configure the ServerTokens directive in the Apache configuration to value of Prod or ProductOnly.<br />
This tells Apache to only return "Apache" in the Server header, returned on every page request.<br />
<br />
<pre><br />
ServerTokens Prod<br />
or<br />
ServerTokens ProductOnly<br />
</pre><br />
<br />
=== Server Signature ===<br />
<br />
==== Description ====<br />
<br />
This Apache directive allows the configuration of a trailing footer line under server-generated documents. <br />
<br />
==== How to test ====<br />
In order to test for ServerSignature configuration, one should check the Apache configuration file.<br />
<br />
==== Misconfiguration ====<br />
<pre>ServerSignature Off</pre><br />
<br />
==== Remediation ====<br />
Configure the ServerSingature directive in the Apache configuration to value of "Off".<br />
This tell Apache not to display the server version on error pages, or other pages it generates.<br />
<br />
<pre> ServerSignature On</pre><br />
<br />
== Operating System Privileges for Apache ==<br />
<br />
=== Run Apache with least privilege user ===<br />
<br />
==== Description ====<br />
<br />
Apache typically is started with root privileges in order to listen on port 80 and 443.<br />
One of the best ways to reduce your exposure to attack when running a web server is to create a unique, unprivileged userid and group for the web daemon to execute.<br />
The “nobody” or “daemon” userid & group that come default on Unix variants should NOT be used to run the web server as these principals are commonly used by other daemon services. <br />
Instead, create a user and group that are exclusively used by the web service so as to not give unnecessary access to other services.<br />
The userid used for the apache user should be a unique value between 1 and 499 as these lower values are reserved for the special system accounts.<br />
A more secure alternative is to bind Apache web service to an unprivileged port so it is not<br />
necessary to start Apache as root.<br />
<br />
==== How to test ====<br />
Ensure the apache account is unique and has been created with a UID between1-499 with the apache group and configured in the Apache Configuration File.<br />
<br />
==== Misconfiguration ====<br />
<br />
==== Remediation ====<br />
If the Apache user and group does exist, create the account and group as a unique system account.<br />
<br />
Example:<br />
<pre><br />
# groupadd –r apache<br />
# useradd apache -r -g apache -d /var/www -s /sbin/nologin<br />
</pre><br />
<br />
2. Configure the Apache user and group in the Apache configuration file.<br />
<pre><br />
User apache<br />
Group apache<br />
</pre><br />
<br />
=== Restrict Shell Access for Apache User=== <br />
==== Description ====<br />
The Apache account must not be used as a regular login account, and should be assigned an<br />
invalid or nologin shell to ensure that the account cannot be used to login.<br />
==== How to test ====<br />
==== Misconfiguration ====<br />
Check the apache login shell in the /etc/password file for Linux Systems.<br />
<pre># grep apache /etc/passwd</pre><br />
==== Remediation ====<br />
The below command will configure the apache user with "nologin" restrictions.<br />
<pre>#chsh -s /usr/sbin/nologin apache</pre><br />
Expected Output<br />
<pre><br />
Command to chec:<br />
#cat/etc/passwd<br />
Expected Output:<br />
apache:x:48:48:Apache:/var/www:usr/sbin/nologin</pre><br />
<br />
=== Lock Apache user account===<br />
==== Description ====<br />
The user account under which Apache runs, should have a valid password, but should be locked. <br />
==== How to test ====<br />
<br />
==== Misconfiguration ====<br />
<br />
The below is the misconfiguration for an Apache user.<br />
<br />
Command<br />
<br />
<pre># passwd -S apache</pre><br />
<br />
Expected Output:<br />
<br />
<pre>apache P 09/07/2015 0 99999 7 -1</pre><br />
<br />
==== Remediation ====<br />
<br />
<pre># passwd -l apache </pre><br />
<br />
Validate the Configuration using the below command in Linux.<br />
<br />
<pre>#passwd -S apache</pre><br />
<br />
Expected Output:<br />
<br />
<pre>apache LK 2015-09-09 0 99999 7 -1 </pre><br />
<br />
=== Apache Directory Ownership and Permissions ===<br />
==== Description ====<br />
All of the Apache Software directories and files installed should be owned by root user and root group.This will help in mitigate <br />
exploration severity and information disclosure.<br />
<br />
Apache Web Document folders like "/var/www/html" need a designated group to allow web content to be updated.<br />
<br />
==== How to test ====<br />
<br />
Type the below command to check the User and Group associated with a file.The file varies in Between Debian,RHEL/CentOS/Fedora,FreeBSD.<br />
<br />
Example:<br />
<br />
<pre><br />
# ls -l /usr/share/apache2<br />
</pre><br />
<br />
<br />
<br />
==== Misconfiguration ====<br />
<br />
In the Below example the apache2 folder is owned by a user name "alice" and group "sysadmin" which can be considered as a misconfiguration.<br />
<br />
<pre><br />
drwxr-xr-x 6 alice sysadmin 4096 Sep 7 13:20 apache2<br />
</pre><br />
<br />
<br />
==== Remediation ====<br />
The below command will set a Directory named "apache2" with root user and root group recursively.<br />
<br />
<pre><br />
#chown –R root:root /usr/local/apache2<br />
</pre><br />
<br />
=== Apache File Ownership and Permissions ===<br />
==== Description ====<br />
Setting the appropriate permissions on the Apache files and directories can help to prevent/mitigate exploitation severity and information disclosure.<br />
<br />
Preventing execution of Apache binaries with limited permission will decrease the attack surface.<br />
<br />
Permission of the Apache directories and files should be rwxr-xr-x and they can change if it is Apache binary or executable file.<br />
<br />
==== How to test ====<br />
Run the below command to check the file permissions.<br />
<br />
<pre>#ls -l /var/www/html</pre><br />
<br />
==== Misconfiguration ====<br />
<br />
Other than rwxr-xr-x would be considered as a mis configuration.<br />
<br />
==== Remediation ====<br />
<br />
Permission of the Apache directories and files should be rwxr-xr-x and they can change if it is Apache binary or executable file.<br />
<br />
== Access Control List in Apache == <br />
=== Restrict OS Root directory access using Allow,Deny Directive ===<br />
==== Description ====<br />
Apache will serve any file mapped from an URL to clients with efault configuration.<br />
<br />
It is better to create a deny policy that will not allow access to Operating system directoories or files.<br />
<br />
A small modification in the configuration will allow access to tthe required files.<br />
<br />
The order of the directive is important as it provides for otherr Allow diectives to override the default deny.<br />
<br />
==== How to test ====<br />
1. Find the appropriate Apache configuration file in your Server.<br />
2. Ensure there is a single Order directive and set the value to deny, allow<br />
3. Ensure there is a Deny directive, and set the value to "from all".<br />
4. Remove any Allow directives from the root <Directory> element. <br />
<br />
==== Misconfiguration ====<br />
<pre><br />
<Directory /><br />
. . .<br />
Order allow,deny<br />
Allow from all<br />
. . .<br />
</Directory><br />
</pre><br />
==== Remediation ====<br />
<pre><br />
<Directory /><br />
. . .<br />
Order deny,allow<br />
Deny from all<br />
. . .<br />
</Directory><br />
</pre><br />
<br />
=== Restrict WebSite Content using Allow,Deny Directive === <br />
==== Description ====<br />
Appropriate access to various files,directories, locations and virtual hosts that contains web site content can make attack surface strong.<br />
<br />
Based up on the requirement you can provide allow access or you can deny.<br />
<br />
==== How to test ====<br />
<br />
1. Find the appropriate Apache configuration file in your Server. <br><br />
2. Ensure there is a single Order directive and set the value to deny, allow<br> <br />
3. Ensure there is a Deny directive, and set the value to "from all". <br><br />
4. Remove any Allow directives from the root <Directory> element. <br><br />
<br />
==== MisConfiguration ====<br />
<pre><br />
<Directory "/var/www/html"><br />
. . .<br />
Order deny,allow<br />
Allow from all<br />
</Directory> <br />
</pre><br />
==== Remediation ====<br />
<pre><br />
<Directory "/var/www/html/"><br />
Order deny,allow<br />
deny from all<br />
allow from 172.16.5.0/24<br />
</Directory> <br />
</pre><br />
<br />
=== AllowOverride Directive ===<br />
<br />
==== Description ====<br />
<br />
==== How to test ====<br />
<br />
==== Misconfiguration ====<br />
<pre><br />
<Directory /var/www/html><br />
AllowOverride All<br />
</Directory><br />
</pre><br />
<br />
==== Remediation ====<br />
<pre><br />
<Directory /var/www/html><br />
AllowOverride None<br />
</Directory><br />
</pre><br />
<br />
== Apache Features ==<br />
<br />
=== Limit HTTP Request Methods ===<br />
==== Description ====<br />
<br />
<br />
Apache Server is capable of accepting and processing GET,HEAD,POST,OPTIONS,PUT,DELETE HTTP request methods.<br />
If we use <LimitExcept> directive then Apache will not process the unnecessary HTTP request methods.<br />
The primary security concerened is to disable the unnecessary HTTP request methods.<br />
Apache <LimitExcept> directive does not deny the TRACE request method. <br />
<br />
==== How to test ====<br />
<br />
==== Misconfiguration ====<br />
<br />
<br />
By default all the HTTP request methods are accepted by Apache Server.<br />
<br />
==== Remediation ====<br />
<br />
<pre><br />
<br />
<Directory "/usr/local/apache2/cgi-bin"><br />
. . .<br />
# Limit HTTP methods<br />
<LimitExcept GET POST OPTIONS><br />
deny from all<br />
</LimitExcept><br />
</Directory><br />
<br />
</pre><br />
<br />
=== Disable HTTP Trace Method ===<br />
==== Description ====<br />
HTTP Trace Method is enabled by default on the Apache Web Server.<br />
This method intended for diagnostics purposes.<br />
==== How to test ====<br />
Method 1:<br />
1. Locate the Apache configuration files and included configuration files.<br />
2. Verify there is a single TraceEnable directive configured with a value of off.<br />
<br />
Method 2:<br />
Telnet on the port your web server is running and request for “TRACE / HTTP/1.0” if you get a positive reply it means TRACE is enabled on your system.<br />
The output of a server with TRACE enabled will look like:<br />
==== Misconfiguration ====<br />
Below is an example of MisConfiguration.<br />
<pre>TraceEnable on</pre><br />
==== Remediation ====<br />
1.Locate the main Apache configuration file such as httpd.conf.<br />
2.Add a TraceEnable directive to the server level configuration with a value of off as shown<br />
<pre>TraceEnable off</pre><br />
<br />
=== HTTP Protocol Version ===<br />
==== Description ====<br />
Many attacks in the process of enumeration they use Vulnerability Scanners,Automated Programs and other fingerprinting tools to send abnormal HTTP protocol version to check how Web Server responds and it is very important that we need to deny these requests.<br />
==== How to test ====<br />
1.Locate the Apache configuration files and included configuration files.<br><br />
2.Verify that below module is loaded.<br />
<pre>mod_rewrite.so</pre><br />
==== Misconfiguration ====<br />
By default this module is not loaded.So we need to load the module.<br />
==== Remediation ====<br />
Method1:<br><br />
While compiling the Apache for installation we can enable this module and then install it.<br />
<pre>#./configure --enable-rewrite</pre><br />
If the Apache is installed with default parameter then we can also use the below Method<br> <br />
Method2:<br><br />
1.Locate the Apache configuration files and included configuration files.<br><br />
2.Add the following line to the Configuration file.<br />
<pre>LoadModule rewrite_module modules/mod_rewrite.so</pre><br />
3.Add/change the RewriteEngine directive to the configuration as shown.<br />
<pre><br />
RewriteEngine On<br />
RewriteCond %{THE_REQUEST} !HTTP/1\.1$ <br />
RewriteRule .* - [F]<br />
</pre><br />
<br />
=== Restrict access to .htaccess files ===<br />
==== Description ====<br />
The following configuration prevent .htaccess and .htpasswd files from being viewed by Web clients.<br />
==== How to test ====<br />
Verify the below recommended configuration is present in the Apache config file and make sure they are not commented out.<br />
==== Misconfiguration ====<br />
Below is the Misconfiguration<br />
<pre><br />
<FilesMatch "^\.ht"><br />
Order allow<br />
</FilesMatch><br />
</pre><br />
==== Remediation ====<br />
1.Locate the Apache configuration files and included configuration files.<br />
2.Add the following line to the Configuration file.<br />
<pre><br />
<FilesMatch "^\.ht"><br />
Order allow,deny<br />
Deny from all<br />
Satisfy All<br />
</FilesMatch><br />
</pre><br />
<br />
=== Restrict file extensions ===<br />
==== Description ====<br />
There are many files that are often left within the web server document root that could provide an attacker with sensitive information. Most often these files are mistakenly left behind after installation, trouble-shooting, or backing up files before editing.<br />
We use FilesMatch directive to restrict access to only those file extensions that are appropriate for the web server.<br />
==== How to test ====<br />
Verify the below recommended configuration is present in the Apache config file and make sure they are not commented out.<br />
==== Misconfiguration ====<br />
Block all files by default, unless specifically allowed.<br><br />
<pre><br />
<FilesMatch "^.*$"><br />
Order Deny,Allow<br />
Deny from all<br />
</FilesMatch><br />
</pre><br />
==== Remediation ====<br />
1.Locate the Apache configuration files and included configuration files.<br />
2.Add the following line to the Configuration file so that Web Server Allow files with specifically approved file extensions<br />
such as "css,htm,html,js,pdf,txt,xml,xsl"<br />
<pre><br />
<FilesMatch "^.*\.(css|html?|js|pdf|txt|xml|xsl|gif|ico|jpe?g|png)$"><br />
Order Deny,Allow<br />
Allow from all<br />
</FilesMatch><br />
</pre><br />
<br />
Note: File extensions should be matched carefully and should be changed based upon the reqruiement.<br />
<br />
=== Remove Default HTML Page ===<br />
==== Description ====<br />
==== How to test ====<br />
==== Misconfiguration ====<br />
==== Remediation ====<br />
<br />
<br />
== Apache Module Configuration ==<br />
<br />
=== Authentication and Authorization Modules ===<br />
==== Description ====<br />
==== How to test ====<br />
==== Misconfiguration ====<br />
==== Remediation ====<br />
<br />
=== Status and Info Modules ===<br />
==== Description ====<br />
==== How to test ====<br />
==== Misconfiguration ====<br />
==== Remediation ====<br />
<br />
<br />
=== AutoIndex Module ===<br />
==== Description ====<br />
==== How to test ====<br />
==== Misconfiguration ====<br />
==== Remediation ====<br />
<br />
<br />
=== Proxy Module ===<br />
==== Description ====<br />
==== How to test ====<br />
==== Misconfiguration ====<br />
==== Remediation ====<br />
<br />
<br />
=== User Directory Moudule ===<br />
<br />
== SSL / TLS Configuration ==<br />
=== Install a valid certificate ===<br />
==== Description ====<br />
==== How to test ====<br />
==== Misconfiguration ====<br />
==== Remediation ====<br />
<br />
<br />
=== Restric weak SSL Protocols and Ciphers ===<br />
==== Description ====<br />
==== How to test ====<br />
==== Misconfiguration ====<br />
==== Remediation ====<br />
<br />
<br />
=== Install mod_ssl Module === <br />
<br />
==== Description ====<br />
==== How to test ====<br />
==== Misconfiguration ====<br />
==== Remediation ====<br />
<br />
=== Avoid Insecure SSL Renogitation ===<br />
==== Description ====<br />
==== How to test ====<br />
==== Misconfiguration ====<br />
==== Remediation ====<br />
<br />
<br />
== Attack Migigation ==<br />
=== DOS ===<br />
==== Description ====<br />
==== How to test ====<br />
==== Misconfiguration ====<br />
==== Remediation ====<br />
<br />
=== Buffer Overflow ===<br />
==== Description ====<br />
==== How to test ====<br />
==== Misconfiguration ====<br />
==== Remediation ====<br />
<br />
== References ==<br />
<br />
https://httpd.apache.org/docs/current/misc/security_tips.html<br />
<br />
https://wiki.debian.org/Apache/Hardening<br />
<br />
https://wiki.apache.org/httpd/CommonMisconfigurations<br />
<br />
http://projects.webappsec.org/w/page/13246959/Server%20Misconfiguration</div>Nishanthkumarpathihttps://wiki.owasp.org/index.php?title=SCG_WS_Apache&diff=202557SCG WS Apache2015-10-23T12:10:26Z<p>Nishanthkumarpathi: /* Restrict file extensions */</p>
<hr />
<div>{{Template:OWASP Secure Configuration Guide}}<br />
'''NEEDS TO BE REVIEWED, SEE REFERENCES BELOW FOR ANY QUERIES!'''<br />
<br />
== Summary ==<br />
<br />
The Apache HTTP Server Project is a collaborative software development effort aimed at creating a robust, commercial-grade, featureful, and freely-available source code implementation of an HTTP (Web) server. The project is jointly managed by a group of volunteers located around the world, using the Internet and the Web to communicate, plan, and develop the server and its related documentation. This project is part of the Apache Software Foundation. In addition, hundreds of users have contributed ideas, code, and documentation to the project. This file is intended to briefly describe the history of the Apache HTTP Server and recognize the many contributors.<br />
<br />
== Important Files of Apache Server ==<br />
=== Apache Global Server Configuration Files ===<br />
<br />
Debian<br />
<pre>/etc/apache2/apache2.conf</pre><br />
RHEL / Red Hat / CentOS / Fedora Linux<br />
<pre>/etc/httpd/conf/httpd.conf</pre><br />
FreeBSD<br />
<pre>/usr/local/etc/apache2X/httpd.conf</pre><br />
<br />
Note:X represents the version number<br />
<br />
=== Apache Module Files ===<br />
Debian<pre>/etc/apache2/mods-enabled</pre><br />
RHEL / Red Hat / CentOS / Fedora Linux<pre>/etc/httpd/conf/conf.d</pre><br />
<br />
=== Apache Port Configuration File ===<br />
Debian<pre>/etc/apache2/ports.conf</pre><br />
RHEL / Red Hat / CentOS / Fedora Linux<pre>/etc/httpd/conf/conf.d</pre><br />
<br />
=== Apache Error Files ===<br />
Debian<pre>/var/log/apache2/error.log</pre><br />
RHEL / Red Hat / CentOS / Fedora Linux<pre>var/log/httpd/error_log</pre><br />
FreeBSD<pre>/var/log/httpd-error.log</pre><br />
<br />
== Apache Server Information Leakage ==<br />
<br />
=== Server Token Directive===<br />
<br />
==== Description ====<br />
<br />
This Directive Controls wheather Server response field is sent back to clients includes a description of Generic OS Type of the Server.<br />
<br />
<pre><br />
Server: Apache/2.2.14 (Unix) mod_ssl/2.2.14 OpenSSL/0.9.8e-fips-rhel5<br />
</pre><br />
<br />
This allows attackers to identify web servers details greatly and increases the efficiency of any attack,as security vulnerabilities<br />
are dependent upon specific software versions.<br />
<br />
==== How to test ====<br />
In order to test for ServerToken configuration, one should check the Apache configuration file.<br />
<br />
==== Misconfiguration ====<br />
<pre><br />
ServerTokens Full<br />
</pre><br />
<br />
==== Remediation ====<br />
<br />
Configure the ServerTokens directive in the Apache configuration to value of Prod or ProductOnly.<br />
This tells Apache to only return "Apache" in the Server header, returned on every page request.<br />
<br />
<pre><br />
ServerTokens Prod<br />
or<br />
ServerTokens ProductOnly<br />
</pre><br />
<br />
=== Server Signature ===<br />
<br />
==== Description ====<br />
<br />
This Apache directive allows the configuration of a trailing footer line under server-generated documents. <br />
<br />
==== How to test ====<br />
In order to test for ServerSignature configuration, one should check the Apache configuration file.<br />
<br />
==== Misconfiguration ====<br />
<pre>ServerSignature Off</pre><br />
<br />
==== Remediation ====<br />
Configure the ServerSingature directive in the Apache configuration to value of "Off".<br />
This tell Apache not to display the server version on error pages, or other pages it generates.<br />
<br />
<pre> ServerSignature On</pre><br />
<br />
== Operating System Privileges for Apache ==<br />
<br />
=== Run Apache with least privilege user ===<br />
<br />
==== Description ====<br />
<br />
Apache typically is started with root privileges in order to listen on port 80 and 443.<br />
One of the best ways to reduce your exposure to attack when running a web server is to create a unique, unprivileged userid and group for the web daemon to execute.<br />
The “nobody” or “daemon” userid & group that come default on Unix variants should NOT be used to run the web server as these principals are commonly used by other daemon services. <br />
Instead, create a user and group that are exclusively used by the web service so as to not give unnecessary access to other services.<br />
The userid used for the apache user should be a unique value between 1 and 499 as these lower values are reserved for the special system accounts.<br />
A more secure alternative is to bind Apache web service to an unprivileged port so it is not<br />
necessary to start Apache as root.<br />
<br />
==== How to test ====<br />
Ensure the apache account is unique and has been created with a UID between1-499 with the apache group and configured in the Apache Configuration File.<br />
<br />
==== Misconfiguration ====<br />
<br />
==== Remediation ====<br />
If the Apache user and group does exist, create the account and group as a unique system account.<br />
<br />
Example:<br />
<pre><br />
# groupadd –r apache<br />
# useradd apache -r -g apache -d /var/www -s /sbin/nologin<br />
</pre><br />
<br />
2. Configure the Apache user and group in the Apache configuration file.<br />
<pre><br />
User apache<br />
Group apache<br />
</pre><br />
<br />
=== Restrict Shell Access for Apache User=== <br />
==== Description ====<br />
The Apache account must not be used as a regular login account, and should be assigned an<br />
invalid or nologin shell to ensure that the account cannot be used to login.<br />
==== How to test ====<br />
==== Misconfiguration ====<br />
Check the apache login shell in the /etc/password file for Linux Systems.<br />
<pre># grep apache /etc/passwd</pre><br />
==== Remediation ====<br />
The below command will configure the apache user with "nologin" restrictions.<br />
<pre>#chsh -s /usr/sbin/nologin apache</pre><br />
Expected Output<br />
<pre><br />
Command to chec:<br />
#cat/etc/passwd<br />
Expected Output:<br />
apache:x:48:48:Apache:/var/www:usr/sbin/nologin</pre><br />
<br />
=== Lock Apache user account===<br />
==== Description ====<br />
The user account under which Apache runs, should have a valid password, but should be locked. <br />
==== How to test ====<br />
<br />
==== Misconfiguration ====<br />
<br />
The below is the misconfiguration for an Apache user.<br />
<br />
Command<br />
<br />
<pre># passwd -S apache</pre><br />
<br />
Expected Output:<br />
<br />
<pre>apache P 09/07/2015 0 99999 7 -1</pre><br />
<br />
==== Remediation ====<br />
<br />
<pre># passwd -l apache </pre><br />
<br />
Validate the Configuration using the below command in Linux.<br />
<br />
<pre>#passwd -S apache</pre><br />
<br />
Expected Output:<br />
<br />
<pre>apache LK 2015-09-09 0 99999 7 -1 </pre><br />
<br />
=== Apache Directory Ownership and Permissions ===<br />
==== Description ====<br />
All of the Apache Software directories and files installed should be owned by root user and root group.This will help in mitigate <br />
exploration severity and information disclosure.<br />
<br />
Apache Web Document folders like "/var/www/html" need a designated group to allow web content to be updated.<br />
<br />
==== How to test ====<br />
<br />
Type the below command to check the User and Group associated with a file.The file varies in Between Debian,RHEL/CentOS/Fedora,FreeBSD.<br />
<br />
Example:<br />
<br />
<pre><br />
# ls -l /usr/share/apache2<br />
</pre><br />
<br />
<br />
<br />
==== Misconfiguration ====<br />
<br />
In the Below example the apache2 folder is owned by a user name "alice" and group "sysadmin" which can be considered as a misconfiguration.<br />
<br />
<pre><br />
drwxr-xr-x 6 alice sysadmin 4096 Sep 7 13:20 apache2<br />
</pre><br />
<br />
<br />
==== Remediation ====<br />
The below command will set a Directory named "apache2" with root user and root group recursively.<br />
<br />
<pre><br />
#chown –R root:root /usr/local/apache2<br />
</pre><br />
<br />
=== Apache File Ownership and Permissions ===<br />
==== Description ====<br />
Setting the appropriate permissions on the Apache files and directories can help to prevent/mitigate exploitation severity and information disclosure.<br />
<br />
Preventing execution of Apache binaries with limited permission will decrease the attack surface.<br />
<br />
Permission of the Apache directories and files should be rwxr-xr-x and they can change if it is Apache binary or executable file.<br />
<br />
==== How to test ====<br />
Run the below command to check the file permissions.<br />
<br />
<pre>#ls -l /var/www/html</pre><br />
<br />
==== Misconfiguration ====<br />
<br />
Other than rwxr-xr-x would be considered as a mis configuration.<br />
<br />
==== Remediation ====<br />
<br />
Permission of the Apache directories and files should be rwxr-xr-x and they can change if it is Apache binary or executable file.<br />
<br />
== Access Control List in Apache == <br />
=== Restrict OS Root directory access using Allow,Deny Directive ===<br />
==== Description ====<br />
Apache will serve any file mapped from an URL to clients with efault configuration.<br />
<br />
It is better to create a deny policy that will not allow access to Operating system directoories or files.<br />
<br />
A small modification in the configuration will allow access to tthe required files.<br />
<br />
The order of the directive is important as it provides for otherr Allow diectives to override the default deny.<br />
<br />
==== How to test ====<br />
1. Find the appropriate Apache configuration file in your Server.<br />
2. Ensure there is a single Order directive and set the value to deny, allow<br />
3. Ensure there is a Deny directive, and set the value to "from all".<br />
4. Remove any Allow directives from the root <Directory> element. <br />
<br />
==== Misconfiguration ====<br />
<pre><br />
<Directory /><br />
. . .<br />
Order allow,deny<br />
Allow from all<br />
. . .<br />
</Directory><br />
</pre><br />
==== Remediation ====<br />
<pre><br />
<Directory /><br />
. . .<br />
Order deny,allow<br />
Deny from all<br />
. . .<br />
</Directory><br />
</pre><br />
<br />
=== Restrict WebSite Content using Allow,Deny Directive === <br />
==== Description ====<br />
Appropriate access to various files,directories, locations and virtual hosts that contains web site content can make attack surface strong.<br />
<br />
Based up on the requirement you can provide allow access or you can deny.<br />
<br />
==== How to test ====<br />
<br />
1. Find the appropriate Apache configuration file in your Server. <br><br />
2. Ensure there is a single Order directive and set the value to deny, allow<br> <br />
3. Ensure there is a Deny directive, and set the value to "from all". <br><br />
4. Remove any Allow directives from the root <Directory> element. <br><br />
<br />
==== MisConfiguration ====<br />
<pre><br />
<Directory "/var/www/html"><br />
. . .<br />
Order deny,allow<br />
Allow from all<br />
</Directory> <br />
</pre><br />
==== Remediation ====<br />
<pre><br />
<Directory "/var/www/html/"><br />
Order deny,allow<br />
deny from all<br />
allow from 172.16.5.0/24<br />
</Directory> <br />
</pre><br />
<br />
=== AllowOverride Directive ===<br />
<br />
==== Description ====<br />
<br />
==== How to test ====<br />
<br />
==== Misconfiguration ====<br />
<pre><br />
<Directory /var/www/html><br />
AllowOverride All<br />
</Directory><br />
</pre><br />
<br />
==== Remediation ====<br />
<pre><br />
<Directory /var/www/html><br />
AllowOverride None<br />
</Directory><br />
</pre><br />
<br />
== Apache Features ==<br />
<br />
=== Limit HTTP Request Methods ===<br />
==== Description ====<br />
<br />
<br />
Apache Server is capable of accepting and processing GET,HEAD,POST,OPTIONS,PUT,DELETE HTTP request methods.<br />
If we use <LimitExcept> directive then Apache will not process the unnecessary HTTP request methods.<br />
The primary security concerened is to disable the unnecessary HTTP request methods.<br />
Apache <LimitExcept> directive does not deny the TRACE request method. <br />
<br />
==== How to test ====<br />
<br />
==== Misconfiguration ====<br />
<br />
<br />
By default all the HTTP request methods are accepted by Apache Server.<br />
<br />
==== Remediation ====<br />
<br />
<pre><br />
<br />
<Directory "/usr/local/apache2/cgi-bin"><br />
. . .<br />
# Limit HTTP methods<br />
<LimitExcept GET POST OPTIONS><br />
deny from all<br />
</LimitExcept><br />
</Directory><br />
<br />
</pre><br />
<br />
=== Disable HTTP Trace Method ===<br />
==== Description ====<br />
HTTP Trace Method is enabled by default on the Apache Web Server.<br />
This method intended for diagnostics purposes.<br />
==== How to test ====<br />
Method 1:<br />
1. Locate the Apache configuration files and included configuration files.<br />
2. Verify there is a single TraceEnable directive configured with a value of off.<br />
<br />
Method 2:<br />
Telnet on the port your web server is running and request for “TRACE / HTTP/1.0” if you get a positive reply it means TRACE is enabled on your system.<br />
The output of a server with TRACE enabled will look like:<br />
==== Misconfiguration ====<br />
Below is an example of MisConfiguration.<br />
<pre>TraceEnable on</pre><br />
==== Remediation ====<br />
1.Locate the main Apache configuration file such as httpd.conf.<br />
2.Add a TraceEnable directive to the server level configuration with a value of off as shown<br />
<pre>TraceEnable off</pre><br />
<br />
=== HTTP Protocol Version ===<br />
==== Description ====<br />
Many attacks in the process of enumeration they use Vulnerability Scanners,Automated Programs and other fingerprinting tools to send abnormal HTTP protocol version to check how Web Server responds and it is very important that we need to deny these requests.<br />
==== How to test ====<br />
1.Locate the Apache configuration files and included configuration files.<br><br />
2.Verify that below module is loaded.<br />
<pre>mod_rewrite.so</pre><br />
==== Misconfiguration ====<br />
By default this module is not loaded.So we need to load the module.<br />
==== Remediation ====<br />
Method1:<br><br />
While compiling the Apache for installation we can enable this module and then install it.<br />
<pre>#./configure --enable-rewrite</pre><br />
If the Apache is installed with default parameter then we can also use the below Method<br> <br />
Method2:<br><br />
1.Locate the Apache configuration files and included configuration files.<br><br />
2.Add the following line to the Configuration file.<br />
<pre>LoadModule rewrite_module modules/mod_rewrite.so</pre><br />
3.Add/change the RewriteEngine directive to the configuration as shown.<br />
<pre><br />
RewriteEngine On<br />
RewriteCond %{THE_REQUEST} !HTTP/1\.1$ <br />
RewriteRule .* - [F]<br />
</pre><br />
<br />
=== Restrict access to .htaccess files ===<br />
==== Description ====<br />
The following configuration prevent .htaccess and .htpasswd files from being viewed by Web clients.<br />
==== How to test ====<br />
Verify the below recommended configuration is present in the Apache config file and make sure they are not commented out.<br />
==== Misconfiguration ====<br />
Below is the Misconfiguration<br />
<pre><br />
<FilesMatch "^\.ht"><br />
Order allow<br />
</FilesMatch><br />
</pre><br />
==== Remediation ====<br />
1.Locate the Apache configuration files and included configuration files.<br />
2.Add the following line to the Configuration file.<br />
<pre><br />
<FilesMatch "^\.ht"><br />
Order allow,deny<br />
Deny from all<br />
Satisfy All<br />
</FilesMatch><br />
</pre><br />
<br />
=== Restrict file extensions ===<br />
==== Description ====<br />
There are many files that are often left within the web server document root that could provide an attacker with sensitive information. Most often these files are mistakenly left behind after installation, trouble-shooting, or backing up files before editing.<br />
We use FilesMatch directive to restrict access to only those file extensions that are appropriate for the web server.<br />
==== How to test ====<br />
Verify the below recommended configuration is present in the Apache config file and make sure they are not commented out.<br />
==== Misconfiguration ====<br />
Block all files by default, unless specifically allowed.<br><br />
<FilesMatch "^.*$"><br />
Order Deny,Allow<br />
Deny from all<br />
</FilesMatch><br />
==== Remediation ====<br />
1.Locate the Apache configuration files and included configuration files.<br />
2.Add the following line to the Configuration file so that Web Server Allow files with specifically approved file extensions<br />
such as "css,htm,html,js,pdf,txt,xml,xsl"<br />
<pre><br />
<FilesMatch "^.*\.(css|html?|js|pdf|txt|xml|xsl|gif|ico|jpe?g|png)$"><br />
Order Deny,Allow<br />
Allow from all<br />
</FilesMatch><br />
</pre><br />
<br />
Note: File extensions should be matched carefully and should be changed based upon the reqruiement.<br />
<br />
=== Remove Default HTML Page ===<br />
==== Description ====<br />
==== How to test ====<br />
==== Misconfiguration ====<br />
==== Remediation ====<br />
<br />
<br />
== Apache Module Configuration ==<br />
<br />
=== Authentication and Authorization Modules ===<br />
==== Description ====<br />
==== How to test ====<br />
==== Misconfiguration ====<br />
==== Remediation ====<br />
<br />
=== Status and Info Modules ===<br />
==== Description ====<br />
==== How to test ====<br />
==== Misconfiguration ====<br />
==== Remediation ====<br />
<br />
<br />
=== AutoIndex Module ===<br />
==== Description ====<br />
==== How to test ====<br />
==== Misconfiguration ====<br />
==== Remediation ====<br />
<br />
<br />
=== Proxy Module ===<br />
==== Description ====<br />
==== How to test ====<br />
==== Misconfiguration ====<br />
==== Remediation ====<br />
<br />
<br />
=== User Directory Moudule ===<br />
<br />
== SSL / TLS Configuration ==<br />
=== Install a valid certificate ===<br />
==== Description ====<br />
==== How to test ====<br />
==== Misconfiguration ====<br />
==== Remediation ====<br />
<br />
<br />
=== Restric weak SSL Protocols and Ciphers ===<br />
==== Description ====<br />
==== How to test ====<br />
==== Misconfiguration ====<br />
==== Remediation ====<br />
<br />
<br />
=== Install mod_ssl Module === <br />
<br />
==== Description ====<br />
==== How to test ====<br />
==== Misconfiguration ====<br />
==== Remediation ====<br />
<br />
=== Avoid Insecure SSL Renogitation ===<br />
==== Description ====<br />
==== How to test ====<br />
==== Misconfiguration ====<br />
==== Remediation ====<br />
<br />
<br />
== Attack Migigation ==<br />
=== DOS ===<br />
==== Description ====<br />
==== How to test ====<br />
==== Misconfiguration ====<br />
==== Remediation ====<br />
<br />
=== Buffer Overflow ===<br />
==== Description ====<br />
==== How to test ====<br />
==== Misconfiguration ====<br />
==== Remediation ====<br />
<br />
== References ==<br />
<br />
https://httpd.apache.org/docs/current/misc/security_tips.html<br />
<br />
https://wiki.debian.org/Apache/Hardening<br />
<br />
https://wiki.apache.org/httpd/CommonMisconfigurations<br />
<br />
http://projects.webappsec.org/w/page/13246959/Server%20Misconfiguration</div>Nishanthkumarpathihttps://wiki.owasp.org/index.php?title=SCG_WS_Apache&diff=202556SCG WS Apache2015-10-23T12:01:17Z<p>Nishanthkumarpathi: /* Restrict access to .htaccess files */</p>
<hr />
<div>{{Template:OWASP Secure Configuration Guide}}<br />
'''NEEDS TO BE REVIEWED, SEE REFERENCES BELOW FOR ANY QUERIES!'''<br />
<br />
== Summary ==<br />
<br />
The Apache HTTP Server Project is a collaborative software development effort aimed at creating a robust, commercial-grade, featureful, and freely-available source code implementation of an HTTP (Web) server. The project is jointly managed by a group of volunteers located around the world, using the Internet and the Web to communicate, plan, and develop the server and its related documentation. This project is part of the Apache Software Foundation. In addition, hundreds of users have contributed ideas, code, and documentation to the project. This file is intended to briefly describe the history of the Apache HTTP Server and recognize the many contributors.<br />
<br />
== Important Files of Apache Server ==<br />
=== Apache Global Server Configuration Files ===<br />
<br />
Debian<br />
<pre>/etc/apache2/apache2.conf</pre><br />
RHEL / Red Hat / CentOS / Fedora Linux<br />
<pre>/etc/httpd/conf/httpd.conf</pre><br />
FreeBSD<br />
<pre>/usr/local/etc/apache2X/httpd.conf</pre><br />
<br />
Note:X represents the version number<br />
<br />
=== Apache Module Files ===<br />
Debian<pre>/etc/apache2/mods-enabled</pre><br />
RHEL / Red Hat / CentOS / Fedora Linux<pre>/etc/httpd/conf/conf.d</pre><br />
<br />
=== Apache Port Configuration File ===<br />
Debian<pre>/etc/apache2/ports.conf</pre><br />
RHEL / Red Hat / CentOS / Fedora Linux<pre>/etc/httpd/conf/conf.d</pre><br />
<br />
=== Apache Error Files ===<br />
Debian<pre>/var/log/apache2/error.log</pre><br />
RHEL / Red Hat / CentOS / Fedora Linux<pre>var/log/httpd/error_log</pre><br />
FreeBSD<pre>/var/log/httpd-error.log</pre><br />
<br />
== Apache Server Information Leakage ==<br />
<br />
=== Server Token Directive===<br />
<br />
==== Description ====<br />
<br />
This Directive Controls wheather Server response field is sent back to clients includes a description of Generic OS Type of the Server.<br />
<br />
<pre><br />
Server: Apache/2.2.14 (Unix) mod_ssl/2.2.14 OpenSSL/0.9.8e-fips-rhel5<br />
</pre><br />
<br />
This allows attackers to identify web servers details greatly and increases the efficiency of any attack,as security vulnerabilities<br />
are dependent upon specific software versions.<br />
<br />
==== How to test ====<br />
In order to test for ServerToken configuration, one should check the Apache configuration file.<br />
<br />
==== Misconfiguration ====<br />
<pre><br />
ServerTokens Full<br />
</pre><br />
<br />
==== Remediation ====<br />
<br />
Configure the ServerTokens directive in the Apache configuration to value of Prod or ProductOnly.<br />
This tells Apache to only return "Apache" in the Server header, returned on every page request.<br />
<br />
<pre><br />
ServerTokens Prod<br />
or<br />
ServerTokens ProductOnly<br />
</pre><br />
<br />
=== Server Signature ===<br />
<br />
==== Description ====<br />
<br />
This Apache directive allows the configuration of a trailing footer line under server-generated documents. <br />
<br />
==== How to test ====<br />
In order to test for ServerSignature configuration, one should check the Apache configuration file.<br />
<br />
==== Misconfiguration ====<br />
<pre>ServerSignature Off</pre><br />
<br />
==== Remediation ====<br />
Configure the ServerSingature directive in the Apache configuration to value of "Off".<br />
This tell Apache not to display the server version on error pages, or other pages it generates.<br />
<br />
<pre> ServerSignature On</pre><br />
<br />
== Operating System Privileges for Apache ==<br />
<br />
=== Run Apache with least privilege user ===<br />
<br />
==== Description ====<br />
<br />
Apache typically is started with root privileges in order to listen on port 80 and 443.<br />
One of the best ways to reduce your exposure to attack when running a web server is to create a unique, unprivileged userid and group for the web daemon to execute.<br />
The “nobody” or “daemon” userid & group that come default on Unix variants should NOT be used to run the web server as these principals are commonly used by other daemon services. <br />
Instead, create a user and group that are exclusively used by the web service so as to not give unnecessary access to other services.<br />
The userid used for the apache user should be a unique value between 1 and 499 as these lower values are reserved for the special system accounts.<br />
A more secure alternative is to bind Apache web service to an unprivileged port so it is not<br />
necessary to start Apache as root.<br />
<br />
==== How to test ====<br />
Ensure the apache account is unique and has been created with a UID between1-499 with the apache group and configured in the Apache Configuration File.<br />
<br />
==== Misconfiguration ====<br />
<br />
==== Remediation ====<br />
If the Apache user and group does exist, create the account and group as a unique system account.<br />
<br />
Example:<br />
<pre><br />
# groupadd –r apache<br />
# useradd apache -r -g apache -d /var/www -s /sbin/nologin<br />
</pre><br />
<br />
2. Configure the Apache user and group in the Apache configuration file.<br />
<pre><br />
User apache<br />
Group apache<br />
</pre><br />
<br />
=== Restrict Shell Access for Apache User=== <br />
==== Description ====<br />
The Apache account must not be used as a regular login account, and should be assigned an<br />
invalid or nologin shell to ensure that the account cannot be used to login.<br />
==== How to test ====<br />
==== Misconfiguration ====<br />
Check the apache login shell in the /etc/password file for Linux Systems.<br />
<pre># grep apache /etc/passwd</pre><br />
==== Remediation ====<br />
The below command will configure the apache user with "nologin" restrictions.<br />
<pre>#chsh -s /usr/sbin/nologin apache</pre><br />
Expected Output<br />
<pre><br />
Command to chec:<br />
#cat/etc/passwd<br />
Expected Output:<br />
apache:x:48:48:Apache:/var/www:usr/sbin/nologin</pre><br />
<br />
=== Lock Apache user account===<br />
==== Description ====<br />
The user account under which Apache runs, should have a valid password, but should be locked. <br />
==== How to test ====<br />
<br />
==== Misconfiguration ====<br />
<br />
The below is the misconfiguration for an Apache user.<br />
<br />
Command<br />
<br />
<pre># passwd -S apache</pre><br />
<br />
Expected Output:<br />
<br />
<pre>apache P 09/07/2015 0 99999 7 -1</pre><br />
<br />
==== Remediation ====<br />
<br />
<pre># passwd -l apache </pre><br />
<br />
Validate the Configuration using the below command in Linux.<br />
<br />
<pre>#passwd -S apache</pre><br />
<br />
Expected Output:<br />
<br />
<pre>apache LK 2015-09-09 0 99999 7 -1 </pre><br />
<br />
=== Apache Directory Ownership and Permissions ===<br />
==== Description ====<br />
All of the Apache Software directories and files installed should be owned by root user and root group.This will help in mitigate <br />
exploration severity and information disclosure.<br />
<br />
Apache Web Document folders like "/var/www/html" need a designated group to allow web content to be updated.<br />
<br />
==== How to test ====<br />
<br />
Type the below command to check the User and Group associated with a file.The file varies in Between Debian,RHEL/CentOS/Fedora,FreeBSD.<br />
<br />
Example:<br />
<br />
<pre><br />
# ls -l /usr/share/apache2<br />
</pre><br />
<br />
<br />
<br />
==== Misconfiguration ====<br />
<br />
In the Below example the apache2 folder is owned by a user name "alice" and group "sysadmin" which can be considered as a misconfiguration.<br />
<br />
<pre><br />
drwxr-xr-x 6 alice sysadmin 4096 Sep 7 13:20 apache2<br />
</pre><br />
<br />
<br />
==== Remediation ====<br />
The below command will set a Directory named "apache2" with root user and root group recursively.<br />
<br />
<pre><br />
#chown –R root:root /usr/local/apache2<br />
</pre><br />
<br />
=== Apache File Ownership and Permissions ===<br />
==== Description ====<br />
Setting the appropriate permissions on the Apache files and directories can help to prevent/mitigate exploitation severity and information disclosure.<br />
<br />
Preventing execution of Apache binaries with limited permission will decrease the attack surface.<br />
<br />
Permission of the Apache directories and files should be rwxr-xr-x and they can change if it is Apache binary or executable file.<br />
<br />
==== How to test ====<br />
Run the below command to check the file permissions.<br />
<br />
<pre>#ls -l /var/www/html</pre><br />
<br />
==== Misconfiguration ====<br />
<br />
Other than rwxr-xr-x would be considered as a mis configuration.<br />
<br />
==== Remediation ====<br />
<br />
Permission of the Apache directories and files should be rwxr-xr-x and they can change if it is Apache binary or executable file.<br />
<br />
== Access Control List in Apache == <br />
=== Restrict OS Root directory access using Allow,Deny Directive ===<br />
==== Description ====<br />
Apache will serve any file mapped from an URL to clients with efault configuration.<br />
<br />
It is better to create a deny policy that will not allow access to Operating system directoories or files.<br />
<br />
A small modification in the configuration will allow access to tthe required files.<br />
<br />
The order of the directive is important as it provides for otherr Allow diectives to override the default deny.<br />
<br />
==== How to test ====<br />
1. Find the appropriate Apache configuration file in your Server.<br />
2. Ensure there is a single Order directive and set the value to deny, allow<br />
3. Ensure there is a Deny directive, and set the value to "from all".<br />
4. Remove any Allow directives from the root <Directory> element. <br />
<br />
==== Misconfiguration ====<br />
<pre><br />
<Directory /><br />
. . .<br />
Order allow,deny<br />
Allow from all<br />
. . .<br />
</Directory><br />
</pre><br />
==== Remediation ====<br />
<pre><br />
<Directory /><br />
. . .<br />
Order deny,allow<br />
Deny from all<br />
. . .<br />
</Directory><br />
</pre><br />
<br />
=== Restrict WebSite Content using Allow,Deny Directive === <br />
==== Description ====<br />
Appropriate access to various files,directories, locations and virtual hosts that contains web site content can make attack surface strong.<br />
<br />
Based up on the requirement you can provide allow access or you can deny.<br />
<br />
==== How to test ====<br />
<br />
1. Find the appropriate Apache configuration file in your Server. <br><br />
2. Ensure there is a single Order directive and set the value to deny, allow<br> <br />
3. Ensure there is a Deny directive, and set the value to "from all". <br><br />
4. Remove any Allow directives from the root <Directory> element. <br><br />
<br />
==== MisConfiguration ====<br />
<pre><br />
<Directory "/var/www/html"><br />
. . .<br />
Order deny,allow<br />
Allow from all<br />
</Directory> <br />
</pre><br />
==== Remediation ====<br />
<pre><br />
<Directory "/var/www/html/"><br />
Order deny,allow<br />
deny from all<br />
allow from 172.16.5.0/24<br />
</Directory> <br />
</pre><br />
<br />
=== AllowOverride Directive ===<br />
<br />
==== Description ====<br />
<br />
==== How to test ====<br />
<br />
==== Misconfiguration ====<br />
<pre><br />
<Directory /var/www/html><br />
AllowOverride All<br />
</Directory><br />
</pre><br />
<br />
==== Remediation ====<br />
<pre><br />
<Directory /var/www/html><br />
AllowOverride None<br />
</Directory><br />
</pre><br />
<br />
== Apache Features ==<br />
<br />
=== Limit HTTP Request Methods ===<br />
==== Description ====<br />
<br />
<br />
Apache Server is capable of accepting and processing GET,HEAD,POST,OPTIONS,PUT,DELETE HTTP request methods.<br />
If we use <LimitExcept> directive then Apache will not process the unnecessary HTTP request methods.<br />
The primary security concerened is to disable the unnecessary HTTP request methods.<br />
Apache <LimitExcept> directive does not deny the TRACE request method. <br />
<br />
==== How to test ====<br />
<br />
==== Misconfiguration ====<br />
<br />
<br />
By default all the HTTP request methods are accepted by Apache Server.<br />
<br />
==== Remediation ====<br />
<br />
<pre><br />
<br />
<Directory "/usr/local/apache2/cgi-bin"><br />
. . .<br />
# Limit HTTP methods<br />
<LimitExcept GET POST OPTIONS><br />
deny from all<br />
</LimitExcept><br />
</Directory><br />
<br />
</pre><br />
<br />
=== Disable HTTP Trace Method ===<br />
==== Description ====<br />
HTTP Trace Method is enabled by default on the Apache Web Server.<br />
This method intended for diagnostics purposes.<br />
==== How to test ====<br />
Method 1:<br />
1. Locate the Apache configuration files and included configuration files.<br />
2. Verify there is a single TraceEnable directive configured with a value of off.<br />
<br />
Method 2:<br />
Telnet on the port your web server is running and request for “TRACE / HTTP/1.0” if you get a positive reply it means TRACE is enabled on your system.<br />
The output of a server with TRACE enabled will look like:<br />
==== Misconfiguration ====<br />
Below is an example of MisConfiguration.<br />
<pre>TraceEnable on</pre><br />
==== Remediation ====<br />
1.Locate the main Apache configuration file such as httpd.conf.<br />
2.Add a TraceEnable directive to the server level configuration with a value of off as shown<br />
<pre>TraceEnable off</pre><br />
<br />
=== HTTP Protocol Version ===<br />
==== Description ====<br />
Many attacks in the process of enumeration they use Vulnerability Scanners,Automated Programs and other fingerprinting tools to send abnormal HTTP protocol version to check how Web Server responds and it is very important that we need to deny these requests.<br />
==== How to test ====<br />
1.Locate the Apache configuration files and included configuration files.<br><br />
2.Verify that below module is loaded.<br />
<pre>mod_rewrite.so</pre><br />
==== Misconfiguration ====<br />
By default this module is not loaded.So we need to load the module.<br />
==== Remediation ====<br />
Method1:<br><br />
While compiling the Apache for installation we can enable this module and then install it.<br />
<pre>#./configure --enable-rewrite</pre><br />
If the Apache is installed with default parameter then we can also use the below Method<br> <br />
Method2:<br><br />
1.Locate the Apache configuration files and included configuration files.<br><br />
2.Add the following line to the Configuration file.<br />
<pre>LoadModule rewrite_module modules/mod_rewrite.so</pre><br />
3.Add/change the RewriteEngine directive to the configuration as shown.<br />
<pre><br />
RewriteEngine On<br />
RewriteCond %{THE_REQUEST} !HTTP/1\.1$ <br />
RewriteRule .* - [F]<br />
</pre><br />
<br />
=== Restrict access to .htaccess files ===<br />
==== Description ====<br />
The following configuration prevent .htaccess and .htpasswd files from being viewed by Web clients.<br />
==== How to test ====<br />
Verify the below recommended configuration is present in the Apache config file and make sure they are not commented out.<br />
==== Misconfiguration ====<br />
Below is the Misconfiguration<br />
<pre><br />
<FilesMatch "^\.ht"><br />
Order allow<br />
</FilesMatch><br />
</pre><br />
==== Remediation ====<br />
1.Locate the Apache configuration files and included configuration files.<br />
2.Add the following line to the Configuration file.<br />
<pre><br />
<FilesMatch "^\.ht"><br />
Order allow,deny<br />
Deny from all<br />
Satisfy All<br />
</FilesMatch><br />
</pre><br />
<br />
=== Restrict file extensions ===<br />
==== Description ====<br />
==== How to test ====<br />
==== Misconfiguration ====<br />
==== Remediation ====<br />
<br />
<br />
=== Remove Default HTML Page ===<br />
==== Description ====<br />
==== How to test ====<br />
==== Misconfiguration ====<br />
==== Remediation ====<br />
<br />
<br />
== Apache Module Configuration ==<br />
<br />
=== Authentication and Authorization Modules ===<br />
==== Description ====<br />
==== How to test ====<br />
==== Misconfiguration ====<br />
==== Remediation ====<br />
<br />
=== Status and Info Modules ===<br />
==== Description ====<br />
==== How to test ====<br />
==== Misconfiguration ====<br />
==== Remediation ====<br />
<br />
<br />
=== AutoIndex Module ===<br />
==== Description ====<br />
==== How to test ====<br />
==== Misconfiguration ====<br />
==== Remediation ====<br />
<br />
<br />
=== Proxy Module ===<br />
==== Description ====<br />
==== How to test ====<br />
==== Misconfiguration ====<br />
==== Remediation ====<br />
<br />
<br />
=== User Directory Moudule ===<br />
<br />
== SSL / TLS Configuration ==<br />
=== Install a valid certificate ===<br />
==== Description ====<br />
==== How to test ====<br />
==== Misconfiguration ====<br />
==== Remediation ====<br />
<br />
<br />
=== Restric weak SSL Protocols and Ciphers ===<br />
==== Description ====<br />
==== How to test ====<br />
==== Misconfiguration ====<br />
==== Remediation ====<br />
<br />
<br />
=== Install mod_ssl Module === <br />
<br />
==== Description ====<br />
==== How to test ====<br />
==== Misconfiguration ====<br />
==== Remediation ====<br />
<br />
=== Avoid Insecure SSL Renogitation ===<br />
==== Description ====<br />
==== How to test ====<br />
==== Misconfiguration ====<br />
==== Remediation ====<br />
<br />
<br />
== Attack Migigation ==<br />
=== DOS ===<br />
==== Description ====<br />
==== How to test ====<br />
==== Misconfiguration ====<br />
==== Remediation ====<br />
<br />
=== Buffer Overflow ===<br />
==== Description ====<br />
==== How to test ====<br />
==== Misconfiguration ====<br />
==== Remediation ====<br />
<br />
== References ==<br />
<br />
https://httpd.apache.org/docs/current/misc/security_tips.html<br />
<br />
https://wiki.debian.org/Apache/Hardening<br />
<br />
https://wiki.apache.org/httpd/CommonMisconfigurations<br />
<br />
http://projects.webappsec.org/w/page/13246959/Server%20Misconfiguration</div>Nishanthkumarpathihttps://wiki.owasp.org/index.php?title=SCG_WS_Apache&diff=202555SCG WS Apache2015-10-23T11:52:07Z<p>Nishanthkumarpathi: /* Remediation */</p>
<hr />
<div>{{Template:OWASP Secure Configuration Guide}}<br />
'''NEEDS TO BE REVIEWED, SEE REFERENCES BELOW FOR ANY QUERIES!'''<br />
<br />
== Summary ==<br />
<br />
The Apache HTTP Server Project is a collaborative software development effort aimed at creating a robust, commercial-grade, featureful, and freely-available source code implementation of an HTTP (Web) server. The project is jointly managed by a group of volunteers located around the world, using the Internet and the Web to communicate, plan, and develop the server and its related documentation. This project is part of the Apache Software Foundation. In addition, hundreds of users have contributed ideas, code, and documentation to the project. This file is intended to briefly describe the history of the Apache HTTP Server and recognize the many contributors.<br />
<br />
== Important Files of Apache Server ==<br />
=== Apache Global Server Configuration Files ===<br />
<br />
Debian<br />
<pre>/etc/apache2/apache2.conf</pre><br />
RHEL / Red Hat / CentOS / Fedora Linux<br />
<pre>/etc/httpd/conf/httpd.conf</pre><br />
FreeBSD<br />
<pre>/usr/local/etc/apache2X/httpd.conf</pre><br />
<br />
Note:X represents the version number<br />
<br />
=== Apache Module Files ===<br />
Debian<pre>/etc/apache2/mods-enabled</pre><br />
RHEL / Red Hat / CentOS / Fedora Linux<pre>/etc/httpd/conf/conf.d</pre><br />
<br />
=== Apache Port Configuration File ===<br />
Debian<pre>/etc/apache2/ports.conf</pre><br />
RHEL / Red Hat / CentOS / Fedora Linux<pre>/etc/httpd/conf/conf.d</pre><br />
<br />
=== Apache Error Files ===<br />
Debian<pre>/var/log/apache2/error.log</pre><br />
RHEL / Red Hat / CentOS / Fedora Linux<pre>var/log/httpd/error_log</pre><br />
FreeBSD<pre>/var/log/httpd-error.log</pre><br />
<br />
== Apache Server Information Leakage ==<br />
<br />
=== Server Token Directive===<br />
<br />
==== Description ====<br />
<br />
This Directive Controls wheather Server response field is sent back to clients includes a description of Generic OS Type of the Server.<br />
<br />
<pre><br />
Server: Apache/2.2.14 (Unix) mod_ssl/2.2.14 OpenSSL/0.9.8e-fips-rhel5<br />
</pre><br />
<br />
This allows attackers to identify web servers details greatly and increases the efficiency of any attack,as security vulnerabilities<br />
are dependent upon specific software versions.<br />
<br />
==== How to test ====<br />
In order to test for ServerToken configuration, one should check the Apache configuration file.<br />
<br />
==== Misconfiguration ====<br />
<pre><br />
ServerTokens Full<br />
</pre><br />
<br />
==== Remediation ====<br />
<br />
Configure the ServerTokens directive in the Apache configuration to value of Prod or ProductOnly.<br />
This tells Apache to only return "Apache" in the Server header, returned on every page request.<br />
<br />
<pre><br />
ServerTokens Prod<br />
or<br />
ServerTokens ProductOnly<br />
</pre><br />
<br />
=== Server Signature ===<br />
<br />
==== Description ====<br />
<br />
This Apache directive allows the configuration of a trailing footer line under server-generated documents. <br />
<br />
==== How to test ====<br />
In order to test for ServerSignature configuration, one should check the Apache configuration file.<br />
<br />
==== Misconfiguration ====<br />
<pre>ServerSignature Off</pre><br />
<br />
==== Remediation ====<br />
Configure the ServerSingature directive in the Apache configuration to value of "Off".<br />
This tell Apache not to display the server version on error pages, or other pages it generates.<br />
<br />
<pre> ServerSignature On</pre><br />
<br />
== Operating System Privileges for Apache ==<br />
<br />
=== Run Apache with least privilege user ===<br />
<br />
==== Description ====<br />
<br />
Apache typically is started with root privileges in order to listen on port 80 and 443.<br />
One of the best ways to reduce your exposure to attack when running a web server is to create a unique, unprivileged userid and group for the web daemon to execute.<br />
The “nobody” or “daemon” userid & group that come default on Unix variants should NOT be used to run the web server as these principals are commonly used by other daemon services. <br />
Instead, create a user and group that are exclusively used by the web service so as to not give unnecessary access to other services.<br />
The userid used for the apache user should be a unique value between 1 and 499 as these lower values are reserved for the special system accounts.<br />
A more secure alternative is to bind Apache web service to an unprivileged port so it is not<br />
necessary to start Apache as root.<br />
<br />
==== How to test ====<br />
Ensure the apache account is unique and has been created with a UID between1-499 with the apache group and configured in the Apache Configuration File.<br />
<br />
==== Misconfiguration ====<br />
<br />
==== Remediation ====<br />
If the Apache user and group does exist, create the account and group as a unique system account.<br />
<br />
Example:<br />
<pre><br />
# groupadd –r apache<br />
# useradd apache -r -g apache -d /var/www -s /sbin/nologin<br />
</pre><br />
<br />
2. Configure the Apache user and group in the Apache configuration file.<br />
<pre><br />
User apache<br />
Group apache<br />
</pre><br />
<br />
=== Restrict Shell Access for Apache User=== <br />
==== Description ====<br />
The Apache account must not be used as a regular login account, and should be assigned an<br />
invalid or nologin shell to ensure that the account cannot be used to login.<br />
==== How to test ====<br />
==== Misconfiguration ====<br />
Check the apache login shell in the /etc/password file for Linux Systems.<br />
<pre># grep apache /etc/passwd</pre><br />
==== Remediation ====<br />
The below command will configure the apache user with "nologin" restrictions.<br />
<pre>#chsh -s /usr/sbin/nologin apache</pre><br />
Expected Output<br />
<pre><br />
Command to chec:<br />
#cat/etc/passwd<br />
Expected Output:<br />
apache:x:48:48:Apache:/var/www:usr/sbin/nologin</pre><br />
<br />
=== Lock Apache user account===<br />
==== Description ====<br />
The user account under which Apache runs, should have a valid password, but should be locked. <br />
==== How to test ====<br />
<br />
==== Misconfiguration ====<br />
<br />
The below is the misconfiguration for an Apache user.<br />
<br />
Command<br />
<br />
<pre># passwd -S apache</pre><br />
<br />
Expected Output:<br />
<br />
<pre>apache P 09/07/2015 0 99999 7 -1</pre><br />
<br />
==== Remediation ====<br />
<br />
<pre># passwd -l apache </pre><br />
<br />
Validate the Configuration using the below command in Linux.<br />
<br />
<pre>#passwd -S apache</pre><br />
<br />
Expected Output:<br />
<br />
<pre>apache LK 2015-09-09 0 99999 7 -1 </pre><br />
<br />
=== Apache Directory Ownership and Permissions ===<br />
==== Description ====<br />
All of the Apache Software directories and files installed should be owned by root user and root group.This will help in mitigate <br />
exploration severity and information disclosure.<br />
<br />
Apache Web Document folders like "/var/www/html" need a designated group to allow web content to be updated.<br />
<br />
==== How to test ====<br />
<br />
Type the below command to check the User and Group associated with a file.The file varies in Between Debian,RHEL/CentOS/Fedora,FreeBSD.<br />
<br />
Example:<br />
<br />
<pre><br />
# ls -l /usr/share/apache2<br />
</pre><br />
<br />
<br />
<br />
==== Misconfiguration ====<br />
<br />
In the Below example the apache2 folder is owned by a user name "alice" and group "sysadmin" which can be considered as a misconfiguration.<br />
<br />
<pre><br />
drwxr-xr-x 6 alice sysadmin 4096 Sep 7 13:20 apache2<br />
</pre><br />
<br />
<br />
==== Remediation ====<br />
The below command will set a Directory named "apache2" with root user and root group recursively.<br />
<br />
<pre><br />
#chown –R root:root /usr/local/apache2<br />
</pre><br />
<br />
=== Apache File Ownership and Permissions ===<br />
==== Description ====<br />
Setting the appropriate permissions on the Apache files and directories can help to prevent/mitigate exploitation severity and information disclosure.<br />
<br />
Preventing execution of Apache binaries with limited permission will decrease the attack surface.<br />
<br />
Permission of the Apache directories and files should be rwxr-xr-x and they can change if it is Apache binary or executable file.<br />
<br />
==== How to test ====<br />
Run the below command to check the file permissions.<br />
<br />
<pre>#ls -l /var/www/html</pre><br />
<br />
==== Misconfiguration ====<br />
<br />
Other than rwxr-xr-x would be considered as a mis configuration.<br />
<br />
==== Remediation ====<br />
<br />
Permission of the Apache directories and files should be rwxr-xr-x and they can change if it is Apache binary or executable file.<br />
<br />
== Access Control List in Apache == <br />
=== Restrict OS Root directory access using Allow,Deny Directive ===<br />
==== Description ====<br />
Apache will serve any file mapped from an URL to clients with efault configuration.<br />
<br />
It is better to create a deny policy that will not allow access to Operating system directoories or files.<br />
<br />
A small modification in the configuration will allow access to tthe required files.<br />
<br />
The order of the directive is important as it provides for otherr Allow diectives to override the default deny.<br />
<br />
==== How to test ====<br />
1. Find the appropriate Apache configuration file in your Server.<br />
2. Ensure there is a single Order directive and set the value to deny, allow<br />
3. Ensure there is a Deny directive, and set the value to "from all".<br />
4. Remove any Allow directives from the root <Directory> element. <br />
<br />
==== Misconfiguration ====<br />
<pre><br />
<Directory /><br />
. . .<br />
Order allow,deny<br />
Allow from all<br />
. . .<br />
</Directory><br />
</pre><br />
==== Remediation ====<br />
<pre><br />
<Directory /><br />
. . .<br />
Order deny,allow<br />
Deny from all<br />
. . .<br />
</Directory><br />
</pre><br />
<br />
=== Restrict WebSite Content using Allow,Deny Directive === <br />
==== Description ====<br />
Appropriate access to various files,directories, locations and virtual hosts that contains web site content can make attack surface strong.<br />
<br />
Based up on the requirement you can provide allow access or you can deny.<br />
<br />
==== How to test ====<br />
<br />
1. Find the appropriate Apache configuration file in your Server. <br><br />
2. Ensure there is a single Order directive and set the value to deny, allow<br> <br />
3. Ensure there is a Deny directive, and set the value to "from all". <br><br />
4. Remove any Allow directives from the root <Directory> element. <br><br />
<br />
==== MisConfiguration ====<br />
<pre><br />
<Directory "/var/www/html"><br />
. . .<br />
Order deny,allow<br />
Allow from all<br />
</Directory> <br />
</pre><br />
==== Remediation ====<br />
<pre><br />
<Directory "/var/www/html/"><br />
Order deny,allow<br />
deny from all<br />
allow from 172.16.5.0/24<br />
</Directory> <br />
</pre><br />
<br />
=== AllowOverride Directive ===<br />
<br />
==== Description ====<br />
<br />
==== How to test ====<br />
<br />
==== Misconfiguration ====<br />
<pre><br />
<Directory /var/www/html><br />
AllowOverride All<br />
</Directory><br />
</pre><br />
<br />
==== Remediation ====<br />
<pre><br />
<Directory /var/www/html><br />
AllowOverride None<br />
</Directory><br />
</pre><br />
<br />
== Apache Features ==<br />
<br />
=== Limit HTTP Request Methods ===<br />
==== Description ====<br />
<br />
<br />
Apache Server is capable of accepting and processing GET,HEAD,POST,OPTIONS,PUT,DELETE HTTP request methods.<br />
If we use <LimitExcept> directive then Apache will not process the unnecessary HTTP request methods.<br />
The primary security concerened is to disable the unnecessary HTTP request methods.<br />
Apache <LimitExcept> directive does not deny the TRACE request method. <br />
<br />
==== How to test ====<br />
<br />
==== Misconfiguration ====<br />
<br />
<br />
By default all the HTTP request methods are accepted by Apache Server.<br />
<br />
==== Remediation ====<br />
<br />
<pre><br />
<br />
<Directory "/usr/local/apache2/cgi-bin"><br />
. . .<br />
# Limit HTTP methods<br />
<LimitExcept GET POST OPTIONS><br />
deny from all<br />
</LimitExcept><br />
</Directory><br />
<br />
</pre><br />
<br />
=== Disable HTTP Trace Method ===<br />
==== Description ====<br />
HTTP Trace Method is enabled by default on the Apache Web Server.<br />
This method intended for diagnostics purposes.<br />
==== How to test ====<br />
Method 1:<br />
1. Locate the Apache configuration files and included configuration files.<br />
2. Verify there is a single TraceEnable directive configured with a value of off.<br />
<br />
Method 2:<br />
Telnet on the port your web server is running and request for “TRACE / HTTP/1.0” if you get a positive reply it means TRACE is enabled on your system.<br />
The output of a server with TRACE enabled will look like:<br />
==== Misconfiguration ====<br />
Below is an example of MisConfiguration.<br />
<pre>TraceEnable on</pre><br />
==== Remediation ====<br />
1.Locate the main Apache configuration file such as httpd.conf.<br />
2.Add a TraceEnable directive to the server level configuration with a value of off as shown<br />
<pre>TraceEnable off</pre><br />
<br />
=== HTTP Protocol Version ===<br />
==== Description ====<br />
Many attacks in the process of enumeration they use Vulnerability Scanners,Automated Programs and other fingerprinting tools to send abnormal HTTP protocol version to check how Web Server responds and it is very important that we need to deny these requests.<br />
==== How to test ====<br />
1.Locate the Apache configuration files and included configuration files.<br><br />
2.Verify that below module is loaded.<br />
<pre>mod_rewrite.so</pre><br />
==== Misconfiguration ====<br />
By default this module is not loaded.So we need to load the module.<br />
==== Remediation ====<br />
Method1:<br><br />
While compiling the Apache for installation we can enable this module and then install it.<br />
<pre>#./configure --enable-rewrite</pre><br />
If the Apache is installed with default parameter then we can also use the below Method<br> <br />
Method2:<br><br />
1.Locate the Apache configuration files and included configuration files.<br><br />
2.Add the following line to the Configuration file.<br />
<pre>LoadModule rewrite_module modules/mod_rewrite.so</pre><br />
3.Add/change the RewriteEngine directive to the configuration as shown.<br />
<pre><br />
RewriteEngine On<br />
RewriteCond %{THE_REQUEST} !HTTP/1\.1$ <br />
RewriteRule .* - [F]<br />
</pre><br />
<br />
=== Restrict access to .htaccess files ===<br />
==== Description ====<br />
==== How to test ====<br />
==== Misconfiguration ====<br />
==== Remediation ====<br />
<br />
<br />
=== Restrict file extensions ===<br />
==== Description ====<br />
==== How to test ====<br />
==== Misconfiguration ====<br />
==== Remediation ====<br />
<br />
<br />
=== Remove Default HTML Page ===<br />
==== Description ====<br />
==== How to test ====<br />
==== Misconfiguration ====<br />
==== Remediation ====<br />
<br />
<br />
== Apache Module Configuration ==<br />
<br />
=== Authentication and Authorization Modules ===<br />
==== Description ====<br />
==== How to test ====<br />
==== Misconfiguration ====<br />
==== Remediation ====<br />
<br />
=== Status and Info Modules ===<br />
==== Description ====<br />
==== How to test ====<br />
==== Misconfiguration ====<br />
==== Remediation ====<br />
<br />
<br />
=== AutoIndex Module ===<br />
==== Description ====<br />
==== How to test ====<br />
==== Misconfiguration ====<br />
==== Remediation ====<br />
<br />
<br />
=== Proxy Module ===<br />
==== Description ====<br />
==== How to test ====<br />
==== Misconfiguration ====<br />
==== Remediation ====<br />
<br />
<br />
=== User Directory Moudule ===<br />
<br />
== SSL / TLS Configuration ==<br />
=== Install a valid certificate ===<br />
==== Description ====<br />
==== How to test ====<br />
==== Misconfiguration ====<br />
==== Remediation ====<br />
<br />
<br />
=== Restric weak SSL Protocols and Ciphers ===<br />
==== Description ====<br />
==== How to test ====<br />
==== Misconfiguration ====<br />
==== Remediation ====<br />
<br />
<br />
=== Install mod_ssl Module === <br />
<br />
==== Description ====<br />
==== How to test ====<br />
==== Misconfiguration ====<br />
==== Remediation ====<br />
<br />
=== Avoid Insecure SSL Renogitation ===<br />
==== Description ====<br />
==== How to test ====<br />
==== Misconfiguration ====<br />
==== Remediation ====<br />
<br />
<br />
== Attack Migigation ==<br />
=== DOS ===<br />
==== Description ====<br />
==== How to test ====<br />
==== Misconfiguration ====<br />
==== Remediation ====<br />
<br />
=== Buffer Overflow ===<br />
==== Description ====<br />
==== How to test ====<br />
==== Misconfiguration ====<br />
==== Remediation ====<br />
<br />
== References ==<br />
<br />
https://httpd.apache.org/docs/current/misc/security_tips.html<br />
<br />
https://wiki.debian.org/Apache/Hardening<br />
<br />
https://wiki.apache.org/httpd/CommonMisconfigurations<br />
<br />
http://projects.webappsec.org/w/page/13246959/Server%20Misconfiguration</div>Nishanthkumarpathihttps://wiki.owasp.org/index.php?title=SCG_WS_Apache&diff=202554SCG WS Apache2015-10-23T11:47:09Z<p>Nishanthkumarpathi: /* HTTP Protocol Version */</p>
<hr />
<div>{{Template:OWASP Secure Configuration Guide}}<br />
'''NEEDS TO BE REVIEWED, SEE REFERENCES BELOW FOR ANY QUERIES!'''<br />
<br />
== Summary ==<br />
<br />
The Apache HTTP Server Project is a collaborative software development effort aimed at creating a robust, commercial-grade, featureful, and freely-available source code implementation of an HTTP (Web) server. The project is jointly managed by a group of volunteers located around the world, using the Internet and the Web to communicate, plan, and develop the server and its related documentation. This project is part of the Apache Software Foundation. In addition, hundreds of users have contributed ideas, code, and documentation to the project. This file is intended to briefly describe the history of the Apache HTTP Server and recognize the many contributors.<br />
<br />
== Important Files of Apache Server ==<br />
=== Apache Global Server Configuration Files ===<br />
<br />
Debian<br />
<pre>/etc/apache2/apache2.conf</pre><br />
RHEL / Red Hat / CentOS / Fedora Linux<br />
<pre>/etc/httpd/conf/httpd.conf</pre><br />
FreeBSD<br />
<pre>/usr/local/etc/apache2X/httpd.conf</pre><br />
<br />
Note:X represents the version number<br />
<br />
=== Apache Module Files ===<br />
Debian<pre>/etc/apache2/mods-enabled</pre><br />
RHEL / Red Hat / CentOS / Fedora Linux<pre>/etc/httpd/conf/conf.d</pre><br />
<br />
=== Apache Port Configuration File ===<br />
Debian<pre>/etc/apache2/ports.conf</pre><br />
RHEL / Red Hat / CentOS / Fedora Linux<pre>/etc/httpd/conf/conf.d</pre><br />
<br />
=== Apache Error Files ===<br />
Debian<pre>/var/log/apache2/error.log</pre><br />
RHEL / Red Hat / CentOS / Fedora Linux<pre>var/log/httpd/error_log</pre><br />
FreeBSD<pre>/var/log/httpd-error.log</pre><br />
<br />
== Apache Server Information Leakage ==<br />
<br />
=== Server Token Directive===<br />
<br />
==== Description ====<br />
<br />
This Directive Controls wheather Server response field is sent back to clients includes a description of Generic OS Type of the Server.<br />
<br />
<pre><br />
Server: Apache/2.2.14 (Unix) mod_ssl/2.2.14 OpenSSL/0.9.8e-fips-rhel5<br />
</pre><br />
<br />
This allows attackers to identify web servers details greatly and increases the efficiency of any attack,as security vulnerabilities<br />
are dependent upon specific software versions.<br />
<br />
==== How to test ====<br />
In order to test for ServerToken configuration, one should check the Apache configuration file.<br />
<br />
==== Misconfiguration ====<br />
<pre><br />
ServerTokens Full<br />
</pre><br />
<br />
==== Remediation ====<br />
<br />
Configure the ServerTokens directive in the Apache configuration to value of Prod or ProductOnly.<br />
This tells Apache to only return "Apache" in the Server header, returned on every page request.<br />
<br />
<pre><br />
ServerTokens Prod<br />
or<br />
ServerTokens ProductOnly<br />
</pre><br />
<br />
=== Server Signature ===<br />
<br />
==== Description ====<br />
<br />
This Apache directive allows the configuration of a trailing footer line under server-generated documents. <br />
<br />
==== How to test ====<br />
In order to test for ServerSignature configuration, one should check the Apache configuration file.<br />
<br />
==== Misconfiguration ====<br />
<pre>ServerSignature Off</pre><br />
<br />
==== Remediation ====<br />
Configure the ServerSingature directive in the Apache configuration to value of "Off".<br />
This tell Apache not to display the server version on error pages, or other pages it generates.<br />
<br />
<pre> ServerSignature On</pre><br />
<br />
== Operating System Privileges for Apache ==<br />
<br />
=== Run Apache with least privilege user ===<br />
<br />
==== Description ====<br />
<br />
Apache typically is started with root privileges in order to listen on port 80 and 443.<br />
One of the best ways to reduce your exposure to attack when running a web server is to create a unique, unprivileged userid and group for the web daemon to execute.<br />
The “nobody” or “daemon” userid & group that come default on Unix variants should NOT be used to run the web server as these principals are commonly used by other daemon services. <br />
Instead, create a user and group that are exclusively used by the web service so as to not give unnecessary access to other services.<br />
The userid used for the apache user should be a unique value between 1 and 499 as these lower values are reserved for the special system accounts.<br />
A more secure alternative is to bind Apache web service to an unprivileged port so it is not<br />
necessary to start Apache as root.<br />
<br />
==== How to test ====<br />
Ensure the apache account is unique and has been created with a UID between1-499 with the apache group and configured in the Apache Configuration File.<br />
<br />
==== Misconfiguration ====<br />
<br />
==== Remediation ====<br />
If the Apache user and group does exist, create the account and group as a unique system account.<br />
<br />
Example:<br />
<pre><br />
# groupadd –r apache<br />
# useradd apache -r -g apache -d /var/www -s /sbin/nologin<br />
</pre><br />
<br />
2. Configure the Apache user and group in the Apache configuration file.<br />
<pre><br />
User apache<br />
Group apache<br />
</pre><br />
<br />
=== Restrict Shell Access for Apache User=== <br />
==== Description ====<br />
The Apache account must not be used as a regular login account, and should be assigned an<br />
invalid or nologin shell to ensure that the account cannot be used to login.<br />
==== How to test ====<br />
==== Misconfiguration ====<br />
Check the apache login shell in the /etc/password file for Linux Systems.<br />
<pre># grep apache /etc/passwd</pre><br />
==== Remediation ====<br />
The below command will configure the apache user with "nologin" restrictions.<br />
<pre>#chsh -s /usr/sbin/nologin apache</pre><br />
Expected Output<br />
<pre><br />
Command to chec:<br />
#cat/etc/passwd<br />
Expected Output:<br />
apache:x:48:48:Apache:/var/www:usr/sbin/nologin</pre><br />
<br />
=== Lock Apache user account===<br />
==== Description ====<br />
The user account under which Apache runs, should have a valid password, but should be locked. <br />
==== How to test ====<br />
<br />
==== Misconfiguration ====<br />
<br />
The below is the misconfiguration for an Apache user.<br />
<br />
Command<br />
<br />
<pre># passwd -S apache</pre><br />
<br />
Expected Output:<br />
<br />
<pre>apache P 09/07/2015 0 99999 7 -1</pre><br />
<br />
==== Remediation ====<br />
<br />
<pre># passwd -l apache </pre><br />
<br />
Validate the Configuration using the below command in Linux.<br />
<br />
<pre>#passwd -S apache</pre><br />
<br />
Expected Output:<br />
<br />
<pre>apache LK 2015-09-09 0 99999 7 -1 </pre><br />
<br />
=== Apache Directory Ownership and Permissions ===<br />
==== Description ====<br />
All of the Apache Software directories and files installed should be owned by root user and root group.This will help in mitigate <br />
exploration severity and information disclosure.<br />
<br />
Apache Web Document folders like "/var/www/html" need a designated group to allow web content to be updated.<br />
<br />
==== How to test ====<br />
<br />
Type the below command to check the User and Group associated with a file.The file varies in Between Debian,RHEL/CentOS/Fedora,FreeBSD.<br />
<br />
Example:<br />
<br />
<pre><br />
# ls -l /usr/share/apache2<br />
</pre><br />
<br />
<br />
<br />
==== Misconfiguration ====<br />
<br />
In the Below example the apache2 folder is owned by a user name "alice" and group "sysadmin" which can be considered as a misconfiguration.<br />
<br />
<pre><br />
drwxr-xr-x 6 alice sysadmin 4096 Sep 7 13:20 apache2<br />
</pre><br />
<br />
<br />
==== Remediation ====<br />
The below command will set a Directory named "apache2" with root user and root group recursively.<br />
<br />
<pre><br />
#chown –R root:root /usr/local/apache2<br />
</pre><br />
<br />
=== Apache File Ownership and Permissions ===<br />
==== Description ====<br />
Setting the appropriate permissions on the Apache files and directories can help to prevent/mitigate exploitation severity and information disclosure.<br />
<br />
Preventing execution of Apache binaries with limited permission will decrease the attack surface.<br />
<br />
Permission of the Apache directories and files should be rwxr-xr-x and they can change if it is Apache binary or executable file.<br />
<br />
==== How to test ====<br />
Run the below command to check the file permissions.<br />
<br />
<pre>#ls -l /var/www/html</pre><br />
<br />
==== Misconfiguration ====<br />
<br />
Other than rwxr-xr-x would be considered as a mis configuration.<br />
<br />
==== Remediation ====<br />
<br />
Permission of the Apache directories and files should be rwxr-xr-x and they can change if it is Apache binary or executable file.<br />
<br />
== Access Control List in Apache == <br />
=== Restrict OS Root directory access using Allow,Deny Directive ===<br />
==== Description ====<br />
Apache will serve any file mapped from an URL to clients with efault configuration.<br />
<br />
It is better to create a deny policy that will not allow access to Operating system directoories or files.<br />
<br />
A small modification in the configuration will allow access to tthe required files.<br />
<br />
The order of the directive is important as it provides for otherr Allow diectives to override the default deny.<br />
<br />
==== How to test ====<br />
1. Find the appropriate Apache configuration file in your Server.<br />
2. Ensure there is a single Order directive and set the value to deny, allow<br />
3. Ensure there is a Deny directive, and set the value to "from all".<br />
4. Remove any Allow directives from the root <Directory> element. <br />
<br />
==== Misconfiguration ====<br />
<pre><br />
<Directory /><br />
. . .<br />
Order allow,deny<br />
Allow from all<br />
. . .<br />
</Directory><br />
</pre><br />
==== Remediation ====<br />
<pre><br />
<Directory /><br />
. . .<br />
Order deny,allow<br />
Deny from all<br />
. . .<br />
</Directory><br />
</pre><br />
<br />
=== Restrict WebSite Content using Allow,Deny Directive === <br />
==== Description ====<br />
Appropriate access to various files,directories, locations and virtual hosts that contains web site content can make attack surface strong.<br />
<br />
Based up on the requirement you can provide allow access or you can deny.<br />
<br />
==== How to test ====<br />
<br />
1. Find the appropriate Apache configuration file in your Server. <br><br />
2. Ensure there is a single Order directive and set the value to deny, allow<br> <br />
3. Ensure there is a Deny directive, and set the value to "from all". <br><br />
4. Remove any Allow directives from the root <Directory> element. <br><br />
<br />
==== MisConfiguration ====<br />
<pre><br />
<Directory "/var/www/html"><br />
. . .<br />
Order deny,allow<br />
Allow from all<br />
</Directory> <br />
</pre><br />
==== Remediation ====<br />
<pre><br />
<Directory "/var/www/html/"><br />
Order deny,allow<br />
deny from all<br />
allow from 172.16.5.0/24<br />
</Directory> <br />
</pre><br />
<br />
=== AllowOverride Directive ===<br />
<br />
==== Description ====<br />
<br />
==== How to test ====<br />
<br />
==== Misconfiguration ====<br />
<pre><br />
<Directory /var/www/html><br />
AllowOverride All<br />
</Directory><br />
</pre><br />
<br />
==== Remediation ====<br />
<pre><br />
<Directory /var/www/html><br />
AllowOverride None<br />
</Directory><br />
</pre><br />
<br />
== Apache Features ==<br />
<br />
=== Limit HTTP Request Methods ===<br />
==== Description ====<br />
<br />
<br />
Apache Server is capable of accepting and processing GET,HEAD,POST,OPTIONS,PUT,DELETE HTTP request methods.<br />
If we use <LimitExcept> directive then Apache will not process the unnecessary HTTP request methods.<br />
The primary security concerened is to disable the unnecessary HTTP request methods.<br />
Apache <LimitExcept> directive does not deny the TRACE request method. <br />
<br />
==== How to test ====<br />
<br />
==== Misconfiguration ====<br />
<br />
<br />
By default all the HTTP request methods are accepted by Apache Server.<br />
<br />
==== Remediation ====<br />
<br />
<pre><br />
<br />
<Directory "/usr/local/apache2/cgi-bin"><br />
. . .<br />
# Limit HTTP methods<br />
<LimitExcept GET POST OPTIONS><br />
deny from all<br />
</LimitExcept><br />
</Directory><br />
<br />
</pre><br />
<br />
=== Disable HTTP Trace Method ===<br />
==== Description ====<br />
HTTP Trace Method is enabled by default on the Apache Web Server.<br />
This method intended for diagnostics purposes.<br />
==== How to test ====<br />
Method 1:<br />
1. Locate the Apache configuration files and included configuration files.<br />
2. Verify there is a single TraceEnable directive configured with a value of off.<br />
<br />
Method 2:<br />
Telnet on the port your web server is running and request for “TRACE / HTTP/1.0” if you get a positive reply it means TRACE is enabled on your system.<br />
The output of a server with TRACE enabled will look like:<br />
==== Misconfiguration ====<br />
Below is an example of MisConfiguration.<br />
<pre>TraceEnable on</pre><br />
==== Remediation ====<br />
1.Locate the main Apache configuration file such as httpd.conf.<br />
2.Add a TraceEnable directive to the server level configuration with a value of off as shown<br />
<pre>TraceEnable off</pre><br />
<br />
=== HTTP Protocol Version ===<br />
==== Description ====<br />
Many attacks in the process of enumeration they use Vulnerability Scanners,Automated Programs and other fingerprinting tools to send abnormal HTTP protocol version to check how Web Server responds and it is very important that we need to deny these requests.<br />
==== How to test ====<br />
1.Locate the Apache configuration files and included configuration files.<br><br />
2.Verify that below module is loaded.<br />
<pre>mod_rewrite.so</pre><br />
==== Misconfiguration ====<br />
By default this module is not loaded.So we need to load the module.<br />
==== Remediation ====<br />
Method1:<br><br />
While compiling the Apache for installation we can enable this module and then install it.<br />
<pre>#./configure --enable-rewrite</pre><br />
If the Apache is installed with default parameter then we can also use the below Method<br> <br />
Method2:<br><br />
1.Locate the Apache configuration files and included configuration files.<br><br />
2.Add the following line to the Configuration file.<br />
<pre>LoadModule rewrite_module modules/mod_rewrite.so</pre><br />
3.Add/change the RewriteEngine directive to the configuration as shown.<br />
<pre>RewriteEngine On</pre><br />
<br />
=== Restrict access to .htaccess files ===<br />
==== Description ====<br />
==== How to test ====<br />
==== Misconfiguration ====<br />
==== Remediation ====<br />
<br />
<br />
=== Restrict file extensions ===<br />
==== Description ====<br />
==== How to test ====<br />
==== Misconfiguration ====<br />
==== Remediation ====<br />
<br />
<br />
=== Remove Default HTML Page ===<br />
==== Description ====<br />
==== How to test ====<br />
==== Misconfiguration ====<br />
==== Remediation ====<br />
<br />
<br />
== Apache Module Configuration ==<br />
<br />
=== Authentication and Authorization Modules ===<br />
==== Description ====<br />
==== How to test ====<br />
==== Misconfiguration ====<br />
==== Remediation ====<br />
<br />
=== Status and Info Modules ===<br />
==== Description ====<br />
==== How to test ====<br />
==== Misconfiguration ====<br />
==== Remediation ====<br />
<br />
<br />
=== AutoIndex Module ===<br />
==== Description ====<br />
==== How to test ====<br />
==== Misconfiguration ====<br />
==== Remediation ====<br />
<br />
<br />
=== Proxy Module ===<br />
==== Description ====<br />
==== How to test ====<br />
==== Misconfiguration ====<br />
==== Remediation ====<br />
<br />
<br />
=== User Directory Moudule ===<br />
<br />
== SSL / TLS Configuration ==<br />
=== Install a valid certificate ===<br />
==== Description ====<br />
==== How to test ====<br />
==== Misconfiguration ====<br />
==== Remediation ====<br />
<br />
<br />
=== Restric weak SSL Protocols and Ciphers ===<br />
==== Description ====<br />
==== How to test ====<br />
==== Misconfiguration ====<br />
==== Remediation ====<br />
<br />
<br />
=== Install mod_ssl Module === <br />
<br />
==== Description ====<br />
==== How to test ====<br />
==== Misconfiguration ====<br />
==== Remediation ====<br />
<br />
=== Avoid Insecure SSL Renogitation ===<br />
==== Description ====<br />
==== How to test ====<br />
==== Misconfiguration ====<br />
==== Remediation ====<br />
<br />
<br />
== Attack Migigation ==<br />
=== DOS ===<br />
==== Description ====<br />
==== How to test ====<br />
==== Misconfiguration ====<br />
==== Remediation ====<br />
<br />
=== Buffer Overflow ===<br />
==== Description ====<br />
==== How to test ====<br />
==== Misconfiguration ====<br />
==== Remediation ====<br />
<br />
== References ==<br />
<br />
https://httpd.apache.org/docs/current/misc/security_tips.html<br />
<br />
https://wiki.debian.org/Apache/Hardening<br />
<br />
https://wiki.apache.org/httpd/CommonMisconfigurations<br />
<br />
http://projects.webappsec.org/w/page/13246959/Server%20Misconfiguration</div>Nishanthkumarpathihttps://wiki.owasp.org/index.php?title=SCG_WS_Apache&diff=202553SCG WS Apache2015-10-23T11:30:00Z<p>Nishanthkumarpathi: /* Disable HTTP Trace Method */</p>
<hr />
<div>{{Template:OWASP Secure Configuration Guide}}<br />
'''NEEDS TO BE REVIEWED, SEE REFERENCES BELOW FOR ANY QUERIES!'''<br />
<br />
== Summary ==<br />
<br />
The Apache HTTP Server Project is a collaborative software development effort aimed at creating a robust, commercial-grade, featureful, and freely-available source code implementation of an HTTP (Web) server. The project is jointly managed by a group of volunteers located around the world, using the Internet and the Web to communicate, plan, and develop the server and its related documentation. This project is part of the Apache Software Foundation. In addition, hundreds of users have contributed ideas, code, and documentation to the project. This file is intended to briefly describe the history of the Apache HTTP Server and recognize the many contributors.<br />
<br />
== Important Files of Apache Server ==<br />
=== Apache Global Server Configuration Files ===<br />
<br />
Debian<br />
<pre>/etc/apache2/apache2.conf</pre><br />
RHEL / Red Hat / CentOS / Fedora Linux<br />
<pre>/etc/httpd/conf/httpd.conf</pre><br />
FreeBSD<br />
<pre>/usr/local/etc/apache2X/httpd.conf</pre><br />
<br />
Note:X represents the version number<br />
<br />
=== Apache Module Files ===<br />
Debian<pre>/etc/apache2/mods-enabled</pre><br />
RHEL / Red Hat / CentOS / Fedora Linux<pre>/etc/httpd/conf/conf.d</pre><br />
<br />
=== Apache Port Configuration File ===<br />
Debian<pre>/etc/apache2/ports.conf</pre><br />
RHEL / Red Hat / CentOS / Fedora Linux<pre>/etc/httpd/conf/conf.d</pre><br />
<br />
=== Apache Error Files ===<br />
Debian<pre>/var/log/apache2/error.log</pre><br />
RHEL / Red Hat / CentOS / Fedora Linux<pre>var/log/httpd/error_log</pre><br />
FreeBSD<pre>/var/log/httpd-error.log</pre><br />
<br />
== Apache Server Information Leakage ==<br />
<br />
=== Server Token Directive===<br />
<br />
==== Description ====<br />
<br />
This Directive Controls wheather Server response field is sent back to clients includes a description of Generic OS Type of the Server.<br />
<br />
<pre><br />
Server: Apache/2.2.14 (Unix) mod_ssl/2.2.14 OpenSSL/0.9.8e-fips-rhel5<br />
</pre><br />
<br />
This allows attackers to identify web servers details greatly and increases the efficiency of any attack,as security vulnerabilities<br />
are dependent upon specific software versions.<br />
<br />
==== How to test ====<br />
In order to test for ServerToken configuration, one should check the Apache configuration file.<br />
<br />
==== Misconfiguration ====<br />
<pre><br />
ServerTokens Full<br />
</pre><br />
<br />
==== Remediation ====<br />
<br />
Configure the ServerTokens directive in the Apache configuration to value of Prod or ProductOnly.<br />
This tells Apache to only return "Apache" in the Server header, returned on every page request.<br />
<br />
<pre><br />
ServerTokens Prod<br />
or<br />
ServerTokens ProductOnly<br />
</pre><br />
<br />
=== Server Signature ===<br />
<br />
==== Description ====<br />
<br />
This Apache directive allows the configuration of a trailing footer line under server-generated documents. <br />
<br />
==== How to test ====<br />
In order to test for ServerSignature configuration, one should check the Apache configuration file.<br />
<br />
==== Misconfiguration ====<br />
<pre>ServerSignature Off</pre><br />
<br />
==== Remediation ====<br />
Configure the ServerSingature directive in the Apache configuration to value of "Off".<br />
This tell Apache not to display the server version on error pages, or other pages it generates.<br />
<br />
<pre> ServerSignature On</pre><br />
<br />
== Operating System Privileges for Apache ==<br />
<br />
=== Run Apache with least privilege user ===<br />
<br />
==== Description ====<br />
<br />
Apache typically is started with root privileges in order to listen on port 80 and 443.<br />
One of the best ways to reduce your exposure to attack when running a web server is to create a unique, unprivileged userid and group for the web daemon to execute.<br />
The “nobody” or “daemon” userid & group that come default on Unix variants should NOT be used to run the web server as these principals are commonly used by other daemon services. <br />
Instead, create a user and group that are exclusively used by the web service so as to not give unnecessary access to other services.<br />
The userid used for the apache user should be a unique value between 1 and 499 as these lower values are reserved for the special system accounts.<br />
A more secure alternative is to bind Apache web service to an unprivileged port so it is not<br />
necessary to start Apache as root.<br />
<br />
==== How to test ====<br />
Ensure the apache account is unique and has been created with a UID between1-499 with the apache group and configured in the Apache Configuration File.<br />
<br />
==== Misconfiguration ====<br />
<br />
==== Remediation ====<br />
If the Apache user and group does exist, create the account and group as a unique system account.<br />
<br />
Example:<br />
<pre><br />
# groupadd –r apache<br />
# useradd apache -r -g apache -d /var/www -s /sbin/nologin<br />
</pre><br />
<br />
2. Configure the Apache user and group in the Apache configuration file.<br />
<pre><br />
User apache<br />
Group apache<br />
</pre><br />
<br />
=== Restrict Shell Access for Apache User=== <br />
==== Description ====<br />
The Apache account must not be used as a regular login account, and should be assigned an<br />
invalid or nologin shell to ensure that the account cannot be used to login.<br />
==== How to test ====<br />
==== Misconfiguration ====<br />
Check the apache login shell in the /etc/password file for Linux Systems.<br />
<pre># grep apache /etc/passwd</pre><br />
==== Remediation ====<br />
The below command will configure the apache user with "nologin" restrictions.<br />
<pre>#chsh -s /usr/sbin/nologin apache</pre><br />
Expected Output<br />
<pre><br />
Command to chec:<br />
#cat/etc/passwd<br />
Expected Output:<br />
apache:x:48:48:Apache:/var/www:usr/sbin/nologin</pre><br />
<br />
=== Lock Apache user account===<br />
==== Description ====<br />
The user account under which Apache runs, should have a valid password, but should be locked. <br />
==== How to test ====<br />
<br />
==== Misconfiguration ====<br />
<br />
The below is the misconfiguration for an Apache user.<br />
<br />
Command<br />
<br />
<pre># passwd -S apache</pre><br />
<br />
Expected Output:<br />
<br />
<pre>apache P 09/07/2015 0 99999 7 -1</pre><br />
<br />
==== Remediation ====<br />
<br />
<pre># passwd -l apache </pre><br />
<br />
Validate the Configuration using the below command in Linux.<br />
<br />
<pre>#passwd -S apache</pre><br />
<br />
Expected Output:<br />
<br />
<pre>apache LK 2015-09-09 0 99999 7 -1 </pre><br />
<br />
=== Apache Directory Ownership and Permissions ===<br />
==== Description ====<br />
All of the Apache Software directories and files installed should be owned by root user and root group.This will help in mitigate <br />
exploration severity and information disclosure.<br />
<br />
Apache Web Document folders like "/var/www/html" need a designated group to allow web content to be updated.<br />
<br />
==== How to test ====<br />
<br />
Type the below command to check the User and Group associated with a file.The file varies in Between Debian,RHEL/CentOS/Fedora,FreeBSD.<br />
<br />
Example:<br />
<br />
<pre><br />
# ls -l /usr/share/apache2<br />
</pre><br />
<br />
<br />
<br />
==== Misconfiguration ====<br />
<br />
In the Below example the apache2 folder is owned by a user name "alice" and group "sysadmin" which can be considered as a misconfiguration.<br />
<br />
<pre><br />
drwxr-xr-x 6 alice sysadmin 4096 Sep 7 13:20 apache2<br />
</pre><br />
<br />
<br />
==== Remediation ====<br />
The below command will set a Directory named "apache2" with root user and root group recursively.<br />
<br />
<pre><br />
#chown –R root:root /usr/local/apache2<br />
</pre><br />
<br />
=== Apache File Ownership and Permissions ===<br />
==== Description ====<br />
Setting the appropriate permissions on the Apache files and directories can help to prevent/mitigate exploitation severity and information disclosure.<br />
<br />
Preventing execution of Apache binaries with limited permission will decrease the attack surface.<br />
<br />
Permission of the Apache directories and files should be rwxr-xr-x and they can change if it is Apache binary or executable file.<br />
<br />
==== How to test ====<br />
Run the below command to check the file permissions.<br />
<br />
<pre>#ls -l /var/www/html</pre><br />
<br />
==== Misconfiguration ====<br />
<br />
Other than rwxr-xr-x would be considered as a mis configuration.<br />
<br />
==== Remediation ====<br />
<br />
Permission of the Apache directories and files should be rwxr-xr-x and they can change if it is Apache binary or executable file.<br />
<br />
== Access Control List in Apache == <br />
=== Restrict OS Root directory access using Allow,Deny Directive ===<br />
==== Description ====<br />
Apache will serve any file mapped from an URL to clients with efault configuration.<br />
<br />
It is better to create a deny policy that will not allow access to Operating system directoories or files.<br />
<br />
A small modification in the configuration will allow access to tthe required files.<br />
<br />
The order of the directive is important as it provides for otherr Allow diectives to override the default deny.<br />
<br />
==== How to test ====<br />
1. Find the appropriate Apache configuration file in your Server.<br />
2. Ensure there is a single Order directive and set the value to deny, allow<br />
3. Ensure there is a Deny directive, and set the value to "from all".<br />
4. Remove any Allow directives from the root <Directory> element. <br />
<br />
==== Misconfiguration ====<br />
<pre><br />
<Directory /><br />
. . .<br />
Order allow,deny<br />
Allow from all<br />
. . .<br />
</Directory><br />
</pre><br />
==== Remediation ====<br />
<pre><br />
<Directory /><br />
. . .<br />
Order deny,allow<br />
Deny from all<br />
. . .<br />
</Directory><br />
</pre><br />
<br />
=== Restrict WebSite Content using Allow,Deny Directive === <br />
==== Description ====<br />
Appropriate access to various files,directories, locations and virtual hosts that contains web site content can make attack surface strong.<br />
<br />
Based up on the requirement you can provide allow access or you can deny.<br />
<br />
==== How to test ====<br />
<br />
1. Find the appropriate Apache configuration file in your Server. <br><br />
2. Ensure there is a single Order directive and set the value to deny, allow<br> <br />
3. Ensure there is a Deny directive, and set the value to "from all". <br><br />
4. Remove any Allow directives from the root <Directory> element. <br><br />
<br />
==== MisConfiguration ====<br />
<pre><br />
<Directory "/var/www/html"><br />
. . .<br />
Order deny,allow<br />
Allow from all<br />
</Directory> <br />
</pre><br />
==== Remediation ====<br />
<pre><br />
<Directory "/var/www/html/"><br />
Order deny,allow<br />
deny from all<br />
allow from 172.16.5.0/24<br />
</Directory> <br />
</pre><br />
<br />
=== AllowOverride Directive ===<br />
<br />
==== Description ====<br />
<br />
==== How to test ====<br />
<br />
==== Misconfiguration ====<br />
<pre><br />
<Directory /var/www/html><br />
AllowOverride All<br />
</Directory><br />
</pre><br />
<br />
==== Remediation ====<br />
<pre><br />
<Directory /var/www/html><br />
AllowOverride None<br />
</Directory><br />
</pre><br />
<br />
== Apache Features ==<br />
<br />
=== Limit HTTP Request Methods ===<br />
==== Description ====<br />
<br />
<br />
Apache Server is capable of accepting and processing GET,HEAD,POST,OPTIONS,PUT,DELETE HTTP request methods.<br />
If we use <LimitExcept> directive then Apache will not process the unnecessary HTTP request methods.<br />
The primary security concerened is to disable the unnecessary HTTP request methods.<br />
Apache <LimitExcept> directive does not deny the TRACE request method. <br />
<br />
==== How to test ====<br />
<br />
==== Misconfiguration ====<br />
<br />
<br />
By default all the HTTP request methods are accepted by Apache Server.<br />
<br />
==== Remediation ====<br />
<br />
<pre><br />
<br />
<Directory "/usr/local/apache2/cgi-bin"><br />
. . .<br />
# Limit HTTP methods<br />
<LimitExcept GET POST OPTIONS><br />
deny from all<br />
</LimitExcept><br />
</Directory><br />
<br />
</pre><br />
<br />
=== Disable HTTP Trace Method ===<br />
==== Description ====<br />
HTTP Trace Method is enabled by default on the Apache Web Server.<br />
This method intended for diagnostics purposes.<br />
==== How to test ====<br />
Method 1:<br />
1. Locate the Apache configuration files and included configuration files.<br />
2. Verify there is a single TraceEnable directive configured with a value of off.<br />
<br />
Method 2:<br />
Telnet on the port your web server is running and request for “TRACE / HTTP/1.0” if you get a positive reply it means TRACE is enabled on your system.<br />
The output of a server with TRACE enabled will look like:<br />
==== Misconfiguration ====<br />
Below is an example of MisConfiguration.<br />
<pre>TraceEnable on</pre><br />
==== Remediation ====<br />
1.Locate the main Apache configuration file such as httpd.conf.<br />
2.Add a TraceEnable directive to the server level configuration with a value of off as shown<br />
<pre>TraceEnable off</pre><br />
<br />
=== HTTP Protocol Version ===<br />
==== Description ====<br />
==== How to test ====<br />
==== Misconfiguration ====<br />
==== Remediation ====<br />
<br />
<br />
=== Restrict access to .htaccess files ===<br />
==== Description ====<br />
==== How to test ====<br />
==== Misconfiguration ====<br />
==== Remediation ====<br />
<br />
<br />
=== Restrict file extensions ===<br />
==== Description ====<br />
==== How to test ====<br />
==== Misconfiguration ====<br />
==== Remediation ====<br />
<br />
<br />
=== Remove Default HTML Page ===<br />
==== Description ====<br />
==== How to test ====<br />
==== Misconfiguration ====<br />
==== Remediation ====<br />
<br />
<br />
== Apache Module Configuration ==<br />
<br />
=== Authentication and Authorization Modules ===<br />
==== Description ====<br />
==== How to test ====<br />
==== Misconfiguration ====<br />
==== Remediation ====<br />
<br />
=== Status and Info Modules ===<br />
==== Description ====<br />
==== How to test ====<br />
==== Misconfiguration ====<br />
==== Remediation ====<br />
<br />
<br />
=== AutoIndex Module ===<br />
==== Description ====<br />
==== How to test ====<br />
==== Misconfiguration ====<br />
==== Remediation ====<br />
<br />
<br />
=== Proxy Module ===<br />
==== Description ====<br />
==== How to test ====<br />
==== Misconfiguration ====<br />
==== Remediation ====<br />
<br />
<br />
=== User Directory Moudule ===<br />
<br />
== SSL / TLS Configuration ==<br />
=== Install a valid certificate ===<br />
==== Description ====<br />
==== How to test ====<br />
==== Misconfiguration ====<br />
==== Remediation ====<br />
<br />
<br />
=== Restric weak SSL Protocols and Ciphers ===<br />
==== Description ====<br />
==== How to test ====<br />
==== Misconfiguration ====<br />
==== Remediation ====<br />
<br />
<br />
=== Install mod_ssl Module === <br />
<br />
==== Description ====<br />
==== How to test ====<br />
==== Misconfiguration ====<br />
==== Remediation ====<br />
<br />
=== Avoid Insecure SSL Renogitation ===<br />
==== Description ====<br />
==== How to test ====<br />
==== Misconfiguration ====<br />
==== Remediation ====<br />
<br />
<br />
== Attack Migigation ==<br />
=== DOS ===<br />
==== Description ====<br />
==== How to test ====<br />
==== Misconfiguration ====<br />
==== Remediation ====<br />
<br />
=== Buffer Overflow ===<br />
==== Description ====<br />
==== How to test ====<br />
==== Misconfiguration ====<br />
==== Remediation ====<br />
<br />
== References ==<br />
<br />
https://httpd.apache.org/docs/current/misc/security_tips.html<br />
<br />
https://wiki.debian.org/Apache/Hardening<br />
<br />
https://wiki.apache.org/httpd/CommonMisconfigurations<br />
<br />
http://projects.webappsec.org/w/page/13246959/Server%20Misconfiguration</div>Nishanthkumarpathihttps://wiki.owasp.org/index.php?title=Nishanthkumarpathi&diff=202552Nishanthkumarpathi2015-10-23T11:12:05Z<p>Nishanthkumarpathi: /* Over Internet */</p>
<hr />
<div>== Summary ==<br />
Nishanth Kumar is a dynamic professional with an experience in Information Security, Network Security Analysis, and Compliance functions, Linux Administration, System Administration & Management to ensure secure information processing environment.<br />
<br />
== Skills ==<br />
<br />
Risk Assessment, Vulnerability Assessment, Penetration Testing, Perimeter Security, Incident handling, Log Analysis, Intrusion monitoring and networking.<br />
<br />
Deft in planning & managing entire IT infrastructure setup which includes assessment of hardware /software requirements , negotiation of purchase , installation & configuration of entire IT infrastructure in line with business requirements and migration of data from legacy systems.<br />
Assessing organizational requirements for security & implementing security software system against various attacks; executing backup strategy etc.<br />
<br />
Knowledge in IT Security, Business Continuity, Risk Management and Security Audits.<br />
<br />
Documenting business process, drafting Policy / Procedures in line with ISMS standard, reviewing Business Continuity and Disaster Recovery plans & Generation of metrics review reports.<br />
<br />
Knowledge on auditing concepts.<br />
<br />
== Certifications ==<br />
<br />
Juniper Networks Certified Professional - Security <br><br />
Juniper Networks Certified Specialist - Security <br><br />
Juniper Networks Certified Associate - Junos <br><br />
<br />
== Over Internet ==<br />
* [http://nishanth.co.in/ Portfolio]<br />
* [http://in.linkedin.com/in/nishanthkumarpathi Linkedin Profile]<br />
* [https://twitter.com/nishanthkumarp @nishanthkumarp on Twitter]<br />
* [http://www.slideshare.net/pathinishanth/presentations Presentations on Slideshare]</div>Nishanthkumarpathihttps://wiki.owasp.org/index.php?title=Nishanthkumarpathi&diff=202551Nishanthkumarpathi2015-10-23T11:10:29Z<p>Nishanthkumarpathi: /* Over Internet */</p>
<hr />
<div>== Summary ==<br />
Nishanth Kumar is a dynamic professional with an experience in Information Security, Network Security Analysis, and Compliance functions, Linux Administration, System Administration & Management to ensure secure information processing environment.<br />
<br />
== Skills ==<br />
<br />
Risk Assessment, Vulnerability Assessment, Penetration Testing, Perimeter Security, Incident handling, Log Analysis, Intrusion monitoring and networking.<br />
<br />
Deft in planning & managing entire IT infrastructure setup which includes assessment of hardware /software requirements , negotiation of purchase , installation & configuration of entire IT infrastructure in line with business requirements and migration of data from legacy systems.<br />
Assessing organizational requirements for security & implementing security software system against various attacks; executing backup strategy etc.<br />
<br />
Knowledge in IT Security, Business Continuity, Risk Management and Security Audits.<br />
<br />
Documenting business process, drafting Policy / Procedures in line with ISMS standard, reviewing Business Continuity and Disaster Recovery plans & Generation of metrics review reports.<br />
<br />
Knowledge on auditing concepts.<br />
<br />
== Certifications ==<br />
<br />
Juniper Networks Certified Professional - Security <br><br />
Juniper Networks Certified Specialist - Security <br><br />
Juniper Networks Certified Associate - Junos <br><br />
<br />
== Over Internet ==<br />
* [http://in.linkedin.com/in/nishanthkumarpathi Linkedin Profile]<br />
* [https://twitter.com/nishanthkumarp @nishanthkumarp on Twitter]<br />
* [http://www.slideshare.net/pathinishanth/presentations Presentations on Slideshare]</div>Nishanthkumarpathihttps://wiki.owasp.org/index.php?title=Nishanthkumarpathi&diff=202500Nishanthkumarpathi2015-10-22T05:39:03Z<p>Nishanthkumarpathi: /* Certifications */</p>
<hr />
<div>== Summary ==<br />
Nishanth Kumar is a dynamic professional with an experience in Information Security, Network Security Analysis, and Compliance functions, Linux Administration, System Administration & Management to ensure secure information processing environment.<br />
<br />
== Skills ==<br />
<br />
Risk Assessment, Vulnerability Assessment, Penetration Testing, Perimeter Security, Incident handling, Log Analysis, Intrusion monitoring and networking.<br />
<br />
Deft in planning & managing entire IT infrastructure setup which includes assessment of hardware /software requirements , negotiation of purchase , installation & configuration of entire IT infrastructure in line with business requirements and migration of data from legacy systems.<br />
Assessing organizational requirements for security & implementing security software system against various attacks; executing backup strategy etc.<br />
<br />
Knowledge in IT Security, Business Continuity, Risk Management and Security Audits.<br />
<br />
Documenting business process, drafting Policy / Procedures in line with ISMS standard, reviewing Business Continuity and Disaster Recovery plans & Generation of metrics review reports.<br />
<br />
Knowledge on auditing concepts.<br />
<br />
== Certifications ==<br />
<br />
Juniper Networks Certified Professional - Security <br><br />
Juniper Networks Certified Specialist - Security <br><br />
Juniper Networks Certified Associate - Junos <br><br />
<br />
== Over Internet ==<br />
* [http://linkd.in/webappsecguy Linkedin Profile]<br />
* [https://twitter.com/nishanthkumarp @nishanthkumarp on Twitter]<br />
* [http://www.slideshare.net/pathinishanth/presentations Presentations on Slideshare]</div>Nishanthkumarpathihttps://wiki.owasp.org/index.php?title=Nishanthkumarpathi&diff=202499Nishanthkumarpathi2015-10-22T05:38:31Z<p>Nishanthkumarpathi: /* Certifications */</p>
<hr />
<div>== Summary ==<br />
Nishanth Kumar is a dynamic professional with an experience in Information Security, Network Security Analysis, and Compliance functions, Linux Administration, System Administration & Management to ensure secure information processing environment.<br />
<br />
== Skills ==<br />
<br />
Risk Assessment, Vulnerability Assessment, Penetration Testing, Perimeter Security, Incident handling, Log Analysis, Intrusion monitoring and networking.<br />
<br />
Deft in planning & managing entire IT infrastructure setup which includes assessment of hardware /software requirements , negotiation of purchase , installation & configuration of entire IT infrastructure in line with business requirements and migration of data from legacy systems.<br />
Assessing organizational requirements for security & implementing security software system against various attacks; executing backup strategy etc.<br />
<br />
Knowledge in IT Security, Business Continuity, Risk Management and Security Audits.<br />
<br />
Documenting business process, drafting Policy / Procedures in line with ISMS standard, reviewing Business Continuity and Disaster Recovery plans & Generation of metrics review reports.<br />
<br />
Knowledge on auditing concepts.<br />
<br />
== Certifications ==<br />
<br />
Juniper Networks Certified Professional - SECURITY<br><br />
Juniper Networks Certified Specialist - SECURITY<br><br />
Juniper Networks Certified Associate - JUNOS<br><br />
<br />
== Over Internet ==<br />
* [http://linkd.in/webappsecguy Linkedin Profile]<br />
* [https://twitter.com/nishanthkumarp @nishanthkumarp on Twitter]<br />
* [http://www.slideshare.net/pathinishanth/presentations Presentations on Slideshare]</div>Nishanthkumarpathihttps://wiki.owasp.org/index.php?title=Nishanthkumarpathi&diff=202498Nishanthkumarpathi2015-10-22T05:35:05Z<p>Nishanthkumarpathi: /* Over Internet */</p>
<hr />
<div>== Summary ==<br />
Nishanth Kumar is a dynamic professional with an experience in Information Security, Network Security Analysis, and Compliance functions, Linux Administration, System Administration & Management to ensure secure information processing environment.<br />
<br />
== Skills ==<br />
<br />
Risk Assessment, Vulnerability Assessment, Penetration Testing, Perimeter Security, Incident handling, Log Analysis, Intrusion monitoring and networking.<br />
<br />
Deft in planning & managing entire IT infrastructure setup which includes assessment of hardware /software requirements , negotiation of purchase , installation & configuration of entire IT infrastructure in line with business requirements and migration of data from legacy systems.<br />
Assessing organizational requirements for security & implementing security software system against various attacks; executing backup strategy etc.<br />
<br />
Knowledge in IT Security, Business Continuity, Risk Management and Security Audits.<br />
<br />
Documenting business process, drafting Policy / Procedures in line with ISMS standard, reviewing Business Continuity and Disaster Recovery plans & Generation of metrics review reports.<br />
<br />
Knowledge on auditing concepts.<br />
<br />
== Certifications ==<br />
<br />
JUNIPER NETWORKS CERTIFIED PROFESSIONAL - SECURITY<br><br />
JUNIPER NETWORKS CERTIFIED SPECIALIST - SECURITY<br><br />
JUNIPER NETWORKS CERTIFIED ASSOCIATE - JUNOS<br><br />
<br />
<br />
== Over Internet ==<br />
* [http://linkd.in/webappsecguy Linkedin Profile]<br />
* [https://twitter.com/nishanthkumarp @nishanthkumarp on Twitter]<br />
* [http://www.slideshare.net/pathinishanth/presentations Presentations on Slideshare]</div>Nishanthkumarpathihttps://wiki.owasp.org/index.php?title=User:Makash&diff=202497User:Makash2015-10-22T05:34:12Z<p>Nishanthkumarpathi: /* Online */</p>
<hr />
<div>= Akash Mahajan = <br />
Akash is '''That Web Application Security Guy'''. A Certified Ethical Hacker with more than 10 years of experience in Application and Network Security. Before starting his own company he was a technical lead for one of the leading American commercial security software companies specialising in end point security. He started in security working on web infrastructure for the government of India.<br />
<br />
Akash is the founder and community Manager at ''null – The Open Security Group'' and ''Chapter Lead'' at [https://www.owasp.org/index.php/Bangalore OWASP Bangalore] while founding The AppSec Lab a company focussed on Application Security.<br />
<br />
He used to be actively involved with the Bangalore Barcamp Planners group, has done events like AppJam and MobileCamps all over India where he evangelized security to Small and Medium Enterprises. He is also the co-founder of Headstart Network Foundation a Section 25 Non-Profit company.<br />
<br />
== Online ==<br />
* [http://linkd.in/webappsecguy Linkedin Profile]<br />
* [http://www.slideshare.net/akashm/presentations Presentations on Slideshare]<br />
* [https://twitter.com/makash @makash on Twitter]</div>Nishanthkumarpathihttps://wiki.owasp.org/index.php?title=User:Makash&diff=202495User:Makash2015-10-22T05:32:58Z<p>Nishanthkumarpathi: /* Online */</p>
<hr />
<div>= Akash Mahajan = <br />
Akash is '''That Web Application Security Guy'''. A Certified Ethical Hacker with more than 10 years of experience in Application and Network Security. Before starting his own company he was a technical lead for one of the leading American commercial security software companies specialising in end point security. He started in security working on web infrastructure for the government of India.<br />
<br />
Akash is the founder and community Manager at ''null – The Open Security Group'' and ''Chapter Lead'' at [https://www.owasp.org/index.php/Bangalore OWASP Bangalore] while founding The AppSec Lab a company focussed on Application Security.<br />
<br />
He used to be actively involved with the Bangalore Barcamp Planners group, has done events like AppJam and MobileCamps all over India where he evangelized security to Small and Medium Enterprises. He is also the co-founder of Headstart Network Foundation a Section 25 Non-Profit company.<br />
<br />
== Online ==<br />
* [https://www.linkedin.com/in/akashm Linkedin Profile]<br />
* [http://www.slideshare.net/akashm/presentations Presentations on Slideshare]<br />
* [https://twitter.com/makash @makash on Twitter]</div>Nishanthkumarpathihttps://wiki.owasp.org/index.php?title=User:Makash&diff=202494User:Makash2015-10-22T05:30:29Z<p>Nishanthkumarpathi: /* Online */</p>
<hr />
<div>= Akash Mahajan = <br />
Akash is '''That Web Application Security Guy'''. A Certified Ethical Hacker with more than 10 years of experience in Application and Network Security. Before starting his own company he was a technical lead for one of the leading American commercial security software companies specialising in end point security. He started in security working on web infrastructure for the government of India.<br />
<br />
Akash is the founder and community Manager at ''null – The Open Security Group'' and ''Chapter Lead'' at [https://www.owasp.org/index.php/Bangalore OWASP Bangalore] while founding The AppSec Lab a company focussed on Application Security.<br />
<br />
He used to be actively involved with the Bangalore Barcamp Planners group, has done events like AppJam and MobileCamps all over India where he evangelized security to Small and Medium Enterprises. He is also the co-founder of Headstart Network Foundation a Section 25 Non-Profit company.<br />
<br />
== Online ==<br />
* [https://in.linkedin.com/in/nishanthkumarpathi Linkedin Profile]<br />
* [http://www.slideshare.net/pathinishanth/presentations Presentations on Slideshare]<br />
* [https://twitter.com/makash @makash on Twitter]</div>Nishanthkumarpathihttps://wiki.owasp.org/index.php?title=Nishanthkumarpathi&diff=202493Nishanthkumarpathi2015-10-22T05:27:23Z<p>Nishanthkumarpathi: </p>
<hr />
<div>== Summary ==<br />
Nishanth Kumar is a dynamic professional with an experience in Information Security, Network Security Analysis, and Compliance functions, Linux Administration, System Administration & Management to ensure secure information processing environment.<br />
<br />
== Skills ==<br />
<br />
Risk Assessment, Vulnerability Assessment, Penetration Testing, Perimeter Security, Incident handling, Log Analysis, Intrusion monitoring and networking.<br />
<br />
Deft in planning & managing entire IT infrastructure setup which includes assessment of hardware /software requirements , negotiation of purchase , installation & configuration of entire IT infrastructure in line with business requirements and migration of data from legacy systems.<br />
Assessing organizational requirements for security & implementing security software system against various attacks; executing backup strategy etc.<br />
<br />
Knowledge in IT Security, Business Continuity, Risk Management and Security Audits.<br />
<br />
Documenting business process, drafting Policy / Procedures in line with ISMS standard, reviewing Business Continuity and Disaster Recovery plans & Generation of metrics review reports.<br />
<br />
Knowledge on auditing concepts.<br />
<br />
== Certifications ==<br />
<br />
JUNIPER NETWORKS CERTIFIED PROFESSIONAL - SECURITY<br><br />
JUNIPER NETWORKS CERTIFIED SPECIALIST - SECURITY<br><br />
JUNIPER NETWORKS CERTIFIED ASSOCIATE - JUNOS<br><br />
<br />
<br />
== Over Internet ==</div>Nishanthkumarpathihttps://wiki.owasp.org/index.php?title=Nishanthkumarpathi&diff=202478Nishanthkumarpathi2015-10-21T20:17:01Z<p>Nishanthkumarpathi: </p>
<hr />
<div>Nishanth Kumar is a dynamic professional with an experience in Information Security, Network Security Analysis, and Compliance functions, Linux Administration, System Administration & Management to ensure secure information processing environment.<br />
<br />
Certifications :<br />
<br />
JUNIPER NETWORKS CERTIFIED PROFESSIONAL - SECURITY<br><br />
JUNIPER NETWORKS CERTIFIED SPECIALIST - SECURITY<br><br />
JUNIPER NETWORKS CERTIFIED ASSOCIATE - JUNOS<br><br />
<br />
Skills :<br />
<br />
Risk Assessment, Vulnerability Assessment, Penetration Testing, Perimeter Security, Incident handling, Log Analysis, Intrusion monitoring and networking.<br />
<br />
Deft in planning & managing entire IT infrastructure setup which includes assessment of hardware /software requirements , negotiation of purchase , installation & configuration of entire IT infrastructure in line with business requirements and migration of data from legacy systems.<br />
Assessing organizational requirements for security & implementing security software system against various attacks; executing backup strategy etc.<br />
<br />
Knowledge in IT Security, Business Continuity, Risk Management and Security Audits.<br />
<br />
Documenting business process, drafting Policy / Procedures in line with ISMS standard, reviewing Business Continuity and Disaster Recovery plans & Generation of metrics review reports.<br />
<br />
Knowledge on auditing concepts.<br />
<br />
<br />
<br />
== Over Internet ==</div>Nishanthkumarpathihttps://wiki.owasp.org/index.php?title=OWASP_Secure_Configuration_Guide&diff=202477OWASP Secure Configuration Guide2015-10-21T20:03:11Z<p>Nishanthkumarpathi: </p>
<hr />
<div>=Main=<br />
<!-- DO NOT ALTER OR REMOVE THE TEXT ON NEXT LINE --><br />
<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div><br />
<br />
<!-- DO NOT ALTER OR REMOVE THE TEXT ON NEXT LINE --><br />
{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-<br />
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
<br />
==The OWASP Secure Configuration Guide==<br />
<br />
There are small unclassified parts of info of configuration issues on OWASP currently; this project is to create unified document of issues and solutions to avoid common misconfigurations in popular frameworks, web servers, network devices and more.<br />
<br />
The latest version of wiki is accessible here:<br />
https://www.owasp.org/index.php/Secure_Configuration_Guide<br />
<br />
<br />
<br />
==Description==<br />
<br />
All of us know such situations when robust and secure solution makes your defense even weaker if misconfigured.<br />
Nearly in every penetration testing report exists a chapter "Server/Framework/Service misconfiguration". <br />
Whereas using standard up-to-date impenetrable(*) software is certainly a good thing, one should consider proper configuration in order to verify its soundness.<br />
<br />
This project is useful for both defenders, who can learn the proper way of configuring rapidly growing number of different popular software, and attackers, as a good complement to Testing Guide.<br />
<br />
<br />
<br />
(*) Saying "impenetrable" we mean all public vulnerabilities are patched in the most recent version. 0-days are still a threat but it's a different talk.<br />
<br />
==Licensing==<br />
<br />
The OWASP Secure Configuration Guide is free to use. It is licensed under the [http://creativecommons.org/licenses/by-sa/3.0/ Creative Commons Attribution-ShareAlike 3.0 license], so you can copy, distribute and transmit the work, and you can adapt it, and use it commercially, but all provided that you attribute the work and if you alter, transform, or build upon this work, you may distribute the resulting work only under the same or similar license to this one.<br />
<br />
<!-- DO NOT ALTER OR REMOVE THE TEXT ON NEXT LINE --><br />
| valign="top" style="padding-left:25px;width:200px;border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
<br />
== Project Leaders ==<br />
<br />
* [mailto:alexander.antukh@owasp.org Alexander Antukh]<br />
* [[User:Dvvord|Eduard Kovalets]]<br />
<br />
== Presentation ==<br />
<br />
[https://www.owasp.org/images/9/92/OWASP_Secure_Configuration.pptx Introduction to OWASP Secure Configuration Project.pptx]<br />
<br />
<br />
<br />
== Related Pages ==<br />
<br />
* [https://www.owasp.org/index.php/Secure_Configuration_Guide Table of Contents]<br />
* [https://www.owasp.org/index.php/Configuration OWASP Development Guide: Chapter on Configuration]<br />
* [https://www.owasp.org/index.php/Testing_for_configuration_management OWASP Testing Guide: Configuration Management]<br />
* [https://www.owasp.org/index.php/Insecure_Configuration_Management Insecure Configuration Management page ]<br />
<br />
<br />
<!-- DO NOT ALTER OR REMOVE THE TEXT ON NEXT LINE --><br />
| valign="top" style="padding-left:25px;width:200px;" |<br />
<br />
== News and Events ==<br />
<br />
* [20 Dec 2014] Mailing list created<br />
* [19 Dec 2014] First article released<br />
* [25 Nov 2014] Project initiated<br />
<br />
== In Print ==<br />
<br />
This project can be purchased as a print on demand book from Lulu.com<br />
<br />
<br />
<br />
==Classifications==<br />
<br />
<br />
{| width="200" cellpadding="2"<br />
|-<br />
| align="center" valign="top" width="50%" rowspan="2"| [[File:New projects.png|100px|link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Incubator_Projects]]<br />
| align="center" valign="top" width="50%"| [[File:Owasp-breakers-small.png|link=]] <br />
|-<br />
| align="center" valign="top" width="50%"| [[File:Owasp-defenders-small.png|link=]]<br />
|-<br />
| colspan="2" align="center" | [[File:Cc-button-y-sa-small.png|link=http://creativecommons.org/licenses/by-sa/3.0/]] <br />
|-<br />
| colspan="2" align="center" | [[File:Project_Type_Files_DOC.jpg|link=]] <br />
|}<br />
<br />
|}<br />
<br />
=FAQs=<br />
<br />
==How can I participate in your project?==<br />
All you have to do is make the Project Leader's aware of your available time to contribute to the project. It is also important to let the Leader's know how you would like to contribute and pitch in to help the project meet it's goals and milestones. There are many different ways you can contribute to an OWASP Project, but communication with the leads is key. <br />
<br />
==If I am not a programmer can I participate in your project?==<br />
Yes, you can certainly participate in the project if you are not a programmer or technical. The project needs different skills and expertise and different times during its development. Currently, we are looking for researchers, writers, reviewers, translators, and a project administrator. <br />
<br />
= Acknowledgements =<br />
<br />
==Contributors==<br />
<br />
* [[User:Alexander_Antukh|Alexander Antukh]]<br />
* [[User:Dnkolegov|Denis Kolegov]]<br />
* [[User:Makash|Akash Mahajan]]<br />
* [[User:Anant_Shrivastava|Anant Shrivastava]]<br />
* [[User:Dvvord|Eduard Kovalets]]<br />
* [[User:Nishanthkumarpathi|Nishanth Kumar Pathi]]<br />
<br />
<br />
We hope you find the information in the OWASP Secure Configuration Guide useful. Please contribute back to the project by sending your comments, questions, and suggestions to the OWASP SCG mailing list. Thanks!<br />
<br />
= Road Map and Getting Involved =<br />
<br />
Project will help those looking for configuration issues when facing a new web application / framework, and at the same time let developers have all information of correct configuration settings (which are not always perfect by default) for common systems. Cases may vary from how to configure Drupal in order not to let unauthorized attacker to enumerate current users to how to protect your config files from being downloaded to how to forbid unauthorized firmware upload for your device.<br />
<br />
The idea is to create the unified source of knowledge (like Testing Guide), where all information will be accessible in one place. As new systems appear and new features are being added, the project will be continuously developed. Any penetration tester/administrator/security consultant can contribute when meeting new (yet undocumented) system.<br />
<br />
Initially planned chapters:<br />
- Web servers<br />
- Frameworks<br />
- Network devices / web panels<br />
- ... more to come<br />
<br />
=Project About=<br />
<br />
{{:Projects/OWASP__Secure_Configuration_Guide}} <br />
<br />
<br />
<!-- DO NOT ALTER OR REMOVE THE TEXT ON NEXT LINE --><br />
__NOTOC__ <headertabs /> <br />
<br />
[[Category:OWASP Project]] [[Category:OWASP_Breakers]] [[Category:OWASP_Defenders]] [[Category:OWASP_Document]]</div>Nishanthkumarpathihttps://wiki.owasp.org/index.php?title=SCG_WS_Apache&diff=201824SCG WS Apache2015-10-08T12:12:32Z<p>Nishanthkumarpathi: /* Limit HTTP Request Methods */</p>
<hr />
<div>{{Template:OWASP Secure Configuration Guide}}<br />
'''NEEDS TO BE REVIEWED, SEE REFERENCES BELOW FOR ANY QUERIES!'''<br />
<br />
== Summary ==<br />
<br />
The Apache HTTP Server Project is a collaborative software development effort aimed at creating a robust, commercial-grade, featureful, and freely-available source code implementation of an HTTP (Web) server. The project is jointly managed by a group of volunteers located around the world, using the Internet and the Web to communicate, plan, and develop the server and its related documentation. This project is part of the Apache Software Foundation. In addition, hundreds of users have contributed ideas, code, and documentation to the project. This file is intended to briefly describe the history of the Apache HTTP Server and recognize the many contributors.<br />
<br />
== Important Files of Apache Server ==<br />
=== Apache Global Server Configuration Files ===<br />
<br />
Debian<br />
<pre>/etc/apache2/apache2.conf</pre><br />
RHEL / Red Hat / CentOS / Fedora Linux<br />
<pre>/etc/httpd/conf/httpd.conf</pre><br />
FreeBSD<br />
<pre>/usr/local/etc/apache2X/httpd.conf</pre><br />
<br />
Note:X represents the version number<br />
<br />
=== Apache Module Files ===<br />
Debian<pre>/etc/apache2/mods-enabled</pre><br />
RHEL / Red Hat / CentOS / Fedora Linux<pre>/etc/httpd/conf/conf.d</pre><br />
<br />
=== Apache Port Configuration File ===<br />
Debian<pre>/etc/apache2/ports.conf</pre><br />
RHEL / Red Hat / CentOS / Fedora Linux<pre>/etc/httpd/conf/conf.d</pre><br />
<br />
=== Apache Error Files ===<br />
Debian<pre>/var/log/apache2/error.log</pre><br />
RHEL / Red Hat / CentOS / Fedora Linux<pre>var/log/httpd/error_log</pre><br />
FreeBSD<pre>/var/log/httpd-error.log</pre><br />
<br />
== Apache Server Information Leakage ==<br />
<br />
=== Server Token Directive===<br />
<br />
==== Description ====<br />
<br />
This Directive Controls wheather Server response field is sent back to clients includes a description of Generic OS Type of the Server.<br />
<br />
<pre><br />
Server: Apache/2.2.14 (Unix) mod_ssl/2.2.14 OpenSSL/0.9.8e-fips-rhel5<br />
</pre><br />
<br />
This allows attackers to identify web servers details greatly and increases the efficiency of any attack,as security vulnerabilities<br />
are dependent upon specific software versions.<br />
<br />
==== How to test ====<br />
In order to test for ServerToken configuration, one should check the Apache configuration file.<br />
<br />
==== Misconfiguration ====<br />
<pre><br />
ServerTokens Full<br />
</pre><br />
<br />
==== Remediation ====<br />
<br />
Configure the ServerTokens directive in the Apache configuration to value of Prod or ProductOnly.<br />
This tells Apache to only return "Apache" in the Server header, returned on every page request.<br />
<br />
<pre><br />
ServerTokens Prod<br />
or<br />
ServerTokens ProductOnly<br />
</pre><br />
<br />
=== Server Signature ===<br />
<br />
==== Description ====<br />
<br />
This Apache directive allows the configuration of a trailing footer line under server-generated documents. <br />
<br />
==== How to test ====<br />
In order to test for ServerSignature configuration, one should check the Apache configuration file.<br />
<br />
==== Misconfiguration ====<br />
<pre>ServerSignature Off</pre><br />
<br />
==== Remediation ====<br />
Configure the ServerSingature directive in the Apache configuration to value of "Off".<br />
This tell Apache not to display the server version on error pages, or other pages it generates.<br />
<br />
<pre> ServerSignature On</pre><br />
<br />
== Operating System Privileges for Apache ==<br />
<br />
=== Run Apache with least privilege user ===<br />
<br />
==== Description ====<br />
<br />
Apache typically is started with root privileges in order to listen on port 80 and 443.<br />
One of the best ways to reduce your exposure to attack when running a web server is to create a unique, unprivileged userid and group for the web daemon to execute.<br />
The “nobody” or “daemon” userid & group that come default on Unix variants should NOT be used to run the web server as these principals are commonly used by other daemon services. <br />
Instead, create a user and group that are exclusively used by the web service so as to not give unnecessary access to other services.<br />
The userid used for the apache user should be a unique value between 1 and 499 as these lower values are reserved for the special system accounts.<br />
A more secure alternative is to bind Apache web service to an unprivileged port so it is not<br />
necessary to start Apache as root.<br />
<br />
==== How to test ====<br />
Ensure the apache account is unique and has been created with a UID between1-499 with the apache group and configured in the Apache Configuration File.<br />
<br />
==== Misconfiguration ====<br />
<br />
==== Remediation ====<br />
If the Apache user and group does exist, create the account and group as a unique system account.<br />
<br />
Example:<br />
<pre><br />
# groupadd –r apache<br />
# useradd apache -r -g apache -d /var/www -s /sbin/nologin<br />
</pre><br />
<br />
2. Configure the Apache user and group in the Apache configuration file.<br />
<pre><br />
User apache<br />
Group apache<br />
</pre><br />
<br />
=== Restrict Shell Access for Apache User=== <br />
==== Description ====<br />
The Apache account must not be used as a regular login account, and should be assigned an<br />
invalid or nologin shell to ensure that the account cannot be used to login.<br />
==== How to test ====<br />
==== Misconfiguration ====<br />
Check the apache login shell in the /etc/password file for Linux Systems.<br />
<pre># grep apache /etc/passwd</pre><br />
==== Remediation ====<br />
The below command will configure the apache user with "nologin" restrictions.<br />
<pre>#chsh -s /usr/sbin/nologin apache</pre><br />
Expected Output<br />
<pre><br />
Command to chec:<br />
#cat/etc/passwd<br />
Expected Output:<br />
apache:x:48:48:Apache:/var/www:usr/sbin/nologin</pre><br />
<br />
=== Lock Apache user account===<br />
==== Description ====<br />
The user account under which Apache runs, should have a valid password, but should be locked. <br />
==== How to test ====<br />
<br />
==== Misconfiguration ====<br />
<br />
The below is the misconfiguration for an Apache user.<br />
<br />
Command<br />
<br />
<pre># passwd -S apache</pre><br />
<br />
Expected Output:<br />
<br />
<pre>apache P 09/07/2015 0 99999 7 -1</pre><br />
<br />
==== Remediation ====<br />
<br />
<pre># passwd -l apache </pre><br />
<br />
Validate the Configuration using the below command in Linux.<br />
<br />
<pre>#passwd -S apache</pre><br />
<br />
Expected Output:<br />
<br />
<pre>apache LK 2015-09-09 0 99999 7 -1 </pre><br />
<br />
=== Apache Directory Ownership and Permissions ===<br />
==== Description ====<br />
All of the Apache Software directories and files installed should be owned by root user and root group.This will help in mitigate <br />
exploration severity and information disclosure.<br />
<br />
Apache Web Document folders like "/var/www/html" need a designated group to allow web content to be updated.<br />
<br />
==== How to test ====<br />
<br />
Type the below command to check the User and Group associated with a file.The file varies in Between Debian,RHEL/CentOS/Fedora,FreeBSD.<br />
<br />
Example:<br />
<br />
<pre><br />
# ls -l /usr/share/apache2<br />
</pre><br />
<br />
<br />
<br />
==== Misconfiguration ====<br />
<br />
In the Below example the apache2 folder is owned by a user name "alice" and group "sysadmin" which can be considered as a misconfiguration.<br />
<br />
<pre><br />
drwxr-xr-x 6 alice sysadmin 4096 Sep 7 13:20 apache2<br />
</pre><br />
<br />
<br />
==== Remediation ====<br />
The below command will set a Directory named "apache2" with root user and root group recursively.<br />
<br />
<pre><br />
#chown –R root:root /usr/local/apache2<br />
</pre><br />
<br />
=== Apache File Ownership and Permissions ===<br />
==== Description ====<br />
Setting the appropriate permissions on the Apache files and directories can help to prevent/mitigate exploitation severity and information disclosure.<br />
<br />
Preventing execution of Apache binaries with limited permission will decrease the attack surface.<br />
<br />
Permission of the Apache directories and files should be rwxr-xr-x and they can change if it is Apache binary or executable file.<br />
<br />
==== How to test ====<br />
Run the below command to check the file permissions.<br />
<br />
<pre>#ls -l /var/www/html</pre><br />
<br />
==== Misconfiguration ====<br />
<br />
Other than rwxr-xr-x would be considered as a mis configuration.<br />
<br />
==== Remediation ====<br />
<br />
Permission of the Apache directories and files should be rwxr-xr-x and they can change if it is Apache binary or executable file.<br />
<br />
== Access Control List in Apache == <br />
=== Restrict OS Root directory access using Allow,Deny Directive ===<br />
==== Description ====<br />
Apache will serve any file mapped from an URL to clients with efault configuration.<br />
<br />
It is better to create a deny policy that will not allow access to Operating system directoories or files.<br />
<br />
A small modification in the configuration will allow access to tthe required files.<br />
<br />
The order of the directive is important as it provides for otherr Allow diectives to override the default deny.<br />
<br />
==== How to test ====<br />
1. Find the appropriate Apache configuration file in your Server.<br />
2. Ensure there is a single Order directive and set the value to deny, allow<br />
3. Ensure there is a Deny directive, and set the value to "from all".<br />
4. Remove any Allow directives from the root <Directory> element. <br />
<br />
==== Misconfiguration ====<br />
<pre><br />
<Directory /><br />
. . .<br />
Order allow,deny<br />
Allow from all<br />
. . .<br />
</Directory><br />
</pre><br />
==== Remediation ====<br />
<pre><br />
<Directory /><br />
. . .<br />
Order deny,allow<br />
Deny from all<br />
. . .<br />
</Directory><br />
</pre><br />
<br />
=== Restrict WebSite Content using Allow,Deny Directive === <br />
==== Description ====<br />
Appropriate access to various files,directories, locations and virtual hosts that contains web site content can make attack surface strong.<br />
<br />
Based up on the requirement you can provide allow access or you can deny.<br />
<br />
==== How to test ====<br />
<br />
1. Find the appropriate Apache configuration file in your Server. <br><br />
2. Ensure there is a single Order directive and set the value to deny, allow<br> <br />
3. Ensure there is a Deny directive, and set the value to "from all". <br><br />
4. Remove any Allow directives from the root <Directory> element. <br><br />
<br />
==== MisConfiguration ====<br />
<pre><br />
<Directory "/var/www/html"><br />
. . .<br />
Order deny,allow<br />
Allow from all<br />
</Directory> <br />
</pre><br />
==== Remediation ====<br />
<pre><br />
<Directory "/var/www/html/"><br />
Order deny,allow<br />
deny from all<br />
allow from 172.16.5.0/24<br />
</Directory> <br />
</pre><br />
<br />
=== AllowOverride Directive ===<br />
<br />
==== Description ====<br />
<br />
==== How to test ====<br />
<br />
==== Misconfiguration ====<br />
<pre><br />
<Directory /var/www/html><br />
AllowOverride All<br />
</Directory><br />
</pre><br />
<br />
==== Remediation ====<br />
<pre><br />
<Directory /var/www/html><br />
AllowOverride None<br />
</Directory><br />
</pre><br />
<br />
== Apache Features ==<br />
<br />
=== Limit HTTP Request Methods ===<br />
==== Description ====<br />
<br />
<br />
Apache Server is capable of accepting and processing GET,HEAD,POST,OPTIONS,PUT,DELETE HTTP request methods.<br />
If we use <LimitExcept> directive then Apache will not process the unnecessary HTTP request methods.<br />
The primary security concerened is to disable the unnecessary HTTP request methods.<br />
Apache <LimitExcept> directive does not deny the TRACE request method. <br />
<br />
==== How to test ====<br />
<br />
==== Misconfiguration ====<br />
<br />
<br />
By default all the HTTP request methods are accepted by Apache Server.<br />
<br />
==== Remediation ====<br />
<br />
<pre><br />
<br />
<Directory "/usr/local/apache2/cgi-bin"><br />
. . .<br />
# Limit HTTP methods<br />
<LimitExcept GET POST OPTIONS><br />
deny from all<br />
</LimitExcept><br />
</Directory><br />
<br />
</pre><br />
<br />
=== Disable HTTP Trace Method ===<br />
==== Description ====<br />
==== How to test ====<br />
==== Misconfiguration ====<br />
==== Remediation ====<br />
<br />
<br />
=== HTTP Protocol Version ===<br />
==== Description ====<br />
==== How to test ====<br />
==== Misconfiguration ====<br />
==== Remediation ====<br />
<br />
<br />
=== Restrict access to .htaccess files ===<br />
==== Description ====<br />
==== How to test ====<br />
==== Misconfiguration ====<br />
==== Remediation ====<br />
<br />
<br />
=== Restrict file extensions ===<br />
==== Description ====<br />
==== How to test ====<br />
==== Misconfiguration ====<br />
==== Remediation ====<br />
<br />
<br />
=== Remove Default HTML Page ===<br />
==== Description ====<br />
==== How to test ====<br />
==== Misconfiguration ====<br />
==== Remediation ====<br />
<br />
<br />
== Apache Module Configuration ==<br />
<br />
=== Authentication and Authorization Modules ===<br />
==== Description ====<br />
==== How to test ====<br />
==== Misconfiguration ====<br />
==== Remediation ====<br />
<br />
=== Status and Info Modules ===<br />
==== Description ====<br />
==== How to test ====<br />
==== Misconfiguration ====<br />
==== Remediation ====<br />
<br />
<br />
=== AutoIndex Module ===<br />
==== Description ====<br />
==== How to test ====<br />
==== Misconfiguration ====<br />
==== Remediation ====<br />
<br />
<br />
=== Proxy Module ===<br />
==== Description ====<br />
==== How to test ====<br />
==== Misconfiguration ====<br />
==== Remediation ====<br />
<br />
<br />
=== User Directory Moudule ===<br />
<br />
== SSL / TLS Configuration ==<br />
=== Install a valid certificate ===<br />
==== Description ====<br />
==== How to test ====<br />
==== Misconfiguration ====<br />
==== Remediation ====<br />
<br />
<br />
=== Restric weak SSL Protocols and Ciphers ===<br />
==== Description ====<br />
==== How to test ====<br />
==== Misconfiguration ====<br />
==== Remediation ====<br />
<br />
<br />
=== Install mod_ssl Module === <br />
<br />
==== Description ====<br />
==== How to test ====<br />
==== Misconfiguration ====<br />
==== Remediation ====<br />
<br />
=== Avoid Insecure SSL Renogitation ===<br />
==== Description ====<br />
==== How to test ====<br />
==== Misconfiguration ====<br />
==== Remediation ====<br />
<br />
<br />
== Attack Migigation ==<br />
=== DOS ===<br />
==== Description ====<br />
==== How to test ====<br />
==== Misconfiguration ====<br />
==== Remediation ====<br />
<br />
=== Buffer Overflow ===<br />
==== Description ====<br />
==== How to test ====<br />
==== Misconfiguration ====<br />
==== Remediation ====<br />
<br />
== References ==<br />
<br />
https://httpd.apache.org/docs/current/misc/security_tips.html<br />
<br />
https://wiki.debian.org/Apache/Hardening<br />
<br />
https://wiki.apache.org/httpd/CommonMisconfigurations<br />
<br />
http://projects.webappsec.org/w/page/13246959/Server%20Misconfiguration</div>Nishanthkumarpathihttps://wiki.owasp.org/index.php?title=SCG_WS_Apache&diff=201823SCG WS Apache2015-10-08T11:59:41Z<p>Nishanthkumarpathi: /* Operating System Root directory */</p>
<hr />
<div>{{Template:OWASP Secure Configuration Guide}}<br />
'''NEEDS TO BE REVIEWED, SEE REFERENCES BELOW FOR ANY QUERIES!'''<br />
<br />
== Summary ==<br />
<br />
The Apache HTTP Server Project is a collaborative software development effort aimed at creating a robust, commercial-grade, featureful, and freely-available source code implementation of an HTTP (Web) server. The project is jointly managed by a group of volunteers located around the world, using the Internet and the Web to communicate, plan, and develop the server and its related documentation. This project is part of the Apache Software Foundation. In addition, hundreds of users have contributed ideas, code, and documentation to the project. This file is intended to briefly describe the history of the Apache HTTP Server and recognize the many contributors.<br />
<br />
== Important Files of Apache Server ==<br />
=== Apache Global Server Configuration Files ===<br />
<br />
Debian<br />
<pre>/etc/apache2/apache2.conf</pre><br />
RHEL / Red Hat / CentOS / Fedora Linux<br />
<pre>/etc/httpd/conf/httpd.conf</pre><br />
FreeBSD<br />
<pre>/usr/local/etc/apache2X/httpd.conf</pre><br />
<br />
Note:X represents the version number<br />
<br />
=== Apache Module Files ===<br />
Debian<pre>/etc/apache2/mods-enabled</pre><br />
RHEL / Red Hat / CentOS / Fedora Linux<pre>/etc/httpd/conf/conf.d</pre><br />
<br />
=== Apache Port Configuration File ===<br />
Debian<pre>/etc/apache2/ports.conf</pre><br />
RHEL / Red Hat / CentOS / Fedora Linux<pre>/etc/httpd/conf/conf.d</pre><br />
<br />
=== Apache Error Files ===<br />
Debian<pre>/var/log/apache2/error.log</pre><br />
RHEL / Red Hat / CentOS / Fedora Linux<pre>var/log/httpd/error_log</pre><br />
FreeBSD<pre>/var/log/httpd-error.log</pre><br />
<br />
== Apache Server Information Leakage ==<br />
<br />
=== Server Token Directive===<br />
<br />
==== Description ====<br />
<br />
This Directive Controls wheather Server response field is sent back to clients includes a description of Generic OS Type of the Server.<br />
<br />
<pre><br />
Server: Apache/2.2.14 (Unix) mod_ssl/2.2.14 OpenSSL/0.9.8e-fips-rhel5<br />
</pre><br />
<br />
This allows attackers to identify web servers details greatly and increases the efficiency of any attack,as security vulnerabilities<br />
are dependent upon specific software versions.<br />
<br />
==== How to test ====<br />
In order to test for ServerToken configuration, one should check the Apache configuration file.<br />
<br />
==== Misconfiguration ====<br />
<pre><br />
ServerTokens Full<br />
</pre><br />
<br />
==== Remediation ====<br />
<br />
Configure the ServerTokens directive in the Apache configuration to value of Prod or ProductOnly.<br />
This tells Apache to only return "Apache" in the Server header, returned on every page request.<br />
<br />
<pre><br />
ServerTokens Prod<br />
or<br />
ServerTokens ProductOnly<br />
</pre><br />
<br />
=== Server Signature ===<br />
<br />
==== Description ====<br />
<br />
This Apache directive allows the configuration of a trailing footer line under server-generated documents. <br />
<br />
==== How to test ====<br />
In order to test for ServerSignature configuration, one should check the Apache configuration file.<br />
<br />
==== Misconfiguration ====<br />
<pre>ServerSignature Off</pre><br />
<br />
==== Remediation ====<br />
Configure the ServerSingature directive in the Apache configuration to value of "Off".<br />
This tell Apache not to display the server version on error pages, or other pages it generates.<br />
<br />
<pre> ServerSignature On</pre><br />
<br />
== Operating System Privileges for Apache ==<br />
<br />
=== Run Apache with least privilege user ===<br />
<br />
==== Description ====<br />
<br />
Apache typically is started with root privileges in order to listen on port 80 and 443.<br />
One of the best ways to reduce your exposure to attack when running a web server is to create a unique, unprivileged userid and group for the web daemon to execute.<br />
The “nobody” or “daemon” userid & group that come default on Unix variants should NOT be used to run the web server as these principals are commonly used by other daemon services. <br />
Instead, create a user and group that are exclusively used by the web service so as to not give unnecessary access to other services.<br />
The userid used for the apache user should be a unique value between 1 and 499 as these lower values are reserved for the special system accounts.<br />
A more secure alternative is to bind Apache web service to an unprivileged port so it is not<br />
necessary to start Apache as root.<br />
<br />
==== How to test ====<br />
Ensure the apache account is unique and has been created with a UID between1-499 with the apache group and configured in the Apache Configuration File.<br />
<br />
==== Misconfiguration ====<br />
<br />
==== Remediation ====<br />
If the Apache user and group does exist, create the account and group as a unique system account.<br />
<br />
Example:<br />
<pre><br />
# groupadd –r apache<br />
# useradd apache -r -g apache -d /var/www -s /sbin/nologin<br />
</pre><br />
<br />
2. Configure the Apache user and group in the Apache configuration file.<br />
<pre><br />
User apache<br />
Group apache<br />
</pre><br />
<br />
=== Restrict Shell Access for Apache User=== <br />
==== Description ====<br />
The Apache account must not be used as a regular login account, and should be assigned an<br />
invalid or nologin shell to ensure that the account cannot be used to login.<br />
==== How to test ====<br />
==== Misconfiguration ====<br />
Check the apache login shell in the /etc/password file for Linux Systems.<br />
<pre># grep apache /etc/passwd</pre><br />
==== Remediation ====<br />
The below command will configure the apache user with "nologin" restrictions.<br />
<pre>#chsh -s /usr/sbin/nologin apache</pre><br />
Expected Output<br />
<pre><br />
Command to chec:<br />
#cat/etc/passwd<br />
Expected Output:<br />
apache:x:48:48:Apache:/var/www:usr/sbin/nologin</pre><br />
<br />
=== Lock Apache user account===<br />
==== Description ====<br />
The user account under which Apache runs, should have a valid password, but should be locked. <br />
==== How to test ====<br />
<br />
==== Misconfiguration ====<br />
<br />
The below is the misconfiguration for an Apache user.<br />
<br />
Command<br />
<br />
<pre># passwd -S apache</pre><br />
<br />
Expected Output:<br />
<br />
<pre>apache P 09/07/2015 0 99999 7 -1</pre><br />
<br />
==== Remediation ====<br />
<br />
<pre># passwd -l apache </pre><br />
<br />
Validate the Configuration using the below command in Linux.<br />
<br />
<pre>#passwd -S apache</pre><br />
<br />
Expected Output:<br />
<br />
<pre>apache LK 2015-09-09 0 99999 7 -1 </pre><br />
<br />
=== Apache Directory Ownership and Permissions ===<br />
==== Description ====<br />
All of the Apache Software directories and files installed should be owned by root user and root group.This will help in mitigate <br />
exploration severity and information disclosure.<br />
<br />
Apache Web Document folders like "/var/www/html" need a designated group to allow web content to be updated.<br />
<br />
==== How to test ====<br />
<br />
Type the below command to check the User and Group associated with a file.The file varies in Between Debian,RHEL/CentOS/Fedora,FreeBSD.<br />
<br />
Example:<br />
<br />
<pre><br />
# ls -l /usr/share/apache2<br />
</pre><br />
<br />
<br />
<br />
==== Misconfiguration ====<br />
<br />
In the Below example the apache2 folder is owned by a user name "alice" and group "sysadmin" which can be considered as a misconfiguration.<br />
<br />
<pre><br />
drwxr-xr-x 6 alice sysadmin 4096 Sep 7 13:20 apache2<br />
</pre><br />
<br />
<br />
==== Remediation ====<br />
The below command will set a Directory named "apache2" with root user and root group recursively.<br />
<br />
<pre><br />
#chown –R root:root /usr/local/apache2<br />
</pre><br />
<br />
=== Apache File Ownership and Permissions ===<br />
==== Description ====<br />
Setting the appropriate permissions on the Apache files and directories can help to prevent/mitigate exploitation severity and information disclosure.<br />
<br />
Preventing execution of Apache binaries with limited permission will decrease the attack surface.<br />
<br />
Permission of the Apache directories and files should be rwxr-xr-x and they can change if it is Apache binary or executable file.<br />
<br />
==== How to test ====<br />
Run the below command to check the file permissions.<br />
<br />
<pre>#ls -l /var/www/html</pre><br />
<br />
==== Misconfiguration ====<br />
<br />
Other than rwxr-xr-x would be considered as a mis configuration.<br />
<br />
==== Remediation ====<br />
<br />
Permission of the Apache directories and files should be rwxr-xr-x and they can change if it is Apache binary or executable file.<br />
<br />
== Access Control List in Apache == <br />
=== Restrict OS Root directory access using Allow,Deny Directive ===<br />
==== Description ====<br />
Apache will serve any file mapped from an URL to clients with efault configuration.<br />
<br />
It is better to create a deny policy that will not allow access to Operating system directoories or files.<br />
<br />
A small modification in the configuration will allow access to tthe required files.<br />
<br />
The order of the directive is important as it provides for otherr Allow diectives to override the default deny.<br />
<br />
==== How to test ====<br />
1. Find the appropriate Apache configuration file in your Server.<br />
2. Ensure there is a single Order directive and set the value to deny, allow<br />
3. Ensure there is a Deny directive, and set the value to "from all".<br />
4. Remove any Allow directives from the root <Directory> element. <br />
<br />
==== Misconfiguration ====<br />
<pre><br />
<Directory /><br />
. . .<br />
Order allow,deny<br />
Allow from all<br />
. . .<br />
</Directory><br />
</pre><br />
==== Remediation ====<br />
<pre><br />
<Directory /><br />
. . .<br />
Order deny,allow<br />
Deny from all<br />
. . .<br />
</Directory><br />
</pre><br />
<br />
=== Restrict WebSite Content using Allow,Deny Directive === <br />
==== Description ====<br />
Appropriate access to various files,directories, locations and virtual hosts that contains web site content can make attack surface strong.<br />
<br />
Based up on the requirement you can provide allow access or you can deny.<br />
<br />
==== How to test ====<br />
<br />
1. Find the appropriate Apache configuration file in your Server. <br><br />
2. Ensure there is a single Order directive and set the value to deny, allow<br> <br />
3. Ensure there is a Deny directive, and set the value to "from all". <br><br />
4. Remove any Allow directives from the root <Directory> element. <br><br />
<br />
==== MisConfiguration ====<br />
<pre><br />
<Directory "/var/www/html"><br />
. . .<br />
Order deny,allow<br />
Allow from all<br />
</Directory> <br />
</pre><br />
==== Remediation ====<br />
<pre><br />
<Directory "/var/www/html/"><br />
Order deny,allow<br />
deny from all<br />
allow from 172.16.5.0/24<br />
</Directory> <br />
</pre><br />
<br />
=== AllowOverride Directive ===<br />
<br />
==== Description ====<br />
<br />
==== How to test ====<br />
<br />
==== Misconfiguration ====<br />
<pre><br />
<Directory /var/www/html><br />
AllowOverride All<br />
</Directory><br />
</pre><br />
<br />
==== Remediation ====<br />
<pre><br />
<Directory /var/www/html><br />
AllowOverride None<br />
</Directory><br />
</pre><br />
<br />
== Apache Features ==<br />
<br />
=== Limit HTTP Request Methods ===<br />
==== Description ====<br />
==== How to test ====<br />
==== Misconfiguration ====<br />
==== Remediation ====<br />
<br />
<br />
=== Disable HTTP Trace Method ===<br />
==== Description ====<br />
==== How to test ====<br />
==== Misconfiguration ====<br />
==== Remediation ====<br />
<br />
<br />
=== HTTP Protocol Version ===<br />
==== Description ====<br />
==== How to test ====<br />
==== Misconfiguration ====<br />
==== Remediation ====<br />
<br />
<br />
=== Restrict access to .htaccess files ===<br />
==== Description ====<br />
==== How to test ====<br />
==== Misconfiguration ====<br />
==== Remediation ====<br />
<br />
<br />
=== Restrict file extensions ===<br />
==== Description ====<br />
==== How to test ====<br />
==== Misconfiguration ====<br />
==== Remediation ====<br />
<br />
<br />
=== Remove Default HTML Page ===<br />
==== Description ====<br />
==== How to test ====<br />
==== Misconfiguration ====<br />
==== Remediation ====<br />
<br />
<br />
== Apache Module Configuration ==<br />
<br />
=== Authentication and Authorization Modules ===<br />
==== Description ====<br />
==== How to test ====<br />
==== Misconfiguration ====<br />
==== Remediation ====<br />
<br />
=== Status and Info Modules ===<br />
==== Description ====<br />
==== How to test ====<br />
==== Misconfiguration ====<br />
==== Remediation ====<br />
<br />
<br />
=== AutoIndex Module ===<br />
==== Description ====<br />
==== How to test ====<br />
==== Misconfiguration ====<br />
==== Remediation ====<br />
<br />
<br />
=== Proxy Module ===<br />
==== Description ====<br />
==== How to test ====<br />
==== Misconfiguration ====<br />
==== Remediation ====<br />
<br />
<br />
=== User Directory Moudule ===<br />
<br />
== SSL / TLS Configuration ==<br />
=== Install a valid certificate ===<br />
==== Description ====<br />
==== How to test ====<br />
==== Misconfiguration ====<br />
==== Remediation ====<br />
<br />
<br />
=== Restric weak SSL Protocols and Ciphers ===<br />
==== Description ====<br />
==== How to test ====<br />
==== Misconfiguration ====<br />
==== Remediation ====<br />
<br />
<br />
=== Install mod_ssl Module === <br />
<br />
==== Description ====<br />
==== How to test ====<br />
==== Misconfiguration ====<br />
==== Remediation ====<br />
<br />
=== Avoid Insecure SSL Renogitation ===<br />
==== Description ====<br />
==== How to test ====<br />
==== Misconfiguration ====<br />
==== Remediation ====<br />
<br />
<br />
== Attack Migigation ==<br />
=== DOS ===<br />
==== Description ====<br />
==== How to test ====<br />
==== Misconfiguration ====<br />
==== Remediation ====<br />
<br />
=== Buffer Overflow ===<br />
==== Description ====<br />
==== How to test ====<br />
==== Misconfiguration ====<br />
==== Remediation ====<br />
<br />
== References ==<br />
<br />
https://httpd.apache.org/docs/current/misc/security_tips.html<br />
<br />
https://wiki.debian.org/Apache/Hardening<br />
<br />
https://wiki.apache.org/httpd/CommonMisconfigurations<br />
<br />
http://projects.webappsec.org/w/page/13246959/Server%20Misconfiguration</div>Nishanthkumarpathihttps://wiki.owasp.org/index.php?title=SCG_WS_Apache&diff=201822SCG WS Apache2015-10-08T11:58:13Z<p>Nishanthkumarpathi: /* Improper access to web content */</p>
<hr />
<div>{{Template:OWASP Secure Configuration Guide}}<br />
'''NEEDS TO BE REVIEWED, SEE REFERENCES BELOW FOR ANY QUERIES!'''<br />
<br />
== Summary ==<br />
<br />
The Apache HTTP Server Project is a collaborative software development effort aimed at creating a robust, commercial-grade, featureful, and freely-available source code implementation of an HTTP (Web) server. The project is jointly managed by a group of volunteers located around the world, using the Internet and the Web to communicate, plan, and develop the server and its related documentation. This project is part of the Apache Software Foundation. In addition, hundreds of users have contributed ideas, code, and documentation to the project. This file is intended to briefly describe the history of the Apache HTTP Server and recognize the many contributors.<br />
<br />
== Important Files of Apache Server ==<br />
=== Apache Global Server Configuration Files ===<br />
<br />
Debian<br />
<pre>/etc/apache2/apache2.conf</pre><br />
RHEL / Red Hat / CentOS / Fedora Linux<br />
<pre>/etc/httpd/conf/httpd.conf</pre><br />
FreeBSD<br />
<pre>/usr/local/etc/apache2X/httpd.conf</pre><br />
<br />
Note:X represents the version number<br />
<br />
=== Apache Module Files ===<br />
Debian<pre>/etc/apache2/mods-enabled</pre><br />
RHEL / Red Hat / CentOS / Fedora Linux<pre>/etc/httpd/conf/conf.d</pre><br />
<br />
=== Apache Port Configuration File ===<br />
Debian<pre>/etc/apache2/ports.conf</pre><br />
RHEL / Red Hat / CentOS / Fedora Linux<pre>/etc/httpd/conf/conf.d</pre><br />
<br />
=== Apache Error Files ===<br />
Debian<pre>/var/log/apache2/error.log</pre><br />
RHEL / Red Hat / CentOS / Fedora Linux<pre>var/log/httpd/error_log</pre><br />
FreeBSD<pre>/var/log/httpd-error.log</pre><br />
<br />
== Apache Server Information Leakage ==<br />
<br />
=== Server Token Directive===<br />
<br />
==== Description ====<br />
<br />
This Directive Controls wheather Server response field is sent back to clients includes a description of Generic OS Type of the Server.<br />
<br />
<pre><br />
Server: Apache/2.2.14 (Unix) mod_ssl/2.2.14 OpenSSL/0.9.8e-fips-rhel5<br />
</pre><br />
<br />
This allows attackers to identify web servers details greatly and increases the efficiency of any attack,as security vulnerabilities<br />
are dependent upon specific software versions.<br />
<br />
==== How to test ====<br />
In order to test for ServerToken configuration, one should check the Apache configuration file.<br />
<br />
==== Misconfiguration ====<br />
<pre><br />
ServerTokens Full<br />
</pre><br />
<br />
==== Remediation ====<br />
<br />
Configure the ServerTokens directive in the Apache configuration to value of Prod or ProductOnly.<br />
This tells Apache to only return "Apache" in the Server header, returned on every page request.<br />
<br />
<pre><br />
ServerTokens Prod<br />
or<br />
ServerTokens ProductOnly<br />
</pre><br />
<br />
=== Server Signature ===<br />
<br />
==== Description ====<br />
<br />
This Apache directive allows the configuration of a trailing footer line under server-generated documents. <br />
<br />
==== How to test ====<br />
In order to test for ServerSignature configuration, one should check the Apache configuration file.<br />
<br />
==== Misconfiguration ====<br />
<pre>ServerSignature Off</pre><br />
<br />
==== Remediation ====<br />
Configure the ServerSingature directive in the Apache configuration to value of "Off".<br />
This tell Apache not to display the server version on error pages, or other pages it generates.<br />
<br />
<pre> ServerSignature On</pre><br />
<br />
== Operating System Privileges for Apache ==<br />
<br />
=== Run Apache with least privilege user ===<br />
<br />
==== Description ====<br />
<br />
Apache typically is started with root privileges in order to listen on port 80 and 443.<br />
One of the best ways to reduce your exposure to attack when running a web server is to create a unique, unprivileged userid and group for the web daemon to execute.<br />
The “nobody” or “daemon” userid & group that come default on Unix variants should NOT be used to run the web server as these principals are commonly used by other daemon services. <br />
Instead, create a user and group that are exclusively used by the web service so as to not give unnecessary access to other services.<br />
The userid used for the apache user should be a unique value between 1 and 499 as these lower values are reserved for the special system accounts.<br />
A more secure alternative is to bind Apache web service to an unprivileged port so it is not<br />
necessary to start Apache as root.<br />
<br />
==== How to test ====<br />
Ensure the apache account is unique and has been created with a UID between1-499 with the apache group and configured in the Apache Configuration File.<br />
<br />
==== Misconfiguration ====<br />
<br />
==== Remediation ====<br />
If the Apache user and group does exist, create the account and group as a unique system account.<br />
<br />
Example:<br />
<pre><br />
# groupadd –r apache<br />
# useradd apache -r -g apache -d /var/www -s /sbin/nologin<br />
</pre><br />
<br />
2. Configure the Apache user and group in the Apache configuration file.<br />
<pre><br />
User apache<br />
Group apache<br />
</pre><br />
<br />
=== Restrict Shell Access for Apache User=== <br />
==== Description ====<br />
The Apache account must not be used as a regular login account, and should be assigned an<br />
invalid or nologin shell to ensure that the account cannot be used to login.<br />
==== How to test ====<br />
==== Misconfiguration ====<br />
Check the apache login shell in the /etc/password file for Linux Systems.<br />
<pre># grep apache /etc/passwd</pre><br />
==== Remediation ====<br />
The below command will configure the apache user with "nologin" restrictions.<br />
<pre>#chsh -s /usr/sbin/nologin apache</pre><br />
Expected Output<br />
<pre><br />
Command to chec:<br />
#cat/etc/passwd<br />
Expected Output:<br />
apache:x:48:48:Apache:/var/www:usr/sbin/nologin</pre><br />
<br />
=== Lock Apache user account===<br />
==== Description ====<br />
The user account under which Apache runs, should have a valid password, but should be locked. <br />
==== How to test ====<br />
<br />
==== Misconfiguration ====<br />
<br />
The below is the misconfiguration for an Apache user.<br />
<br />
Command<br />
<br />
<pre># passwd -S apache</pre><br />
<br />
Expected Output:<br />
<br />
<pre>apache P 09/07/2015 0 99999 7 -1</pre><br />
<br />
==== Remediation ====<br />
<br />
<pre># passwd -l apache </pre><br />
<br />
Validate the Configuration using the below command in Linux.<br />
<br />
<pre>#passwd -S apache</pre><br />
<br />
Expected Output:<br />
<br />
<pre>apache LK 2015-09-09 0 99999 7 -1 </pre><br />
<br />
=== Apache Directory Ownership and Permissions ===<br />
==== Description ====<br />
All of the Apache Software directories and files installed should be owned by root user and root group.This will help in mitigate <br />
exploration severity and information disclosure.<br />
<br />
Apache Web Document folders like "/var/www/html" need a designated group to allow web content to be updated.<br />
<br />
==== How to test ====<br />
<br />
Type the below command to check the User and Group associated with a file.The file varies in Between Debian,RHEL/CentOS/Fedora,FreeBSD.<br />
<br />
Example:<br />
<br />
<pre><br />
# ls -l /usr/share/apache2<br />
</pre><br />
<br />
<br />
<br />
==== Misconfiguration ====<br />
<br />
In the Below example the apache2 folder is owned by a user name "alice" and group "sysadmin" which can be considered as a misconfiguration.<br />
<br />
<pre><br />
drwxr-xr-x 6 alice sysadmin 4096 Sep 7 13:20 apache2<br />
</pre><br />
<br />
<br />
==== Remediation ====<br />
The below command will set a Directory named "apache2" with root user and root group recursively.<br />
<br />
<pre><br />
#chown –R root:root /usr/local/apache2<br />
</pre><br />
<br />
=== Apache File Ownership and Permissions ===<br />
==== Description ====<br />
Setting the appropriate permissions on the Apache files and directories can help to prevent/mitigate exploitation severity and information disclosure.<br />
<br />
Preventing execution of Apache binaries with limited permission will decrease the attack surface.<br />
<br />
Permission of the Apache directories and files should be rwxr-xr-x and they can change if it is Apache binary or executable file.<br />
<br />
==== How to test ====<br />
Run the below command to check the file permissions.<br />
<br />
<pre>#ls -l /var/www/html</pre><br />
<br />
==== Misconfiguration ====<br />
<br />
Other than rwxr-xr-x would be considered as a mis configuration.<br />
<br />
==== Remediation ====<br />
<br />
Permission of the Apache directories and files should be rwxr-xr-x and they can change if it is Apache binary or executable file.<br />
<br />
== Access Control List in Apache == <br />
=== Operating System Root directory ===<br />
==== Description ====<br />
Apache will serve any file mapped from an URL to clients with efault configuration.<br />
<br />
It is better to create a deny policy that will not allow access to Operating system directoories or files.<br />
<br />
A small modification in the configuration will allow access to tthe required files.<br />
<br />
The order of the directive is important as it provides for otherr Allow diectives to override the default deny.<br />
<br />
==== How to test ====<br />
1. Find the appropriate Apache configuration file in your Server.<br />
2. Ensure there is a single Order directive and set the value to deny, allow<br />
3. Ensure there is a Deny directive, and set the value to "from all".<br />
4. Remove any Allow directives from the root <Directory> element. <br />
<br />
==== Misconfiguration ====<br />
<pre><br />
<Directory /><br />
. . .<br />
Order allow,deny<br />
Allow from all<br />
. . .<br />
</Directory><br />
</pre><br />
==== Remediation ====<br />
<pre><br />
<Directory /><br />
. . .<br />
Order deny,allow<br />
Deny from all<br />
. . .<br />
</Directory><br />
</pre><br />
<br />
=== Restrict WebSite Content using Allow,Deny Directive === <br />
==== Description ====<br />
Appropriate access to various files,directories, locations and virtual hosts that contains web site content can make attack surface strong.<br />
<br />
Based up on the requirement you can provide allow access or you can deny.<br />
<br />
==== How to test ====<br />
<br />
1. Find the appropriate Apache configuration file in your Server. <br><br />
2. Ensure there is a single Order directive and set the value to deny, allow<br> <br />
3. Ensure there is a Deny directive, and set the value to "from all". <br><br />
4. Remove any Allow directives from the root <Directory> element. <br><br />
<br />
==== MisConfiguration ====<br />
<pre><br />
<Directory "/var/www/html"><br />
. . .<br />
Order deny,allow<br />
Allow from all<br />
</Directory> <br />
</pre><br />
==== Remediation ====<br />
<pre><br />
<Directory "/var/www/html/"><br />
Order deny,allow<br />
deny from all<br />
allow from 172.16.5.0/24<br />
</Directory> <br />
</pre><br />
<br />
=== AllowOverride Directive ===<br />
<br />
==== Description ====<br />
<br />
==== How to test ====<br />
<br />
==== Misconfiguration ====<br />
<pre><br />
<Directory /var/www/html><br />
AllowOverride All<br />
</Directory><br />
</pre><br />
<br />
==== Remediation ====<br />
<pre><br />
<Directory /var/www/html><br />
AllowOverride None<br />
</Directory><br />
</pre><br />
<br />
== Apache Features ==<br />
<br />
=== Limit HTTP Request Methods ===<br />
==== Description ====<br />
==== How to test ====<br />
==== Misconfiguration ====<br />
==== Remediation ====<br />
<br />
<br />
=== Disable HTTP Trace Method ===<br />
==== Description ====<br />
==== How to test ====<br />
==== Misconfiguration ====<br />
==== Remediation ====<br />
<br />
<br />
=== HTTP Protocol Version ===<br />
==== Description ====<br />
==== How to test ====<br />
==== Misconfiguration ====<br />
==== Remediation ====<br />
<br />
<br />
=== Restrict access to .htaccess files ===<br />
==== Description ====<br />
==== How to test ====<br />
==== Misconfiguration ====<br />
==== Remediation ====<br />
<br />
<br />
=== Restrict file extensions ===<br />
==== Description ====<br />
==== How to test ====<br />
==== Misconfiguration ====<br />
==== Remediation ====<br />
<br />
<br />
=== Remove Default HTML Page ===<br />
==== Description ====<br />
==== How to test ====<br />
==== Misconfiguration ====<br />
==== Remediation ====<br />
<br />
<br />
== Apache Module Configuration ==<br />
<br />
=== Authentication and Authorization Modules ===<br />
==== Description ====<br />
==== How to test ====<br />
==== Misconfiguration ====<br />
==== Remediation ====<br />
<br />
=== Status and Info Modules ===<br />
==== Description ====<br />
==== How to test ====<br />
==== Misconfiguration ====<br />
==== Remediation ====<br />
<br />
<br />
=== AutoIndex Module ===<br />
==== Description ====<br />
==== How to test ====<br />
==== Misconfiguration ====<br />
==== Remediation ====<br />
<br />
<br />
=== Proxy Module ===<br />
==== Description ====<br />
==== How to test ====<br />
==== Misconfiguration ====<br />
==== Remediation ====<br />
<br />
<br />
=== User Directory Moudule ===<br />
<br />
== SSL / TLS Configuration ==<br />
=== Install a valid certificate ===<br />
==== Description ====<br />
==== How to test ====<br />
==== Misconfiguration ====<br />
==== Remediation ====<br />
<br />
<br />
=== Restric weak SSL Protocols and Ciphers ===<br />
==== Description ====<br />
==== How to test ====<br />
==== Misconfiguration ====<br />
==== Remediation ====<br />
<br />
<br />
=== Install mod_ssl Module === <br />
<br />
==== Description ====<br />
==== How to test ====<br />
==== Misconfiguration ====<br />
==== Remediation ====<br />
<br />
=== Avoid Insecure SSL Renogitation ===<br />
==== Description ====<br />
==== How to test ====<br />
==== Misconfiguration ====<br />
==== Remediation ====<br />
<br />
<br />
== Attack Migigation ==<br />
=== DOS ===<br />
==== Description ====<br />
==== How to test ====<br />
==== Misconfiguration ====<br />
==== Remediation ====<br />
<br />
=== Buffer Overflow ===<br />
==== Description ====<br />
==== How to test ====<br />
==== Misconfiguration ====<br />
==== Remediation ====<br />
<br />
== References ==<br />
<br />
https://httpd.apache.org/docs/current/misc/security_tips.html<br />
<br />
https://wiki.debian.org/Apache/Hardening<br />
<br />
https://wiki.apache.org/httpd/CommonMisconfigurations<br />
<br />
http://projects.webappsec.org/w/page/13246959/Server%20Misconfiguration</div>Nishanthkumarpathihttps://wiki.owasp.org/index.php?title=SCG_WS_Apache&diff=201821SCG WS Apache2015-10-08T11:55:29Z<p>Nishanthkumarpathi: /* Restrict OverRide for All Directories */</p>
<hr />
<div>{{Template:OWASP Secure Configuration Guide}}<br />
'''NEEDS TO BE REVIEWED, SEE REFERENCES BELOW FOR ANY QUERIES!'''<br />
<br />
== Summary ==<br />
<br />
The Apache HTTP Server Project is a collaborative software development effort aimed at creating a robust, commercial-grade, featureful, and freely-available source code implementation of an HTTP (Web) server. The project is jointly managed by a group of volunteers located around the world, using the Internet and the Web to communicate, plan, and develop the server and its related documentation. This project is part of the Apache Software Foundation. In addition, hundreds of users have contributed ideas, code, and documentation to the project. This file is intended to briefly describe the history of the Apache HTTP Server and recognize the many contributors.<br />
<br />
== Important Files of Apache Server ==<br />
=== Apache Global Server Configuration Files ===<br />
<br />
Debian<br />
<pre>/etc/apache2/apache2.conf</pre><br />
RHEL / Red Hat / CentOS / Fedora Linux<br />
<pre>/etc/httpd/conf/httpd.conf</pre><br />
FreeBSD<br />
<pre>/usr/local/etc/apache2X/httpd.conf</pre><br />
<br />
Note:X represents the version number<br />
<br />
=== Apache Module Files ===<br />
Debian<pre>/etc/apache2/mods-enabled</pre><br />
RHEL / Red Hat / CentOS / Fedora Linux<pre>/etc/httpd/conf/conf.d</pre><br />
<br />
=== Apache Port Configuration File ===<br />
Debian<pre>/etc/apache2/ports.conf</pre><br />
RHEL / Red Hat / CentOS / Fedora Linux<pre>/etc/httpd/conf/conf.d</pre><br />
<br />
=== Apache Error Files ===<br />
Debian<pre>/var/log/apache2/error.log</pre><br />
RHEL / Red Hat / CentOS / Fedora Linux<pre>var/log/httpd/error_log</pre><br />
FreeBSD<pre>/var/log/httpd-error.log</pre><br />
<br />
== Apache Server Information Leakage ==<br />
<br />
=== Server Token Directive===<br />
<br />
==== Description ====<br />
<br />
This Directive Controls wheather Server response field is sent back to clients includes a description of Generic OS Type of the Server.<br />
<br />
<pre><br />
Server: Apache/2.2.14 (Unix) mod_ssl/2.2.14 OpenSSL/0.9.8e-fips-rhel5<br />
</pre><br />
<br />
This allows attackers to identify web servers details greatly and increases the efficiency of any attack,as security vulnerabilities<br />
are dependent upon specific software versions.<br />
<br />
==== How to test ====<br />
In order to test for ServerToken configuration, one should check the Apache configuration file.<br />
<br />
==== Misconfiguration ====<br />
<pre><br />
ServerTokens Full<br />
</pre><br />
<br />
==== Remediation ====<br />
<br />
Configure the ServerTokens directive in the Apache configuration to value of Prod or ProductOnly.<br />
This tells Apache to only return "Apache" in the Server header, returned on every page request.<br />
<br />
<pre><br />
ServerTokens Prod<br />
or<br />
ServerTokens ProductOnly<br />
</pre><br />
<br />
=== Server Signature ===<br />
<br />
==== Description ====<br />
<br />
This Apache directive allows the configuration of a trailing footer line under server-generated documents. <br />
<br />
==== How to test ====<br />
In order to test for ServerSignature configuration, one should check the Apache configuration file.<br />
<br />
==== Misconfiguration ====<br />
<pre>ServerSignature Off</pre><br />
<br />
==== Remediation ====<br />
Configure the ServerSingature directive in the Apache configuration to value of "Off".<br />
This tell Apache not to display the server version on error pages, or other pages it generates.<br />
<br />
<pre> ServerSignature On</pre><br />
<br />
== Operating System Privileges for Apache ==<br />
<br />
=== Run Apache with least privilege user ===<br />
<br />
==== Description ====<br />
<br />
Apache typically is started with root privileges in order to listen on port 80 and 443.<br />
One of the best ways to reduce your exposure to attack when running a web server is to create a unique, unprivileged userid and group for the web daemon to execute.<br />
The “nobody” or “daemon” userid & group that come default on Unix variants should NOT be used to run the web server as these principals are commonly used by other daemon services. <br />
Instead, create a user and group that are exclusively used by the web service so as to not give unnecessary access to other services.<br />
The userid used for the apache user should be a unique value between 1 and 499 as these lower values are reserved for the special system accounts.<br />
A more secure alternative is to bind Apache web service to an unprivileged port so it is not<br />
necessary to start Apache as root.<br />
<br />
==== How to test ====<br />
Ensure the apache account is unique and has been created with a UID between1-499 with the apache group and configured in the Apache Configuration File.<br />
<br />
==== Misconfiguration ====<br />
<br />
==== Remediation ====<br />
If the Apache user and group does exist, create the account and group as a unique system account.<br />
<br />
Example:<br />
<pre><br />
# groupadd –r apache<br />
# useradd apache -r -g apache -d /var/www -s /sbin/nologin<br />
</pre><br />
<br />
2. Configure the Apache user and group in the Apache configuration file.<br />
<pre><br />
User apache<br />
Group apache<br />
</pre><br />
<br />
=== Restrict Shell Access for Apache User=== <br />
==== Description ====<br />
The Apache account must not be used as a regular login account, and should be assigned an<br />
invalid or nologin shell to ensure that the account cannot be used to login.<br />
==== How to test ====<br />
==== Misconfiguration ====<br />
Check the apache login shell in the /etc/password file for Linux Systems.<br />
<pre># grep apache /etc/passwd</pre><br />
==== Remediation ====<br />
The below command will configure the apache user with "nologin" restrictions.<br />
<pre>#chsh -s /usr/sbin/nologin apache</pre><br />
Expected Output<br />
<pre><br />
Command to chec:<br />
#cat/etc/passwd<br />
Expected Output:<br />
apache:x:48:48:Apache:/var/www:usr/sbin/nologin</pre><br />
<br />
=== Lock Apache user account===<br />
==== Description ====<br />
The user account under which Apache runs, should have a valid password, but should be locked. <br />
==== How to test ====<br />
<br />
==== Misconfiguration ====<br />
<br />
The below is the misconfiguration for an Apache user.<br />
<br />
Command<br />
<br />
<pre># passwd -S apache</pre><br />
<br />
Expected Output:<br />
<br />
<pre>apache P 09/07/2015 0 99999 7 -1</pre><br />
<br />
==== Remediation ====<br />
<br />
<pre># passwd -l apache </pre><br />
<br />
Validate the Configuration using the below command in Linux.<br />
<br />
<pre>#passwd -S apache</pre><br />
<br />
Expected Output:<br />
<br />
<pre>apache LK 2015-09-09 0 99999 7 -1 </pre><br />
<br />
=== Apache Directory Ownership and Permissions ===<br />
==== Description ====<br />
All of the Apache Software directories and files installed should be owned by root user and root group.This will help in mitigate <br />
exploration severity and information disclosure.<br />
<br />
Apache Web Document folders like "/var/www/html" need a designated group to allow web content to be updated.<br />
<br />
==== How to test ====<br />
<br />
Type the below command to check the User and Group associated with a file.The file varies in Between Debian,RHEL/CentOS/Fedora,FreeBSD.<br />
<br />
Example:<br />
<br />
<pre><br />
# ls -l /usr/share/apache2<br />
</pre><br />
<br />
<br />
<br />
==== Misconfiguration ====<br />
<br />
In the Below example the apache2 folder is owned by a user name "alice" and group "sysadmin" which can be considered as a misconfiguration.<br />
<br />
<pre><br />
drwxr-xr-x 6 alice sysadmin 4096 Sep 7 13:20 apache2<br />
</pre><br />
<br />
<br />
==== Remediation ====<br />
The below command will set a Directory named "apache2" with root user and root group recursively.<br />
<br />
<pre><br />
#chown –R root:root /usr/local/apache2<br />
</pre><br />
<br />
=== Apache File Ownership and Permissions ===<br />
==== Description ====<br />
Setting the appropriate permissions on the Apache files and directories can help to prevent/mitigate exploitation severity and information disclosure.<br />
<br />
Preventing execution of Apache binaries with limited permission will decrease the attack surface.<br />
<br />
Permission of the Apache directories and files should be rwxr-xr-x and they can change if it is Apache binary or executable file.<br />
<br />
==== How to test ====<br />
Run the below command to check the file permissions.<br />
<br />
<pre>#ls -l /var/www/html</pre><br />
<br />
==== Misconfiguration ====<br />
<br />
Other than rwxr-xr-x would be considered as a mis configuration.<br />
<br />
==== Remediation ====<br />
<br />
Permission of the Apache directories and files should be rwxr-xr-x and they can change if it is Apache binary or executable file.<br />
<br />
== Access Control List in Apache == <br />
=== Operating System Root directory ===<br />
==== Description ====<br />
Apache will serve any file mapped from an URL to clients with efault configuration.<br />
<br />
It is better to create a deny policy that will not allow access to Operating system directoories or files.<br />
<br />
A small modification in the configuration will allow access to tthe required files.<br />
<br />
The order of the directive is important as it provides for otherr Allow diectives to override the default deny.<br />
<br />
==== How to test ====<br />
1. Find the appropriate Apache configuration file in your Server.<br />
2. Ensure there is a single Order directive and set the value to deny, allow<br />
3. Ensure there is a Deny directive, and set the value to "from all".<br />
4. Remove any Allow directives from the root <Directory> element. <br />
<br />
==== Misconfiguration ====<br />
<pre><br />
<Directory /><br />
. . .<br />
Order allow,deny<br />
Allow from all<br />
. . .<br />
</Directory><br />
</pre><br />
==== Remediation ====<br />
<pre><br />
<Directory /><br />
. . .<br />
Order deny,allow<br />
Deny from all<br />
. . .<br />
</Directory><br />
</pre><br />
<br />
=== Improper access to web content === <br />
==== Description ====<br />
Appropriate access to various files,directories, locations and virtual hosts that contains web site content can make attack surface strong.<br />
<br />
Based up on the requirement you can prvode allow access or you can deny.<br />
<br />
==== How to test ====<br />
<br />
1. Find the appropriate Apache configuration file in your Server. <br><br />
2. Ensure there is a single Order directive and set the value to deny, allow<br> <br />
3. Ensure there is a Deny directive, and set the value to "from all". <br><br />
4. Remove any Allow directives from the root <Directory> element. <br><br />
<br />
==== Misconfiguration ====<br />
<pre><br />
<Directory "/var/www/html"><br />
. . .<br />
Order deny,allow<br />
Allow from all<br />
</Directory> <br />
</pre><br />
==== Remediation ====<br />
<pre><br />
<Directory "/var/www/html/"><br />
Order deny,allow<br />
deny from all<br />
allow from 172.16.5.0/24<br />
</Directory> <br />
</pre><br />
<br />
=== AllowOverride Directive ===<br />
<br />
==== Description ====<br />
<br />
==== How to test ====<br />
<br />
==== Misconfiguration ====<br />
<pre><br />
<Directory /var/www/html><br />
AllowOverride All<br />
</Directory><br />
</pre><br />
<br />
==== Remediation ====<br />
<pre><br />
<Directory /var/www/html><br />
AllowOverride None<br />
</Directory><br />
</pre><br />
<br />
== Apache Features ==<br />
<br />
=== Limit HTTP Request Methods ===<br />
==== Description ====<br />
==== How to test ====<br />
==== Misconfiguration ====<br />
==== Remediation ====<br />
<br />
<br />
=== Disable HTTP Trace Method ===<br />
==== Description ====<br />
==== How to test ====<br />
==== Misconfiguration ====<br />
==== Remediation ====<br />
<br />
<br />
=== HTTP Protocol Version ===<br />
==== Description ====<br />
==== How to test ====<br />
==== Misconfiguration ====<br />
==== Remediation ====<br />
<br />
<br />
=== Restrict access to .htaccess files ===<br />
==== Description ====<br />
==== How to test ====<br />
==== Misconfiguration ====<br />
==== Remediation ====<br />
<br />
<br />
=== Restrict file extensions ===<br />
==== Description ====<br />
==== How to test ====<br />
==== Misconfiguration ====<br />
==== Remediation ====<br />
<br />
<br />
=== Remove Default HTML Page ===<br />
==== Description ====<br />
==== How to test ====<br />
==== Misconfiguration ====<br />
==== Remediation ====<br />
<br />
<br />
== Apache Module Configuration ==<br />
<br />
=== Authentication and Authorization Modules ===<br />
==== Description ====<br />
==== How to test ====<br />
==== Misconfiguration ====<br />
==== Remediation ====<br />
<br />
=== Status and Info Modules ===<br />
==== Description ====<br />
==== How to test ====<br />
==== Misconfiguration ====<br />
==== Remediation ====<br />
<br />
<br />
=== AutoIndex Module ===<br />
==== Description ====<br />
==== How to test ====<br />
==== Misconfiguration ====<br />
==== Remediation ====<br />
<br />
<br />
=== Proxy Module ===<br />
==== Description ====<br />
==== How to test ====<br />
==== Misconfiguration ====<br />
==== Remediation ====<br />
<br />
<br />
=== User Directory Moudule ===<br />
<br />
== SSL / TLS Configuration ==<br />
=== Install a valid certificate ===<br />
==== Description ====<br />
==== How to test ====<br />
==== Misconfiguration ====<br />
==== Remediation ====<br />
<br />
<br />
=== Restric weak SSL Protocols and Ciphers ===<br />
==== Description ====<br />
==== How to test ====<br />
==== Misconfiguration ====<br />
==== Remediation ====<br />
<br />
<br />
=== Install mod_ssl Module === <br />
<br />
==== Description ====<br />
==== How to test ====<br />
==== Misconfiguration ====<br />
==== Remediation ====<br />
<br />
=== Avoid Insecure SSL Renogitation ===<br />
==== Description ====<br />
==== How to test ====<br />
==== Misconfiguration ====<br />
==== Remediation ====<br />
<br />
<br />
== Attack Migigation ==<br />
=== DOS ===<br />
==== Description ====<br />
==== How to test ====<br />
==== Misconfiguration ====<br />
==== Remediation ====<br />
<br />
=== Buffer Overflow ===<br />
==== Description ====<br />
==== How to test ====<br />
==== Misconfiguration ====<br />
==== Remediation ====<br />
<br />
== References ==<br />
<br />
https://httpd.apache.org/docs/current/misc/security_tips.html<br />
<br />
https://wiki.debian.org/Apache/Hardening<br />
<br />
https://wiki.apache.org/httpd/CommonMisconfigurations<br />
<br />
http://projects.webappsec.org/w/page/13246959/Server%20Misconfiguration</div>Nishanthkumarpathihttps://wiki.owasp.org/index.php?title=SCG_WS_Apache&diff=201820SCG WS Apache2015-10-08T11:46:53Z<p>Nishanthkumarpathi: /* Improper access to web content */</p>
<hr />
<div>{{Template:OWASP Secure Configuration Guide}}<br />
'''NEEDS TO BE REVIEWED, SEE REFERENCES BELOW FOR ANY QUERIES!'''<br />
<br />
== Summary ==<br />
<br />
The Apache HTTP Server Project is a collaborative software development effort aimed at creating a robust, commercial-grade, featureful, and freely-available source code implementation of an HTTP (Web) server. The project is jointly managed by a group of volunteers located around the world, using the Internet and the Web to communicate, plan, and develop the server and its related documentation. This project is part of the Apache Software Foundation. In addition, hundreds of users have contributed ideas, code, and documentation to the project. This file is intended to briefly describe the history of the Apache HTTP Server and recognize the many contributors.<br />
<br />
== Important Files of Apache Server ==<br />
=== Apache Global Server Configuration Files ===<br />
<br />
Debian<br />
<pre>/etc/apache2/apache2.conf</pre><br />
RHEL / Red Hat / CentOS / Fedora Linux<br />
<pre>/etc/httpd/conf/httpd.conf</pre><br />
FreeBSD<br />
<pre>/usr/local/etc/apache2X/httpd.conf</pre><br />
<br />
Note:X represents the version number<br />
<br />
=== Apache Module Files ===<br />
Debian<pre>/etc/apache2/mods-enabled</pre><br />
RHEL / Red Hat / CentOS / Fedora Linux<pre>/etc/httpd/conf/conf.d</pre><br />
<br />
=== Apache Port Configuration File ===<br />
Debian<pre>/etc/apache2/ports.conf</pre><br />
RHEL / Red Hat / CentOS / Fedora Linux<pre>/etc/httpd/conf/conf.d</pre><br />
<br />
=== Apache Error Files ===<br />
Debian<pre>/var/log/apache2/error.log</pre><br />
RHEL / Red Hat / CentOS / Fedora Linux<pre>var/log/httpd/error_log</pre><br />
FreeBSD<pre>/var/log/httpd-error.log</pre><br />
<br />
== Apache Server Information Leakage ==<br />
<br />
=== Server Token Directive===<br />
<br />
==== Description ====<br />
<br />
This Directive Controls wheather Server response field is sent back to clients includes a description of Generic OS Type of the Server.<br />
<br />
<pre><br />
Server: Apache/2.2.14 (Unix) mod_ssl/2.2.14 OpenSSL/0.9.8e-fips-rhel5<br />
</pre><br />
<br />
This allows attackers to identify web servers details greatly and increases the efficiency of any attack,as security vulnerabilities<br />
are dependent upon specific software versions.<br />
<br />
==== How to test ====<br />
In order to test for ServerToken configuration, one should check the Apache configuration file.<br />
<br />
==== Misconfiguration ====<br />
<pre><br />
ServerTokens Full<br />
</pre><br />
<br />
==== Remediation ====<br />
<br />
Configure the ServerTokens directive in the Apache configuration to value of Prod or ProductOnly.<br />
This tells Apache to only return "Apache" in the Server header, returned on every page request.<br />
<br />
<pre><br />
ServerTokens Prod<br />
or<br />
ServerTokens ProductOnly<br />
</pre><br />
<br />
=== Server Signature ===<br />
<br />
==== Description ====<br />
<br />
This Apache directive allows the configuration of a trailing footer line under server-generated documents. <br />
<br />
==== How to test ====<br />
In order to test for ServerSignature configuration, one should check the Apache configuration file.<br />
<br />
==== Misconfiguration ====<br />
<pre>ServerSignature Off</pre><br />
<br />
==== Remediation ====<br />
Configure the ServerSingature directive in the Apache configuration to value of "Off".<br />
This tell Apache not to display the server version on error pages, or other pages it generates.<br />
<br />
<pre> ServerSignature On</pre><br />
<br />
== Operating System Privileges for Apache ==<br />
<br />
=== Run Apache with least privilege user ===<br />
<br />
==== Description ====<br />
<br />
Apache typically is started with root privileges in order to listen on port 80 and 443.<br />
One of the best ways to reduce your exposure to attack when running a web server is to create a unique, unprivileged userid and group for the web daemon to execute.<br />
The “nobody” or “daemon” userid & group that come default on Unix variants should NOT be used to run the web server as these principals are commonly used by other daemon services. <br />
Instead, create a user and group that are exclusively used by the web service so as to not give unnecessary access to other services.<br />
The userid used for the apache user should be a unique value between 1 and 499 as these lower values are reserved for the special system accounts.<br />
A more secure alternative is to bind Apache web service to an unprivileged port so it is not<br />
necessary to start Apache as root.<br />
<br />
==== How to test ====<br />
Ensure the apache account is unique and has been created with a UID between1-499 with the apache group and configured in the Apache Configuration File.<br />
<br />
==== Misconfiguration ====<br />
<br />
==== Remediation ====<br />
If the Apache user and group does exist, create the account and group as a unique system account.<br />
<br />
Example:<br />
<pre><br />
# groupadd –r apache<br />
# useradd apache -r -g apache -d /var/www -s /sbin/nologin<br />
</pre><br />
<br />
2. Configure the Apache user and group in the Apache configuration file.<br />
<pre><br />
User apache<br />
Group apache<br />
</pre><br />
<br />
=== Restrict Shell Access for Apache User=== <br />
==== Description ====<br />
The Apache account must not be used as a regular login account, and should be assigned an<br />
invalid or nologin shell to ensure that the account cannot be used to login.<br />
==== How to test ====<br />
==== Misconfiguration ====<br />
Check the apache login shell in the /etc/password file for Linux Systems.<br />
<pre># grep apache /etc/passwd</pre><br />
==== Remediation ====<br />
The below command will configure the apache user with "nologin" restrictions.<br />
<pre>#chsh -s /usr/sbin/nologin apache</pre><br />
Expected Output<br />
<pre><br />
Command to chec:<br />
#cat/etc/passwd<br />
Expected Output:<br />
apache:x:48:48:Apache:/var/www:usr/sbin/nologin</pre><br />
<br />
=== Lock Apache user account===<br />
==== Description ====<br />
The user account under which Apache runs, should have a valid password, but should be locked. <br />
==== How to test ====<br />
<br />
==== Misconfiguration ====<br />
<br />
The below is the misconfiguration for an Apache user.<br />
<br />
Command<br />
<br />
<pre># passwd -S apache</pre><br />
<br />
Expected Output:<br />
<br />
<pre>apache P 09/07/2015 0 99999 7 -1</pre><br />
<br />
==== Remediation ====<br />
<br />
<pre># passwd -l apache </pre><br />
<br />
Validate the Configuration using the below command in Linux.<br />
<br />
<pre>#passwd -S apache</pre><br />
<br />
Expected Output:<br />
<br />
<pre>apache LK 2015-09-09 0 99999 7 -1 </pre><br />
<br />
=== Apache Directory Ownership and Permissions ===<br />
==== Description ====<br />
All of the Apache Software directories and files installed should be owned by root user and root group.This will help in mitigate <br />
exploration severity and information disclosure.<br />
<br />
Apache Web Document folders like "/var/www/html" need a designated group to allow web content to be updated.<br />
<br />
==== How to test ====<br />
<br />
Type the below command to check the User and Group associated with a file.The file varies in Between Debian,RHEL/CentOS/Fedora,FreeBSD.<br />
<br />
Example:<br />
<br />
<pre><br />
# ls -l /usr/share/apache2<br />
</pre><br />
<br />
<br />
<br />
==== Misconfiguration ====<br />
<br />
In the Below example the apache2 folder is owned by a user name "alice" and group "sysadmin" which can be considered as a misconfiguration.<br />
<br />
<pre><br />
drwxr-xr-x 6 alice sysadmin 4096 Sep 7 13:20 apache2<br />
</pre><br />
<br />
<br />
==== Remediation ====<br />
The below command will set a Directory named "apache2" with root user and root group recursively.<br />
<br />
<pre><br />
#chown –R root:root /usr/local/apache2<br />
</pre><br />
<br />
=== Apache File Ownership and Permissions ===<br />
==== Description ====<br />
Setting the appropriate permissions on the Apache files and directories can help to prevent/mitigate exploitation severity and information disclosure.<br />
<br />
Preventing execution of Apache binaries with limited permission will decrease the attack surface.<br />
<br />
Permission of the Apache directories and files should be rwxr-xr-x and they can change if it is Apache binary or executable file.<br />
<br />
==== How to test ====<br />
Run the below command to check the file permissions.<br />
<br />
<pre>#ls -l /var/www/html</pre><br />
<br />
==== Misconfiguration ====<br />
<br />
Other than rwxr-xr-x would be considered as a mis configuration.<br />
<br />
==== Remediation ====<br />
<br />
Permission of the Apache directories and files should be rwxr-xr-x and they can change if it is Apache binary or executable file.<br />
<br />
== Access Control List in Apache == <br />
=== Operating System Root directory ===<br />
==== Description ====<br />
Apache will serve any file mapped from an URL to clients with efault configuration.<br />
<br />
It is better to create a deny policy that will not allow access to Operating system directoories or files.<br />
<br />
A small modification in the configuration will allow access to tthe required files.<br />
<br />
The order of the directive is important as it provides for otherr Allow diectives to override the default deny.<br />
<br />
==== How to test ====<br />
1. Find the appropriate Apache configuration file in your Server.<br />
2. Ensure there is a single Order directive and set the value to deny, allow<br />
3. Ensure there is a Deny directive, and set the value to "from all".<br />
4. Remove any Allow directives from the root <Directory> element. <br />
<br />
==== Misconfiguration ====<br />
<pre><br />
<Directory /><br />
. . .<br />
Order allow,deny<br />
Allow from all<br />
. . .<br />
</Directory><br />
</pre><br />
==== Remediation ====<br />
<pre><br />
<Directory /><br />
. . .<br />
Order deny,allow<br />
Deny from all<br />
. . .<br />
</Directory><br />
</pre><br />
<br />
=== Improper access to web content === <br />
==== Description ====<br />
Appropriate access to various files,directories, locations and virtual hosts that contains web site content can make attack surface strong.<br />
<br />
Based up on the requirement you can prvode allow access or you can deny.<br />
<br />
==== How to test ====<br />
<br />
1. Find the appropriate Apache configuration file in your Server. <br><br />
2. Ensure there is a single Order directive and set the value to deny, allow<br> <br />
3. Ensure there is a Deny directive, and set the value to "from all". <br><br />
4. Remove any Allow directives from the root <Directory> element. <br><br />
<br />
==== Misconfiguration ====<br />
<pre><br />
<Directory "/var/www/html"><br />
. . .<br />
Order deny,allow<br />
Allow from all<br />
</Directory> <br />
</pre><br />
==== Remediation ====<br />
<pre><br />
<Directory "/var/www/html/"><br />
Order deny,allow<br />
deny from all<br />
allow from 172.16.5.0/24<br />
</Directory> <br />
</pre><br />
<br />
=== Restrict OverRide for All Directories ===<br />
==== Description ====<br />
==== How to test ====<br />
==== Misconfiguration ====<br />
==== Remediation ====<br />
<br />
== Apache Features ==<br />
<br />
=== Limit HTTP Request Methods ===<br />
==== Description ====<br />
==== How to test ====<br />
==== Misconfiguration ====<br />
==== Remediation ====<br />
<br />
<br />
=== Disable HTTP Trace Method ===<br />
==== Description ====<br />
==== How to test ====<br />
==== Misconfiguration ====<br />
==== Remediation ====<br />
<br />
<br />
=== HTTP Protocol Version ===<br />
==== Description ====<br />
==== How to test ====<br />
==== Misconfiguration ====<br />
==== Remediation ====<br />
<br />
<br />
=== Restrict access to .htaccess files ===<br />
==== Description ====<br />
==== How to test ====<br />
==== Misconfiguration ====<br />
==== Remediation ====<br />
<br />
<br />
=== Restrict file extensions ===<br />
==== Description ====<br />
==== How to test ====<br />
==== Misconfiguration ====<br />
==== Remediation ====<br />
<br />
<br />
=== Remove Default HTML Page ===<br />
==== Description ====<br />
==== How to test ====<br />
==== Misconfiguration ====<br />
==== Remediation ====<br />
<br />
<br />
== Apache Module Configuration ==<br />
<br />
=== Authentication and Authorization Modules ===<br />
==== Description ====<br />
==== How to test ====<br />
==== Misconfiguration ====<br />
==== Remediation ====<br />
<br />
=== Status and Info Modules ===<br />
==== Description ====<br />
==== How to test ====<br />
==== Misconfiguration ====<br />
==== Remediation ====<br />
<br />
<br />
=== AutoIndex Module ===<br />
==== Description ====<br />
==== How to test ====<br />
==== Misconfiguration ====<br />
==== Remediation ====<br />
<br />
<br />
=== Proxy Module ===<br />
==== Description ====<br />
==== How to test ====<br />
==== Misconfiguration ====<br />
==== Remediation ====<br />
<br />
<br />
=== User Directory Moudule ===<br />
<br />
== SSL / TLS Configuration ==<br />
=== Install a valid certificate ===<br />
==== Description ====<br />
==== How to test ====<br />
==== Misconfiguration ====<br />
==== Remediation ====<br />
<br />
<br />
=== Restric weak SSL Protocols and Ciphers ===<br />
==== Description ====<br />
==== How to test ====<br />
==== Misconfiguration ====<br />
==== Remediation ====<br />
<br />
<br />
=== Install mod_ssl Module === <br />
<br />
==== Description ====<br />
==== How to test ====<br />
==== Misconfiguration ====<br />
==== Remediation ====<br />
<br />
=== Avoid Insecure SSL Renogitation ===<br />
==== Description ====<br />
==== How to test ====<br />
==== Misconfiguration ====<br />
==== Remediation ====<br />
<br />
<br />
== Attack Migigation ==<br />
=== DOS ===<br />
==== Description ====<br />
==== How to test ====<br />
==== Misconfiguration ====<br />
==== Remediation ====<br />
<br />
=== Buffer Overflow ===<br />
==== Description ====<br />
==== How to test ====<br />
==== Misconfiguration ====<br />
==== Remediation ====<br />
<br />
== References ==<br />
<br />
https://httpd.apache.org/docs/current/misc/security_tips.html<br />
<br />
https://wiki.debian.org/Apache/Hardening<br />
<br />
https://wiki.apache.org/httpd/CommonMisconfigurations<br />
<br />
http://projects.webappsec.org/w/page/13246959/Server%20Misconfiguration</div>Nishanthkumarpathihttps://wiki.owasp.org/index.php?title=SCG_WS_Apache&diff=201819SCG WS Apache2015-10-08T11:39:44Z<p>Nishanthkumarpathi: /* Operating System Root directory */</p>
<hr />
<div>{{Template:OWASP Secure Configuration Guide}}<br />
'''NEEDS TO BE REVIEWED, SEE REFERENCES BELOW FOR ANY QUERIES!'''<br />
<br />
== Summary ==<br />
<br />
The Apache HTTP Server Project is a collaborative software development effort aimed at creating a robust, commercial-grade, featureful, and freely-available source code implementation of an HTTP (Web) server. The project is jointly managed by a group of volunteers located around the world, using the Internet and the Web to communicate, plan, and develop the server and its related documentation. This project is part of the Apache Software Foundation. In addition, hundreds of users have contributed ideas, code, and documentation to the project. This file is intended to briefly describe the history of the Apache HTTP Server and recognize the many contributors.<br />
<br />
== Important Files of Apache Server ==<br />
=== Apache Global Server Configuration Files ===<br />
<br />
Debian<br />
<pre>/etc/apache2/apache2.conf</pre><br />
RHEL / Red Hat / CentOS / Fedora Linux<br />
<pre>/etc/httpd/conf/httpd.conf</pre><br />
FreeBSD<br />
<pre>/usr/local/etc/apache2X/httpd.conf</pre><br />
<br />
Note:X represents the version number<br />
<br />
=== Apache Module Files ===<br />
Debian<pre>/etc/apache2/mods-enabled</pre><br />
RHEL / Red Hat / CentOS / Fedora Linux<pre>/etc/httpd/conf/conf.d</pre><br />
<br />
=== Apache Port Configuration File ===<br />
Debian<pre>/etc/apache2/ports.conf</pre><br />
RHEL / Red Hat / CentOS / Fedora Linux<pre>/etc/httpd/conf/conf.d</pre><br />
<br />
=== Apache Error Files ===<br />
Debian<pre>/var/log/apache2/error.log</pre><br />
RHEL / Red Hat / CentOS / Fedora Linux<pre>var/log/httpd/error_log</pre><br />
FreeBSD<pre>/var/log/httpd-error.log</pre><br />
<br />
== Apache Server Information Leakage ==<br />
<br />
=== Server Token Directive===<br />
<br />
==== Description ====<br />
<br />
This Directive Controls wheather Server response field is sent back to clients includes a description of Generic OS Type of the Server.<br />
<br />
<pre><br />
Server: Apache/2.2.14 (Unix) mod_ssl/2.2.14 OpenSSL/0.9.8e-fips-rhel5<br />
</pre><br />
<br />
This allows attackers to identify web servers details greatly and increases the efficiency of any attack,as security vulnerabilities<br />
are dependent upon specific software versions.<br />
<br />
==== How to test ====<br />
In order to test for ServerToken configuration, one should check the Apache configuration file.<br />
<br />
==== Misconfiguration ====<br />
<pre><br />
ServerTokens Full<br />
</pre><br />
<br />
==== Remediation ====<br />
<br />
Configure the ServerTokens directive in the Apache configuration to value of Prod or ProductOnly.<br />
This tells Apache to only return "Apache" in the Server header, returned on every page request.<br />
<br />
<pre><br />
ServerTokens Prod<br />
or<br />
ServerTokens ProductOnly<br />
</pre><br />
<br />
=== Server Signature ===<br />
<br />
==== Description ====<br />
<br />
This Apache directive allows the configuration of a trailing footer line under server-generated documents. <br />
<br />
==== How to test ====<br />
In order to test for ServerSignature configuration, one should check the Apache configuration file.<br />
<br />
==== Misconfiguration ====<br />
<pre>ServerSignature Off</pre><br />
<br />
==== Remediation ====<br />
Configure the ServerSingature directive in the Apache configuration to value of "Off".<br />
This tell Apache not to display the server version on error pages, or other pages it generates.<br />
<br />
<pre> ServerSignature On</pre><br />
<br />
== Operating System Privileges for Apache ==<br />
<br />
=== Run Apache with least privilege user ===<br />
<br />
==== Description ====<br />
<br />
Apache typically is started with root privileges in order to listen on port 80 and 443.<br />
One of the best ways to reduce your exposure to attack when running a web server is to create a unique, unprivileged userid and group for the web daemon to execute.<br />
The “nobody” or “daemon” userid & group that come default on Unix variants should NOT be used to run the web server as these principals are commonly used by other daemon services. <br />
Instead, create a user and group that are exclusively used by the web service so as to not give unnecessary access to other services.<br />
The userid used for the apache user should be a unique value between 1 and 499 as these lower values are reserved for the special system accounts.<br />
A more secure alternative is to bind Apache web service to an unprivileged port so it is not<br />
necessary to start Apache as root.<br />
<br />
==== How to test ====<br />
Ensure the apache account is unique and has been created with a UID between1-499 with the apache group and configured in the Apache Configuration File.<br />
<br />
==== Misconfiguration ====<br />
<br />
==== Remediation ====<br />
If the Apache user and group does exist, create the account and group as a unique system account.<br />
<br />
Example:<br />
<pre><br />
# groupadd –r apache<br />
# useradd apache -r -g apache -d /var/www -s /sbin/nologin<br />
</pre><br />
<br />
2. Configure the Apache user and group in the Apache configuration file.<br />
<pre><br />
User apache<br />
Group apache<br />
</pre><br />
<br />
=== Restrict Shell Access for Apache User=== <br />
==== Description ====<br />
The Apache account must not be used as a regular login account, and should be assigned an<br />
invalid or nologin shell to ensure that the account cannot be used to login.<br />
==== How to test ====<br />
==== Misconfiguration ====<br />
Check the apache login shell in the /etc/password file for Linux Systems.<br />
<pre># grep apache /etc/passwd</pre><br />
==== Remediation ====<br />
The below command will configure the apache user with "nologin" restrictions.<br />
<pre>#chsh -s /usr/sbin/nologin apache</pre><br />
Expected Output<br />
<pre><br />
Command to chec:<br />
#cat/etc/passwd<br />
Expected Output:<br />
apache:x:48:48:Apache:/var/www:usr/sbin/nologin</pre><br />
<br />
=== Lock Apache user account===<br />
==== Description ====<br />
The user account under which Apache runs, should have a valid password, but should be locked. <br />
==== How to test ====<br />
<br />
==== Misconfiguration ====<br />
<br />
The below is the misconfiguration for an Apache user.<br />
<br />
Command<br />
<br />
<pre># passwd -S apache</pre><br />
<br />
Expected Output:<br />
<br />
<pre>apache P 09/07/2015 0 99999 7 -1</pre><br />
<br />
==== Remediation ====<br />
<br />
<pre># passwd -l apache </pre><br />
<br />
Validate the Configuration using the below command in Linux.<br />
<br />
<pre>#passwd -S apache</pre><br />
<br />
Expected Output:<br />
<br />
<pre>apache LK 2015-09-09 0 99999 7 -1 </pre><br />
<br />
=== Apache Directory Ownership and Permissions ===<br />
==== Description ====<br />
All of the Apache Software directories and files installed should be owned by root user and root group.This will help in mitigate <br />
exploration severity and information disclosure.<br />
<br />
Apache Web Document folders like "/var/www/html" need a designated group to allow web content to be updated.<br />
<br />
==== How to test ====<br />
<br />
Type the below command to check the User and Group associated with a file.The file varies in Between Debian,RHEL/CentOS/Fedora,FreeBSD.<br />
<br />
Example:<br />
<br />
<pre><br />
# ls -l /usr/share/apache2<br />
</pre><br />
<br />
<br />
<br />
==== Misconfiguration ====<br />
<br />
In the Below example the apache2 folder is owned by a user name "alice" and group "sysadmin" which can be considered as a misconfiguration.<br />
<br />
<pre><br />
drwxr-xr-x 6 alice sysadmin 4096 Sep 7 13:20 apache2<br />
</pre><br />
<br />
<br />
==== Remediation ====<br />
The below command will set a Directory named "apache2" with root user and root group recursively.<br />
<br />
<pre><br />
#chown –R root:root /usr/local/apache2<br />
</pre><br />
<br />
=== Apache File Ownership and Permissions ===<br />
==== Description ====<br />
Setting the appropriate permissions on the Apache files and directories can help to prevent/mitigate exploitation severity and information disclosure.<br />
<br />
Preventing execution of Apache binaries with limited permission will decrease the attack surface.<br />
<br />
Permission of the Apache directories and files should be rwxr-xr-x and they can change if it is Apache binary or executable file.<br />
<br />
==== How to test ====<br />
Run the below command to check the file permissions.<br />
<br />
<pre>#ls -l /var/www/html</pre><br />
<br />
==== Misconfiguration ====<br />
<br />
Other than rwxr-xr-x would be considered as a mis configuration.<br />
<br />
==== Remediation ====<br />
<br />
Permission of the Apache directories and files should be rwxr-xr-x and they can change if it is Apache binary or executable file.<br />
<br />
== Access Control List in Apache == <br />
=== Operating System Root directory ===<br />
==== Description ====<br />
Apache will serve any file mapped from an URL to clients with efault configuration.<br />
<br />
It is better to create a deny policy that will not allow access to Operating system directoories or files.<br />
<br />
A small modification in the configuration will allow access to tthe required files.<br />
<br />
The order of the directive is important as it provides for otherr Allow diectives to override the default deny.<br />
<br />
==== How to test ====<br />
1. Find the appropriate Apache configuration file in your Server.<br />
2. Ensure there is a single Order directive and set the value to deny, allow<br />
3. Ensure there is a Deny directive, and set the value to "from all".<br />
4. Remove any Allow directives from the root <Directory> element. <br />
<br />
==== Misconfiguration ====<br />
<pre><br />
<Directory /><br />
. . .<br />
Order allow,deny<br />
Allow from all<br />
. . .<br />
</Directory><br />
</pre><br />
==== Remediation ====<br />
<pre><br />
<Directory /><br />
. . .<br />
Order deny,allow<br />
Deny from all<br />
. . .<br />
</Directory><br />
</pre><br />
<br />
=== Improper access to web content === <br />
==== Description ====<br />
==== How to test ====<br />
==== Misconfiguration ====<br />
==== Remediation ====<br />
<br />
<br />
=== Restrict OverRide for All Directories ===<br />
==== Description ====<br />
==== How to test ====<br />
==== Misconfiguration ====<br />
==== Remediation ====<br />
<br />
== Apache Features ==<br />
<br />
=== Limit HTTP Request Methods ===<br />
==== Description ====<br />
==== How to test ====<br />
==== Misconfiguration ====<br />
==== Remediation ====<br />
<br />
<br />
=== Disable HTTP Trace Method ===<br />
==== Description ====<br />
==== How to test ====<br />
==== Misconfiguration ====<br />
==== Remediation ====<br />
<br />
<br />
=== HTTP Protocol Version ===<br />
==== Description ====<br />
==== How to test ====<br />
==== Misconfiguration ====<br />
==== Remediation ====<br />
<br />
<br />
=== Restrict access to .htaccess files ===<br />
==== Description ====<br />
==== How to test ====<br />
==== Misconfiguration ====<br />
==== Remediation ====<br />
<br />
<br />
=== Restrict file extensions ===<br />
==== Description ====<br />
==== How to test ====<br />
==== Misconfiguration ====<br />
==== Remediation ====<br />
<br />
<br />
=== Remove Default HTML Page ===<br />
==== Description ====<br />
==== How to test ====<br />
==== Misconfiguration ====<br />
==== Remediation ====<br />
<br />
<br />
== Apache Module Configuration ==<br />
<br />
=== Authentication and Authorization Modules ===<br />
==== Description ====<br />
==== How to test ====<br />
==== Misconfiguration ====<br />
==== Remediation ====<br />
<br />
=== Status and Info Modules ===<br />
==== Description ====<br />
==== How to test ====<br />
==== Misconfiguration ====<br />
==== Remediation ====<br />
<br />
<br />
=== AutoIndex Module ===<br />
==== Description ====<br />
==== How to test ====<br />
==== Misconfiguration ====<br />
==== Remediation ====<br />
<br />
<br />
=== Proxy Module ===<br />
==== Description ====<br />
==== How to test ====<br />
==== Misconfiguration ====<br />
==== Remediation ====<br />
<br />
<br />
=== User Directory Moudule ===<br />
<br />
== SSL / TLS Configuration ==<br />
=== Install a valid certificate ===<br />
==== Description ====<br />
==== How to test ====<br />
==== Misconfiguration ====<br />
==== Remediation ====<br />
<br />
<br />
=== Restric weak SSL Protocols and Ciphers ===<br />
==== Description ====<br />
==== How to test ====<br />
==== Misconfiguration ====<br />
==== Remediation ====<br />
<br />
<br />
=== Install mod_ssl Module === <br />
<br />
==== Description ====<br />
==== How to test ====<br />
==== Misconfiguration ====<br />
==== Remediation ====<br />
<br />
=== Avoid Insecure SSL Renogitation ===<br />
==== Description ====<br />
==== How to test ====<br />
==== Misconfiguration ====<br />
==== Remediation ====<br />
<br />
<br />
== Attack Migigation ==<br />
=== DOS ===<br />
==== Description ====<br />
==== How to test ====<br />
==== Misconfiguration ====<br />
==== Remediation ====<br />
<br />
=== Buffer Overflow ===<br />
==== Description ====<br />
==== How to test ====<br />
==== Misconfiguration ====<br />
==== Remediation ====<br />
<br />
== References ==<br />
<br />
https://httpd.apache.org/docs/current/misc/security_tips.html<br />
<br />
https://wiki.debian.org/Apache/Hardening<br />
<br />
https://wiki.apache.org/httpd/CommonMisconfigurations<br />
<br />
http://projects.webappsec.org/w/page/13246959/Server%20Misconfiguration</div>Nishanthkumarpathihttps://wiki.owasp.org/index.php?title=SCG_WS_Apache&diff=201818SCG WS Apache2015-10-08T11:22:57Z<p>Nishanthkumarpathi: /* Apache File Ownership and Permissions */</p>
<hr />
<div>{{Template:OWASP Secure Configuration Guide}}<br />
'''NEEDS TO BE REVIEWED, SEE REFERENCES BELOW FOR ANY QUERIES!'''<br />
<br />
== Summary ==<br />
<br />
The Apache HTTP Server Project is a collaborative software development effort aimed at creating a robust, commercial-grade, featureful, and freely-available source code implementation of an HTTP (Web) server. The project is jointly managed by a group of volunteers located around the world, using the Internet and the Web to communicate, plan, and develop the server and its related documentation. This project is part of the Apache Software Foundation. In addition, hundreds of users have contributed ideas, code, and documentation to the project. This file is intended to briefly describe the history of the Apache HTTP Server and recognize the many contributors.<br />
<br />
== Important Files of Apache Server ==<br />
=== Apache Global Server Configuration Files ===<br />
<br />
Debian<br />
<pre>/etc/apache2/apache2.conf</pre><br />
RHEL / Red Hat / CentOS / Fedora Linux<br />
<pre>/etc/httpd/conf/httpd.conf</pre><br />
FreeBSD<br />
<pre>/usr/local/etc/apache2X/httpd.conf</pre><br />
<br />
Note:X represents the version number<br />
<br />
=== Apache Module Files ===<br />
Debian<pre>/etc/apache2/mods-enabled</pre><br />
RHEL / Red Hat / CentOS / Fedora Linux<pre>/etc/httpd/conf/conf.d</pre><br />
<br />
=== Apache Port Configuration File ===<br />
Debian<pre>/etc/apache2/ports.conf</pre><br />
RHEL / Red Hat / CentOS / Fedora Linux<pre>/etc/httpd/conf/conf.d</pre><br />
<br />
=== Apache Error Files ===<br />
Debian<pre>/var/log/apache2/error.log</pre><br />
RHEL / Red Hat / CentOS / Fedora Linux<pre>var/log/httpd/error_log</pre><br />
FreeBSD<pre>/var/log/httpd-error.log</pre><br />
<br />
== Apache Server Information Leakage ==<br />
<br />
=== Server Token Directive===<br />
<br />
==== Description ====<br />
<br />
This Directive Controls wheather Server response field is sent back to clients includes a description of Generic OS Type of the Server.<br />
<br />
<pre><br />
Server: Apache/2.2.14 (Unix) mod_ssl/2.2.14 OpenSSL/0.9.8e-fips-rhel5<br />
</pre><br />
<br />
This allows attackers to identify web servers details greatly and increases the efficiency of any attack,as security vulnerabilities<br />
are dependent upon specific software versions.<br />
<br />
==== How to test ====<br />
In order to test for ServerToken configuration, one should check the Apache configuration file.<br />
<br />
==== Misconfiguration ====<br />
<pre><br />
ServerTokens Full<br />
</pre><br />
<br />
==== Remediation ====<br />
<br />
Configure the ServerTokens directive in the Apache configuration to value of Prod or ProductOnly.<br />
This tells Apache to only return "Apache" in the Server header, returned on every page request.<br />
<br />
<pre><br />
ServerTokens Prod<br />
or<br />
ServerTokens ProductOnly<br />
</pre><br />
<br />
=== Server Signature ===<br />
<br />
==== Description ====<br />
<br />
This Apache directive allows the configuration of a trailing footer line under server-generated documents. <br />
<br />
==== How to test ====<br />
In order to test for ServerSignature configuration, one should check the Apache configuration file.<br />
<br />
==== Misconfiguration ====<br />
<pre>ServerSignature Off</pre><br />
<br />
==== Remediation ====<br />
Configure the ServerSingature directive in the Apache configuration to value of "Off".<br />
This tell Apache not to display the server version on error pages, or other pages it generates.<br />
<br />
<pre> ServerSignature On</pre><br />
<br />
== Operating System Privileges for Apache ==<br />
<br />
=== Run Apache with least privilege user ===<br />
<br />
==== Description ====<br />
<br />
Apache typically is started with root privileges in order to listen on port 80 and 443.<br />
One of the best ways to reduce your exposure to attack when running a web server is to create a unique, unprivileged userid and group for the web daemon to execute.<br />
The “nobody” or “daemon” userid & group that come default on Unix variants should NOT be used to run the web server as these principals are commonly used by other daemon services. <br />
Instead, create a user and group that are exclusively used by the web service so as to not give unnecessary access to other services.<br />
The userid used for the apache user should be a unique value between 1 and 499 as these lower values are reserved for the special system accounts.<br />
A more secure alternative is to bind Apache web service to an unprivileged port so it is not<br />
necessary to start Apache as root.<br />
<br />
==== How to test ====<br />
Ensure the apache account is unique and has been created with a UID between1-499 with the apache group and configured in the Apache Configuration File.<br />
<br />
==== Misconfiguration ====<br />
<br />
==== Remediation ====<br />
If the Apache user and group does exist, create the account and group as a unique system account.<br />
<br />
Example:<br />
<pre><br />
# groupadd –r apache<br />
# useradd apache -r -g apache -d /var/www -s /sbin/nologin<br />
</pre><br />
<br />
2. Configure the Apache user and group in the Apache configuration file.<br />
<pre><br />
User apache<br />
Group apache<br />
</pre><br />
<br />
=== Restrict Shell Access for Apache User=== <br />
==== Description ====<br />
The Apache account must not be used as a regular login account, and should be assigned an<br />
invalid or nologin shell to ensure that the account cannot be used to login.<br />
==== How to test ====<br />
==== Misconfiguration ====<br />
Check the apache login shell in the /etc/password file for Linux Systems.<br />
<pre># grep apache /etc/passwd</pre><br />
==== Remediation ====<br />
The below command will configure the apache user with "nologin" restrictions.<br />
<pre>#chsh -s /usr/sbin/nologin apache</pre><br />
Expected Output<br />
<pre><br />
Command to chec:<br />
#cat/etc/passwd<br />
Expected Output:<br />
apache:x:48:48:Apache:/var/www:usr/sbin/nologin</pre><br />
<br />
=== Lock Apache user account===<br />
==== Description ====<br />
The user account under which Apache runs, should have a valid password, but should be locked. <br />
==== How to test ====<br />
<br />
==== Misconfiguration ====<br />
<br />
The below is the misconfiguration for an Apache user.<br />
<br />
Command<br />
<br />
<pre># passwd -S apache</pre><br />
<br />
Expected Output:<br />
<br />
<pre>apache P 09/07/2015 0 99999 7 -1</pre><br />
<br />
==== Remediation ====<br />
<br />
<pre># passwd -l apache </pre><br />
<br />
Validate the Configuration using the below command in Linux.<br />
<br />
<pre>#passwd -S apache</pre><br />
<br />
Expected Output:<br />
<br />
<pre>apache LK 2015-09-09 0 99999 7 -1 </pre><br />
<br />
=== Apache Directory Ownership and Permissions ===<br />
==== Description ====<br />
All of the Apache Software directories and files installed should be owned by root user and root group.This will help in mitigate <br />
exploration severity and information disclosure.<br />
<br />
Apache Web Document folders like "/var/www/html" need a designated group to allow web content to be updated.<br />
<br />
==== How to test ====<br />
<br />
Type the below command to check the User and Group associated with a file.The file varies in Between Debian,RHEL/CentOS/Fedora,FreeBSD.<br />
<br />
Example:<br />
<br />
<pre><br />
# ls -l /usr/share/apache2<br />
</pre><br />
<br />
<br />
<br />
==== Misconfiguration ====<br />
<br />
In the Below example the apache2 folder is owned by a user name "alice" and group "sysadmin" which can be considered as a misconfiguration.<br />
<br />
<pre><br />
drwxr-xr-x 6 alice sysadmin 4096 Sep 7 13:20 apache2<br />
</pre><br />
<br />
<br />
==== Remediation ====<br />
The below command will set a Directory named "apache2" with root user and root group recursively.<br />
<br />
<pre><br />
#chown –R root:root /usr/local/apache2<br />
</pre><br />
<br />
=== Apache File Ownership and Permissions ===<br />
==== Description ====<br />
Setting the appropriate permissions on the Apache files and directories can help to prevent/mitigate exploitation severity and information disclosure.<br />
<br />
Preventing execution of Apache binaries with limited permission will decrease the attack surface.<br />
<br />
Permission of the Apache directories and files should be rwxr-xr-x and they can change if it is Apache binary or executable file.<br />
<br />
==== How to test ====<br />
Run the below command to check the file permissions.<br />
<br />
<pre>#ls -l /var/www/html</pre><br />
<br />
==== Misconfiguration ====<br />
<br />
Other than rwxr-xr-x would be considered as a mis configuration.<br />
<br />
==== Remediation ====<br />
<br />
Permission of the Apache directories and files should be rwxr-xr-x and they can change if it is Apache binary or executable file.<br />
<br />
== Access Control List in Apache == <br />
=== Operating System Root directory ===<br />
==== Description ====<br />
==== How to test ====<br />
==== Misconfiguration ====<br />
==== Remediation ====<br />
<br />
<br />
=== Improper access to web content === <br />
==== Description ====<br />
==== How to test ====<br />
==== Misconfiguration ====<br />
==== Remediation ====<br />
<br />
<br />
=== Restrict OverRide for All Directories ===<br />
==== Description ====<br />
==== How to test ====<br />
==== Misconfiguration ====<br />
==== Remediation ====<br />
<br />
== Apache Features ==<br />
<br />
=== Limit HTTP Request Methods ===<br />
==== Description ====<br />
==== How to test ====<br />
==== Misconfiguration ====<br />
==== Remediation ====<br />
<br />
<br />
=== Disable HTTP Trace Method ===<br />
==== Description ====<br />
==== How to test ====<br />
==== Misconfiguration ====<br />
==== Remediation ====<br />
<br />
<br />
=== HTTP Protocol Version ===<br />
==== Description ====<br />
==== How to test ====<br />
==== Misconfiguration ====<br />
==== Remediation ====<br />
<br />
<br />
=== Restrict access to .htaccess files ===<br />
==== Description ====<br />
==== How to test ====<br />
==== Misconfiguration ====<br />
==== Remediation ====<br />
<br />
<br />
=== Restrict file extensions ===<br />
==== Description ====<br />
==== How to test ====<br />
==== Misconfiguration ====<br />
==== Remediation ====<br />
<br />
<br />
=== Remove Default HTML Page ===<br />
==== Description ====<br />
==== How to test ====<br />
==== Misconfiguration ====<br />
==== Remediation ====<br />
<br />
<br />
== Apache Module Configuration ==<br />
<br />
=== Authentication and Authorization Modules ===<br />
==== Description ====<br />
==== How to test ====<br />
==== Misconfiguration ====<br />
==== Remediation ====<br />
<br />
=== Status and Info Modules ===<br />
==== Description ====<br />
==== How to test ====<br />
==== Misconfiguration ====<br />
==== Remediation ====<br />
<br />
<br />
=== AutoIndex Module ===<br />
==== Description ====<br />
==== How to test ====<br />
==== Misconfiguration ====<br />
==== Remediation ====<br />
<br />
<br />
=== Proxy Module ===<br />
==== Description ====<br />
==== How to test ====<br />
==== Misconfiguration ====<br />
==== Remediation ====<br />
<br />
<br />
=== User Directory Moudule ===<br />
<br />
== SSL / TLS Configuration ==<br />
=== Install a valid certificate ===<br />
==== Description ====<br />
==== How to test ====<br />
==== Misconfiguration ====<br />
==== Remediation ====<br />
<br />
<br />
=== Restric weak SSL Protocols and Ciphers ===<br />
==== Description ====<br />
==== How to test ====<br />
==== Misconfiguration ====<br />
==== Remediation ====<br />
<br />
<br />
=== Install mod_ssl Module === <br />
<br />
==== Description ====<br />
==== How to test ====<br />
==== Misconfiguration ====<br />
==== Remediation ====<br />
<br />
=== Avoid Insecure SSL Renogitation ===<br />
==== Description ====<br />
==== How to test ====<br />
==== Misconfiguration ====<br />
==== Remediation ====<br />
<br />
<br />
== Attack Migigation ==<br />
=== DOS ===<br />
==== Description ====<br />
==== How to test ====<br />
==== Misconfiguration ====<br />
==== Remediation ====<br />
<br />
=== Buffer Overflow ===<br />
==== Description ====<br />
==== How to test ====<br />
==== Misconfiguration ====<br />
==== Remediation ====<br />
<br />
== References ==<br />
<br />
https://httpd.apache.org/docs/current/misc/security_tips.html<br />
<br />
https://wiki.debian.org/Apache/Hardening<br />
<br />
https://wiki.apache.org/httpd/CommonMisconfigurations<br />
<br />
http://projects.webappsec.org/w/page/13246959/Server%20Misconfiguration</div>Nishanthkumarpathihttps://wiki.owasp.org/index.php?title=SCG_WS_Apache&diff=201732SCG WS Apache2015-10-06T05:12:52Z<p>Nishanthkumarpathi: </p>
<hr />
<div>{{Template:OWASP Secure Configuration Guide}}<br />
'''NEEDS TO BE REVIEWED, SEE REFERENCES BELOW FOR ANY QUERIES!'''<br />
<br />
== Summary ==<br />
<br />
The Apache HTTP Server Project is a collaborative software development effort aimed at creating a robust, commercial-grade, featureful, and freely-available source code implementation of an HTTP (Web) server. The project is jointly managed by a group of volunteers located around the world, using the Internet and the Web to communicate, plan, and develop the server and its related documentation. This project is part of the Apache Software Foundation. In addition, hundreds of users have contributed ideas, code, and documentation to the project. This file is intended to briefly describe the history of the Apache HTTP Server and recognize the many contributors.<br />
<br />
== Important Files of Apache Server ==<br />
=== Apache Global Server Configuration Files ===<br />
<br />
Debian<br />
<pre>/etc/apache2/apache2.conf</pre><br />
RHEL / Red Hat / CentOS / Fedora Linux<br />
<pre>/etc/httpd/conf/httpd.conf</pre><br />
FreeBSD<br />
<pre>/usr/local/etc/apache2X/httpd.conf</pre><br />
<br />
Note:X represents the version number<br />
<br />
=== Apache Module Files ===<br />
Debian<pre>/etc/apache2/mods-enabled</pre><br />
RHEL / Red Hat / CentOS / Fedora Linux<pre>/etc/httpd/conf/conf.d</pre><br />
<br />
=== Apache Port Configuration File ===<br />
Debian<pre>/etc/apache2/ports.conf</pre><br />
RHEL / Red Hat / CentOS / Fedora Linux<pre>/etc/httpd/conf/conf.d</pre><br />
<br />
=== Apache Error Files ===<br />
Debian<pre>/var/log/apache2/error.log</pre><br />
RHEL / Red Hat / CentOS / Fedora Linux<pre>var/log/httpd/error_log</pre><br />
FreeBSD<pre>/var/log/httpd-error.log</pre><br />
<br />
== Apache Server Information Leakage ==<br />
<br />
=== Server Token Directive===<br />
<br />
==== Description ====<br />
<br />
This Directive Controls wheather Server response field is sent back to clients includes a description of Generic OS Type of the Server.<br />
<br />
<pre><br />
Server: Apache/2.2.14 (Unix) mod_ssl/2.2.14 OpenSSL/0.9.8e-fips-rhel5<br />
</pre><br />
<br />
This allows attackers to identify web servers details greatly and increases the efficiency of any attack,as security vulnerabilities<br />
are dependent upon specific software versions.<br />
<br />
==== How to test ====<br />
In order to test for ServerToken configuration, one should check the Apache configuration file.<br />
<br />
==== Misconfiguration ====<br />
<pre><br />
ServerTokens Full<br />
</pre><br />
<br />
==== Remediation ====<br />
<br />
Configure the ServerTokens directive in the Apache configuration to value of Prod or ProductOnly.<br />
This tells Apache to only return "Apache" in the Server header, returned on every page request.<br />
<br />
<pre><br />
ServerTokens Prod<br />
or<br />
ServerTokens ProductOnly<br />
</pre><br />
<br />
=== Server Signature ===<br />
<br />
==== Description ====<br />
<br />
This Apache directive allows the configuration of a trailing footer line under server-generated documents. <br />
<br />
==== How to test ====<br />
In order to test for ServerSignature configuration, one should check the Apache configuration file.<br />
<br />
==== Misconfiguration ====<br />
<pre>ServerSignature Off</pre><br />
<br />
==== Remediation ====<br />
Configure the ServerSingature directive in the Apache configuration to value of "Off".<br />
This tell Apache not to display the server version on error pages, or other pages it generates.<br />
<br />
<pre> ServerSignature On</pre><br />
<br />
== Operating System Privileges for Apache ==<br />
<br />
=== Run Apache with least privilege user ===<br />
<br />
==== Description ====<br />
<br />
Apache typically is started with root privileges in order to listen on port 80 and 443.<br />
One of the best ways to reduce your exposure to attack when running a web server is to create a unique, unprivileged userid and group for the web daemon to execute.<br />
The “nobody” or “daemon” userid & group that come default on Unix variants should NOT be used to run the web server as these principals are commonly used by other daemon services. <br />
Instead, create a user and group that are exclusively used by the web service so as to not give unnecessary access to other services.<br />
The userid used for the apache user should be a unique value between 1 and 499 as these lower values are reserved for the special system accounts.<br />
A more secure alternative is to bind Apache web service to an unprivileged port so it is not<br />
necessary to start Apache as root.<br />
<br />
==== How to test ====<br />
Ensure the apache account is unique and has been created with a UID between1-499 with the apache group and configured in the Apache Configuration File.<br />
<br />
==== Misconfiguration ====<br />
<br />
==== Remediation ====<br />
If the Apache user and group does exist, create the account and group as a unique system account.<br />
<br />
Example:<br />
<pre><br />
# groupadd –r apache<br />
# useradd apache -r -g apache -d /var/www -s /sbin/nologin<br />
</pre><br />
<br />
2. Configure the Apache user and group in the Apache configuration file.<br />
<pre><br />
User apache<br />
Group apache<br />
</pre><br />
<br />
=== Restrict Shell Access for Apache User=== <br />
==== Description ====<br />
The Apache account must not be used as a regular login account, and should be assigned an<br />
invalid or nologin shell to ensure that the account cannot be used to login.<br />
==== How to test ====<br />
==== Misconfiguration ====<br />
Check the apache login shell in the /etc/password file for Linux Systems.<br />
<pre># grep apache /etc/passwd</pre><br />
==== Remediation ====<br />
The below command will configure the apache user with "nologin" restrictions.<br />
<pre>#chsh -s /usr/sbin/nologin apache</pre><br />
Expected Output<br />
<pre><br />
Command to chec:<br />
#cat/etc/passwd<br />
Expected Output:<br />
apache:x:48:48:Apache:/var/www:usr/sbin/nologin</pre><br />
<br />
=== Lock Apache user account===<br />
==== Description ====<br />
The user account under which Apache runs, should have a valid password, but should be locked. <br />
==== How to test ====<br />
<br />
==== Misconfiguration ====<br />
<br />
The below is the misconfiguration for an Apache user.<br />
<br />
Command<br />
<br />
<pre># passwd -S apache</pre><br />
<br />
Expected Output:<br />
<br />
<pre>apache P 09/07/2015 0 99999 7 -1</pre><br />
<br />
==== Remediation ====<br />
<br />
<pre># passwd -l apache </pre><br />
<br />
Validate the Configuration using the below command in Linux.<br />
<br />
<pre>#passwd -S apache</pre><br />
<br />
Expected Output:<br />
<br />
<pre>apache LK 2015-09-09 0 99999 7 -1 </pre><br />
<br />
=== Apache Directory Ownership and Permissions ===<br />
==== Description ====<br />
All of the Apache Software directories and files installed should be owned by root user and root group.This will help in mitigate <br />
exploration severity and information disclosure.<br />
<br />
Apache Web Document folders like "/var/www/html" need a designated group to allow web content to be updated.<br />
<br />
==== How to test ====<br />
<br />
Type the below command to check the User and Group associated with a file.The file varies in Between Debian,RHEL/CentOS/Fedora,FreeBSD.<br />
<br />
Example:<br />
<br />
<pre><br />
# ls -l /usr/share/apache2<br />
</pre><br />
<br />
<br />
<br />
==== Misconfiguration ====<br />
<br />
In the Below example the apache2 folder is owned by a user name "alice" and group "sysadmin" which can be considered as a misconfiguration.<br />
<br />
<pre><br />
drwxr-xr-x 6 alice sysadmin 4096 Sep 7 13:20 apache2<br />
</pre><br />
<br />
<br />
==== Remediation ====<br />
The below command will set a Directory named "apache2" with root user and root group recursively.<br />
<br />
<pre><br />
#chown –R root:root /usr/local/apache2<br />
</pre><br />
<br />
=== Apache File Ownership and Permissions ===<br />
==== Description ====<br />
==== How to test ====<br />
==== Misconfiguration ====<br />
==== Remediation ====<br />
<br />
== Access Control List in Apache == <br />
=== Operating System Root directory ===<br />
==== Description ====<br />
==== How to test ====<br />
==== Misconfiguration ====<br />
==== Remediation ====<br />
<br />
<br />
=== Improper access to web content === <br />
==== Description ====<br />
==== How to test ====<br />
==== Misconfiguration ====<br />
==== Remediation ====<br />
<br />
<br />
=== Restrict OverRide for All Directories ===<br />
==== Description ====<br />
==== How to test ====<br />
==== Misconfiguration ====<br />
==== Remediation ====<br />
<br />
== Apache Features ==<br />
<br />
=== Limit HTTP Request Methods ===<br />
==== Description ====<br />
==== How to test ====<br />
==== Misconfiguration ====<br />
==== Remediation ====<br />
<br />
<br />
=== Disable HTTP Trace Method ===<br />
==== Description ====<br />
==== How to test ====<br />
==== Misconfiguration ====<br />
==== Remediation ====<br />
<br />
<br />
=== HTTP Protocol Version ===<br />
==== Description ====<br />
==== How to test ====<br />
==== Misconfiguration ====<br />
==== Remediation ====<br />
<br />
<br />
=== Restrict access to .htaccess files ===<br />
==== Description ====<br />
==== How to test ====<br />
==== Misconfiguration ====<br />
==== Remediation ====<br />
<br />
<br />
=== Restrict file extensions ===<br />
==== Description ====<br />
==== How to test ====<br />
==== Misconfiguration ====<br />
==== Remediation ====<br />
<br />
<br />
=== Remove Default HTML Page ===<br />
==== Description ====<br />
==== How to test ====<br />
==== Misconfiguration ====<br />
==== Remediation ====<br />
<br />
<br />
== Apache Module Configuration ==<br />
<br />
=== Authentication and Authorization Modules ===<br />
==== Description ====<br />
==== How to test ====<br />
==== Misconfiguration ====<br />
==== Remediation ====<br />
<br />
=== Status and Info Modules ===<br />
==== Description ====<br />
==== How to test ====<br />
==== Misconfiguration ====<br />
==== Remediation ====<br />
<br />
<br />
=== AutoIndex Module ===<br />
==== Description ====<br />
==== How to test ====<br />
==== Misconfiguration ====<br />
==== Remediation ====<br />
<br />
<br />
=== Proxy Module ===<br />
==== Description ====<br />
==== How to test ====<br />
==== Misconfiguration ====<br />
==== Remediation ====<br />
<br />
<br />
=== User Directory Moudule ===<br />
<br />
== SSL / TLS Configuration ==<br />
=== Install a valid certificate ===<br />
==== Description ====<br />
==== How to test ====<br />
==== Misconfiguration ====<br />
==== Remediation ====<br />
<br />
<br />
=== Restric weak SSL Protocols and Ciphers ===<br />
==== Description ====<br />
==== How to test ====<br />
==== Misconfiguration ====<br />
==== Remediation ====<br />
<br />
<br />
=== Install mod_ssl Module === <br />
<br />
==== Description ====<br />
==== How to test ====<br />
==== Misconfiguration ====<br />
==== Remediation ====<br />
<br />
=== Avoid Insecure SSL Renogitation ===<br />
==== Description ====<br />
==== How to test ====<br />
==== Misconfiguration ====<br />
==== Remediation ====<br />
<br />
<br />
== Attack Migigation ==<br />
=== DOS ===<br />
==== Description ====<br />
==== How to test ====<br />
==== Misconfiguration ====<br />
==== Remediation ====<br />
<br />
=== Buffer Overflow ===<br />
==== Description ====<br />
==== How to test ====<br />
==== Misconfiguration ====<br />
==== Remediation ====<br />
<br />
== References ==<br />
<br />
https://httpd.apache.org/docs/current/misc/security_tips.html<br />
<br />
https://wiki.debian.org/Apache/Hardening<br />
<br />
https://wiki.apache.org/httpd/CommonMisconfigurations<br />
<br />
http://projects.webappsec.org/w/page/13246959/Server%20Misconfiguration</div>Nishanthkumarpathihttps://wiki.owasp.org/index.php?title=SCG_WS_Apache&diff=201731SCG WS Apache2015-10-06T05:11:55Z<p>Nishanthkumarpathi: </p>
<hr />
<div>{{Template:OWASP Secure Configuration Guide}}<br />
'''NEEDS TO BE REVIEWED, SEE REFERENCES BELOW FOR A GOOD MATERIAL!'''<br />
<br />
== Summary ==<br />
<br />
The Apache HTTP Server Project is a collaborative software development effort aimed at creating a robust, commercial-grade, featureful, and freely-available source code implementation of an HTTP (Web) server. The project is jointly managed by a group of volunteers located around the world, using the Internet and the Web to communicate, plan, and develop the server and its related documentation. This project is part of the Apache Software Foundation. In addition, hundreds of users have contributed ideas, code, and documentation to the project. This file is intended to briefly describe the history of the Apache HTTP Server and recognize the many contributors.<br />
<br />
== Important Files of Apache Server ==<br />
=== Apache Global Server Configuration Files ===<br />
<br />
Debian<br />
<pre>/etc/apache2/apache2.conf</pre><br />
RHEL / Red Hat / CentOS / Fedora Linux<br />
<pre>/etc/httpd/conf/httpd.conf</pre><br />
FreeBSD<br />
<pre>/usr/local/etc/apache2X/httpd.conf</pre><br />
<br />
Note:X represents the version number<br />
<br />
=== Apache Module Files ===<br />
Debian<pre>/etc/apache2/mods-enabled</pre><br />
RHEL / Red Hat / CentOS / Fedora Linux<pre>/etc/httpd/conf/conf.d</pre><br />
<br />
=== Apache Port Configuration File ===<br />
Debian<pre>/etc/apache2/ports.conf</pre><br />
RHEL / Red Hat / CentOS / Fedora Linux<pre>/etc/httpd/conf/conf.d</pre><br />
<br />
=== Apache Error Files ===<br />
Debian<pre>/var/log/apache2/error.log</pre><br />
RHEL / Red Hat / CentOS / Fedora Linux<pre>var/log/httpd/error_log</pre><br />
FreeBSD<pre>/var/log/httpd-error.log</pre><br />
<br />
== Apache Server Information Leakage ==<br />
<br />
=== Server Token Directive===<br />
<br />
==== Description ====<br />
<br />
This Directive Controls wheather Server response field is sent back to clients includes a description of Generic OS Type of the Server.<br />
<br />
<pre><br />
Server: Apache/2.2.14 (Unix) mod_ssl/2.2.14 OpenSSL/0.9.8e-fips-rhel5<br />
</pre><br />
<br />
This allows attackers to identify web servers details greatly and increases the efficiency of any attack,as security vulnerabilities<br />
are dependent upon specific software versions.<br />
<br />
==== How to test ====<br />
In order to test for ServerToken configuration, one should check the Apache configuration file.<br />
<br />
==== Misconfiguration ====<br />
<pre><br />
ServerTokens Full<br />
</pre><br />
<br />
==== Remediation ====<br />
<br />
Configure the ServerTokens directive in the Apache configuration to value of Prod or ProductOnly.<br />
This tells Apache to only return "Apache" in the Server header, returned on every page request.<br />
<br />
<pre><br />
ServerTokens Prod<br />
or<br />
ServerTokens ProductOnly<br />
</pre><br />
<br />
=== Server Signature ===<br />
<br />
==== Description ====<br />
<br />
This Apache directive allows the configuration of a trailing footer line under server-generated documents. <br />
<br />
==== How to test ====<br />
In order to test for ServerSignature configuration, one should check the Apache configuration file.<br />
<br />
==== Misconfiguration ====<br />
<pre>ServerSignature Off</pre><br />
<br />
==== Remediation ====<br />
Configure the ServerSingature directive in the Apache configuration to value of "Off".<br />
This tell Apache not to display the server version on error pages, or other pages it generates.<br />
<br />
<pre> ServerSignature On</pre><br />
<br />
== Operating System Privileges for Apache ==<br />
<br />
=== Run Apache with least privilege user ===<br />
<br />
==== Description ====<br />
<br />
Apache typically is started with root privileges in order to listen on port 80 and 443.<br />
One of the best ways to reduce your exposure to attack when running a web server is to create a unique, unprivileged userid and group for the web daemon to execute.<br />
The “nobody” or “daemon” userid & group that come default on Unix variants should NOT be used to run the web server as these principals are commonly used by other daemon services. <br />
Instead, create a user and group that are exclusively used by the web service so as to not give unnecessary access to other services.<br />
The userid used for the apache user should be a unique value between 1 and 499 as these lower values are reserved for the special system accounts.<br />
A more secure alternative is to bind Apache web service to an unprivileged port so it is not<br />
necessary to start Apache as root.<br />
<br />
==== How to test ====<br />
Ensure the apache account is unique and has been created with a UID between1-499 with the apache group and configured in the Apache Configuration File.<br />
<br />
==== Misconfiguration ====<br />
<br />
==== Remediation ====<br />
If the Apache user and group does exist, create the account and group as a unique system account.<br />
<br />
Example:<br />
<pre><br />
# groupadd –r apache<br />
# useradd apache -r -g apache -d /var/www -s /sbin/nologin<br />
</pre><br />
<br />
2. Configure the Apache user and group in the Apache configuration file.<br />
<pre><br />
User apache<br />
Group apache<br />
</pre><br />
<br />
=== Restrict Shell Access for Apache User=== <br />
==== Description ====<br />
The Apache account must not be used as a regular login account, and should be assigned an<br />
invalid or nologin shell to ensure that the account cannot be used to login.<br />
==== How to test ====<br />
==== Misconfiguration ====<br />
Check the apache login shell in the /etc/password file for Linux Systems.<br />
<pre># grep apache /etc/passwd</pre><br />
==== Remediation ====<br />
The below command will configure the apache user with "nologin" restrictions.<br />
<pre>#chsh -s /usr/sbin/nologin apache</pre><br />
Expected Output<br />
<pre><br />
Command to chec:<br />
#cat/etc/passwd<br />
Expected Output:<br />
apache:x:48:48:Apache:/var/www:usr/sbin/nologin</pre><br />
<br />
=== Lock Apache user account===<br />
==== Description ====<br />
The user account under which Apache runs, should have a valid password, but should be locked. <br />
==== How to test ====<br />
<br />
==== Misconfiguration ====<br />
<br />
The below is the misconfiguration for an Apache user.<br />
<br />
Command<br />
<br />
<pre># passwd -S apache</pre><br />
<br />
Expected Output:<br />
<br />
<pre>apache P 09/07/2015 0 99999 7 -1</pre><br />
<br />
==== Remediation ====<br />
<br />
<pre># passwd -l apache </pre><br />
<br />
Validate the Configuration using the below command in Linux.<br />
<br />
<pre>#passwd -S apache</pre><br />
<br />
Expected Output:<br />
<br />
<pre>apache LK 2015-09-09 0 99999 7 -1 </pre><br />
<br />
=== Apache Directory Ownership and Permissions ===<br />
==== Description ====<br />
All of the Apache Software directories and files installed should be owned by root user and root group.This will help in mitigate <br />
exploration severity and information disclosure.<br />
<br />
Apache Web Document folders like "/var/www/html" need a designated group to allow web content to be updated.<br />
<br />
==== How to test ====<br />
<br />
Type the below command to check the User and Group associated with a file.The file varies in Between Debian,RHEL/CentOS/Fedora,FreeBSD.<br />
<br />
Example:<br />
<br />
<pre><br />
# ls -l /usr/share/apache2<br />
</pre><br />
<br />
<br />
<br />
==== Misconfiguration ====<br />
<br />
In the Below example the apache2 folder is owned by a user name "alice" and group "sysadmin" which can be considered as a misconfiguration.<br />
<br />
<pre><br />
drwxr-xr-x 6 alice sysadmin 4096 Sep 7 13:20 apache2<br />
</pre><br />
<br />
<br />
==== Remediation ====<br />
The below command will set a Directory named "apache2" with root user and root group recursively.<br />
<br />
<pre><br />
#chown –R root:root /usr/local/apache2<br />
</pre><br />
<br />
=== Apache File Ownership and Permissions ===<br />
==== Description ====<br />
==== How to test ====<br />
==== Misconfiguration ====<br />
==== Remediation ====<br />
<br />
== Access Control List in Apache == <br />
=== Operating System Root directory ===<br />
==== Description ====<br />
==== How to test ====<br />
==== Misconfiguration ====<br />
==== Remediation ====<br />
<br />
<br />
=== Improper access to web content === <br />
==== Description ====<br />
==== How to test ====<br />
==== Misconfiguration ====<br />
==== Remediation ====<br />
<br />
<br />
=== Restrict OverRide for All Directories ===<br />
==== Description ====<br />
==== How to test ====<br />
==== Misconfiguration ====<br />
==== Remediation ====<br />
<br />
== Apache Features ==<br />
<br />
=== Limit HTTP Request Methods ===<br />
==== Description ====<br />
==== How to test ====<br />
==== Misconfiguration ====<br />
==== Remediation ====<br />
<br />
<br />
=== Disable HTTP Trace Method ===<br />
==== Description ====<br />
==== How to test ====<br />
==== Misconfiguration ====<br />
==== Remediation ====<br />
<br />
<br />
=== HTTP Protocol Version ===<br />
==== Description ====<br />
==== How to test ====<br />
==== Misconfiguration ====<br />
==== Remediation ====<br />
<br />
<br />
=== Restrict access to .htaccess files ===<br />
==== Description ====<br />
==== How to test ====<br />
==== Misconfiguration ====<br />
==== Remediation ====<br />
<br />
<br />
=== Restrict file extensions ===<br />
==== Description ====<br />
==== How to test ====<br />
==== Misconfiguration ====<br />
==== Remediation ====<br />
<br />
<br />
=== Remove Default HTML Page ===<br />
==== Description ====<br />
==== How to test ====<br />
==== Misconfiguration ====<br />
==== Remediation ====<br />
<br />
<br />
== Apache Module Configuration ==<br />
<br />
=== Authentication and Authorization Modules ===<br />
==== Description ====<br />
==== How to test ====<br />
==== Misconfiguration ====<br />
==== Remediation ====<br />
<br />
=== Status and Info Modules ===<br />
==== Description ====<br />
==== How to test ====<br />
==== Misconfiguration ====<br />
==== Remediation ====<br />
<br />
<br />
=== AutoIndex Module ===<br />
==== Description ====<br />
==== How to test ====<br />
==== Misconfiguration ====<br />
==== Remediation ====<br />
<br />
<br />
=== Proxy Module ===<br />
==== Description ====<br />
==== How to test ====<br />
==== Misconfiguration ====<br />
==== Remediation ====<br />
<br />
<br />
=== User Directory Moudule ===<br />
<br />
== SSL / TLS Configuration ==<br />
=== Install a valid certificate ===<br />
==== Description ====<br />
==== How to test ====<br />
==== Misconfiguration ====<br />
==== Remediation ====<br />
<br />
<br />
=== Restric weak SSL Protocols and Ciphers ===<br />
==== Description ====<br />
==== How to test ====<br />
==== Misconfiguration ====<br />
==== Remediation ====<br />
<br />
<br />
=== Install mod_ssl Module === <br />
<br />
==== Description ====<br />
==== How to test ====<br />
==== Misconfiguration ====<br />
==== Remediation ====<br />
<br />
=== Avoid Insecure SSL Renogitation ===<br />
==== Description ====<br />
==== How to test ====<br />
==== Misconfiguration ====<br />
==== Remediation ====<br />
<br />
<br />
== Attack Migigation ==<br />
=== DOS ===<br />
==== Description ====<br />
==== How to test ====<br />
==== Misconfiguration ====<br />
==== Remediation ====<br />
<br />
=== Buffer Overflow ===<br />
==== Description ====<br />
==== How to test ====<br />
==== Misconfiguration ====<br />
==== Remediation ====<br />
<br />
== References ==<br />
<br />
https://httpd.apache.org/docs/current/misc/security_tips.html<br />
<br />
https://wiki.debian.org/Apache/Hardening<br />
<br />
https://wiki.apache.org/httpd/CommonMisconfigurations<br />
<br />
http://projects.webappsec.org/w/page/13246959/Server%20Misconfiguration</div>Nishanthkumarpathihttps://wiki.owasp.org/index.php?title=SCG_WS_Apache&diff=201730SCG WS Apache2015-10-06T05:04:31Z<p>Nishanthkumarpathi: /* Lock Apache user account */</p>
<hr />
<div>{{Template:OWASP Secure Configuration Guide}}<br />
<br />
== Summary ==<br />
<br />
The Apache HTTP Server Project is a collaborative software development effort aimed at creating a robust, commercial-grade, featureful, and freely-available source code implementation of an HTTP (Web) server. The project is jointly managed by a group of volunteers located around the world, using the Internet and the Web to communicate, plan, and develop the server and its related documentation. This project is part of the Apache Software Foundation. In addition, hundreds of users have contributed ideas, code, and documentation to the project. This file is intended to briefly describe the history of the Apache HTTP Server and recognize the many contributors.<br />
<br />
== Important Files of Apache Server ==<br />
=== Apache Global Server Configuration Files ===<br />
<br />
Debian<br />
<pre>/etc/apache2/apache2.conf</pre><br />
RHEL / Red Hat / CentOS / Fedora Linux<br />
<pre>/etc/httpd/conf/httpd.conf</pre><br />
FreeBSD<br />
<pre>/usr/local/etc/apache2X/httpd.conf</pre><br />
<br />
Note:X represents the version number<br />
<br />
=== Apache Module Files ===<br />
Debian<pre>/etc/apache2/mods-enabled</pre><br />
RHEL / Red Hat / CentOS / Fedora Linux<pre>/etc/httpd/conf/conf.d</pre><br />
<br />
=== Apache Port Configuration File ===<br />
Debian<pre>/etc/apache2/ports.conf</pre><br />
RHEL / Red Hat / CentOS / Fedora Linux<pre>/etc/httpd/conf/conf.d</pre><br />
<br />
=== Apache Error Files ===<br />
Debian<pre>/var/log/apache2/error.log</pre><br />
RHEL / Red Hat / CentOS / Fedora Linux<pre>var/log/httpd/error_log</pre><br />
FreeBSD<pre>/var/log/httpd-error.log</pre><br />
<br />
== Apache Server Information Leakage ==<br />
<br />
=== Server Token Directive===<br />
<br />
==== Description ====<br />
<br />
This Directive Controls wheather Server response field is sent back to clients includes a description of Generic OS Type of the Server.<br />
<br />
<pre><br />
Server: Apache/2.2.14 (Unix) mod_ssl/2.2.14 OpenSSL/0.9.8e-fips-rhel5<br />
</pre><br />
<br />
This allows attackers to identify web servers details greatly and increases the efficiency of any attack,as security vulnerabilities<br />
are dependent upon specific software versions.<br />
<br />
==== How to test ====<br />
In order to test for ServerToken configuration, one should check the Apache configuration file.<br />
<br />
==== Misconfiguration ====<br />
<pre><br />
ServerTokens Full<br />
</pre><br />
<br />
==== Remediation ====<br />
<br />
Configure the ServerTokens directive in the Apache configuration to value of Prod or ProductOnly.<br />
This tells Apache to only return "Apache" in the Server header, returned on every page request.<br />
<br />
<pre><br />
ServerTokens Prod<br />
or<br />
ServerTokens ProductOnly<br />
</pre><br />
<br />
=== Server Signature ===<br />
<br />
==== Description ====<br />
<br />
This Apache directive allows the configuration of a trailing footer line under server-generated documents. <br />
<br />
==== How to test ====<br />
In order to test for ServerSignature configuration, one should check the Apache configuration file.<br />
<br />
==== Misconfiguration ====<br />
<pre>ServerSignature Off</pre><br />
<br />
==== Remediation ====<br />
Configure the ServerSingature directive in the Apache configuration to value of "Off".<br />
This tell Apache not to display the server version on error pages, or other pages it generates.<br />
<br />
<pre> ServerSignature On</pre><br />
<br />
== Operating System Privileges for Apache ==<br />
<br />
=== Run Apache with least privilege user ===<br />
<br />
==== Description ====<br />
<br />
Apache typically is started with root privileges in order to listen on port 80 and 443.<br />
One of the best ways to reduce your exposure to attack when running a web server is to create a unique, unprivileged userid and group for the web daemon to execute.<br />
The “nobody” or “daemon” userid & group that come default on Unix variants should NOT be used to run the web server as these principals are commonly used by other daemon services. <br />
Instead, create a user and group that are exclusively used by the web service so as to not give unnecessary access to other services.<br />
The userid used for the apache user should be a unique value between 1 and 499 as these lower values are reserved for the special system accounts.<br />
A more secure alternative is to bind Apache web service to an unprivileged port so it is not<br />
necessary to start Apache as root.<br />
<br />
==== How to test ====<br />
Ensure the apache account is unique and has been created with a UID between1-499 with the apache group and configured in the Apache Configuration File.<br />
<br />
==== Misconfiguration ====<br />
<br />
==== Remediation ====<br />
If the Apache user and group does exist, create the account and group as a unique system account.<br />
<br />
Example:<br />
<pre><br />
# groupadd –r apache<br />
# useradd apache -r -g apache -d /var/www -s /sbin/nologin<br />
</pre><br />
<br />
2. Configure the Apache user and group in the Apache configuration file.<br />
<pre><br />
User apache<br />
Group apache<br />
</pre><br />
<br />
=== Restrict Shell Access for Apache User=== <br />
==== Description ====<br />
The Apache account must not be used as a regular login account, and should be assigned an<br />
invalid or nologin shell to ensure that the account cannot be used to login.<br />
==== How to test ====<br />
==== Misconfiguration ====<br />
Check the apache login shell in the /etc/password file for Linux Systems.<br />
<pre># grep apache /etc/passwd</pre><br />
==== Remediation ====<br />
The below command will configure the apache user with "nologin" restrictions.<br />
<pre>#chsh -s /usr/sbin/nologin apache</pre><br />
Expected Output<br />
<pre><br />
Command to chec:<br />
#cat/etc/passwd<br />
Expected Output:<br />
apache:x:48:48:Apache:/var/www:usr/sbin/nologin</pre><br />
<br />
=== Lock Apache user account===<br />
==== Description ====<br />
The user account under which Apache runs, should have a valid password, but should be locked. <br />
==== How to test ====<br />
<br />
==== Misconfiguration ====<br />
<br />
The below is the misconfiguration for an Apache user.<br />
<br />
Command<br />
<br />
<pre># passwd -S apache</pre><br />
<br />
Expected Output:<br />
<br />
<pre>apache P 09/07/2015 0 99999 7 -1</pre><br />
<br />
==== Remediation ====<br />
<br />
<pre># passwd -l apache </pre><br />
<br />
Validate the Configuration using the below command in Linux.<br />
<br />
<pre>#passwd -S apache</pre><br />
<br />
Expected Output:<br />
<br />
<pre>apache LK 2015-09-09 0 99999 7 -1 </pre><br />
<br />
=== Apache Directory Ownership and Permissions ===<br />
==== Description ====<br />
All of the Apache Software directories and files installed should be owned by root user and root group.This will help in mitigate <br />
exploration severity and information disclosure.<br />
<br />
Apache Web Document folders like "/var/www/html" need a designated group to allow web content to be updated.<br />
<br />
==== How to test ====<br />
<br />
Type the below command to check the User and Group associated with a file.The file varies in Between Debian,RHEL/CentOS/Fedora,FreeBSD.<br />
<br />
Example:<br />
<br />
<pre><br />
# ls -l /usr/share/apache2<br />
</pre><br />
<br />
<br />
<br />
==== Misconfiguration ====<br />
<br />
In the Below example the apache2 folder is owned by a user name "alice" and group "sysadmin" which can be considered as a misconfiguration.<br />
<br />
<pre><br />
drwxr-xr-x 6 alice sysadmin 4096 Sep 7 13:20 apache2<br />
</pre><br />
<br />
<br />
==== Remediation ====<br />
The below command will set a Directory named "apache2" with root user and root group recursively.<br />
<br />
<pre><br />
#chown –R root:root /usr/local/apache2<br />
</pre><br />
<br />
=== Apache File Ownership and Permissions ===<br />
==== Description ====<br />
==== How to test ====<br />
==== Misconfiguration ====<br />
==== Remediation ====<br />
<br />
== Access Control List in Apache == <br />
=== Operating System Root directory ===<br />
==== Description ====<br />
==== How to test ====<br />
==== Misconfiguration ====<br />
==== Remediation ====<br />
<br />
<br />
=== Improper access to web content === <br />
==== Description ====<br />
==== How to test ====<br />
==== Misconfiguration ====<br />
==== Remediation ====<br />
<br />
<br />
=== Restrict OverRide for All Directories ===<br />
==== Description ====<br />
==== How to test ====<br />
==== Misconfiguration ====<br />
==== Remediation ====<br />
<br />
== Apache Features ==<br />
<br />
=== Limit HTTP Request Methods ===<br />
==== Description ====<br />
==== How to test ====<br />
==== Misconfiguration ====<br />
==== Remediation ====<br />
<br />
<br />
=== Disable HTTP Trace Method ===<br />
==== Description ====<br />
==== How to test ====<br />
==== Misconfiguration ====<br />
==== Remediation ====<br />
<br />
<br />
=== HTTP Protocol Version ===<br />
==== Description ====<br />
==== How to test ====<br />
==== Misconfiguration ====<br />
==== Remediation ====<br />
<br />
<br />
=== Restrict access to .htaccess files ===<br />
==== Description ====<br />
==== How to test ====<br />
==== Misconfiguration ====<br />
==== Remediation ====<br />
<br />
<br />
=== Restrict file extensions ===<br />
==== Description ====<br />
==== How to test ====<br />
==== Misconfiguration ====<br />
==== Remediation ====<br />
<br />
<br />
=== Remove Default HTML Page ===<br />
==== Description ====<br />
==== How to test ====<br />
==== Misconfiguration ====<br />
==== Remediation ====<br />
<br />
<br />
== Apache Module Configuration ==<br />
<br />
=== Authentication and Authorization Modules ===<br />
==== Description ====<br />
==== How to test ====<br />
==== Misconfiguration ====<br />
==== Remediation ====<br />
<br />
=== Status and Info Modules ===<br />
==== Description ====<br />
==== How to test ====<br />
==== Misconfiguration ====<br />
==== Remediation ====<br />
<br />
<br />
=== AutoIndex Module ===<br />
==== Description ====<br />
==== How to test ====<br />
==== Misconfiguration ====<br />
==== Remediation ====<br />
<br />
<br />
=== Proxy Module ===<br />
==== Description ====<br />
==== How to test ====<br />
==== Misconfiguration ====<br />
==== Remediation ====<br />
<br />
<br />
=== User Directory Moudule ===<br />
<br />
== SSL / TLS Configuration ==<br />
=== Install a valid certificate ===<br />
==== Description ====<br />
==== How to test ====<br />
==== Misconfiguration ====<br />
==== Remediation ====<br />
<br />
<br />
=== Restric weak SSL Protocols and Ciphers ===<br />
==== Description ====<br />
==== How to test ====<br />
==== Misconfiguration ====<br />
==== Remediation ====<br />
<br />
<br />
=== Install mod_ssl Module === <br />
<br />
==== Description ====<br />
==== How to test ====<br />
==== Misconfiguration ====<br />
==== Remediation ====<br />
<br />
=== Avoid Insecure SSL Renogitation ===<br />
==== Description ====<br />
==== How to test ====<br />
==== Misconfiguration ====<br />
==== Remediation ====<br />
<br />
<br />
== Attack Migigation ==<br />
=== DOS ===<br />
==== Description ====<br />
==== How to test ====<br />
==== Misconfiguration ====<br />
==== Remediation ====<br />
<br />
=== Buffer Overflow ===<br />
==== Description ====<br />
==== How to test ====<br />
==== Misconfiguration ====<br />
==== Remediation ====<br />
<br />
== References ==<br />
<br />
https://httpd.apache.org/docs/current/misc/security_tips.html<br />
<br />
https://wiki.debian.org/Apache/Hardening<br />
<br />
https://wiki.apache.org/httpd/CommonMisconfigurations<br />
<br />
http://projects.webappsec.org/w/page/13246959/Server%20Misconfiguration</div>Nishanthkumarpathihttps://wiki.owasp.org/index.php?title=SCG_WS_Apache&diff=201729SCG WS Apache2015-10-06T04:58:27Z<p>Nishanthkumarpathi: /* Restrict Shell Access for Apache User */</p>
<hr />
<div>{{Template:OWASP Secure Configuration Guide}}<br />
<br />
== Summary ==<br />
<br />
The Apache HTTP Server Project is a collaborative software development effort aimed at creating a robust, commercial-grade, featureful, and freely-available source code implementation of an HTTP (Web) server. The project is jointly managed by a group of volunteers located around the world, using the Internet and the Web to communicate, plan, and develop the server and its related documentation. This project is part of the Apache Software Foundation. In addition, hundreds of users have contributed ideas, code, and documentation to the project. This file is intended to briefly describe the history of the Apache HTTP Server and recognize the many contributors.<br />
<br />
== Important Files of Apache Server ==<br />
=== Apache Global Server Configuration Files ===<br />
<br />
Debian<br />
<pre>/etc/apache2/apache2.conf</pre><br />
RHEL / Red Hat / CentOS / Fedora Linux<br />
<pre>/etc/httpd/conf/httpd.conf</pre><br />
FreeBSD<br />
<pre>/usr/local/etc/apache2X/httpd.conf</pre><br />
<br />
Note:X represents the version number<br />
<br />
=== Apache Module Files ===<br />
Debian<pre>/etc/apache2/mods-enabled</pre><br />
RHEL / Red Hat / CentOS / Fedora Linux<pre>/etc/httpd/conf/conf.d</pre><br />
<br />
=== Apache Port Configuration File ===<br />
Debian<pre>/etc/apache2/ports.conf</pre><br />
RHEL / Red Hat / CentOS / Fedora Linux<pre>/etc/httpd/conf/conf.d</pre><br />
<br />
=== Apache Error Files ===<br />
Debian<pre>/var/log/apache2/error.log</pre><br />
RHEL / Red Hat / CentOS / Fedora Linux<pre>var/log/httpd/error_log</pre><br />
FreeBSD<pre>/var/log/httpd-error.log</pre><br />
<br />
== Apache Server Information Leakage ==<br />
<br />
=== Server Token Directive===<br />
<br />
==== Description ====<br />
<br />
This Directive Controls wheather Server response field is sent back to clients includes a description of Generic OS Type of the Server.<br />
<br />
<pre><br />
Server: Apache/2.2.14 (Unix) mod_ssl/2.2.14 OpenSSL/0.9.8e-fips-rhel5<br />
</pre><br />
<br />
This allows attackers to identify web servers details greatly and increases the efficiency of any attack,as security vulnerabilities<br />
are dependent upon specific software versions.<br />
<br />
==== How to test ====<br />
In order to test for ServerToken configuration, one should check the Apache configuration file.<br />
<br />
==== Misconfiguration ====<br />
<pre><br />
ServerTokens Full<br />
</pre><br />
<br />
==== Remediation ====<br />
<br />
Configure the ServerTokens directive in the Apache configuration to value of Prod or ProductOnly.<br />
This tells Apache to only return "Apache" in the Server header, returned on every page request.<br />
<br />
<pre><br />
ServerTokens Prod<br />
or<br />
ServerTokens ProductOnly<br />
</pre><br />
<br />
=== Server Signature ===<br />
<br />
==== Description ====<br />
<br />
This Apache directive allows the configuration of a trailing footer line under server-generated documents. <br />
<br />
==== How to test ====<br />
In order to test for ServerSignature configuration, one should check the Apache configuration file.<br />
<br />
==== Misconfiguration ====<br />
<pre>ServerSignature Off</pre><br />
<br />
==== Remediation ====<br />
Configure the ServerSingature directive in the Apache configuration to value of "Off".<br />
This tell Apache not to display the server version on error pages, or other pages it generates.<br />
<br />
<pre> ServerSignature On</pre><br />
<br />
== Operating System Privileges for Apache ==<br />
<br />
=== Run Apache with least privilege user ===<br />
<br />
==== Description ====<br />
<br />
Apache typically is started with root privileges in order to listen on port 80 and 443.<br />
One of the best ways to reduce your exposure to attack when running a web server is to create a unique, unprivileged userid and group for the web daemon to execute.<br />
The “nobody” or “daemon” userid & group that come default on Unix variants should NOT be used to run the web server as these principals are commonly used by other daemon services. <br />
Instead, create a user and group that are exclusively used by the web service so as to not give unnecessary access to other services.<br />
The userid used for the apache user should be a unique value between 1 and 499 as these lower values are reserved for the special system accounts.<br />
A more secure alternative is to bind Apache web service to an unprivileged port so it is not<br />
necessary to start Apache as root.<br />
<br />
==== How to test ====<br />
Ensure the apache account is unique and has been created with a UID between1-499 with the apache group and configured in the Apache Configuration File.<br />
<br />
==== Misconfiguration ====<br />
<br />
==== Remediation ====<br />
If the Apache user and group does exist, create the account and group as a unique system account.<br />
<br />
Example:<br />
<pre><br />
# groupadd –r apache<br />
# useradd apache -r -g apache -d /var/www -s /sbin/nologin<br />
</pre><br />
<br />
2. Configure the Apache user and group in the Apache configuration file.<br />
<pre><br />
User apache<br />
Group apache<br />
</pre><br />
<br />
=== Restrict Shell Access for Apache User=== <br />
==== Description ====<br />
The Apache account must not be used as a regular login account, and should be assigned an<br />
invalid or nologin shell to ensure that the account cannot be used to login.<br />
==== How to test ====<br />
==== Misconfiguration ====<br />
Check the apache login shell in the /etc/password file for Linux Systems.<br />
<pre># grep apache /etc/passwd</pre><br />
==== Remediation ====<br />
The below command will configure the apache user with "nologin" restrictions.<br />
<pre>#chsh -s /usr/sbin/nologin apache</pre><br />
Expected Output<br />
<pre><br />
Command to chec:<br />
#cat/etc/passwd<br />
Expected Output:<br />
apache:x:48:48:Apache:/var/www:usr/sbin/nologin</pre><br />
<br />
=== Lock Apache user account===<br />
==== Description ====<br />
The user account under which Apache runs, should not have a valid password, but should<br />
be locked. <br />
==== How to test ====<br />
<br />
==== Misconfiguration ====<br />
<br />
==== Remediation ====<br />
<pre># passwd -l apache </pre><br />
<br />
Validate the Coonfiguration using the below command in linux.<br />
<pre>#passwd -s apache</pre><br />
Expected Output<br />
<pre>apache LK 2010-01-28 0 99999 7 -1 (Password locked.) </pre><br />
<br />
=== Apache Directory Ownership and Permissions ===<br />
==== Description ====<br />
All of the Apache Software directories and files installed should be owned by root user and root group.This will help in mitigate <br />
exploration severity and information disclosure.<br />
<br />
Apache Web Document folders like "/var/www/html" need a designated group to allow web content to be updated.<br />
<br />
==== How to test ====<br />
<br />
Type the below command to check the User and Group associated with a file.The file varies in Between Debian,RHEL/CentOS/Fedora,FreeBSD.<br />
<br />
Example:<br />
<br />
<pre><br />
# ls -l /usr/share/apache2<br />
</pre><br />
<br />
<br />
<br />
==== Misconfiguration ====<br />
<br />
In the Below example the apache2 folder is owned by a user name "alice" and group "sysadmin" which can be considered as a misconfiguration.<br />
<br />
<pre><br />
drwxr-xr-x 6 alice sysadmin 4096 Sep 7 13:20 apache2<br />
</pre><br />
<br />
<br />
==== Remediation ====<br />
The below command will set a Directory named "apache2" with root user and root group recursively.<br />
<br />
<pre><br />
#chown –R root:root /usr/local/apache2<br />
</pre><br />
<br />
=== Apache File Ownership and Permissions ===<br />
==== Description ====<br />
==== How to test ====<br />
==== Misconfiguration ====<br />
==== Remediation ====<br />
<br />
== Access Control List in Apache == <br />
=== Operating System Root directory ===<br />
==== Description ====<br />
==== How to test ====<br />
==== Misconfiguration ====<br />
==== Remediation ====<br />
<br />
<br />
=== Improper access to web content === <br />
==== Description ====<br />
==== How to test ====<br />
==== Misconfiguration ====<br />
==== Remediation ====<br />
<br />
<br />
=== Restrict OverRide for All Directories ===<br />
==== Description ====<br />
==== How to test ====<br />
==== Misconfiguration ====<br />
==== Remediation ====<br />
<br />
== Apache Features ==<br />
<br />
=== Limit HTTP Request Methods ===<br />
==== Description ====<br />
==== How to test ====<br />
==== Misconfiguration ====<br />
==== Remediation ====<br />
<br />
<br />
=== Disable HTTP Trace Method ===<br />
==== Description ====<br />
==== How to test ====<br />
==== Misconfiguration ====<br />
==== Remediation ====<br />
<br />
<br />
=== HTTP Protocol Version ===<br />
==== Description ====<br />
==== How to test ====<br />
==== Misconfiguration ====<br />
==== Remediation ====<br />
<br />
<br />
=== Restrict access to .htaccess files ===<br />
==== Description ====<br />
==== How to test ====<br />
==== Misconfiguration ====<br />
==== Remediation ====<br />
<br />
<br />
=== Restrict file extensions ===<br />
==== Description ====<br />
==== How to test ====<br />
==== Misconfiguration ====<br />
==== Remediation ====<br />
<br />
<br />
=== Remove Default HTML Page ===<br />
==== Description ====<br />
==== How to test ====<br />
==== Misconfiguration ====<br />
==== Remediation ====<br />
<br />
<br />
== Apache Module Configuration ==<br />
<br />
=== Authentication and Authorization Modules ===<br />
==== Description ====<br />
==== How to test ====<br />
==== Misconfiguration ====<br />
==== Remediation ====<br />
<br />
=== Status and Info Modules ===<br />
==== Description ====<br />
==== How to test ====<br />
==== Misconfiguration ====<br />
==== Remediation ====<br />
<br />
<br />
=== AutoIndex Module ===<br />
==== Description ====<br />
==== How to test ====<br />
==== Misconfiguration ====<br />
==== Remediation ====<br />
<br />
<br />
=== Proxy Module ===<br />
==== Description ====<br />
==== How to test ====<br />
==== Misconfiguration ====<br />
==== Remediation ====<br />
<br />
<br />
=== User Directory Moudule ===<br />
<br />
== SSL / TLS Configuration ==<br />
=== Install a valid certificate ===<br />
==== Description ====<br />
==== How to test ====<br />
==== Misconfiguration ====<br />
==== Remediation ====<br />
<br />
<br />
=== Restric weak SSL Protocols and Ciphers ===<br />
==== Description ====<br />
==== How to test ====<br />
==== Misconfiguration ====<br />
==== Remediation ====<br />
<br />
<br />
=== Install mod_ssl Module === <br />
<br />
==== Description ====<br />
==== How to test ====<br />
==== Misconfiguration ====<br />
==== Remediation ====<br />
<br />
=== Avoid Insecure SSL Renogitation ===<br />
==== Description ====<br />
==== How to test ====<br />
==== Misconfiguration ====<br />
==== Remediation ====<br />
<br />
<br />
== Attack Migigation ==<br />
=== DOS ===<br />
==== Description ====<br />
==== How to test ====<br />
==== Misconfiguration ====<br />
==== Remediation ====<br />
<br />
=== Buffer Overflow ===<br />
==== Description ====<br />
==== How to test ====<br />
==== Misconfiguration ====<br />
==== Remediation ====<br />
<br />
== References ==<br />
<br />
https://httpd.apache.org/docs/current/misc/security_tips.html<br />
<br />
https://wiki.debian.org/Apache/Hardening<br />
<br />
https://wiki.apache.org/httpd/CommonMisconfigurations<br />
<br />
http://projects.webappsec.org/w/page/13246959/Server%20Misconfiguration</div>Nishanthkumarpathihttps://wiki.owasp.org/index.php?title=SCG_WS_Apache&diff=201728SCG WS Apache2015-10-06T04:57:45Z<p>Nishanthkumarpathi: /* Remediation */</p>
<hr />
<div>{{Template:OWASP Secure Configuration Guide}}<br />
<br />
== Summary ==<br />
<br />
The Apache HTTP Server Project is a collaborative software development effort aimed at creating a robust, commercial-grade, featureful, and freely-available source code implementation of an HTTP (Web) server. The project is jointly managed by a group of volunteers located around the world, using the Internet and the Web to communicate, plan, and develop the server and its related documentation. This project is part of the Apache Software Foundation. In addition, hundreds of users have contributed ideas, code, and documentation to the project. This file is intended to briefly describe the history of the Apache HTTP Server and recognize the many contributors.<br />
<br />
== Important Files of Apache Server ==<br />
=== Apache Global Server Configuration Files ===<br />
<br />
Debian<br />
<pre>/etc/apache2/apache2.conf</pre><br />
RHEL / Red Hat / CentOS / Fedora Linux<br />
<pre>/etc/httpd/conf/httpd.conf</pre><br />
FreeBSD<br />
<pre>/usr/local/etc/apache2X/httpd.conf</pre><br />
<br />
Note:X represents the version number<br />
<br />
=== Apache Module Files ===<br />
Debian<pre>/etc/apache2/mods-enabled</pre><br />
RHEL / Red Hat / CentOS / Fedora Linux<pre>/etc/httpd/conf/conf.d</pre><br />
<br />
=== Apache Port Configuration File ===<br />
Debian<pre>/etc/apache2/ports.conf</pre><br />
RHEL / Red Hat / CentOS / Fedora Linux<pre>/etc/httpd/conf/conf.d</pre><br />
<br />
=== Apache Error Files ===<br />
Debian<pre>/var/log/apache2/error.log</pre><br />
RHEL / Red Hat / CentOS / Fedora Linux<pre>var/log/httpd/error_log</pre><br />
FreeBSD<pre>/var/log/httpd-error.log</pre><br />
<br />
== Apache Server Information Leakage ==<br />
<br />
=== Server Token Directive===<br />
<br />
==== Description ====<br />
<br />
This Directive Controls wheather Server response field is sent back to clients includes a description of Generic OS Type of the Server.<br />
<br />
<pre><br />
Server: Apache/2.2.14 (Unix) mod_ssl/2.2.14 OpenSSL/0.9.8e-fips-rhel5<br />
</pre><br />
<br />
This allows attackers to identify web servers details greatly and increases the efficiency of any attack,as security vulnerabilities<br />
are dependent upon specific software versions.<br />
<br />
==== How to test ====<br />
In order to test for ServerToken configuration, one should check the Apache configuration file.<br />
<br />
==== Misconfiguration ====<br />
<pre><br />
ServerTokens Full<br />
</pre><br />
<br />
==== Remediation ====<br />
<br />
Configure the ServerTokens directive in the Apache configuration to value of Prod or ProductOnly.<br />
This tells Apache to only return "Apache" in the Server header, returned on every page request.<br />
<br />
<pre><br />
ServerTokens Prod<br />
or<br />
ServerTokens ProductOnly<br />
</pre><br />
<br />
=== Server Signature ===<br />
<br />
==== Description ====<br />
<br />
This Apache directive allows the configuration of a trailing footer line under server-generated documents. <br />
<br />
==== How to test ====<br />
In order to test for ServerSignature configuration, one should check the Apache configuration file.<br />
<br />
==== Misconfiguration ====<br />
<pre>ServerSignature Off</pre><br />
<br />
==== Remediation ====<br />
Configure the ServerSingature directive in the Apache configuration to value of "Off".<br />
This tell Apache not to display the server version on error pages, or other pages it generates.<br />
<br />
<pre> ServerSignature On</pre><br />
<br />
== Operating System Privileges for Apache ==<br />
<br />
=== Run Apache with least privilege user ===<br />
<br />
==== Description ====<br />
<br />
Apache typically is started with root privileges in order to listen on port 80 and 443.<br />
One of the best ways to reduce your exposure to attack when running a web server is to create a unique, unprivileged userid and group for the web daemon to execute.<br />
The “nobody” or “daemon” userid & group that come default on Unix variants should NOT be used to run the web server as these principals are commonly used by other daemon services. <br />
Instead, create a user and group that are exclusively used by the web service so as to not give unnecessary access to other services.<br />
The userid used for the apache user should be a unique value between 1 and 499 as these lower values are reserved for the special system accounts.<br />
A more secure alternative is to bind Apache web service to an unprivileged port so it is not<br />
necessary to start Apache as root.<br />
<br />
==== How to test ====<br />
Ensure the apache account is unique and has been created with a UID between1-499 with the apache group and configured in the Apache Configuration File.<br />
<br />
==== Misconfiguration ====<br />
<br />
==== Remediation ====<br />
If the Apache user and group does exist, create the account and group as a unique system account.<br />
<br />
Example:<br />
<pre><br />
# groupadd –r apache<br />
# useradd apache -r -g apache -d /var/www -s /sbin/nologin<br />
</pre><br />
<br />
2. Configure the Apache user and group in the Apache configuration file.<br />
<pre><br />
User apache<br />
Group apache<br />
</pre><br />
<br />
=== Restrict Shell Access for Apache User=== <br />
==== Description ====<br />
The Apache account must not be used as a regular login account, and should be assigned an<br />
invalid or nologin shell to ensure that the account cannot be used to login.<br />
==== How to test ====<br />
==== Misconfiguration ====<br />
Check the apache login shell in the /etc/password file for Linux Systems.<br />
<pre># grep apache /etc/passwd</pre><br />
<br />
<br />
==== Remediation ====<br />
The below command will configure the apache user with "nologin" restrictions.<br />
<br />
<pre>#chsh -s /usr/sbin/nologin apache</pre><br />
<br />
Expected Output<br />
<br />
<pre><br />
Command to chec:<br />
<br />
<br />
#cat/etc/passwd<br />
<br />
Expected Output:<br />
<br />
apache:x:48:48:Apache:/var/www:usr/sbin/nologin</pre><br />
<br />
=== Lock Apache user account===<br />
==== Description ====<br />
The user account under which Apache runs, should not have a valid password, but should<br />
be locked. <br />
==== How to test ====<br />
<br />
==== Misconfiguration ====<br />
<br />
==== Remediation ====<br />
<pre># passwd -l apache </pre><br />
<br />
Validate the Coonfiguration using the below command in linux.<br />
<pre>#passwd -s apache</pre><br />
Expected Output<br />
<pre>apache LK 2010-01-28 0 99999 7 -1 (Password locked.) </pre><br />
<br />
=== Apache Directory Ownership and Permissions ===<br />
==== Description ====<br />
All of the Apache Software directories and files installed should be owned by root user and root group.This will help in mitigate <br />
exploration severity and information disclosure.<br />
<br />
Apache Web Document folders like "/var/www/html" need a designated group to allow web content to be updated.<br />
<br />
==== How to test ====<br />
<br />
Type the below command to check the User and Group associated with a file.The file varies in Between Debian,RHEL/CentOS/Fedora,FreeBSD.<br />
<br />
Example:<br />
<br />
<pre><br />
# ls -l /usr/share/apache2<br />
</pre><br />
<br />
<br />
<br />
==== Misconfiguration ====<br />
<br />
In the Below example the apache2 folder is owned by a user name "alice" and group "sysadmin" which can be considered as a misconfiguration.<br />
<br />
<pre><br />
drwxr-xr-x 6 alice sysadmin 4096 Sep 7 13:20 apache2<br />
</pre><br />
<br />
<br />
==== Remediation ====<br />
The below command will set a Directory named "apache2" with root user and root group recursively.<br />
<br />
<pre><br />
#chown –R root:root /usr/local/apache2<br />
</pre><br />
<br />
=== Apache File Ownership and Permissions ===<br />
==== Description ====<br />
==== How to test ====<br />
==== Misconfiguration ====<br />
==== Remediation ====<br />
<br />
== Access Control List in Apache == <br />
=== Operating System Root directory ===<br />
==== Description ====<br />
==== How to test ====<br />
==== Misconfiguration ====<br />
==== Remediation ====<br />
<br />
<br />
=== Improper access to web content === <br />
==== Description ====<br />
==== How to test ====<br />
==== Misconfiguration ====<br />
==== Remediation ====<br />
<br />
<br />
=== Restrict OverRide for All Directories ===<br />
==== Description ====<br />
==== How to test ====<br />
==== Misconfiguration ====<br />
==== Remediation ====<br />
<br />
== Apache Features ==<br />
<br />
=== Limit HTTP Request Methods ===<br />
==== Description ====<br />
==== How to test ====<br />
==== Misconfiguration ====<br />
==== Remediation ====<br />
<br />
<br />
=== Disable HTTP Trace Method ===<br />
==== Description ====<br />
==== How to test ====<br />
==== Misconfiguration ====<br />
==== Remediation ====<br />
<br />
<br />
=== HTTP Protocol Version ===<br />
==== Description ====<br />
==== How to test ====<br />
==== Misconfiguration ====<br />
==== Remediation ====<br />
<br />
<br />
=== Restrict access to .htaccess files ===<br />
==== Description ====<br />
==== How to test ====<br />
==== Misconfiguration ====<br />
==== Remediation ====<br />
<br />
<br />
=== Restrict file extensions ===<br />
==== Description ====<br />
==== How to test ====<br />
==== Misconfiguration ====<br />
==== Remediation ====<br />
<br />
<br />
=== Remove Default HTML Page ===<br />
==== Description ====<br />
==== How to test ====<br />
==== Misconfiguration ====<br />
==== Remediation ====<br />
<br />
<br />
== Apache Module Configuration ==<br />
<br />
=== Authentication and Authorization Modules ===<br />
==== Description ====<br />
==== How to test ====<br />
==== Misconfiguration ====<br />
==== Remediation ====<br />
<br />
=== Status and Info Modules ===<br />
==== Description ====<br />
==== How to test ====<br />
==== Misconfiguration ====<br />
==== Remediation ====<br />
<br />
<br />
=== AutoIndex Module ===<br />
==== Description ====<br />
==== How to test ====<br />
==== Misconfiguration ====<br />
==== Remediation ====<br />
<br />
<br />
=== Proxy Module ===<br />
==== Description ====<br />
==== How to test ====<br />
==== Misconfiguration ====<br />
==== Remediation ====<br />
<br />
<br />
=== User Directory Moudule ===<br />
<br />
== SSL / TLS Configuration ==<br />
=== Install a valid certificate ===<br />
==== Description ====<br />
==== How to test ====<br />
==== Misconfiguration ====<br />
==== Remediation ====<br />
<br />
<br />
=== Restric weak SSL Protocols and Ciphers ===<br />
==== Description ====<br />
==== How to test ====<br />
==== Misconfiguration ====<br />
==== Remediation ====<br />
<br />
<br />
=== Install mod_ssl Module === <br />
<br />
==== Description ====<br />
==== How to test ====<br />
==== Misconfiguration ====<br />
==== Remediation ====<br />
<br />
=== Avoid Insecure SSL Renogitation ===<br />
==== Description ====<br />
==== How to test ====<br />
==== Misconfiguration ====<br />
==== Remediation ====<br />
<br />
<br />
== Attack Migigation ==<br />
=== DOS ===<br />
==== Description ====<br />
==== How to test ====<br />
==== Misconfiguration ====<br />
==== Remediation ====<br />
<br />
=== Buffer Overflow ===<br />
==== Description ====<br />
==== How to test ====<br />
==== Misconfiguration ====<br />
==== Remediation ====<br />
<br />
== References ==<br />
<br />
https://httpd.apache.org/docs/current/misc/security_tips.html<br />
<br />
https://wiki.debian.org/Apache/Hardening<br />
<br />
https://wiki.apache.org/httpd/CommonMisconfigurations<br />
<br />
http://projects.webappsec.org/w/page/13246959/Server%20Misconfiguration</div>Nishanthkumarpathihttps://wiki.owasp.org/index.php?title=SCG_WS_Apache&diff=201727SCG WS Apache2015-10-06T04:53:34Z<p>Nishanthkumarpathi: /* Apache Directory Ownership and Permissions */</p>
<hr />
<div>{{Template:OWASP Secure Configuration Guide}}<br />
<br />
== Summary ==<br />
<br />
The Apache HTTP Server Project is a collaborative software development effort aimed at creating a robust, commercial-grade, featureful, and freely-available source code implementation of an HTTP (Web) server. The project is jointly managed by a group of volunteers located around the world, using the Internet and the Web to communicate, plan, and develop the server and its related documentation. This project is part of the Apache Software Foundation. In addition, hundreds of users have contributed ideas, code, and documentation to the project. This file is intended to briefly describe the history of the Apache HTTP Server and recognize the many contributors.<br />
<br />
== Important Files of Apache Server ==<br />
=== Apache Global Server Configuration Files ===<br />
<br />
Debian<br />
<pre>/etc/apache2/apache2.conf</pre><br />
RHEL / Red Hat / CentOS / Fedora Linux<br />
<pre>/etc/httpd/conf/httpd.conf</pre><br />
FreeBSD<br />
<pre>/usr/local/etc/apache2X/httpd.conf</pre><br />
<br />
Note:X represents the version number<br />
<br />
=== Apache Module Files ===<br />
Debian<pre>/etc/apache2/mods-enabled</pre><br />
RHEL / Red Hat / CentOS / Fedora Linux<pre>/etc/httpd/conf/conf.d</pre><br />
<br />
=== Apache Port Configuration File ===<br />
Debian<pre>/etc/apache2/ports.conf</pre><br />
RHEL / Red Hat / CentOS / Fedora Linux<pre>/etc/httpd/conf/conf.d</pre><br />
<br />
=== Apache Error Files ===<br />
Debian<pre>/var/log/apache2/error.log</pre><br />
RHEL / Red Hat / CentOS / Fedora Linux<pre>var/log/httpd/error_log</pre><br />
FreeBSD<pre>/var/log/httpd-error.log</pre><br />
<br />
== Apache Server Information Leakage ==<br />
<br />
=== Server Token Directive===<br />
<br />
==== Description ====<br />
<br />
This Directive Controls wheather Server response field is sent back to clients includes a description of Generic OS Type of the Server.<br />
<br />
<pre><br />
Server: Apache/2.2.14 (Unix) mod_ssl/2.2.14 OpenSSL/0.9.8e-fips-rhel5<br />
</pre><br />
<br />
This allows attackers to identify web servers details greatly and increases the efficiency of any attack,as security vulnerabilities<br />
are dependent upon specific software versions.<br />
<br />
==== How to test ====<br />
In order to test for ServerToken configuration, one should check the Apache configuration file.<br />
<br />
==== Misconfiguration ====<br />
<pre><br />
ServerTokens Full<br />
</pre><br />
<br />
==== Remediation ====<br />
<br />
Configure the ServerTokens directive in the Apache configuration to value of Prod or ProductOnly.<br />
This tells Apache to only return "Apache" in the Server header, returned on every page request.<br />
<br />
<pre><br />
ServerTokens Prod<br />
or<br />
ServerTokens ProductOnly<br />
</pre><br />
<br />
=== Server Signature ===<br />
<br />
==== Description ====<br />
<br />
This Apache directive allows the configuration of a trailing footer line under server-generated documents. <br />
<br />
==== How to test ====<br />
In order to test for ServerSignature configuration, one should check the Apache configuration file.<br />
<br />
==== Misconfiguration ====<br />
<pre>ServerSignature Off</pre><br />
<br />
==== Remediation ====<br />
Configure the ServerSingature directive in the Apache configuration to value of "Off".<br />
This tell Apache not to display the server version on error pages, or other pages it generates.<br />
<br />
<pre> ServerSignature On</pre><br />
<br />
== Operating System Privileges for Apache ==<br />
<br />
=== Run Apache with least privilege user ===<br />
<br />
==== Description ====<br />
<br />
Apache typically is started with root privileges in order to listen on port 80 and 443.<br />
One of the best ways to reduce your exposure to attack when running a web server is to create a unique, unprivileged userid and group for the web daemon to execute.<br />
The “nobody” or “daemon” userid & group that come default on Unix variants should NOT be used to run the web server as these principals are commonly used by other daemon services. <br />
Instead, create a user and group that are exclusively used by the web service so as to not give unnecessary access to other services.<br />
The userid used for the apache user should be a unique value between 1 and 499 as these lower values are reserved for the special system accounts.<br />
A more secure alternative is to bind Apache web service to an unprivileged port so it is not<br />
necessary to start Apache as root.<br />
<br />
==== How to test ====<br />
Ensure the apache account is unique and has been created with a UID between1-499 with the apache group and configured in the Apache Configuration File.<br />
<br />
==== Misconfiguration ====<br />
<br />
==== Remediation ====<br />
If the Apache user and group does exist, create the account and group as a unique system account.<br />
<br />
Example:<br />
<pre><br />
# groupadd –r apache<br />
# useradd apache -r -g apache -d /var/www -s /sbin/nologin<br />
</pre><br />
<br />
2. Configure the Apache user and group in the Apache configuration file.<br />
<pre><br />
User apache<br />
Group apache<br />
</pre><br />
<br />
=== Restrict Shell Access for Apache User=== <br />
==== Description ====<br />
The Apache account must not be used as a regular login account, and should be assigned an<br />
invalid or nologin shell to ensure that the account cannot be used to login.<br />
==== How to test ====<br />
==== Misconfiguration ====<br />
Check the apache login shell in the /etc/password file for Linux Systems.<br />
<pre># grep apache /etc/passwd</pre><br />
<br />
<br />
==== Remediation ====<br />
The below command will configure the apache user with "nologin" restrictions.<br />
<pre>chsh -s /sbin/nologin apache</pre><br />
Expected Output<br />
<pre>/etc/passwd:apache:x:48:48:Apache:/var/www:/sbin/nologin</pre><br />
<br />
=== Lock Apache user account===<br />
==== Description ====<br />
The user account under which Apache runs, should not have a valid password, but should<br />
be locked. <br />
==== How to test ====<br />
<br />
==== Misconfiguration ====<br />
<br />
==== Remediation ====<br />
<pre># passwd -l apache </pre><br />
<br />
Validate the Coonfiguration using the below command in linux.<br />
<pre>#passwd -s apache</pre><br />
Expected Output<br />
<pre>apache LK 2010-01-28 0 99999 7 -1 (Password locked.) </pre><br />
<br />
=== Apache Directory Ownership and Permissions ===<br />
==== Description ====<br />
All of the Apache Software directories and files installed should be owned by root user and root group.This will help in mitigate <br />
exploration severity and information disclosure.<br />
<br />
Apache Web Document folders like "/var/www/html" need a designated group to allow web content to be updated.<br />
<br />
==== How to test ====<br />
<br />
Type the below command to check the User and Group associated with a file.The file varies in Between Debian,RHEL/CentOS/Fedora,FreeBSD.<br />
<br />
Example:<br />
<br />
<pre><br />
# ls -l /usr/share/apache2<br />
</pre><br />
<br />
<br />
<br />
==== Misconfiguration ====<br />
<br />
In the Below example the apache2 folder is owned by a user name "alice" and group "sysadmin" which can be considered as a misconfiguration.<br />
<br />
<pre><br />
drwxr-xr-x 6 alice sysadmin 4096 Sep 7 13:20 apache2<br />
</pre><br />
<br />
<br />
==== Remediation ====<br />
The below command will set a Directory named "apache2" with root user and root group recursively.<br />
<br />
<pre><br />
#chown –R root:root /usr/local/apache2<br />
</pre><br />
<br />
=== Apache File Ownership and Permissions ===<br />
==== Description ====<br />
==== How to test ====<br />
==== Misconfiguration ====<br />
==== Remediation ====<br />
<br />
== Access Control List in Apache == <br />
=== Operating System Root directory ===<br />
==== Description ====<br />
==== How to test ====<br />
==== Misconfiguration ====<br />
==== Remediation ====<br />
<br />
<br />
=== Improper access to web content === <br />
==== Description ====<br />
==== How to test ====<br />
==== Misconfiguration ====<br />
==== Remediation ====<br />
<br />
<br />
=== Restrict OverRide for All Directories ===<br />
==== Description ====<br />
==== How to test ====<br />
==== Misconfiguration ====<br />
==== Remediation ====<br />
<br />
== Apache Features ==<br />
<br />
=== Limit HTTP Request Methods ===<br />
==== Description ====<br />
==== How to test ====<br />
==== Misconfiguration ====<br />
==== Remediation ====<br />
<br />
<br />
=== Disable HTTP Trace Method ===<br />
==== Description ====<br />
==== How to test ====<br />
==== Misconfiguration ====<br />
==== Remediation ====<br />
<br />
<br />
=== HTTP Protocol Version ===<br />
==== Description ====<br />
==== How to test ====<br />
==== Misconfiguration ====<br />
==== Remediation ====<br />
<br />
<br />
=== Restrict access to .htaccess files ===<br />
==== Description ====<br />
==== How to test ====<br />
==== Misconfiguration ====<br />
==== Remediation ====<br />
<br />
<br />
=== Restrict file extensions ===<br />
==== Description ====<br />
==== How to test ====<br />
==== Misconfiguration ====<br />
==== Remediation ====<br />
<br />
<br />
=== Remove Default HTML Page ===<br />
==== Description ====<br />
==== How to test ====<br />
==== Misconfiguration ====<br />
==== Remediation ====<br />
<br />
<br />
== Apache Module Configuration ==<br />
<br />
=== Authentication and Authorization Modules ===<br />
==== Description ====<br />
==== How to test ====<br />
==== Misconfiguration ====<br />
==== Remediation ====<br />
<br />
=== Status and Info Modules ===<br />
==== Description ====<br />
==== How to test ====<br />
==== Misconfiguration ====<br />
==== Remediation ====<br />
<br />
<br />
=== AutoIndex Module ===<br />
==== Description ====<br />
==== How to test ====<br />
==== Misconfiguration ====<br />
==== Remediation ====<br />
<br />
<br />
=== Proxy Module ===<br />
==== Description ====<br />
==== How to test ====<br />
==== Misconfiguration ====<br />
==== Remediation ====<br />
<br />
<br />
=== User Directory Moudule ===<br />
<br />
== SSL / TLS Configuration ==<br />
=== Install a valid certificate ===<br />
==== Description ====<br />
==== How to test ====<br />
==== Misconfiguration ====<br />
==== Remediation ====<br />
<br />
<br />
=== Restric weak SSL Protocols and Ciphers ===<br />
==== Description ====<br />
==== How to test ====<br />
==== Misconfiguration ====<br />
==== Remediation ====<br />
<br />
<br />
=== Install mod_ssl Module === <br />
<br />
==== Description ====<br />
==== How to test ====<br />
==== Misconfiguration ====<br />
==== Remediation ====<br />
<br />
=== Avoid Insecure SSL Renogitation ===<br />
==== Description ====<br />
==== How to test ====<br />
==== Misconfiguration ====<br />
==== Remediation ====<br />
<br />
<br />
== Attack Migigation ==<br />
=== DOS ===<br />
==== Description ====<br />
==== How to test ====<br />
==== Misconfiguration ====<br />
==== Remediation ====<br />
<br />
=== Buffer Overflow ===<br />
==== Description ====<br />
==== How to test ====<br />
==== Misconfiguration ====<br />
==== Remediation ====<br />
<br />
== References ==<br />
<br />
https://httpd.apache.org/docs/current/misc/security_tips.html<br />
<br />
https://wiki.debian.org/Apache/Hardening<br />
<br />
https://wiki.apache.org/httpd/CommonMisconfigurations<br />
<br />
http://projects.webappsec.org/w/page/13246959/Server%20Misconfiguration</div>Nishanthkumarpathihttps://wiki.owasp.org/index.php?title=SCG_WS_Apache&diff=201726SCG WS Apache2015-10-06T04:52:02Z<p>Nishanthkumarpathi: /* Apache Directory Ownership and Permissions */</p>
<hr />
<div>{{Template:OWASP Secure Configuration Guide}}<br />
<br />
== Summary ==<br />
<br />
The Apache HTTP Server Project is a collaborative software development effort aimed at creating a robust, commercial-grade, featureful, and freely-available source code implementation of an HTTP (Web) server. The project is jointly managed by a group of volunteers located around the world, using the Internet and the Web to communicate, plan, and develop the server and its related documentation. This project is part of the Apache Software Foundation. In addition, hundreds of users have contributed ideas, code, and documentation to the project. This file is intended to briefly describe the history of the Apache HTTP Server and recognize the many contributors.<br />
<br />
== Important Files of Apache Server ==<br />
=== Apache Global Server Configuration Files ===<br />
<br />
Debian<br />
<pre>/etc/apache2/apache2.conf</pre><br />
RHEL / Red Hat / CentOS / Fedora Linux<br />
<pre>/etc/httpd/conf/httpd.conf</pre><br />
FreeBSD<br />
<pre>/usr/local/etc/apache2X/httpd.conf</pre><br />
<br />
Note:X represents the version number<br />
<br />
=== Apache Module Files ===<br />
Debian<pre>/etc/apache2/mods-enabled</pre><br />
RHEL / Red Hat / CentOS / Fedora Linux<pre>/etc/httpd/conf/conf.d</pre><br />
<br />
=== Apache Port Configuration File ===<br />
Debian<pre>/etc/apache2/ports.conf</pre><br />
RHEL / Red Hat / CentOS / Fedora Linux<pre>/etc/httpd/conf/conf.d</pre><br />
<br />
=== Apache Error Files ===<br />
Debian<pre>/var/log/apache2/error.log</pre><br />
RHEL / Red Hat / CentOS / Fedora Linux<pre>var/log/httpd/error_log</pre><br />
FreeBSD<pre>/var/log/httpd-error.log</pre><br />
<br />
== Apache Server Information Leakage ==<br />
<br />
=== Server Token Directive===<br />
<br />
==== Description ====<br />
<br />
This Directive Controls wheather Server response field is sent back to clients includes a description of Generic OS Type of the Server.<br />
<br />
<pre><br />
Server: Apache/2.2.14 (Unix) mod_ssl/2.2.14 OpenSSL/0.9.8e-fips-rhel5<br />
</pre><br />
<br />
This allows attackers to identify web servers details greatly and increases the efficiency of any attack,as security vulnerabilities<br />
are dependent upon specific software versions.<br />
<br />
==== How to test ====<br />
In order to test for ServerToken configuration, one should check the Apache configuration file.<br />
<br />
==== Misconfiguration ====<br />
<pre><br />
ServerTokens Full<br />
</pre><br />
<br />
==== Remediation ====<br />
<br />
Configure the ServerTokens directive in the Apache configuration to value of Prod or ProductOnly.<br />
This tells Apache to only return "Apache" in the Server header, returned on every page request.<br />
<br />
<pre><br />
ServerTokens Prod<br />
or<br />
ServerTokens ProductOnly<br />
</pre><br />
<br />
=== Server Signature ===<br />
<br />
==== Description ====<br />
<br />
This Apache directive allows the configuration of a trailing footer line under server-generated documents. <br />
<br />
==== How to test ====<br />
In order to test for ServerSignature configuration, one should check the Apache configuration file.<br />
<br />
==== Misconfiguration ====<br />
<pre>ServerSignature Off</pre><br />
<br />
==== Remediation ====<br />
Configure the ServerSingature directive in the Apache configuration to value of "Off".<br />
This tell Apache not to display the server version on error pages, or other pages it generates.<br />
<br />
<pre> ServerSignature On</pre><br />
<br />
== Operating System Privileges for Apache ==<br />
<br />
=== Run Apache with least privilege user ===<br />
<br />
==== Description ====<br />
<br />
Apache typically is started with root privileges in order to listen on port 80 and 443.<br />
One of the best ways to reduce your exposure to attack when running a web server is to create a unique, unprivileged userid and group for the web daemon to execute.<br />
The “nobody” or “daemon” userid & group that come default on Unix variants should NOT be used to run the web server as these principals are commonly used by other daemon services. <br />
Instead, create a user and group that are exclusively used by the web service so as to not give unnecessary access to other services.<br />
The userid used for the apache user should be a unique value between 1 and 499 as these lower values are reserved for the special system accounts.<br />
A more secure alternative is to bind Apache web service to an unprivileged port so it is not<br />
necessary to start Apache as root.<br />
<br />
==== How to test ====<br />
Ensure the apache account is unique and has been created with a UID between1-499 with the apache group and configured in the Apache Configuration File.<br />
<br />
==== Misconfiguration ====<br />
<br />
==== Remediation ====<br />
If the Apache user and group does exist, create the account and group as a unique system account.<br />
<br />
Example:<br />
<pre><br />
# groupadd –r apache<br />
# useradd apache -r -g apache -d /var/www -s /sbin/nologin<br />
</pre><br />
<br />
2. Configure the Apache user and group in the Apache configuration file.<br />
<pre><br />
User apache<br />
Group apache<br />
</pre><br />
<br />
=== Restrict Shell Access for Apache User=== <br />
==== Description ====<br />
The Apache account must not be used as a regular login account, and should be assigned an<br />
invalid or nologin shell to ensure that the account cannot be used to login.<br />
==== How to test ====<br />
==== Misconfiguration ====<br />
Check the apache login shell in the /etc/password file for Linux Systems.<br />
<pre># grep apache /etc/passwd</pre><br />
<br />
<br />
==== Remediation ====<br />
The below command will configure the apache user with "nologin" restrictions.<br />
<pre>chsh -s /sbin/nologin apache</pre><br />
Expected Output<br />
<pre>/etc/passwd:apache:x:48:48:Apache:/var/www:/sbin/nologin</pre><br />
<br />
=== Lock Apache user account===<br />
==== Description ====<br />
The user account under which Apache runs, should not have a valid password, but should<br />
be locked. <br />
==== How to test ====<br />
<br />
==== Misconfiguration ====<br />
<br />
==== Remediation ====<br />
<pre># passwd -l apache </pre><br />
<br />
Validate the Coonfiguration using the below command in linux.<br />
<pre>#passwd -s apache</pre><br />
Expected Output<br />
<pre>apache LK 2010-01-28 0 99999 7 -1 (Password locked.) </pre><br />
<br />
=== Apache Directory Ownership and Permissions ===<br />
==== Description ====<br />
All of the Apache Software directories and files installed should be owned by root user and root group.This will help in mitigate <br />
exploration severity and information disclosure.<br />
<br />
Apache Web Document folders like "/var/www/html" need a designated group to allow web content to be updated.<br />
<br />
==== How to test ====<br />
<br />
Type the below command to check the User and Group associated with a file.The file varies in Between Debian,RHEL/CentOS/Fedora,FreeBSD.<br />
<br />
Example:<br />
<br />
<pre># ls -l /usr/share/apache2</pre><br />
<br />
<br />
<br />
==== Misconfiguration ====<br />
<br />
In the Below example the apache2 folder is owned by a user name "alice" and group "sysadmin" which can be considered as a misconfiguration.<br />
<br />
<pre><br />
drwxr-xr-x 6 alice sysadmin 4096 Sep 7 13:20 apache2<br />
</pre><br />
<br />
<br />
==== Remediation ====<br />
The below command will set a Directory named "apache2" with root user and root group recursively.<br />
<br />
<pre>#chown –R root:root /usr/local/apache2</pre><br />
<br />
=== Apache File Ownership and Permissions ===<br />
==== Description ====<br />
==== How to test ====<br />
==== Misconfiguration ====<br />
==== Remediation ====<br />
<br />
== Access Control List in Apache == <br />
=== Operating System Root directory ===<br />
==== Description ====<br />
==== How to test ====<br />
==== Misconfiguration ====<br />
==== Remediation ====<br />
<br />
<br />
=== Improper access to web content === <br />
==== Description ====<br />
==== How to test ====<br />
==== Misconfiguration ====<br />
==== Remediation ====<br />
<br />
<br />
=== Restrict OverRide for All Directories ===<br />
==== Description ====<br />
==== How to test ====<br />
==== Misconfiguration ====<br />
==== Remediation ====<br />
<br />
== Apache Features ==<br />
<br />
=== Limit HTTP Request Methods ===<br />
==== Description ====<br />
==== How to test ====<br />
==== Misconfiguration ====<br />
==== Remediation ====<br />
<br />
<br />
=== Disable HTTP Trace Method ===<br />
==== Description ====<br />
==== How to test ====<br />
==== Misconfiguration ====<br />
==== Remediation ====<br />
<br />
<br />
=== HTTP Protocol Version ===<br />
==== Description ====<br />
==== How to test ====<br />
==== Misconfiguration ====<br />
==== Remediation ====<br />
<br />
<br />
=== Restrict access to .htaccess files ===<br />
==== Description ====<br />
==== How to test ====<br />
==== Misconfiguration ====<br />
==== Remediation ====<br />
<br />
<br />
=== Restrict file extensions ===<br />
==== Description ====<br />
==== How to test ====<br />
==== Misconfiguration ====<br />
==== Remediation ====<br />
<br />
<br />
=== Remove Default HTML Page ===<br />
==== Description ====<br />
==== How to test ====<br />
==== Misconfiguration ====<br />
==== Remediation ====<br />
<br />
<br />
== Apache Module Configuration ==<br />
<br />
=== Authentication and Authorization Modules ===<br />
==== Description ====<br />
==== How to test ====<br />
==== Misconfiguration ====<br />
==== Remediation ====<br />
<br />
=== Status and Info Modules ===<br />
==== Description ====<br />
==== How to test ====<br />
==== Misconfiguration ====<br />
==== Remediation ====<br />
<br />
<br />
=== AutoIndex Module ===<br />
==== Description ====<br />
==== How to test ====<br />
==== Misconfiguration ====<br />
==== Remediation ====<br />
<br />
<br />
=== Proxy Module ===<br />
==== Description ====<br />
==== How to test ====<br />
==== Misconfiguration ====<br />
==== Remediation ====<br />
<br />
<br />
=== User Directory Moudule ===<br />
<br />
== SSL / TLS Configuration ==<br />
=== Install a valid certificate ===<br />
==== Description ====<br />
==== How to test ====<br />
==== Misconfiguration ====<br />
==== Remediation ====<br />
<br />
<br />
=== Restric weak SSL Protocols and Ciphers ===<br />
==== Description ====<br />
==== How to test ====<br />
==== Misconfiguration ====<br />
==== Remediation ====<br />
<br />
<br />
=== Install mod_ssl Module === <br />
<br />
==== Description ====<br />
==== How to test ====<br />
==== Misconfiguration ====<br />
==== Remediation ====<br />
<br />
=== Avoid Insecure SSL Renogitation ===<br />
==== Description ====<br />
==== How to test ====<br />
==== Misconfiguration ====<br />
==== Remediation ====<br />
<br />
<br />
== Attack Migigation ==<br />
=== DOS ===<br />
==== Description ====<br />
==== How to test ====<br />
==== Misconfiguration ====<br />
==== Remediation ====<br />
<br />
=== Buffer Overflow ===<br />
==== Description ====<br />
==== How to test ====<br />
==== Misconfiguration ====<br />
==== Remediation ====<br />
<br />
== References ==<br />
<br />
https://httpd.apache.org/docs/current/misc/security_tips.html<br />
<br />
https://wiki.debian.org/Apache/Hardening<br />
<br />
https://wiki.apache.org/httpd/CommonMisconfigurations<br />
<br />
http://projects.webappsec.org/w/page/13246959/Server%20Misconfiguration</div>Nishanthkumarpathihttps://wiki.owasp.org/index.php?title=SCG_WS_Apache&diff=201697SCG WS Apache2015-10-05T18:28:14Z<p>Nishanthkumarpathi: /* Lock Apache user account */</p>
<hr />
<div>{{Template:OWASP Secure Configuration Guide}}<br />
<br />
== Summary ==<br />
<br />
The Apache HTTP Server Project is a collaborative software development effort aimed at creating a robust, commercial-grade, featureful, and freely-available source code implementation of an HTTP (Web) server. The project is jointly managed by a group of volunteers located around the world, using the Internet and the Web to communicate, plan, and develop the server and its related documentation. This project is part of the Apache Software Foundation. In addition, hundreds of users have contributed ideas, code, and documentation to the project. This file is intended to briefly describe the history of the Apache HTTP Server and recognize the many contributors.<br />
<br />
== Important Files of Apache Server ==<br />
=== Apache Global Server Configuration Files ===<br />
<br />
Debian<br />
<pre>/etc/apache2/apache2.conf</pre><br />
RHEL / Red Hat / CentOS / Fedora Linux<br />
<pre>/etc/httpd/conf/httpd.conf</pre><br />
FreeBSD<br />
<pre>/usr/local/etc/apache2X/httpd.conf</pre><br />
<br />
Note:X represents the version number<br />
<br />
=== Apache Module Files ===<br />
Debian<pre>/etc/apache2/mods-enabled</pre><br />
RHEL / Red Hat / CentOS / Fedora Linux<pre>/etc/httpd/conf/conf.d</pre><br />
<br />
=== Apache Port Configuration File ===<br />
Debian<pre>/etc/apache2/ports.conf</pre><br />
RHEL / Red Hat / CentOS / Fedora Linux<pre>/etc/httpd/conf/conf.d</pre><br />
<br />
=== Apache Error Files ===<br />
Debian<pre>/var/log/apache2/error.log</pre><br />
RHEL / Red Hat / CentOS / Fedora Linux<pre>var/log/httpd/error_log</pre><br />
FreeBSD<pre>/var/log/httpd-error.log</pre><br />
<br />
== Apache Server Information Leakage ==<br />
<br />
=== Server Token Directive===<br />
<br />
==== Description ====<br />
<br />
This Directive Controls wheather Server response field is sent back to clients includes a description of Generic OS Type of the Server.<br />
<br />
<pre><br />
Server: Apache/2.2.14 (Unix) mod_ssl/2.2.14 OpenSSL/0.9.8e-fips-rhel5<br />
</pre><br />
<br />
This allows attackers to identify web servers details greatly and increases the efficiency of any attack,as security vulnerabilities<br />
are dependent upon specific software versions.<br />
<br />
==== How to test ====<br />
In order to test for ServerToken configuration, one should check the Apache configuration file.<br />
<br />
==== Misconfiguration ====<br />
<pre><br />
ServerTokens Full<br />
</pre><br />
<br />
==== Remediation ====<br />
<br />
Configure the ServerTokens directive in the Apache configuration to value of Prod or ProductOnly.<br />
This tells Apache to only return "Apache" in the Server header, returned on every page request.<br />
<br />
<pre><br />
ServerTokens Prod<br />
or<br />
ServerTokens ProductOnly<br />
</pre><br />
<br />
=== Server Signature ===<br />
<br />
==== Description ====<br />
<br />
This Apache directive allows the configuration of a trailing footer line under server-generated documents. <br />
<br />
==== How to test ====<br />
In order to test for ServerSignature configuration, one should check the Apache configuration file.<br />
<br />
==== Misconfiguration ====<br />
<pre>ServerSignature Off</pre><br />
<br />
==== Remediation ====<br />
Configure the ServerSingature directive in the Apache configuration to value of "Off".<br />
This tell Apache not to display the server version on error pages, or other pages it generates.<br />
<br />
<pre> ServerSignature On</pre><br />
<br />
== Operating System Privileges for Apache ==<br />
<br />
=== Run Apache with least privilege user ===<br />
<br />
==== Description ====<br />
<br />
Apache typically is started with root privileges in order to listen on port 80 and 443.<br />
One of the best ways to reduce your exposure to attack when running a web server is to create a unique, unprivileged userid and group for the web daemon to execute.<br />
The “nobody” or “daemon” userid & group that come default on Unix variants should NOT be used to run the web server as these principals are commonly used by other daemon services. <br />
Instead, create a user and group that are exclusively used by the web service so as to not give unnecessary access to other services.<br />
The userid used for the apache user should be a unique value between 1 and 499 as these lower values are reserved for the special system accounts.<br />
A more secure alternative is to bind Apache web service to an unprivileged port so it is not<br />
necessary to start Apache as root.<br />
<br />
==== How to test ====<br />
Ensure the apache account is unique and has been created with a UID between1-499 with the apache group and configured in the Apache Configuration File.<br />
<br />
==== Misconfiguration ====<br />
<br />
==== Remediation ====<br />
If the Apache user and group does exist, create the account and group as a unique system account.<br />
<br />
Example:<br />
<pre><br />
# groupadd –r apache<br />
# useradd apache -r -g apache -d /var/www -s /sbin/nologin<br />
</pre><br />
<br />
2. Configure the Apache user and group in the Apache configuration file.<br />
<pre><br />
User apache<br />
Group apache<br />
</pre><br />
<br />
=== Restrict Shell Access for Apache User=== <br />
==== Description ====<br />
The Apache account must not be used as a regular login account, and should be assigned an<br />
invalid or nologin shell to ensure that the account cannot be used to login.<br />
==== How to test ====<br />
==== Misconfiguration ====<br />
Check the apache login shell in the /etc/password file for Linux Systems.<br />
<pre># grep apache /etc/passwd</pre><br />
<br />
<br />
==== Remediation ====<br />
The below command will configure the apache user with "nologin" restrictions.<br />
<pre>chsh -s /sbin/nologin apache</pre><br />
Expected Output<br />
<pre>/etc/passwd:apache:x:48:48:Apache:/var/www:/sbin/nologin</pre><br />
<br />
=== Lock Apache user account===<br />
==== Description ====<br />
The user account under which Apache runs, should not have a valid password, but should<br />
be locked. <br />
==== How to test ====<br />
<br />
==== Misconfiguration ====<br />
<br />
==== Remediation ====<br />
<pre># passwd -l apache </pre><br />
<br />
Validate the Coonfiguration using the below command in linux.<br />
<pre>#passwd -s apache</pre><br />
Expected Output<br />
<pre>apache LK 2010-01-28 0 99999 7 -1 (Password locked.) </pre><br />
<br />
=== Apache Directory Ownership and Permissions ===<br />
==== Description ====<br />
==== How to test ====<br />
==== Misconfiguration ====<br />
==== Remediation ====<br />
<br />
<br />
<br />
=== Apache File Ownership and Permissions ===<br />
==== Description ====<br />
==== How to test ====<br />
==== Misconfiguration ====<br />
==== Remediation ====<br />
<br />
== Access Control List in Apache == <br />
=== Operating System Root directory ===<br />
==== Description ====<br />
==== How to test ====<br />
==== Misconfiguration ====<br />
==== Remediation ====<br />
<br />
<br />
=== Improper access to web content === <br />
==== Description ====<br />
==== How to test ====<br />
==== Misconfiguration ====<br />
==== Remediation ====<br />
<br />
<br />
=== Restrict OverRide for All Directories ===<br />
==== Description ====<br />
==== How to test ====<br />
==== Misconfiguration ====<br />
==== Remediation ====<br />
<br />
== Apache Features ==<br />
<br />
=== Limit HTTP Request Methods ===<br />
==== Description ====<br />
==== How to test ====<br />
==== Misconfiguration ====<br />
==== Remediation ====<br />
<br />
<br />
=== Disable HTTP Trace Method ===<br />
==== Description ====<br />
==== How to test ====<br />
==== Misconfiguration ====<br />
==== Remediation ====<br />
<br />
<br />
=== HTTP Protocol Version ===<br />
==== Description ====<br />
==== How to test ====<br />
==== Misconfiguration ====<br />
==== Remediation ====<br />
<br />
<br />
=== Restrict access to .htaccess files ===<br />
==== Description ====<br />
==== How to test ====<br />
==== Misconfiguration ====<br />
==== Remediation ====<br />
<br />
<br />
=== Restrict file extensions ===<br />
==== Description ====<br />
==== How to test ====<br />
==== Misconfiguration ====<br />
==== Remediation ====<br />
<br />
<br />
=== Remove Default HTML Page ===<br />
==== Description ====<br />
==== How to test ====<br />
==== Misconfiguration ====<br />
==== Remediation ====<br />
<br />
<br />
== Apache Module Configuration ==<br />
<br />
=== Authentication and Authorization Modules ===<br />
==== Description ====<br />
==== How to test ====<br />
==== Misconfiguration ====<br />
==== Remediation ====<br />
<br />
=== Status and Info Modules ===<br />
==== Description ====<br />
==== How to test ====<br />
==== Misconfiguration ====<br />
==== Remediation ====<br />
<br />
<br />
=== AutoIndex Module ===<br />
==== Description ====<br />
==== How to test ====<br />
==== Misconfiguration ====<br />
==== Remediation ====<br />
<br />
<br />
=== Proxy Module ===<br />
==== Description ====<br />
==== How to test ====<br />
==== Misconfiguration ====<br />
==== Remediation ====<br />
<br />
<br />
=== User Directory Moudule ===<br />
<br />
== SSL / TLS Configuration ==<br />
=== Install a valid certificate ===<br />
==== Description ====<br />
==== How to test ====<br />
==== Misconfiguration ====<br />
==== Remediation ====<br />
<br />
<br />
=== Restric weak SSL Protocols and Ciphers ===<br />
==== Description ====<br />
==== How to test ====<br />
==== Misconfiguration ====<br />
==== Remediation ====<br />
<br />
<br />
=== Install mod_ssl Module === <br />
<br />
==== Description ====<br />
==== How to test ====<br />
==== Misconfiguration ====<br />
==== Remediation ====<br />
<br />
=== Avoid Insecure SSL Renogitation ===<br />
==== Description ====<br />
==== How to test ====<br />
==== Misconfiguration ====<br />
==== Remediation ====<br />
<br />
<br />
== Attack Migigation ==<br />
=== DOS ===<br />
==== Description ====<br />
==== How to test ====<br />
==== Misconfiguration ====<br />
==== Remediation ====<br />
<br />
=== Buffer Overflow ===<br />
==== Description ====<br />
==== How to test ====<br />
==== Misconfiguration ====<br />
==== Remediation ====<br />
<br />
== References ==<br />
<br />
https://httpd.apache.org/docs/current/misc/security_tips.html<br />
<br />
https://wiki.debian.org/Apache/Hardening<br />
<br />
https://wiki.apache.org/httpd/CommonMisconfigurations<br />
<br />
http://projects.webappsec.org/w/page/13246959/Server%20Misconfiguration</div>Nishanthkumarpathihttps://wiki.owasp.org/index.php?title=SCG_WS_Apache&diff=201694SCG WS Apache2015-10-05T18:25:28Z<p>Nishanthkumarpathi: /* Restrict Shell Access for Apache User */</p>
<hr />
<div>{{Template:OWASP Secure Configuration Guide}}<br />
<br />
== Summary ==<br />
<br />
The Apache HTTP Server Project is a collaborative software development effort aimed at creating a robust, commercial-grade, featureful, and freely-available source code implementation of an HTTP (Web) server. The project is jointly managed by a group of volunteers located around the world, using the Internet and the Web to communicate, plan, and develop the server and its related documentation. This project is part of the Apache Software Foundation. In addition, hundreds of users have contributed ideas, code, and documentation to the project. This file is intended to briefly describe the history of the Apache HTTP Server and recognize the many contributors.<br />
<br />
== Important Files of Apache Server ==<br />
=== Apache Global Server Configuration Files ===<br />
<br />
Debian<br />
<pre>/etc/apache2/apache2.conf</pre><br />
RHEL / Red Hat / CentOS / Fedora Linux<br />
<pre>/etc/httpd/conf/httpd.conf</pre><br />
FreeBSD<br />
<pre>/usr/local/etc/apache2X/httpd.conf</pre><br />
<br />
Note:X represents the version number<br />
<br />
=== Apache Module Files ===<br />
Debian<pre>/etc/apache2/mods-enabled</pre><br />
RHEL / Red Hat / CentOS / Fedora Linux<pre>/etc/httpd/conf/conf.d</pre><br />
<br />
=== Apache Port Configuration File ===<br />
Debian<pre>/etc/apache2/ports.conf</pre><br />
RHEL / Red Hat / CentOS / Fedora Linux<pre>/etc/httpd/conf/conf.d</pre><br />
<br />
=== Apache Error Files ===<br />
Debian<pre>/var/log/apache2/error.log</pre><br />
RHEL / Red Hat / CentOS / Fedora Linux<pre>var/log/httpd/error_log</pre><br />
FreeBSD<pre>/var/log/httpd-error.log</pre><br />
<br />
== Apache Server Information Leakage ==<br />
<br />
=== Server Token Directive===<br />
<br />
==== Description ====<br />
<br />
This Directive Controls wheather Server response field is sent back to clients includes a description of Generic OS Type of the Server.<br />
<br />
<pre><br />
Server: Apache/2.2.14 (Unix) mod_ssl/2.2.14 OpenSSL/0.9.8e-fips-rhel5<br />
</pre><br />
<br />
This allows attackers to identify web servers details greatly and increases the efficiency of any attack,as security vulnerabilities<br />
are dependent upon specific software versions.<br />
<br />
==== How to test ====<br />
In order to test for ServerToken configuration, one should check the Apache configuration file.<br />
<br />
==== Misconfiguration ====<br />
<pre><br />
ServerTokens Full<br />
</pre><br />
<br />
==== Remediation ====<br />
<br />
Configure the ServerTokens directive in the Apache configuration to value of Prod or ProductOnly.<br />
This tells Apache to only return "Apache" in the Server header, returned on every page request.<br />
<br />
<pre><br />
ServerTokens Prod<br />
or<br />
ServerTokens ProductOnly<br />
</pre><br />
<br />
=== Server Signature ===<br />
<br />
==== Description ====<br />
<br />
This Apache directive allows the configuration of a trailing footer line under server-generated documents. <br />
<br />
==== How to test ====<br />
In order to test for ServerSignature configuration, one should check the Apache configuration file.<br />
<br />
==== Misconfiguration ====<br />
<pre>ServerSignature Off</pre><br />
<br />
==== Remediation ====<br />
Configure the ServerSingature directive in the Apache configuration to value of "Off".<br />
This tell Apache not to display the server version on error pages, or other pages it generates.<br />
<br />
<pre> ServerSignature On</pre><br />
<br />
== Operating System Privileges for Apache ==<br />
<br />
=== Run Apache with least privilege user ===<br />
<br />
==== Description ====<br />
<br />
Apache typically is started with root privileges in order to listen on port 80 and 443.<br />
One of the best ways to reduce your exposure to attack when running a web server is to create a unique, unprivileged userid and group for the web daemon to execute.<br />
The “nobody” or “daemon” userid & group that come default on Unix variants should NOT be used to run the web server as these principals are commonly used by other daemon services. <br />
Instead, create a user and group that are exclusively used by the web service so as to not give unnecessary access to other services.<br />
The userid used for the apache user should be a unique value between 1 and 499 as these lower values are reserved for the special system accounts.<br />
A more secure alternative is to bind Apache web service to an unprivileged port so it is not<br />
necessary to start Apache as root.<br />
<br />
==== How to test ====<br />
Ensure the apache account is unique and has been created with a UID between1-499 with the apache group and configured in the Apache Configuration File.<br />
<br />
==== Misconfiguration ====<br />
<br />
==== Remediation ====<br />
If the Apache user and group does exist, create the account and group as a unique system account.<br />
<br />
Example:<br />
<pre><br />
# groupadd –r apache<br />
# useradd apache -r -g apache -d /var/www -s /sbin/nologin<br />
</pre><br />
<br />
2. Configure the Apache user and group in the Apache configuration file.<br />
<pre><br />
User apache<br />
Group apache<br />
</pre><br />
<br />
=== Restrict Shell Access for Apache User=== <br />
==== Description ====<br />
The Apache account must not be used as a regular login account, and should be assigned an<br />
invalid or nologin shell to ensure that the account cannot be used to login.<br />
==== How to test ====<br />
==== Misconfiguration ====<br />
Check the apache login shell in the /etc/password file for Linux Systems.<br />
<pre># grep apache /etc/passwd</pre><br />
<br />
<br />
==== Remediation ====<br />
The below command will configure the apache user with "nologin" restrictions.<br />
<pre>chsh -s /sbin/nologin apache</pre><br />
Expected Output<br />
<pre>/etc/passwd:apache:x:48:48:Apache:/var/www:/sbin/nologin</pre><br />
<br />
=== Lock Apache user account===<br />
==== Description ====<br />
==== How to test ====<br />
==== Misconfiguration ====<br />
==== Remediation ====<br />
<br />
<br />
=== Apache Directory Ownership and Permissions ===<br />
==== Description ====<br />
==== How to test ====<br />
==== Misconfiguration ====<br />
==== Remediation ====<br />
<br />
<br />
<br />
=== Apache File Ownership and Permissions ===<br />
==== Description ====<br />
==== How to test ====<br />
==== Misconfiguration ====<br />
==== Remediation ====<br />
<br />
== Access Control List in Apache == <br />
=== Operating System Root directory ===<br />
==== Description ====<br />
==== How to test ====<br />
==== Misconfiguration ====<br />
==== Remediation ====<br />
<br />
<br />
=== Improper access to web content === <br />
==== Description ====<br />
==== How to test ====<br />
==== Misconfiguration ====<br />
==== Remediation ====<br />
<br />
<br />
=== Restrict OverRide for All Directories ===<br />
==== Description ====<br />
==== How to test ====<br />
==== Misconfiguration ====<br />
==== Remediation ====<br />
<br />
== Apache Features ==<br />
<br />
=== Limit HTTP Request Methods ===<br />
==== Description ====<br />
==== How to test ====<br />
==== Misconfiguration ====<br />
==== Remediation ====<br />
<br />
<br />
=== Disable HTTP Trace Method ===<br />
==== Description ====<br />
==== How to test ====<br />
==== Misconfiguration ====<br />
==== Remediation ====<br />
<br />
<br />
=== HTTP Protocol Version ===<br />
==== Description ====<br />
==== How to test ====<br />
==== Misconfiguration ====<br />
==== Remediation ====<br />
<br />
<br />
=== Restrict access to .htaccess files ===<br />
==== Description ====<br />
==== How to test ====<br />
==== Misconfiguration ====<br />
==== Remediation ====<br />
<br />
<br />
=== Restrict file extensions ===<br />
==== Description ====<br />
==== How to test ====<br />
==== Misconfiguration ====<br />
==== Remediation ====<br />
<br />
<br />
=== Remove Default HTML Page ===<br />
==== Description ====<br />
==== How to test ====<br />
==== Misconfiguration ====<br />
==== Remediation ====<br />
<br />
<br />
== Apache Module Configuration ==<br />
<br />
=== Authentication and Authorization Modules ===<br />
==== Description ====<br />
==== How to test ====<br />
==== Misconfiguration ====<br />
==== Remediation ====<br />
<br />
=== Status and Info Modules ===<br />
==== Description ====<br />
==== How to test ====<br />
==== Misconfiguration ====<br />
==== Remediation ====<br />
<br />
<br />
=== AutoIndex Module ===<br />
==== Description ====<br />
==== How to test ====<br />
==== Misconfiguration ====<br />
==== Remediation ====<br />
<br />
<br />
=== Proxy Module ===<br />
==== Description ====<br />
==== How to test ====<br />
==== Misconfiguration ====<br />
==== Remediation ====<br />
<br />
<br />
=== User Directory Moudule ===<br />
<br />
== SSL / TLS Configuration ==<br />
=== Install a valid certificate ===<br />
==== Description ====<br />
==== How to test ====<br />
==== Misconfiguration ====<br />
==== Remediation ====<br />
<br />
<br />
=== Restric weak SSL Protocols and Ciphers ===<br />
==== Description ====<br />
==== How to test ====<br />
==== Misconfiguration ====<br />
==== Remediation ====<br />
<br />
<br />
=== Install mod_ssl Module === <br />
<br />
==== Description ====<br />
==== How to test ====<br />
==== Misconfiguration ====<br />
==== Remediation ====<br />
<br />
=== Avoid Insecure SSL Renogitation ===<br />
==== Description ====<br />
==== How to test ====<br />
==== Misconfiguration ====<br />
==== Remediation ====<br />
<br />
<br />
== Attack Migigation ==<br />
=== DOS ===<br />
==== Description ====<br />
==== How to test ====<br />
==== Misconfiguration ====<br />
==== Remediation ====<br />
<br />
=== Buffer Overflow ===<br />
==== Description ====<br />
==== How to test ====<br />
==== Misconfiguration ====<br />
==== Remediation ====<br />
<br />
== References ==<br />
<br />
https://httpd.apache.org/docs/current/misc/security_tips.html<br />
<br />
https://wiki.debian.org/Apache/Hardening<br />
<br />
https://wiki.apache.org/httpd/CommonMisconfigurations<br />
<br />
http://projects.webappsec.org/w/page/13246959/Server%20Misconfiguration</div>Nishanthkumarpathihttps://wiki.owasp.org/index.php?title=SCG_WS_Apache&diff=201690SCG WS Apache2015-10-05T18:18:29Z<p>Nishanthkumarpathi: /* Run Apache with least privilege user */</p>
<hr />
<div>{{Template:OWASP Secure Configuration Guide}}<br />
<br />
== Summary ==<br />
<br />
The Apache HTTP Server Project is a collaborative software development effort aimed at creating a robust, commercial-grade, featureful, and freely-available source code implementation of an HTTP (Web) server. The project is jointly managed by a group of volunteers located around the world, using the Internet and the Web to communicate, plan, and develop the server and its related documentation. This project is part of the Apache Software Foundation. In addition, hundreds of users have contributed ideas, code, and documentation to the project. This file is intended to briefly describe the history of the Apache HTTP Server and recognize the many contributors.<br />
<br />
== Important Files of Apache Server ==<br />
=== Apache Global Server Configuration Files ===<br />
<br />
Debian<br />
<pre>/etc/apache2/apache2.conf</pre><br />
RHEL / Red Hat / CentOS / Fedora Linux<br />
<pre>/etc/httpd/conf/httpd.conf</pre><br />
FreeBSD<br />
<pre>/usr/local/etc/apache2X/httpd.conf</pre><br />
<br />
Note:X represents the version number<br />
<br />
=== Apache Module Files ===<br />
Debian<pre>/etc/apache2/mods-enabled</pre><br />
RHEL / Red Hat / CentOS / Fedora Linux<pre>/etc/httpd/conf/conf.d</pre><br />
<br />
=== Apache Port Configuration File ===<br />
Debian<pre>/etc/apache2/ports.conf</pre><br />
RHEL / Red Hat / CentOS / Fedora Linux<pre>/etc/httpd/conf/conf.d</pre><br />
<br />
=== Apache Error Files ===<br />
Debian<pre>/var/log/apache2/error.log</pre><br />
RHEL / Red Hat / CentOS / Fedora Linux<pre>var/log/httpd/error_log</pre><br />
FreeBSD<pre>/var/log/httpd-error.log</pre><br />
<br />
== Apache Server Information Leakage ==<br />
<br />
=== Server Token Directive===<br />
<br />
==== Description ====<br />
<br />
This Directive Controls wheather Server response field is sent back to clients includes a description of Generic OS Type of the Server.<br />
<br />
<pre><br />
Server: Apache/2.2.14 (Unix) mod_ssl/2.2.14 OpenSSL/0.9.8e-fips-rhel5<br />
</pre><br />
<br />
This allows attackers to identify web servers details greatly and increases the efficiency of any attack,as security vulnerabilities<br />
are dependent upon specific software versions.<br />
<br />
==== How to test ====<br />
In order to test for ServerToken configuration, one should check the Apache configuration file.<br />
<br />
==== Misconfiguration ====<br />
<pre><br />
ServerTokens Full<br />
</pre><br />
<br />
==== Remediation ====<br />
<br />
Configure the ServerTokens directive in the Apache configuration to value of Prod or ProductOnly.<br />
This tells Apache to only return "Apache" in the Server header, returned on every page request.<br />
<br />
<pre><br />
ServerTokens Prod<br />
or<br />
ServerTokens ProductOnly<br />
</pre><br />
<br />
=== Server Signature ===<br />
<br />
==== Description ====<br />
<br />
This Apache directive allows the configuration of a trailing footer line under server-generated documents. <br />
<br />
==== How to test ====<br />
In order to test for ServerSignature configuration, one should check the Apache configuration file.<br />
<br />
==== Misconfiguration ====<br />
<pre>ServerSignature Off</pre><br />
<br />
==== Remediation ====<br />
Configure the ServerSingature directive in the Apache configuration to value of "Off".<br />
This tell Apache not to display the server version on error pages, or other pages it generates.<br />
<br />
<pre> ServerSignature On</pre><br />
<br />
== Operating System Privileges for Apache ==<br />
<br />
=== Run Apache with least privilege user ===<br />
<br />
==== Description ====<br />
<br />
Apache typically is started with root privileges in order to listen on port 80 and 443.<br />
One of the best ways to reduce your exposure to attack when running a web server is to create a unique, unprivileged userid and group for the web daemon to execute.<br />
The “nobody” or “daemon” userid & group that come default on Unix variants should NOT be used to run the web server as these principals are commonly used by other daemon services. <br />
Instead, create a user and group that are exclusively used by the web service so as to not give unnecessary access to other services.<br />
The userid used for the apache user should be a unique value between 1 and 499 as these lower values are reserved for the special system accounts.<br />
A more secure alternative is to bind Apache web service to an unprivileged port so it is not<br />
necessary to start Apache as root.<br />
<br />
==== How to test ====<br />
Ensure the apache account is unique and has been created with a UID between1-499 with the apache group and configured in the Apache Configuration File.<br />
<br />
==== Misconfiguration ====<br />
<br />
==== Remediation ====<br />
If the Apache user and group does exist, create the account and group as a unique system account.<br />
<br />
Example:<br />
<pre><br />
# groupadd –r apache<br />
# useradd apache -r -g apache -d /var/www -s /sbin/nologin<br />
</pre><br />
<br />
2. Configure the Apache user and group in the Apache configuration file.<br />
<pre><br />
User apache<br />
Group apache<br />
</pre><br />
<br />
=== Restrict Shell Access for Apache User=== <br />
==== Description ====<br />
==== How to test ====<br />
==== Misconfiguration ====<br />
==== Remediation ====<br />
<br />
=== Lock Apache user account===<br />
==== Description ====<br />
==== How to test ====<br />
==== Misconfiguration ====<br />
==== Remediation ====<br />
<br />
<br />
=== Apache Directory Ownership and Permissions ===<br />
==== Description ====<br />
==== How to test ====<br />
==== Misconfiguration ====<br />
==== Remediation ====<br />
<br />
<br />
<br />
=== Apache File Ownership and Permissions ===<br />
==== Description ====<br />
==== How to test ====<br />
==== Misconfiguration ====<br />
==== Remediation ====<br />
<br />
== Access Control List in Apache == <br />
=== Operating System Root directory ===<br />
==== Description ====<br />
==== How to test ====<br />
==== Misconfiguration ====<br />
==== Remediation ====<br />
<br />
<br />
=== Improper access to web content === <br />
==== Description ====<br />
==== How to test ====<br />
==== Misconfiguration ====<br />
==== Remediation ====<br />
<br />
<br />
=== Restrict OverRide for All Directories ===<br />
==== Description ====<br />
==== How to test ====<br />
==== Misconfiguration ====<br />
==== Remediation ====<br />
<br />
== Apache Features ==<br />
<br />
=== Limit HTTP Request Methods ===<br />
==== Description ====<br />
==== How to test ====<br />
==== Misconfiguration ====<br />
==== Remediation ====<br />
<br />
<br />
=== Disable HTTP Trace Method ===<br />
==== Description ====<br />
==== How to test ====<br />
==== Misconfiguration ====<br />
==== Remediation ====<br />
<br />
<br />
=== HTTP Protocol Version ===<br />
==== Description ====<br />
==== How to test ====<br />
==== Misconfiguration ====<br />
==== Remediation ====<br />
<br />
<br />
=== Restrict access to .htaccess files ===<br />
==== Description ====<br />
==== How to test ====<br />
==== Misconfiguration ====<br />
==== Remediation ====<br />
<br />
<br />
=== Restrict file extensions ===<br />
==== Description ====<br />
==== How to test ====<br />
==== Misconfiguration ====<br />
==== Remediation ====<br />
<br />
<br />
=== Remove Default HTML Page ===<br />
==== Description ====<br />
==== How to test ====<br />
==== Misconfiguration ====<br />
==== Remediation ====<br />
<br />
<br />
== Apache Module Configuration ==<br />
<br />
=== Authentication and Authorization Modules ===<br />
==== Description ====<br />
==== How to test ====<br />
==== Misconfiguration ====<br />
==== Remediation ====<br />
<br />
=== Status and Info Modules ===<br />
==== Description ====<br />
==== How to test ====<br />
==== Misconfiguration ====<br />
==== Remediation ====<br />
<br />
<br />
=== AutoIndex Module ===<br />
==== Description ====<br />
==== How to test ====<br />
==== Misconfiguration ====<br />
==== Remediation ====<br />
<br />
<br />
=== Proxy Module ===<br />
==== Description ====<br />
==== How to test ====<br />
==== Misconfiguration ====<br />
==== Remediation ====<br />
<br />
<br />
=== User Directory Moudule ===<br />
<br />
== SSL / TLS Configuration ==<br />
=== Install a valid certificate ===<br />
==== Description ====<br />
==== How to test ====<br />
==== Misconfiguration ====<br />
==== Remediation ====<br />
<br />
<br />
=== Restric weak SSL Protocols and Ciphers ===<br />
==== Description ====<br />
==== How to test ====<br />
==== Misconfiguration ====<br />
==== Remediation ====<br />
<br />
<br />
=== Install mod_ssl Module === <br />
<br />
==== Description ====<br />
==== How to test ====<br />
==== Misconfiguration ====<br />
==== Remediation ====<br />
<br />
=== Avoid Insecure SSL Renogitation ===<br />
==== Description ====<br />
==== How to test ====<br />
==== Misconfiguration ====<br />
==== Remediation ====<br />
<br />
<br />
== Attack Migigation ==<br />
=== DOS ===<br />
==== Description ====<br />
==== How to test ====<br />
==== Misconfiguration ====<br />
==== Remediation ====<br />
<br />
=== Buffer Overflow ===<br />
==== Description ====<br />
==== How to test ====<br />
==== Misconfiguration ====<br />
==== Remediation ====<br />
<br />
== References ==<br />
<br />
https://httpd.apache.org/docs/current/misc/security_tips.html<br />
<br />
https://wiki.debian.org/Apache/Hardening<br />
<br />
https://wiki.apache.org/httpd/CommonMisconfigurations<br />
<br />
http://projects.webappsec.org/w/page/13246959/Server%20Misconfiguration</div>Nishanthkumarpathihttps://wiki.owasp.org/index.php?title=SCG_WS_Apache&diff=201689SCG WS Apache2015-10-05T18:04:13Z<p>Nishanthkumarpathi: /* Important Files of Apache Server */</p>
<hr />
<div>{{Template:OWASP Secure Configuration Guide}}<br />
<br />
== Summary ==<br />
<br />
The Apache HTTP Server Project is a collaborative software development effort aimed at creating a robust, commercial-grade, featureful, and freely-available source code implementation of an HTTP (Web) server. The project is jointly managed by a group of volunteers located around the world, using the Internet and the Web to communicate, plan, and develop the server and its related documentation. This project is part of the Apache Software Foundation. In addition, hundreds of users have contributed ideas, code, and documentation to the project. This file is intended to briefly describe the history of the Apache HTTP Server and recognize the many contributors.<br />
<br />
== Important Files of Apache Server ==<br />
=== Apache Global Server Configuration Files ===<br />
<br />
Debian<br />
<pre>/etc/apache2/apache2.conf</pre><br />
RHEL / Red Hat / CentOS / Fedora Linux<br />
<pre>/etc/httpd/conf/httpd.conf</pre><br />
FreeBSD<br />
<pre>/usr/local/etc/apache2X/httpd.conf</pre><br />
<br />
Note:X represents the version number<br />
<br />
=== Apache Module Files ===<br />
Debian<pre>/etc/apache2/mods-enabled</pre><br />
RHEL / Red Hat / CentOS / Fedora Linux<pre>/etc/httpd/conf/conf.d</pre><br />
<br />
=== Apache Port Configuration File ===<br />
Debian<pre>/etc/apache2/ports.conf</pre><br />
RHEL / Red Hat / CentOS / Fedora Linux<pre>/etc/httpd/conf/conf.d</pre><br />
<br />
=== Apache Error Files ===<br />
Debian<pre>/var/log/apache2/error.log</pre><br />
RHEL / Red Hat / CentOS / Fedora Linux<pre>var/log/httpd/error_log</pre><br />
FreeBSD<pre>/var/log/httpd-error.log</pre><br />
<br />
== Apache Server Information Leakage ==<br />
<br />
=== Server Token Directive===<br />
<br />
==== Description ====<br />
<br />
This Directive Controls wheather Server response field is sent back to clients includes a description of Generic OS Type of the Server.<br />
<br />
<pre><br />
Server: Apache/2.2.14 (Unix) mod_ssl/2.2.14 OpenSSL/0.9.8e-fips-rhel5<br />
</pre><br />
<br />
This allows attackers to identify web servers details greatly and increases the efficiency of any attack,as security vulnerabilities<br />
are dependent upon specific software versions.<br />
<br />
==== How to test ====<br />
In order to test for ServerToken configuration, one should check the Apache configuration file.<br />
<br />
==== Misconfiguration ====<br />
<pre><br />
ServerTokens Full<br />
</pre><br />
<br />
==== Remediation ====<br />
<br />
Configure the ServerTokens directive in the Apache configuration to value of Prod or ProductOnly.<br />
This tells Apache to only return "Apache" in the Server header, returned on every page request.<br />
<br />
<pre><br />
ServerTokens Prod<br />
or<br />
ServerTokens ProductOnly<br />
</pre><br />
<br />
=== Server Signature ===<br />
<br />
==== Description ====<br />
<br />
This Apache directive allows the configuration of a trailing footer line under server-generated documents. <br />
<br />
==== How to test ====<br />
In order to test for ServerSignature configuration, one should check the Apache configuration file.<br />
<br />
==== Misconfiguration ====<br />
<pre>ServerSignature Off</pre><br />
<br />
==== Remediation ====<br />
Configure the ServerSingature directive in the Apache configuration to value of "Off".<br />
This tell Apache not to display the server version on error pages, or other pages it generates.<br />
<br />
<pre> ServerSignature On</pre><br />
<br />
== Operating System Privileges for Apache ==<br />
<br />
=== Run Apache with least privilege user ===<br />
==== Description ====<br />
==== How to test ====<br />
==== Misconfiguration ====<br />
==== Remediation ====<br />
<br />
=== Restrict Shell Access for Apache User=== <br />
==== Description ====<br />
==== How to test ====<br />
==== Misconfiguration ====<br />
==== Remediation ====<br />
<br />
=== Lock Apache user account===<br />
==== Description ====<br />
==== How to test ====<br />
==== Misconfiguration ====<br />
==== Remediation ====<br />
<br />
<br />
=== Apache Directory Ownership and Permissions ===<br />
==== Description ====<br />
==== How to test ====<br />
==== Misconfiguration ====<br />
==== Remediation ====<br />
<br />
<br />
<br />
=== Apache File Ownership and Permissions ===<br />
==== Description ====<br />
==== How to test ====<br />
==== Misconfiguration ====<br />
==== Remediation ====<br />
<br />
== Access Control List in Apache == <br />
=== Operating System Root directory ===<br />
==== Description ====<br />
==== How to test ====<br />
==== Misconfiguration ====<br />
==== Remediation ====<br />
<br />
<br />
=== Improper access to web content === <br />
==== Description ====<br />
==== How to test ====<br />
==== Misconfiguration ====<br />
==== Remediation ====<br />
<br />
<br />
=== Restrict OverRide for All Directories ===<br />
==== Description ====<br />
==== How to test ====<br />
==== Misconfiguration ====<br />
==== Remediation ====<br />
<br />
== Apache Features ==<br />
<br />
=== Limit HTTP Request Methods ===<br />
==== Description ====<br />
==== How to test ====<br />
==== Misconfiguration ====<br />
==== Remediation ====<br />
<br />
<br />
=== Disable HTTP Trace Method ===<br />
==== Description ====<br />
==== How to test ====<br />
==== Misconfiguration ====<br />
==== Remediation ====<br />
<br />
<br />
=== HTTP Protocol Version ===<br />
==== Description ====<br />
==== How to test ====<br />
==== Misconfiguration ====<br />
==== Remediation ====<br />
<br />
<br />
=== Restrict access to .htaccess files ===<br />
==== Description ====<br />
==== How to test ====<br />
==== Misconfiguration ====<br />
==== Remediation ====<br />
<br />
<br />
=== Restrict file extensions ===<br />
==== Description ====<br />
==== How to test ====<br />
==== Misconfiguration ====<br />
==== Remediation ====<br />
<br />
<br />
=== Remove Default HTML Page ===<br />
==== Description ====<br />
==== How to test ====<br />
==== Misconfiguration ====<br />
==== Remediation ====<br />
<br />
<br />
== Apache Module Configuration ==<br />
<br />
=== Authentication and Authorization Modules ===<br />
==== Description ====<br />
==== How to test ====<br />
==== Misconfiguration ====<br />
==== Remediation ====<br />
<br />
=== Status and Info Modules ===<br />
==== Description ====<br />
==== How to test ====<br />
==== Misconfiguration ====<br />
==== Remediation ====<br />
<br />
<br />
=== AutoIndex Module ===<br />
==== Description ====<br />
==== How to test ====<br />
==== Misconfiguration ====<br />
==== Remediation ====<br />
<br />
<br />
=== Proxy Module ===<br />
==== Description ====<br />
==== How to test ====<br />
==== Misconfiguration ====<br />
==== Remediation ====<br />
<br />
<br />
=== User Directory Moudule ===<br />
<br />
== SSL / TLS Configuration ==<br />
=== Install a valid certificate ===<br />
==== Description ====<br />
==== How to test ====<br />
==== Misconfiguration ====<br />
==== Remediation ====<br />
<br />
<br />
=== Restric weak SSL Protocols and Ciphers ===<br />
==== Description ====<br />
==== How to test ====<br />
==== Misconfiguration ====<br />
==== Remediation ====<br />
<br />
<br />
=== Install mod_ssl Module === <br />
<br />
==== Description ====<br />
==== How to test ====<br />
==== Misconfiguration ====<br />
==== Remediation ====<br />
<br />
=== Avoid Insecure SSL Renogitation ===<br />
==== Description ====<br />
==== How to test ====<br />
==== Misconfiguration ====<br />
==== Remediation ====<br />
<br />
<br />
== Attack Migigation ==<br />
=== DOS ===<br />
==== Description ====<br />
==== How to test ====<br />
==== Misconfiguration ====<br />
==== Remediation ====<br />
<br />
=== Buffer Overflow ===<br />
==== Description ====<br />
==== How to test ====<br />
==== Misconfiguration ====<br />
==== Remediation ====<br />
<br />
== References ==<br />
<br />
https://httpd.apache.org/docs/current/misc/security_tips.html<br />
<br />
https://wiki.debian.org/Apache/Hardening<br />
<br />
https://wiki.apache.org/httpd/CommonMisconfigurations<br />
<br />
http://projects.webappsec.org/w/page/13246959/Server%20Misconfiguration</div>Nishanthkumarpathihttps://wiki.owasp.org/index.php?title=SCG_WS_Apache&diff=201688SCG WS Apache2015-10-05T18:03:11Z<p>Nishanthkumarpathi: /* Apache Server Information Leakage */</p>
<hr />
<div>{{Template:OWASP Secure Configuration Guide}}<br />
<br />
== Summary ==<br />
<br />
The Apache HTTP Server Project is a collaborative software development effort aimed at creating a robust, commercial-grade, featureful, and freely-available source code implementation of an HTTP (Web) server. The project is jointly managed by a group of volunteers located around the world, using the Internet and the Web to communicate, plan, and develop the server and its related documentation. This project is part of the Apache Software Foundation. In addition, hundreds of users have contributed ideas, code, and documentation to the project. This file is intended to briefly describe the history of the Apache HTTP Server and recognize the many contributors.<br />
<br />
== Important Files of Apache Server ==<br />
=== Apache Global Server Configuration Files ===<br />
<br />
Debian<br />
<pre>/etc/apache2/apache2.conf</pre><br />
RHEL / Red Hat / CentOS / Fedora Linux<br />
<pre>/etc/httpd/conf/httpd.conf</pre><br />
FreeBSD<br />
<pre>/usr/local/etc/apache2X/httpd.conf</pre><br />
<br />
Note:X represents the version number<br />
<br />
=== Apache Module Files ===<br />
Debian<pre>/etc/apache2/mods-enabled</pre><br />
RHEL / Red Hat / CentOS / Fedora Linux<pre>/etc/httpd/conf/conf.d</pre><br />
<br />
=== Apache Port Configuration File ===<br />
Debian<pre>/etc/apache2/ports.conf</pre><br />
RHEL / Red Hat / CentOS / Fedora Linux<pre>/etc/httpd/conf/conf.d</pre><br />
<br />
=== Apache Error Files ===<br />
Debian<pre>/var/log/apache2/error.log</pre><br />
RHEL / Red Hat / CentOS / Fedora Linux<pre>var/log/httpd/error_log</pre><br />
FreeBSD<pre>/var/log/httpd-error.log</pre><br />
=== Apache Error Files - Windows===<br />
<br />
== Apache Server Information Leakage ==<br />
<br />
=== Server Token Directive===<br />
<br />
==== Description ====<br />
<br />
This Directive Controls wheather Server response field is sent back to clients includes a description of Generic OS Type of the Server.<br />
<br />
<pre><br />
Server: Apache/2.2.14 (Unix) mod_ssl/2.2.14 OpenSSL/0.9.8e-fips-rhel5<br />
</pre><br />
<br />
This allows attackers to identify web servers details greatly and increases the efficiency of any attack,as security vulnerabilities<br />
are dependent upon specific software versions.<br />
<br />
==== How to test ====<br />
In order to test for ServerToken configuration, one should check the Apache configuration file.<br />
<br />
==== Misconfiguration ====<br />
<pre><br />
ServerTokens Full<br />
</pre><br />
<br />
==== Remediation ====<br />
<br />
Configure the ServerTokens directive in the Apache configuration to value of Prod or ProductOnly.<br />
This tells Apache to only return "Apache" in the Server header, returned on every page request.<br />
<br />
<pre><br />
ServerTokens Prod<br />
or<br />
ServerTokens ProductOnly<br />
</pre><br />
<br />
=== Server Signature ===<br />
<br />
==== Description ====<br />
<br />
This Apache directive allows the configuration of a trailing footer line under server-generated documents. <br />
<br />
==== How to test ====<br />
In order to test for ServerSignature configuration, one should check the Apache configuration file.<br />
<br />
==== Misconfiguration ====<br />
<pre>ServerSignature Off</pre><br />
<br />
==== Remediation ====<br />
Configure the ServerSingature directive in the Apache configuration to value of "Off".<br />
This tell Apache not to display the server version on error pages, or other pages it generates.<br />
<br />
<pre> ServerSignature On</pre><br />
<br />
== Operating System Privileges for Apache ==<br />
<br />
=== Run Apache with least privilege user ===<br />
==== Description ====<br />
==== How to test ====<br />
==== Misconfiguration ====<br />
==== Remediation ====<br />
<br />
=== Restrict Shell Access for Apache User=== <br />
==== Description ====<br />
==== How to test ====<br />
==== Misconfiguration ====<br />
==== Remediation ====<br />
<br />
=== Lock Apache user account===<br />
==== Description ====<br />
==== How to test ====<br />
==== Misconfiguration ====<br />
==== Remediation ====<br />
<br />
<br />
=== Apache Directory Ownership and Permissions ===<br />
==== Description ====<br />
==== How to test ====<br />
==== Misconfiguration ====<br />
==== Remediation ====<br />
<br />
<br />
<br />
=== Apache File Ownership and Permissions ===<br />
==== Description ====<br />
==== How to test ====<br />
==== Misconfiguration ====<br />
==== Remediation ====<br />
<br />
== Access Control List in Apache == <br />
=== Operating System Root directory ===<br />
==== Description ====<br />
==== How to test ====<br />
==== Misconfiguration ====<br />
==== Remediation ====<br />
<br />
<br />
=== Improper access to web content === <br />
==== Description ====<br />
==== How to test ====<br />
==== Misconfiguration ====<br />
==== Remediation ====<br />
<br />
<br />
=== Restrict OverRide for All Directories ===<br />
==== Description ====<br />
==== How to test ====<br />
==== Misconfiguration ====<br />
==== Remediation ====<br />
<br />
== Apache Features ==<br />
<br />
=== Limit HTTP Request Methods ===<br />
==== Description ====<br />
==== How to test ====<br />
==== Misconfiguration ====<br />
==== Remediation ====<br />
<br />
<br />
=== Disable HTTP Trace Method ===<br />
==== Description ====<br />
==== How to test ====<br />
==== Misconfiguration ====<br />
==== Remediation ====<br />
<br />
<br />
=== HTTP Protocol Version ===<br />
==== Description ====<br />
==== How to test ====<br />
==== Misconfiguration ====<br />
==== Remediation ====<br />
<br />
<br />
=== Restrict access to .htaccess files ===<br />
==== Description ====<br />
==== How to test ====<br />
==== Misconfiguration ====<br />
==== Remediation ====<br />
<br />
<br />
=== Restrict file extensions ===<br />
==== Description ====<br />
==== How to test ====<br />
==== Misconfiguration ====<br />
==== Remediation ====<br />
<br />
<br />
=== Remove Default HTML Page ===<br />
==== Description ====<br />
==== How to test ====<br />
==== Misconfiguration ====<br />
==== Remediation ====<br />
<br />
<br />
== Apache Module Configuration ==<br />
<br />
=== Authentication and Authorization Modules ===<br />
==== Description ====<br />
==== How to test ====<br />
==== Misconfiguration ====<br />
==== Remediation ====<br />
<br />
=== Status and Info Modules ===<br />
==== Description ====<br />
==== How to test ====<br />
==== Misconfiguration ====<br />
==== Remediation ====<br />
<br />
<br />
=== AutoIndex Module ===<br />
==== Description ====<br />
==== How to test ====<br />
==== Misconfiguration ====<br />
==== Remediation ====<br />
<br />
<br />
=== Proxy Module ===<br />
==== Description ====<br />
==== How to test ====<br />
==== Misconfiguration ====<br />
==== Remediation ====<br />
<br />
<br />
=== User Directory Moudule ===<br />
<br />
== SSL / TLS Configuration ==<br />
=== Install a valid certificate ===<br />
==== Description ====<br />
==== How to test ====<br />
==== Misconfiguration ====<br />
==== Remediation ====<br />
<br />
<br />
=== Restric weak SSL Protocols and Ciphers ===<br />
==== Description ====<br />
==== How to test ====<br />
==== Misconfiguration ====<br />
==== Remediation ====<br />
<br />
<br />
=== Install mod_ssl Module === <br />
<br />
==== Description ====<br />
==== How to test ====<br />
==== Misconfiguration ====<br />
==== Remediation ====<br />
<br />
=== Avoid Insecure SSL Renogitation ===<br />
==== Description ====<br />
==== How to test ====<br />
==== Misconfiguration ====<br />
==== Remediation ====<br />
<br />
<br />
== Attack Migigation ==<br />
=== DOS ===<br />
==== Description ====<br />
==== How to test ====<br />
==== Misconfiguration ====<br />
==== Remediation ====<br />
<br />
=== Buffer Overflow ===<br />
==== Description ====<br />
==== How to test ====<br />
==== Misconfiguration ====<br />
==== Remediation ====<br />
<br />
== References ==<br />
<br />
https://httpd.apache.org/docs/current/misc/security_tips.html<br />
<br />
https://wiki.debian.org/Apache/Hardening<br />
<br />
https://wiki.apache.org/httpd/CommonMisconfigurations<br />
<br />
http://projects.webappsec.org/w/page/13246959/Server%20Misconfiguration</div>Nishanthkumarpathihttps://wiki.owasp.org/index.php?title=SCG_WS_Apache&diff=201686SCG WS Apache2015-10-05T17:59:31Z<p>Nishanthkumarpathi: /* Server Signature */</p>
<hr />
<div>{{Template:OWASP Secure Configuration Guide}}<br />
<br />
== Summary ==<br />
<br />
The Apache HTTP Server Project is a collaborative software development effort aimed at creating a robust, commercial-grade, featureful, and freely-available source code implementation of an HTTP (Web) server. The project is jointly managed by a group of volunteers located around the world, using the Internet and the Web to communicate, plan, and develop the server and its related documentation. This project is part of the Apache Software Foundation. In addition, hundreds of users have contributed ideas, code, and documentation to the project. This file is intended to briefly describe the history of the Apache HTTP Server and recognize the many contributors.<br />
<br />
== Important Files of Apache Server ==<br />
=== Apache Global Server Configuration Files ===<br />
<br />
Debian<br />
<pre>/etc/apache2/apache2.conf</pre><br />
RHEL / Red Hat / CentOS / Fedora Linux<br />
<pre>/etc/httpd/conf/httpd.conf</pre><br />
FreeBSD<br />
<pre>/usr/local/etc/apache2X/httpd.conf</pre><br />
<br />
Note:X represents the version number<br />
<br />
=== Apache Module Files ===<br />
Debian<pre>/etc/apache2/mods-enabled</pre><br />
RHEL / Red Hat / CentOS / Fedora Linux<pre>/etc/httpd/conf/conf.d</pre><br />
<br />
=== Apache Port Configuration File ===<br />
Debian<pre>/etc/apache2/ports.conf</pre><br />
RHEL / Red Hat / CentOS / Fedora Linux<pre>/etc/httpd/conf/conf.d</pre><br />
<br />
=== Apache Error Files ===<br />
Debian<pre>/var/log/apache2/error.log</pre><br />
RHEL / Red Hat / CentOS / Fedora Linux<pre>var/log/httpd/error_log</pre><br />
FreeBSD<pre>/var/log/httpd-error.log</pre><br />
=== Apache Error Files - Windows===<br />
<br />
== Apache Server Information Leakage ==<br />
<br />
=== Server Token Directive===<br />
<br />
==== Description ====<br />
<br />
This Directive Controls wheather Server response field is sent back to clients includes a description of Generic OS Type of the Server.<br />
<br />
<pre><br />
Server: Apache/2.2.14 (Unix) mod_ssl/2.2.14 OpenSSL/0.9.8e-fips-rhel5<br />
</pre><br />
<br />
This allows attackers to identify web servers details greatly and increases the efficiency of any attack,as security vulnerabilities<br />
are dependent upon specific software versions.<br />
<br />
==== How to test ====<br />
In order to test for ServerToken configuration, one should check the Apache configuration file.<br />
<br />
==== Misconfiguration ====<br />
<pre><br />
ServerTokens Full<br />
</pre><br />
<br />
==== Remediation ====<br />
<br />
Configure the ServerTokens directive in the Apache configuration to value of Prod or ProductOnly.<br />
This tells Apache to only return "Apache" in the Server header, returned on every page request.<br />
<br />
<pre><br />
ServerTokens Prod<br />
or<br />
ServerTokens ProductOnly<br />
</pre><br />
<br />
=== Server Signature ===<br />
<br />
==== Description ====<br />
<br />
This Apache directive allows the configuration of a trailing footer line under server-generated documents. <br />
<br />
==== How to test ====<br />
In order to test for ServerSignature configuration, one should check the Apache configuration file.<br />
<br />
==== Misconfiguration ====<br />
<pre>ServerSignature Off</pre><br />
<br />
==== Remediation ====<br />
Configure the ServerSingature directive in the Apache configuration to value of "Off".<br />
This tell Apache not to display the server version on error pages, or other pages it generates.<br />
<br />
<pre> ServerSignature On</pre><br />
<br />
=== Info Leakage via default Apache configuration ===<br />
==== Description ====<br />
==== How to test ====<br />
==== Misconfiguration ====<br />
==== Remediation ====<br />
<br />
== Operating System Privileges for Apache ==<br />
<br />
=== Run Apache with least privilege user ===<br />
==== Description ====<br />
==== How to test ====<br />
==== Misconfiguration ====<br />
==== Remediation ====<br />
<br />
=== Restrict Shell Access for Apache User=== <br />
==== Description ====<br />
==== How to test ====<br />
==== Misconfiguration ====<br />
==== Remediation ====<br />
<br />
=== Lock Apache user account===<br />
==== Description ====<br />
==== How to test ====<br />
==== Misconfiguration ====<br />
==== Remediation ====<br />
<br />
<br />
=== Apache Directory Ownership and Permissions ===<br />
==== Description ====<br />
==== How to test ====<br />
==== Misconfiguration ====<br />
==== Remediation ====<br />
<br />
<br />
<br />
=== Apache File Ownership and Permissions ===<br />
==== Description ====<br />
==== How to test ====<br />
==== Misconfiguration ====<br />
==== Remediation ====<br />
<br />
== Access Control List in Apache == <br />
=== Operating System Root directory ===<br />
==== Description ====<br />
==== How to test ====<br />
==== Misconfiguration ====<br />
==== Remediation ====<br />
<br />
<br />
=== Improper access to web content === <br />
==== Description ====<br />
==== How to test ====<br />
==== Misconfiguration ====<br />
==== Remediation ====<br />
<br />
<br />
=== Restrict OverRide for All Directories ===<br />
==== Description ====<br />
==== How to test ====<br />
==== Misconfiguration ====<br />
==== Remediation ====<br />
<br />
== Apache Features ==<br />
<br />
=== Limit HTTP Request Methods ===<br />
==== Description ====<br />
==== How to test ====<br />
==== Misconfiguration ====<br />
==== Remediation ====<br />
<br />
<br />
=== Disable HTTP Trace Method ===<br />
==== Description ====<br />
==== How to test ====<br />
==== Misconfiguration ====<br />
==== Remediation ====<br />
<br />
<br />
=== HTTP Protocol Version ===<br />
==== Description ====<br />
==== How to test ====<br />
==== Misconfiguration ====<br />
==== Remediation ====<br />
<br />
<br />
=== Restrict access to .htaccess files ===<br />
==== Description ====<br />
==== How to test ====<br />
==== Misconfiguration ====<br />
==== Remediation ====<br />
<br />
<br />
=== Restrict file extensions ===<br />
==== Description ====<br />
==== How to test ====<br />
==== Misconfiguration ====<br />
==== Remediation ====<br />
<br />
<br />
=== Remove Default HTML Page ===<br />
==== Description ====<br />
==== How to test ====<br />
==== Misconfiguration ====<br />
==== Remediation ====<br />
<br />
<br />
== Apache Module Configuration ==<br />
<br />
=== Authentication and Authorization Modules ===<br />
==== Description ====<br />
==== How to test ====<br />
==== Misconfiguration ====<br />
==== Remediation ====<br />
<br />
=== Status and Info Modules ===<br />
==== Description ====<br />
==== How to test ====<br />
==== Misconfiguration ====<br />
==== Remediation ====<br />
<br />
<br />
=== AutoIndex Module ===<br />
==== Description ====<br />
==== How to test ====<br />
==== Misconfiguration ====<br />
==== Remediation ====<br />
<br />
<br />
=== Proxy Module ===<br />
==== Description ====<br />
==== How to test ====<br />
==== Misconfiguration ====<br />
==== Remediation ====<br />
<br />
<br />
=== User Directory Moudule ===<br />
<br />
== SSL / TLS Configuration ==<br />
=== Install a valid certificate ===<br />
==== Description ====<br />
==== How to test ====<br />
==== Misconfiguration ====<br />
==== Remediation ====<br />
<br />
<br />
=== Restric weak SSL Protocols and Ciphers ===<br />
==== Description ====<br />
==== How to test ====<br />
==== Misconfiguration ====<br />
==== Remediation ====<br />
<br />
<br />
=== Install mod_ssl Module === <br />
<br />
==== Description ====<br />
==== How to test ====<br />
==== Misconfiguration ====<br />
==== Remediation ====<br />
<br />
=== Avoid Insecure SSL Renogitation ===<br />
==== Description ====<br />
==== How to test ====<br />
==== Misconfiguration ====<br />
==== Remediation ====<br />
<br />
<br />
== Attack Migigation ==<br />
=== DOS ===<br />
==== Description ====<br />
==== How to test ====<br />
==== Misconfiguration ====<br />
==== Remediation ====<br />
<br />
=== Buffer Overflow ===<br />
==== Description ====<br />
==== How to test ====<br />
==== Misconfiguration ====<br />
==== Remediation ====<br />
<br />
== References ==<br />
<br />
https://httpd.apache.org/docs/current/misc/security_tips.html<br />
<br />
https://wiki.debian.org/Apache/Hardening<br />
<br />
https://wiki.apache.org/httpd/CommonMisconfigurations<br />
<br />
http://projects.webappsec.org/w/page/13246959/Server%20Misconfiguration</div>Nishanthkumarpathihttps://wiki.owasp.org/index.php?title=SCG_WS_Apache&diff=201684SCG WS Apache2015-10-05T17:57:48Z<p>Nishanthkumarpathi: /* Apache Server Information Leakage */</p>
<hr />
<div>{{Template:OWASP Secure Configuration Guide}}<br />
<br />
== Summary ==<br />
<br />
The Apache HTTP Server Project is a collaborative software development effort aimed at creating a robust, commercial-grade, featureful, and freely-available source code implementation of an HTTP (Web) server. The project is jointly managed by a group of volunteers located around the world, using the Internet and the Web to communicate, plan, and develop the server and its related documentation. This project is part of the Apache Software Foundation. In addition, hundreds of users have contributed ideas, code, and documentation to the project. This file is intended to briefly describe the history of the Apache HTTP Server and recognize the many contributors.<br />
<br />
== Important Files of Apache Server ==<br />
=== Apache Global Server Configuration Files ===<br />
<br />
Debian<br />
<pre>/etc/apache2/apache2.conf</pre><br />
RHEL / Red Hat / CentOS / Fedora Linux<br />
<pre>/etc/httpd/conf/httpd.conf</pre><br />
FreeBSD<br />
<pre>/usr/local/etc/apache2X/httpd.conf</pre><br />
<br />
Note:X represents the version number<br />
<br />
=== Apache Module Files ===<br />
Debian<pre>/etc/apache2/mods-enabled</pre><br />
RHEL / Red Hat / CentOS / Fedora Linux<pre>/etc/httpd/conf/conf.d</pre><br />
<br />
=== Apache Port Configuration File ===<br />
Debian<pre>/etc/apache2/ports.conf</pre><br />
RHEL / Red Hat / CentOS / Fedora Linux<pre>/etc/httpd/conf/conf.d</pre><br />
<br />
=== Apache Error Files ===<br />
Debian<pre>/var/log/apache2/error.log</pre><br />
RHEL / Red Hat / CentOS / Fedora Linux<pre>var/log/httpd/error_log</pre><br />
FreeBSD<pre>/var/log/httpd-error.log</pre><br />
=== Apache Error Files - Windows===<br />
<br />
== Apache Server Information Leakage ==<br />
<br />
=== Server Token Directive===<br />
<br />
==== Description ====<br />
<br />
This Directive Controls wheather Server response field is sent back to clients includes a description of Generic OS Type of the Server.<br />
<br />
<pre><br />
Server: Apache/2.2.14 (Unix) mod_ssl/2.2.14 OpenSSL/0.9.8e-fips-rhel5<br />
</pre><br />
<br />
This allows attackers to identify web servers details greatly and increases the efficiency of any attack,as security vulnerabilities<br />
are dependent upon specific software versions.<br />
<br />
==== How to test ====<br />
In order to test for ServerToken configuration, one should check the Apache configuration file.<br />
<br />
==== Misconfiguration ====<br />
<pre><br />
ServerTokens Full<br />
</pre><br />
<br />
==== Remediation ====<br />
<br />
Configure the ServerTokens directive in the Apache configuration to value of Prod or ProductOnly.<br />
This tells Apache to only return "Apache" in the Server header, returned on every page request.<br />
<br />
<pre><br />
ServerTokens Prod<br />
or<br />
ServerTokens ProductOnly<br />
</pre><br />
<br />
=== Server Signature ===<br />
==== Description ====<br />
==== How to test ====<br />
==== Misconfiguration ====<br />
==== Remediation ====<br />
<br />
<br />
=== Info Leakage via default Apache configuration ===<br />
==== Description ====<br />
==== How to test ====<br />
==== Misconfiguration ====<br />
==== Remediation ====<br />
<br />
== Operating System Privileges for Apache ==<br />
<br />
=== Run Apache with least privilege user ===<br />
==== Description ====<br />
==== How to test ====<br />
==== Misconfiguration ====<br />
==== Remediation ====<br />
<br />
=== Restrict Shell Access for Apache User=== <br />
==== Description ====<br />
==== How to test ====<br />
==== Misconfiguration ====<br />
==== Remediation ====<br />
<br />
=== Lock Apache user account===<br />
==== Description ====<br />
==== How to test ====<br />
==== Misconfiguration ====<br />
==== Remediation ====<br />
<br />
<br />
=== Apache Directory Ownership and Permissions ===<br />
==== Description ====<br />
==== How to test ====<br />
==== Misconfiguration ====<br />
==== Remediation ====<br />
<br />
<br />
<br />
=== Apache File Ownership and Permissions ===<br />
==== Description ====<br />
==== How to test ====<br />
==== Misconfiguration ====<br />
==== Remediation ====<br />
<br />
== Access Control List in Apache == <br />
=== Operating System Root directory ===<br />
==== Description ====<br />
==== How to test ====<br />
==== Misconfiguration ====<br />
==== Remediation ====<br />
<br />
<br />
=== Improper access to web content === <br />
==== Description ====<br />
==== How to test ====<br />
==== Misconfiguration ====<br />
==== Remediation ====<br />
<br />
<br />
=== Restrict OverRide for All Directories ===<br />
==== Description ====<br />
==== How to test ====<br />
==== Misconfiguration ====<br />
==== Remediation ====<br />
<br />
== Apache Features ==<br />
<br />
=== Limit HTTP Request Methods ===<br />
==== Description ====<br />
==== How to test ====<br />
==== Misconfiguration ====<br />
==== Remediation ====<br />
<br />
<br />
=== Disable HTTP Trace Method ===<br />
==== Description ====<br />
==== How to test ====<br />
==== Misconfiguration ====<br />
==== Remediation ====<br />
<br />
<br />
=== HTTP Protocol Version ===<br />
==== Description ====<br />
==== How to test ====<br />
==== Misconfiguration ====<br />
==== Remediation ====<br />
<br />
<br />
=== Restrict access to .htaccess files ===<br />
==== Description ====<br />
==== How to test ====<br />
==== Misconfiguration ====<br />
==== Remediation ====<br />
<br />
<br />
=== Restrict file extensions ===<br />
==== Description ====<br />
==== How to test ====<br />
==== Misconfiguration ====<br />
==== Remediation ====<br />
<br />
<br />
=== Remove Default HTML Page ===<br />
==== Description ====<br />
==== How to test ====<br />
==== Misconfiguration ====<br />
==== Remediation ====<br />
<br />
<br />
== Apache Module Configuration ==<br />
<br />
=== Authentication and Authorization Modules ===<br />
==== Description ====<br />
==== How to test ====<br />
==== Misconfiguration ====<br />
==== Remediation ====<br />
<br />
=== Status and Info Modules ===<br />
==== Description ====<br />
==== How to test ====<br />
==== Misconfiguration ====<br />
==== Remediation ====<br />
<br />
<br />
=== AutoIndex Module ===<br />
==== Description ====<br />
==== How to test ====<br />
==== Misconfiguration ====<br />
==== Remediation ====<br />
<br />
<br />
=== Proxy Module ===<br />
==== Description ====<br />
==== How to test ====<br />
==== Misconfiguration ====<br />
==== Remediation ====<br />
<br />
<br />
=== User Directory Moudule ===<br />
<br />
== SSL / TLS Configuration ==<br />
=== Install a valid certificate ===<br />
==== Description ====<br />
==== How to test ====<br />
==== Misconfiguration ====<br />
==== Remediation ====<br />
<br />
<br />
=== Restric weak SSL Protocols and Ciphers ===<br />
==== Description ====<br />
==== How to test ====<br />
==== Misconfiguration ====<br />
==== Remediation ====<br />
<br />
<br />
=== Install mod_ssl Module === <br />
<br />
==== Description ====<br />
==== How to test ====<br />
==== Misconfiguration ====<br />
==== Remediation ====<br />
<br />
=== Avoid Insecure SSL Renogitation ===<br />
==== Description ====<br />
==== How to test ====<br />
==== Misconfiguration ====<br />
==== Remediation ====<br />
<br />
<br />
== Attack Migigation ==<br />
=== DOS ===<br />
==== Description ====<br />
==== How to test ====<br />
==== Misconfiguration ====<br />
==== Remediation ====<br />
<br />
=== Buffer Overflow ===<br />
==== Description ====<br />
==== How to test ====<br />
==== Misconfiguration ====<br />
==== Remediation ====<br />
<br />
== References ==<br />
<br />
https://httpd.apache.org/docs/current/misc/security_tips.html<br />
<br />
https://wiki.debian.org/Apache/Hardening<br />
<br />
https://wiki.apache.org/httpd/CommonMisconfigurations<br />
<br />
http://projects.webappsec.org/w/page/13246959/Server%20Misconfiguration</div>Nishanthkumarpathihttps://wiki.owasp.org/index.php?title=SCG_WS_Apache&diff=201683SCG WS Apache2015-10-05T17:53:44Z<p>Nishanthkumarpathi: /* Server Token */</p>
<hr />
<div>{{Template:OWASP Secure Configuration Guide}}<br />
<br />
== Summary ==<br />
<br />
The Apache HTTP Server Project is a collaborative software development effort aimed at creating a robust, commercial-grade, featureful, and freely-available source code implementation of an HTTP (Web) server. The project is jointly managed by a group of volunteers located around the world, using the Internet and the Web to communicate, plan, and develop the server and its related documentation. This project is part of the Apache Software Foundation. In addition, hundreds of users have contributed ideas, code, and documentation to the project. This file is intended to briefly describe the history of the Apache HTTP Server and recognize the many contributors.<br />
<br />
== Important Files of Apache Server ==<br />
=== Apache Global Server Configuration Files ===<br />
<br />
Debian<br />
<pre>/etc/apache2/apache2.conf</pre><br />
RHEL / Red Hat / CentOS / Fedora Linux<br />
<pre>/etc/httpd/conf/httpd.conf</pre><br />
FreeBSD<br />
<pre>/usr/local/etc/apache2X/httpd.conf</pre><br />
<br />
Note:X represents the version number<br />
<br />
=== Apache Module Files ===<br />
Debian<pre>/etc/apache2/mods-enabled</pre><br />
RHEL / Red Hat / CentOS / Fedora Linux<pre>/etc/httpd/conf/conf.d</pre><br />
<br />
=== Apache Port Configuration File ===<br />
Debian<pre>/etc/apache2/ports.conf</pre><br />
RHEL / Red Hat / CentOS / Fedora Linux<pre>/etc/httpd/conf/conf.d</pre><br />
<br />
=== Apache Error Files ===<br />
Debian<pre>/var/log/apache2/error.log</pre><br />
RHEL / Red Hat / CentOS / Fedora Linux<pre>var/log/httpd/error_log</pre><br />
FreeBSD<pre>/var/log/httpd-error.log</pre><br />
=== Apache Error Files - Windows===<br />
<br />
== Apache Server Information Leakage ==<br />
<br />
=== Server Token Directive===<br />
<br />
==== Description ====<br />
<br />
This Directive Controls wheather Server response filed is sent back to clients includes a description of Generic OS Type of the Server.<br />
<br />
<pre><br />
Server: Apache/2.2.14 (Unix) mod_ssl/2.2.14 OpenSSL/0.9.8e-fips-rhel5<br />
</pre><br />
<br />
This allows attackers to identify web servers details greatly and increases the efficiency of any attack,as security vulnerabilities<br />
are dependent upon specific software versions.<br />
<br />
==== How to test ====<br />
In order to test for ServerToken configuration, one should check the Apache configuration file.<br />
<br />
==== Misconfiguration ====<br />
<pre><br />
ServerTokens Full<br />
</pre><br />
<br />
==== Remediation ====<br />
<br />
Configure the ServerTokens directive in the Apache configuration to value of Prod or ProductOnly.<br />
This tells Apache to only return "Apache" in the Server header, returned on every page request.<br />
<br />
<pre><br />
ServerTokens Prod<br />
or<br />
ServerTokens ProductOnly<br />
</pre><br />
<br />
=== Server Signature ===<br />
==== Description ====<br />
==== How to test ====<br />
==== Misconfiguration ====<br />
==== Remediation ====<br />
<br />
<br />
=== Info Leakage via default Apache configuration ===<br />
==== Description ====<br />
==== How to test ====<br />
==== Misconfiguration ====<br />
==== Remediation ====<br />
<br />
<br />
== Operating System Privileges for Apache ==<br />
<br />
=== Run Apache with least privilege user ===<br />
==== Description ====<br />
==== How to test ====<br />
==== Misconfiguration ====<br />
==== Remediation ====<br />
<br />
=== Restrict Shell Access for Apache User=== <br />
==== Description ====<br />
==== How to test ====<br />
==== Misconfiguration ====<br />
==== Remediation ====<br />
<br />
=== Lock Apache user account===<br />
==== Description ====<br />
==== How to test ====<br />
==== Misconfiguration ====<br />
==== Remediation ====<br />
<br />
<br />
=== Apache Directory Ownership and Permissions ===<br />
==== Description ====<br />
==== How to test ====<br />
==== Misconfiguration ====<br />
==== Remediation ====<br />
<br />
<br />
<br />
=== Apache File Ownership and Permissions ===<br />
==== Description ====<br />
==== How to test ====<br />
==== Misconfiguration ====<br />
==== Remediation ====<br />
<br />
== Access Control List in Apache == <br />
=== Operating System Root directory ===<br />
==== Description ====<br />
==== How to test ====<br />
==== Misconfiguration ====<br />
==== Remediation ====<br />
<br />
<br />
=== Improper access to web content === <br />
==== Description ====<br />
==== How to test ====<br />
==== Misconfiguration ====<br />
==== Remediation ====<br />
<br />
<br />
=== Restrict OverRide for All Directories ===<br />
==== Description ====<br />
==== How to test ====<br />
==== Misconfiguration ====<br />
==== Remediation ====<br />
<br />
== Apache Features ==<br />
<br />
=== Limit HTTP Request Methods ===<br />
==== Description ====<br />
==== How to test ====<br />
==== Misconfiguration ====<br />
==== Remediation ====<br />
<br />
<br />
=== Disable HTTP Trace Method ===<br />
==== Description ====<br />
==== How to test ====<br />
==== Misconfiguration ====<br />
==== Remediation ====<br />
<br />
<br />
=== HTTP Protocol Version ===<br />
==== Description ====<br />
==== How to test ====<br />
==== Misconfiguration ====<br />
==== Remediation ====<br />
<br />
<br />
=== Restrict access to .htaccess files ===<br />
==== Description ====<br />
==== How to test ====<br />
==== Misconfiguration ====<br />
==== Remediation ====<br />
<br />
<br />
=== Restrict file extensions ===<br />
==== Description ====<br />
==== How to test ====<br />
==== Misconfiguration ====<br />
==== Remediation ====<br />
<br />
<br />
=== Remove Default HTML Page ===<br />
==== Description ====<br />
==== How to test ====<br />
==== Misconfiguration ====<br />
==== Remediation ====<br />
<br />
<br />
== Apache Module Configuration ==<br />
<br />
=== Authentication and Authorization Modules ===<br />
==== Description ====<br />
==== How to test ====<br />
==== Misconfiguration ====<br />
==== Remediation ====<br />
<br />
=== Status and Info Modules ===<br />
==== Description ====<br />
==== How to test ====<br />
==== Misconfiguration ====<br />
==== Remediation ====<br />
<br />
<br />
=== AutoIndex Module ===<br />
==== Description ====<br />
==== How to test ====<br />
==== Misconfiguration ====<br />
==== Remediation ====<br />
<br />
<br />
=== Proxy Module ===<br />
==== Description ====<br />
==== How to test ====<br />
==== Misconfiguration ====<br />
==== Remediation ====<br />
<br />
<br />
=== User Directory Moudule ===<br />
<br />
== SSL / TLS Configuration ==<br />
=== Install a valid certificate ===<br />
==== Description ====<br />
==== How to test ====<br />
==== Misconfiguration ====<br />
==== Remediation ====<br />
<br />
<br />
=== Restric weak SSL Protocols and Ciphers ===<br />
==== Description ====<br />
==== How to test ====<br />
==== Misconfiguration ====<br />
==== Remediation ====<br />
<br />
<br />
=== Install mod_ssl Module === <br />
<br />
==== Description ====<br />
==== How to test ====<br />
==== Misconfiguration ====<br />
==== Remediation ====<br />
<br />
=== Avoid Insecure SSL Renogitation ===<br />
==== Description ====<br />
==== How to test ====<br />
==== Misconfiguration ====<br />
==== Remediation ====<br />
<br />
<br />
== Attack Migigation ==<br />
=== DOS ===<br />
==== Description ====<br />
==== How to test ====<br />
==== Misconfiguration ====<br />
==== Remediation ====<br />
<br />
=== Buffer Overflow ===<br />
==== Description ====<br />
==== How to test ====<br />
==== Misconfiguration ====<br />
==== Remediation ====<br />
<br />
== References ==<br />
<br />
https://httpd.apache.org/docs/current/misc/security_tips.html<br />
<br />
https://wiki.debian.org/Apache/Hardening<br />
<br />
https://wiki.apache.org/httpd/CommonMisconfigurations<br />
<br />
http://projects.webappsec.org/w/page/13246959/Server%20Misconfiguration</div>Nishanthkumarpathihttps://wiki.owasp.org/index.php?title=SCG_WS_Apache&diff=201681SCG WS Apache2015-10-05T17:50:06Z<p>Nishanthkumarpathi: /* Apache Global Server Configuration Files */</p>
<hr />
<div>{{Template:OWASP Secure Configuration Guide}}<br />
<br />
== Summary ==<br />
<br />
The Apache HTTP Server Project is a collaborative software development effort aimed at creating a robust, commercial-grade, featureful, and freely-available source code implementation of an HTTP (Web) server. The project is jointly managed by a group of volunteers located around the world, using the Internet and the Web to communicate, plan, and develop the server and its related documentation. This project is part of the Apache Software Foundation. In addition, hundreds of users have contributed ideas, code, and documentation to the project. This file is intended to briefly describe the history of the Apache HTTP Server and recognize the many contributors.<br />
<br />
== Important Files of Apache Server ==<br />
=== Apache Global Server Configuration Files ===<br />
<br />
Debian<br />
<pre>/etc/apache2/apache2.conf</pre><br />
RHEL / Red Hat / CentOS / Fedora Linux<br />
<pre>/etc/httpd/conf/httpd.conf</pre><br />
FreeBSD<br />
<pre>/usr/local/etc/apache2X/httpd.conf</pre><br />
<br />
Note:X represents the version number<br />
<br />
=== Apache Module Files ===<br />
Debian<pre>/etc/apache2/mods-enabled</pre><br />
RHEL / Red Hat / CentOS / Fedora Linux<pre>/etc/httpd/conf/conf.d</pre><br />
<br />
=== Apache Port Configuration File ===<br />
Debian<pre>/etc/apache2/ports.conf</pre><br />
RHEL / Red Hat / CentOS / Fedora Linux<pre>/etc/httpd/conf/conf.d</pre><br />
<br />
=== Apache Error Files ===<br />
Debian<pre>/var/log/apache2/error.log</pre><br />
RHEL / Red Hat / CentOS / Fedora Linux<pre>var/log/httpd/error_log</pre><br />
FreeBSD<pre>/var/log/httpd-error.log</pre><br />
=== Apache Error Files - Windows===<br />
<br />
== Apache Server Information Leakage ==<br />
<br />
=== Server Token ===<br />
<br />
==== Description ====<br />
<br />
By Default Apache ServerToken directive reveals the below information.<br />
<br />
<pre><br />
Server: Apache/2.2.14 (Unix) mod_ssl/2.2.14 OpenSSL/0.9.8e-fips-rhel5<br />
</pre><br />
<br />
This allows attackers to identify web servers details greatly and increases the efficiency of any attack,as security vulnerabilities<br />
are dependent upon specific software versions.<br />
<br />
==== How to test ====<br />
In order to test for ServerToken configuration, one should check the Apache configuration file.<br />
<br />
==== Misconfiguration ====<br />
<pre><br />
ServerTokens Full<br />
</pre><br />
<br />
==== Remediation ====<br />
<br />
Configure the ServerTokens directive in the Apache configuration to value of Prod or ProductOnly<br />
<br />
<pre><br />
ServerTokens Prod<br />
or<br />
ServerTokens ProductOnly<br />
</pre><br />
<br />
=== Server Signature ===<br />
==== Description ====<br />
==== How to test ====<br />
==== Misconfiguration ====<br />
==== Remediation ====<br />
<br />
<br />
=== Info Leakage via default Apache configuration ===<br />
==== Description ====<br />
==== How to test ====<br />
==== Misconfiguration ====<br />
==== Remediation ====<br />
<br />
<br />
== Operating System Privileges for Apache ==<br />
<br />
=== Run Apache with least privilege user ===<br />
==== Description ====<br />
==== How to test ====<br />
==== Misconfiguration ====<br />
==== Remediation ====<br />
<br />
=== Restrict Shell Access for Apache User=== <br />
==== Description ====<br />
==== How to test ====<br />
==== Misconfiguration ====<br />
==== Remediation ====<br />
<br />
=== Lock Apache user account===<br />
==== Description ====<br />
==== How to test ====<br />
==== Misconfiguration ====<br />
==== Remediation ====<br />
<br />
<br />
=== Apache Directory Ownership and Permissions ===<br />
==== Description ====<br />
==== How to test ====<br />
==== Misconfiguration ====<br />
==== Remediation ====<br />
<br />
<br />
<br />
=== Apache File Ownership and Permissions ===<br />
==== Description ====<br />
==== How to test ====<br />
==== Misconfiguration ====<br />
==== Remediation ====<br />
<br />
== Access Control List in Apache == <br />
=== Operating System Root directory ===<br />
==== Description ====<br />
==== How to test ====<br />
==== Misconfiguration ====<br />
==== Remediation ====<br />
<br />
<br />
=== Improper access to web content === <br />
==== Description ====<br />
==== How to test ====<br />
==== Misconfiguration ====<br />
==== Remediation ====<br />
<br />
<br />
=== Restrict OverRide for All Directories ===<br />
==== Description ====<br />
==== How to test ====<br />
==== Misconfiguration ====<br />
==== Remediation ====<br />
<br />
== Apache Features ==<br />
<br />
=== Limit HTTP Request Methods ===<br />
==== Description ====<br />
==== How to test ====<br />
==== Misconfiguration ====<br />
==== Remediation ====<br />
<br />
<br />
=== Disable HTTP Trace Method ===<br />
==== Description ====<br />
==== How to test ====<br />
==== Misconfiguration ====<br />
==== Remediation ====<br />
<br />
<br />
=== HTTP Protocol Version ===<br />
==== Description ====<br />
==== How to test ====<br />
==== Misconfiguration ====<br />
==== Remediation ====<br />
<br />
<br />
=== Restrict access to .htaccess files ===<br />
==== Description ====<br />
==== How to test ====<br />
==== Misconfiguration ====<br />
==== Remediation ====<br />
<br />
<br />
=== Restrict file extensions ===<br />
==== Description ====<br />
==== How to test ====<br />
==== Misconfiguration ====<br />
==== Remediation ====<br />
<br />
<br />
=== Remove Default HTML Page ===<br />
==== Description ====<br />
==== How to test ====<br />
==== Misconfiguration ====<br />
==== Remediation ====<br />
<br />
<br />
== Apache Module Configuration ==<br />
<br />
=== Authentication and Authorization Modules ===<br />
==== Description ====<br />
==== How to test ====<br />
==== Misconfiguration ====<br />
==== Remediation ====<br />
<br />
=== Status and Info Modules ===<br />
==== Description ====<br />
==== How to test ====<br />
==== Misconfiguration ====<br />
==== Remediation ====<br />
<br />
<br />
=== AutoIndex Module ===<br />
==== Description ====<br />
==== How to test ====<br />
==== Misconfiguration ====<br />
==== Remediation ====<br />
<br />
<br />
=== Proxy Module ===<br />
==== Description ====<br />
==== How to test ====<br />
==== Misconfiguration ====<br />
==== Remediation ====<br />
<br />
<br />
=== User Directory Moudule ===<br />
<br />
== SSL / TLS Configuration ==<br />
=== Install a valid certificate ===<br />
==== Description ====<br />
==== How to test ====<br />
==== Misconfiguration ====<br />
==== Remediation ====<br />
<br />
<br />
=== Restric weak SSL Protocols and Ciphers ===<br />
==== Description ====<br />
==== How to test ====<br />
==== Misconfiguration ====<br />
==== Remediation ====<br />
<br />
<br />
=== Install mod_ssl Module === <br />
<br />
==== Description ====<br />
==== How to test ====<br />
==== Misconfiguration ====<br />
==== Remediation ====<br />
<br />
=== Avoid Insecure SSL Renogitation ===<br />
==== Description ====<br />
==== How to test ====<br />
==== Misconfiguration ====<br />
==== Remediation ====<br />
<br />
<br />
== Attack Migigation ==<br />
=== DOS ===<br />
==== Description ====<br />
==== How to test ====<br />
==== Misconfiguration ====<br />
==== Remediation ====<br />
<br />
=== Buffer Overflow ===<br />
==== Description ====<br />
==== How to test ====<br />
==== Misconfiguration ====<br />
==== Remediation ====<br />
<br />
== References ==<br />
<br />
https://httpd.apache.org/docs/current/misc/security_tips.html<br />
<br />
https://wiki.debian.org/Apache/Hardening<br />
<br />
https://wiki.apache.org/httpd/CommonMisconfigurations<br />
<br />
http://projects.webappsec.org/w/page/13246959/Server%20Misconfiguration</div>Nishanthkumarpathihttps://wiki.owasp.org/index.php?title=SCG_WS_Apache&diff=201680SCG WS Apache2015-10-05T17:49:26Z<p>Nishanthkumarpathi: /* Apache Global Server Configuration Files */</p>
<hr />
<div>{{Template:OWASP Secure Configuration Guide}}<br />
<br />
== Summary ==<br />
<br />
The Apache HTTP Server Project is a collaborative software development effort aimed at creating a robust, commercial-grade, featureful, and freely-available source code implementation of an HTTP (Web) server. The project is jointly managed by a group of volunteers located around the world, using the Internet and the Web to communicate, plan, and develop the server and its related documentation. This project is part of the Apache Software Foundation. In addition, hundreds of users have contributed ideas, code, and documentation to the project. This file is intended to briefly describe the history of the Apache HTTP Server and recognize the many contributors.<br />
<br />
== Important Files of Apache Server ==<br />
=== Apache Global Server Configuration Files ===<br />
<br />
Debian<br />
<pre>/etc/apache2/apache2.conf</pre><br />
RHEL / Red Hat / CentOS / Fedora Linux<br />
<pre>/etc/httpd/conf/httpd.conf</pre><br />
FreeBSD<br />
<pre>/usr/local/etc/apache2<b>X</b>/httpd.conf</pre><br />
<br />
Note:x represents the version number<br />
<br />
=== Apache Module Files ===<br />
Debian<pre>/etc/apache2/mods-enabled</pre><br />
RHEL / Red Hat / CentOS / Fedora Linux<pre>/etc/httpd/conf/conf.d</pre><br />
<br />
=== Apache Port Configuration File ===<br />
Debian<pre>/etc/apache2/ports.conf</pre><br />
RHEL / Red Hat / CentOS / Fedora Linux<pre>/etc/httpd/conf/conf.d</pre><br />
<br />
=== Apache Error Files ===<br />
Debian<pre>/var/log/apache2/error.log</pre><br />
RHEL / Red Hat / CentOS / Fedora Linux<pre>var/log/httpd/error_log</pre><br />
FreeBSD<pre>/var/log/httpd-error.log</pre><br />
=== Apache Error Files - Windows===<br />
<br />
== Apache Server Information Leakage ==<br />
<br />
=== Server Token ===<br />
<br />
==== Description ====<br />
<br />
By Default Apache ServerToken directive reveals the below information.<br />
<br />
<pre><br />
Server: Apache/2.2.14 (Unix) mod_ssl/2.2.14 OpenSSL/0.9.8e-fips-rhel5<br />
</pre><br />
<br />
This allows attackers to identify web servers details greatly and increases the efficiency of any attack,as security vulnerabilities<br />
are dependent upon specific software versions.<br />
<br />
==== How to test ====<br />
In order to test for ServerToken configuration, one should check the Apache configuration file.<br />
<br />
==== Misconfiguration ====<br />
<pre><br />
ServerTokens Full<br />
</pre><br />
<br />
==== Remediation ====<br />
<br />
Configure the ServerTokens directive in the Apache configuration to value of Prod or ProductOnly<br />
<br />
<pre><br />
ServerTokens Prod<br />
or<br />
ServerTokens ProductOnly<br />
</pre><br />
<br />
=== Server Signature ===<br />
==== Description ====<br />
==== How to test ====<br />
==== Misconfiguration ====<br />
==== Remediation ====<br />
<br />
<br />
=== Info Leakage via default Apache configuration ===<br />
==== Description ====<br />
==== How to test ====<br />
==== Misconfiguration ====<br />
==== Remediation ====<br />
<br />
<br />
== Operating System Privileges for Apache ==<br />
<br />
=== Run Apache with least privilege user ===<br />
==== Description ====<br />
==== How to test ====<br />
==== Misconfiguration ====<br />
==== Remediation ====<br />
<br />
=== Restrict Shell Access for Apache User=== <br />
==== Description ====<br />
==== How to test ====<br />
==== Misconfiguration ====<br />
==== Remediation ====<br />
<br />
=== Lock Apache user account===<br />
==== Description ====<br />
==== How to test ====<br />
==== Misconfiguration ====<br />
==== Remediation ====<br />
<br />
<br />
=== Apache Directory Ownership and Permissions ===<br />
==== Description ====<br />
==== How to test ====<br />
==== Misconfiguration ====<br />
==== Remediation ====<br />
<br />
<br />
<br />
=== Apache File Ownership and Permissions ===<br />
==== Description ====<br />
==== How to test ====<br />
==== Misconfiguration ====<br />
==== Remediation ====<br />
<br />
== Access Control List in Apache == <br />
=== Operating System Root directory ===<br />
==== Description ====<br />
==== How to test ====<br />
==== Misconfiguration ====<br />
==== Remediation ====<br />
<br />
<br />
=== Improper access to web content === <br />
==== Description ====<br />
==== How to test ====<br />
==== Misconfiguration ====<br />
==== Remediation ====<br />
<br />
<br />
=== Restrict OverRide for All Directories ===<br />
==== Description ====<br />
==== How to test ====<br />
==== Misconfiguration ====<br />
==== Remediation ====<br />
<br />
== Apache Features ==<br />
<br />
=== Limit HTTP Request Methods ===<br />
==== Description ====<br />
==== How to test ====<br />
==== Misconfiguration ====<br />
==== Remediation ====<br />
<br />
<br />
=== Disable HTTP Trace Method ===<br />
==== Description ====<br />
==== How to test ====<br />
==== Misconfiguration ====<br />
==== Remediation ====<br />
<br />
<br />
=== HTTP Protocol Version ===<br />
==== Description ====<br />
==== How to test ====<br />
==== Misconfiguration ====<br />
==== Remediation ====<br />
<br />
<br />
=== Restrict access to .htaccess files ===<br />
==== Description ====<br />
==== How to test ====<br />
==== Misconfiguration ====<br />
==== Remediation ====<br />
<br />
<br />
=== Restrict file extensions ===<br />
==== Description ====<br />
==== How to test ====<br />
==== Misconfiguration ====<br />
==== Remediation ====<br />
<br />
<br />
=== Remove Default HTML Page ===<br />
==== Description ====<br />
==== How to test ====<br />
==== Misconfiguration ====<br />
==== Remediation ====<br />
<br />
<br />
== Apache Module Configuration ==<br />
<br />
=== Authentication and Authorization Modules ===<br />
==== Description ====<br />
==== How to test ====<br />
==== Misconfiguration ====<br />
==== Remediation ====<br />
<br />
=== Status and Info Modules ===<br />
==== Description ====<br />
==== How to test ====<br />
==== Misconfiguration ====<br />
==== Remediation ====<br />
<br />
<br />
=== AutoIndex Module ===<br />
==== Description ====<br />
==== How to test ====<br />
==== Misconfiguration ====<br />
==== Remediation ====<br />
<br />
<br />
=== Proxy Module ===<br />
==== Description ====<br />
==== How to test ====<br />
==== Misconfiguration ====<br />
==== Remediation ====<br />
<br />
<br />
=== User Directory Moudule ===<br />
<br />
== SSL / TLS Configuration ==<br />
=== Install a valid certificate ===<br />
==== Description ====<br />
==== How to test ====<br />
==== Misconfiguration ====<br />
==== Remediation ====<br />
<br />
<br />
=== Restric weak SSL Protocols and Ciphers ===<br />
==== Description ====<br />
==== How to test ====<br />
==== Misconfiguration ====<br />
==== Remediation ====<br />
<br />
<br />
=== Install mod_ssl Module === <br />
<br />
==== Description ====<br />
==== How to test ====<br />
==== Misconfiguration ====<br />
==== Remediation ====<br />
<br />
=== Avoid Insecure SSL Renogitation ===<br />
==== Description ====<br />
==== How to test ====<br />
==== Misconfiguration ====<br />
==== Remediation ====<br />
<br />
<br />
== Attack Migigation ==<br />
=== DOS ===<br />
==== Description ====<br />
==== How to test ====<br />
==== Misconfiguration ====<br />
==== Remediation ====<br />
<br />
=== Buffer Overflow ===<br />
==== Description ====<br />
==== How to test ====<br />
==== Misconfiguration ====<br />
==== Remediation ====<br />
<br />
== References ==<br />
<br />
https://httpd.apache.org/docs/current/misc/security_tips.html<br />
<br />
https://wiki.debian.org/Apache/Hardening<br />
<br />
https://wiki.apache.org/httpd/CommonMisconfigurations<br />
<br />
http://projects.webappsec.org/w/page/13246959/Server%20Misconfiguration</div>Nishanthkumarpathihttps://wiki.owasp.org/index.php?title=SCG_WS_Apache&diff=201679SCG WS Apache2015-10-05T17:48:50Z<p>Nishanthkumarpathi: /* Apache Global Server Configuration Files */</p>
<hr />
<div>{{Template:OWASP Secure Configuration Guide}}<br />
<br />
== Summary ==<br />
<br />
The Apache HTTP Server Project is a collaborative software development effort aimed at creating a robust, commercial-grade, featureful, and freely-available source code implementation of an HTTP (Web) server. The project is jointly managed by a group of volunteers located around the world, using the Internet and the Web to communicate, plan, and develop the server and its related documentation. This project is part of the Apache Software Foundation. In addition, hundreds of users have contributed ideas, code, and documentation to the project. This file is intended to briefly describe the history of the Apache HTTP Server and recognize the many contributors.<br />
<br />
== Important Files of Apache Server ==<br />
=== Apache Global Server Configuration Files ===<br />
<br />
Debian<br />
<pre>/etc/apache2/apache2.conf</pre><br />
RHEL / Red Hat / CentOS / Fedora Linux<br />
<pre>/etc/httpd/conf/httpd.conf</pre><br />
FreeBSD<br />
<pre>/usr/local/etc/apache2'''x'''/httpd.conf</pre><br />
<br />
Note:x represents the version number<br />
<br />
=== Apache Module Files ===<br />
Debian<pre>/etc/apache2/mods-enabled</pre><br />
RHEL / Red Hat / CentOS / Fedora Linux<pre>/etc/httpd/conf/conf.d</pre><br />
<br />
=== Apache Port Configuration File ===<br />
Debian<pre>/etc/apache2/ports.conf</pre><br />
RHEL / Red Hat / CentOS / Fedora Linux<pre>/etc/httpd/conf/conf.d</pre><br />
<br />
=== Apache Error Files ===<br />
Debian<pre>/var/log/apache2/error.log</pre><br />
RHEL / Red Hat / CentOS / Fedora Linux<pre>var/log/httpd/error_log</pre><br />
FreeBSD<pre>/var/log/httpd-error.log</pre><br />
=== Apache Error Files - Windows===<br />
<br />
== Apache Server Information Leakage ==<br />
<br />
=== Server Token ===<br />
<br />
==== Description ====<br />
<br />
By Default Apache ServerToken directive reveals the below information.<br />
<br />
<pre><br />
Server: Apache/2.2.14 (Unix) mod_ssl/2.2.14 OpenSSL/0.9.8e-fips-rhel5<br />
</pre><br />
<br />
This allows attackers to identify web servers details greatly and increases the efficiency of any attack,as security vulnerabilities<br />
are dependent upon specific software versions.<br />
<br />
==== How to test ====<br />
In order to test for ServerToken configuration, one should check the Apache configuration file.<br />
<br />
==== Misconfiguration ====<br />
<pre><br />
ServerTokens Full<br />
</pre><br />
<br />
==== Remediation ====<br />
<br />
Configure the ServerTokens directive in the Apache configuration to value of Prod or ProductOnly<br />
<br />
<pre><br />
ServerTokens Prod<br />
or<br />
ServerTokens ProductOnly<br />
</pre><br />
<br />
=== Server Signature ===<br />
==== Description ====<br />
==== How to test ====<br />
==== Misconfiguration ====<br />
==== Remediation ====<br />
<br />
<br />
=== Info Leakage via default Apache configuration ===<br />
==== Description ====<br />
==== How to test ====<br />
==== Misconfiguration ====<br />
==== Remediation ====<br />
<br />
<br />
== Operating System Privileges for Apache ==<br />
<br />
=== Run Apache with least privilege user ===<br />
==== Description ====<br />
==== How to test ====<br />
==== Misconfiguration ====<br />
==== Remediation ====<br />
<br />
=== Restrict Shell Access for Apache User=== <br />
==== Description ====<br />
==== How to test ====<br />
==== Misconfiguration ====<br />
==== Remediation ====<br />
<br />
=== Lock Apache user account===<br />
==== Description ====<br />
==== How to test ====<br />
==== Misconfiguration ====<br />
==== Remediation ====<br />
<br />
<br />
=== Apache Directory Ownership and Permissions ===<br />
==== Description ====<br />
==== How to test ====<br />
==== Misconfiguration ====<br />
==== Remediation ====<br />
<br />
<br />
<br />
=== Apache File Ownership and Permissions ===<br />
==== Description ====<br />
==== How to test ====<br />
==== Misconfiguration ====<br />
==== Remediation ====<br />
<br />
== Access Control List in Apache == <br />
=== Operating System Root directory ===<br />
==== Description ====<br />
==== How to test ====<br />
==== Misconfiguration ====<br />
==== Remediation ====<br />
<br />
<br />
=== Improper access to web content === <br />
==== Description ====<br />
==== How to test ====<br />
==== Misconfiguration ====<br />
==== Remediation ====<br />
<br />
<br />
=== Restrict OverRide for All Directories ===<br />
==== Description ====<br />
==== How to test ====<br />
==== Misconfiguration ====<br />
==== Remediation ====<br />
<br />
== Apache Features ==<br />
<br />
=== Limit HTTP Request Methods ===<br />
==== Description ====<br />
==== How to test ====<br />
==== Misconfiguration ====<br />
==== Remediation ====<br />
<br />
<br />
=== Disable HTTP Trace Method ===<br />
==== Description ====<br />
==== How to test ====<br />
==== Misconfiguration ====<br />
==== Remediation ====<br />
<br />
<br />
=== HTTP Protocol Version ===<br />
==== Description ====<br />
==== How to test ====<br />
==== Misconfiguration ====<br />
==== Remediation ====<br />
<br />
<br />
=== Restrict access to .htaccess files ===<br />
==== Description ====<br />
==== How to test ====<br />
==== Misconfiguration ====<br />
==== Remediation ====<br />
<br />
<br />
=== Restrict file extensions ===<br />
==== Description ====<br />
==== How to test ====<br />
==== Misconfiguration ====<br />
==== Remediation ====<br />
<br />
<br />
=== Remove Default HTML Page ===<br />
==== Description ====<br />
==== How to test ====<br />
==== Misconfiguration ====<br />
==== Remediation ====<br />
<br />
<br />
== Apache Module Configuration ==<br />
<br />
=== Authentication and Authorization Modules ===<br />
==== Description ====<br />
==== How to test ====<br />
==== Misconfiguration ====<br />
==== Remediation ====<br />
<br />
=== Status and Info Modules ===<br />
==== Description ====<br />
==== How to test ====<br />
==== Misconfiguration ====<br />
==== Remediation ====<br />
<br />
<br />
=== AutoIndex Module ===<br />
==== Description ====<br />
==== How to test ====<br />
==== Misconfiguration ====<br />
==== Remediation ====<br />
<br />
<br />
=== Proxy Module ===<br />
==== Description ====<br />
==== How to test ====<br />
==== Misconfiguration ====<br />
==== Remediation ====<br />
<br />
<br />
=== User Directory Moudule ===<br />
<br />
== SSL / TLS Configuration ==<br />
=== Install a valid certificate ===<br />
==== Description ====<br />
==== How to test ====<br />
==== Misconfiguration ====<br />
==== Remediation ====<br />
<br />
<br />
=== Restric weak SSL Protocols and Ciphers ===<br />
==== Description ====<br />
==== How to test ====<br />
==== Misconfiguration ====<br />
==== Remediation ====<br />
<br />
<br />
=== Install mod_ssl Module === <br />
<br />
==== Description ====<br />
==== How to test ====<br />
==== Misconfiguration ====<br />
==== Remediation ====<br />
<br />
=== Avoid Insecure SSL Renogitation ===<br />
==== Description ====<br />
==== How to test ====<br />
==== Misconfiguration ====<br />
==== Remediation ====<br />
<br />
<br />
== Attack Migigation ==<br />
=== DOS ===<br />
==== Description ====<br />
==== How to test ====<br />
==== Misconfiguration ====<br />
==== Remediation ====<br />
<br />
=== Buffer Overflow ===<br />
==== Description ====<br />
==== How to test ====<br />
==== Misconfiguration ====<br />
==== Remediation ====<br />
<br />
== References ==<br />
<br />
https://httpd.apache.org/docs/current/misc/security_tips.html<br />
<br />
https://wiki.debian.org/Apache/Hardening<br />
<br />
https://wiki.apache.org/httpd/CommonMisconfigurations<br />
<br />
http://projects.webappsec.org/w/page/13246959/Server%20Misconfiguration</div>Nishanthkumarpathihttps://wiki.owasp.org/index.php?title=Talk:Nishanthkumarpathi&diff=201676Talk:Nishanthkumarpathi2015-10-05T17:44:04Z<p>Nishanthkumarpathi: Nishanthkumarpathi moved page User talk:Nishanthkumarpathi to Talk:Nishanthkumarpathi</p>
<hr />
<div>'''Welcome to ''OWASP''!'''<br />
We hope you will contribute much and well.<br />
You will probably want to read the [https://www.mediawiki.org/wiki/Special:MyLanguage/Help:Contents help pages].<br />
Again, welcome and have fun! [[User:KateHartmann|KateHartmann]] ([[User talk:KateHartmann|talk]]) 09:43, 30 September 2015 (CDT)</div>Nishanthkumarpathihttps://wiki.owasp.org/index.php?title=User_talk:Nishanthkumarpathi&diff=201677User talk:Nishanthkumarpathi2015-10-05T17:44:04Z<p>Nishanthkumarpathi: Nishanthkumarpathi moved page User talk:Nishanthkumarpathi to Talk:Nishanthkumarpathi</p>
<hr />
<div>#REDIRECT [[Talk:Nishanthkumarpathi]]</div>Nishanthkumarpathihttps://wiki.owasp.org/index.php?title=Nishanthkumarpathi&diff=201674Nishanthkumarpathi2015-10-05T17:44:03Z<p>Nishanthkumarpathi: Nishanthkumarpathi moved page User:Nishanthkumarpathi to Nishanthkumarpathi</p>
<hr />
<div>Nishanth Kumar is a dynamic professional with an experience in Information Security, Network Security Analysis, and Compliance functions, Linux Administration, System Administration & Management to ensure secure information processing environment.<br />
<br />
Certifications :<br />
<br />
JUNIPER NETWORKS CERTIFIED PROFESSIONAL - SECURITY<br><br />
JUNIPER NETWORKS CERTIFIED SPECIALIST - SECURITY<br><br />
JUNIPER NETWORKS CERTIFIED ASSOCIATE - JUNOS<br><br />
<br />
Skills :<br />
<br />
Risk Assessment, Vulnerability Assessment, Penetration Testing, Perimeter Security, Incident handling, Log Analysis, Intrusion monitoring and networking.<br />
<br />
Deft in planning & managing entire IT infrastructure setup which includes assessment of hardware /software requirements , negotiation of purchase , installation & configuration of entire IT infrastructure in line with business requirements and migration of data from legacy systems.<br />
Assessing organizational requirements for security & implementing security software system against various attacks; executing backup strategy etc.<br />
<br />
Knowledge in IT Security, Business Continuity, Risk Management and Security Audits.<br />
<br />
Documenting business process, drafting Policy / Procedures in line with ISMS standard, reviewing Business Continuity and Disaster Recovery plans & Generation of metrics review reports.<br />
<br />
Knowledge on auditing concepts.</div>Nishanthkumarpathihttps://wiki.owasp.org/index.php?title=User:Nishanthkumarpathi&diff=201675User:Nishanthkumarpathi2015-10-05T17:44:03Z<p>Nishanthkumarpathi: Nishanthkumarpathi moved page User:Nishanthkumarpathi to Nishanthkumarpathi</p>
<hr />
<div>#REDIRECT [[Nishanthkumarpathi]]</div>Nishanthkumarpathi