SCG WS Apache
This article is part of the OWASP Secure Configuration Guide.
- 1 Summary
- 2 Important Files of Apache Server
- 3 Apache Server Information Leakage
- 4 Operating System Privileges for Apache
- 5 Access Control List in Apache
- 6 Apache Features
- 7 Apache Module Configuration
- 8 SSL / TLS Configuration
- 9 Attack Mitigation
Summary
The Apache HTTP Server Project is a collaborative software development effort aimed at creating a robust, commercial-grade, feature-rich, and freely available source code implementation of an HTTP (web) server. The project is jointly managed by a group of volunteers located around the world, using the Internet and the Web to communicate, plan, and develop the server and its related documentation. The project is part of the Apache Software Foundation. In addition, hundreds of users have contributed ideas, code, and documentation to the project.
Important Files of Apache Server
Apache Global Server Configuration Files
- Debian: /etc/apache2/apache2.conf
- RHEL / Red Hat / CentOS / Fedora Linux: /etc/httpd/conf/httpd.conf
- FreeBSD: /usr/local/etc/apache2X/httpd.conf (note: X represents the version number)
Apache Module Files
- Debian: /etc/apache2/mods-enabled
- RHEL / Red Hat / CentOS / Fedora Linux: /etc/httpd/conf/conf.d
Apache Port Configuration File
- Debian: /etc/apache2/ports.conf
- RHEL / Red Hat / CentOS / Fedora Linux: /etc/httpd/conf/conf.d
Apache Error Files
- Debian: /var/log/apache2/error.log
- RHEL / Red Hat / CentOS / Fedora Linux: /var/log/httpd/error_log
- FreeBSD: /var/log/httpd-error.log
Apache Error Files - Windows
Apache Server Information Leakage
Server Token Directive
Description
This directive controls whether the Server response header field sent back to clients includes a description of the generic OS type of the server and of the compiled-in modules, for example:
Server: Apache/2.2.14 (Unix) mod_ssl/2.2.14 OpenSSL/0.9.8e-fips-rhel5
This allows attackers to identify web server details and greatly increases the efficiency of any attack, as security vulnerabilities depend on specific software versions.
How to test
In order to test the ServerTokens configuration, check the Apache configuration file.
Misconfiguration
ServerTokens Full
Remediation
Configure the ServerTokens directive in the Apache configuration to the value Prod or ProductOnly. This tells Apache to return only "Apache" in the Server header, which is sent on every response.
ServerTokens Prod or ServerTokens ProductOnly
Server Signature
Description
This Apache directive allows the configuration of a trailing footer line under server-generated documents.
How to test
In order to test the ServerSignature configuration, check the Apache configuration file.
Misconfiguration
ServerSignature On
Remediation
Configure the ServerSignature directive in the Apache configuration to the value "Off". This tells Apache not to display the server version on error pages or other pages it generates.
ServerSignature Off
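The two checks above can be automated against a configuration file. The following is an added example written for this guide, not code from the Apache project: it parses a constructed httpd.conf fragment, applies Apache's last-occurrence-wins rule and its defaults (ServerTokens Full, ServerSignature Off when absent), and reports any setting that leaks version information.

```python
import re
from typing import Dict, List

# Constructed sample configuration fragment; not taken from any real server.
SAMPLE_CONF = """\
# Global settings
ServerTokens Full
ServerSignature On
<VirtualHost *:80>
    ServerName example.test
</VirtualHost>
# ServerTokens Prod   <- a commented-out line must be ignored
"""

# ServerTokens values that limit the Server header to the product name.
SAFE_TOKENS = {"prod", "productonly"}


def parse_directives(conf: str) -> Dict[str, str]:
    """Return the effective value of ServerTokens / ServerSignature.

    Apache only treats '#' at the start of a line as a comment and uses the
    last occurrence of a directive, so later lines overwrite earlier ones.
    """
    found: Dict[str, str] = {}
    for raw in conf.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = re.match(r"(ServerTokens|ServerSignature)\s+(\S+)", line, re.IGNORECASE)
        if m:
            found[m.group(1).lower()] = m.group(2)
    return found


def check_config(conf: str) -> List[str]:
    """Return findings; an empty list means both leakage checks pass."""
    found = parse_directives(conf)
    findings: List[str] = []
    tokens = found.get("servertokens", "Full")  # Apache default
    if tokens.lower() not in SAFE_TOKENS:
        findings.append(f"ServerTokens is '{tokens}'; set 'ServerTokens Prod'")
    signature = found.get("serversignature", "Off")  # Apache default
    if signature.lower() != "off":
        findings.append(f"ServerSignature is '{signature}'; set 'ServerSignature Off'")
    return findings


if __name__ == "__main__":
    for finding in check_config(SAMPLE_CONF):
        print(finding)
```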
Info Leakage via default Apache configuration
Description
How to test
Misconfiguration
Remediation
Operating System Privileges for Apache
Run Apache with least privilege user
Description
How to test
Misconfiguration
Remediation
Restrict Shell Access for Apache User
Description
How to test
Misconfiguration
Remediation
Lock Apache user account
Description
How to test
Misconfiguration
Remediation
Apache Directory Ownership and Permissions
Description
How to test
Misconfiguration
Remediation
Apache File Ownership and Permissions
Description
How to test
Misconfiguration
Remediation
Access Control List in Apache
Operating System Root directory
Description
How to test
Misconfiguration
Remediation
Improper access to web content
Description
How to test
Misconfiguration
Remediation
Restrict OverRide for All Directories
Description
How to test
Misconfiguration
Remediation
Apache Features
Limit HTTP Request Methods
Description
How to test
Misconfiguration
Remediation
Disable HTTP Trace Method
Description
How to test
Misconfiguration
Remediation
HTTP Protocol Version
Description
How to test
Misconfiguration
Remediation
Restrict access to .htaccess files
Description
How to test
Misconfiguration
Remediation
Restrict file extensions
Description
How to test
Misconfiguration
Remediation
Remove Default HTML Page
Description
How to test
Misconfiguration
Remediation
Apache Module Configuration
Authentication and Authorization Modules
Description
How to test
Misconfiguration
Remediation
Status and Info Modules
Description
How to test
Misconfiguration
Remediation
AutoIndex Module
Description
How to test
Misconfiguration
Remediation
Proxy Module
Description
How to test
Misconfiguration
Remediation
User Directory Module
SSL / TLS Configuration
Install a valid certificate
Description
How to test
Misconfiguration
Remediation
Restrict weak SSL Protocols and Ciphers
Description
How to test
Misconfiguration
Remediation
Install mod_ssl Module
Description
How to test
Misconfiguration
Remediation
Avoid Insecure SSL Renegotiation
Description
How to test
Misconfiguration
Remediation
Attack Mitigation
DoS
Description
How to test
Misconfiguration
Remediation
Buffer Overflow
Description
How to test
Misconfiguration
Remediation