This site is the archived OWASP Foundation Wiki and is no longer accepting Account Requests.
To view the new OWASP Foundation website, please visit https://owasp.org

SCG WS Apache

From OWASP
Revision as of 11:39, 8 October 2015 by Nishanthkumarpathi (talk | contribs) (Operating System Root directory)

Jump to: navigation, search
This article is part of the OWASP Secure Configuration Guide.
Back to the OWASP Secure Configuration Guide ToC: https://www.owasp.org/index.php/Secure_Configuration_Guide Back to the OWASP Secure Configuration Guide Project: https://www.owasp.org/index.php/OWASP_Secure_Configuration_Guide


NEEDS TO BE REVIEWED, SEE REFERENCES BELOW FOR ANY QUERIES!

Summary

The Apache HTTP Server Project is a collaborative software development effort aimed at creating a robust, commercial-grade, featureful, and freely-available source code implementation of an HTTP (Web) server. The project is jointly managed by a group of volunteers located around the world, using the Internet and the Web to communicate, plan, and develop the server and its related documentation. This project is part of the Apache Software Foundation. In addition, hundreds of users have contributed ideas, code, and documentation to the project. This file is intended to briefly describe the history of the Apache HTTP Server and recognize the many contributors.

Important Files of Apache Server

Apache Global Server Configuration Files

Debian

/etc/apache2/apache2.conf

RHEL / Red Hat / CentOS / Fedora Linux

/etc/httpd/conf/httpd.conf

FreeBSD

/usr/local/etc/apache2X/httpd.conf

Note:X represents the version number

Apache Module Files

Debian
/etc/apache2/mods-enabled
RHEL / Red Hat / CentOS / Fedora Linux
/etc/httpd/conf/conf.d

Apache Port Configuration File

Debian
/etc/apache2/ports.conf
RHEL / Red Hat / CentOS / Fedora Linux
/etc/httpd/conf/conf.d

Apache Error Files

Debian
/var/log/apache2/error.log
RHEL / Red Hat / CentOS / Fedora Linux
var/log/httpd/error_log
FreeBSD
/var/log/httpd-error.log

Apache Server Information Leakage

Server Token Directive

Description

This Directive Controls wheather Server response field is sent back to clients includes a description of Generic OS Type of the Server.

Server: Apache/2.2.14 (Unix) mod_ssl/2.2.14 OpenSSL/0.9.8e-fips-rhel5

This allows attackers to identify web servers details greatly and increases the efficiency of any attack,as security vulnerabilities are dependent upon specific software versions.

How to test

In order to test for ServerToken configuration, one should check the Apache configuration file.

Misconfiguration

ServerTokens Full

Remediation

Configure the ServerTokens directive in the Apache configuration to value of Prod or ProductOnly. This tells Apache to only return "Apache" in the Server header, returned on every page request.

ServerTokens Prod
or
ServerTokens ProductOnly

Server Signature

Description

This Apache directive allows the configuration of a trailing footer line under server-generated documents.

How to test

In order to test for ServerSignature configuration, one should check the Apache configuration file.

Misconfiguration

ServerSignature Off

Remediation

Configure the ServerSingature directive in the Apache configuration to value of "Off". This tell Apache not to display the server version on error pages, or other pages it generates.

 ServerSignature On

Operating System Privileges for Apache

Run Apache with least privilege user

Description

Apache typically is started with root privileges in order to listen on port 80 and 443. One of the best ways to reduce your exposure to attack when running a web server is to create a unique, unprivileged userid and group for the web daemon to execute. The “nobody” or “daemon” userid & group that come default on Unix variants should NOT be used to run the web server as these principals are commonly used by other daemon services. Instead, create a user and group that are exclusively used by the web service so as to not give unnecessary access to other services. The userid used for the apache user should be a unique value between 1 and 499 as these lower values are reserved for the special system accounts. A more secure alternative is to bind Apache web service to an unprivileged port so it is not necessary to start Apache as root.

How to test

Ensure the apache account is unique and has been created with a UID between1-499 with the apache group and configured in the Apache Configuration File.

Misconfiguration

Remediation

If the Apache user and group does exist, create the account and group as a unique system account.

Example:

# groupadd –r apache
# useradd apache -r -g apache -d /var/www -s /sbin/nologin

2. Configure the Apache user and group in the Apache configuration file.

User apache
Group apache

Restrict Shell Access for Apache User

Description

The Apache account must not be used as a regular login account, and should be assigned an invalid or nologin shell to ensure that the account cannot be used to login.

How to test

Misconfiguration

Check the apache login shell in the /etc/password file for Linux Systems.

# grep apache /etc/passwd

Remediation

The below command will configure the apache user with "nologin" restrictions.

#chsh -s /usr/sbin/nologin apache

Expected Output

Command to chec:
#cat/etc/passwd
Expected Output:
apache:x:48:48:Apache:/var/www:usr/sbin/nologin

Lock Apache user account

Description

The user account under which Apache runs, should have a valid password, but should be locked.

How to test

Misconfiguration

The below is the misconfiguration for an Apache user.

Command

# passwd -S apache

Expected Output:

apache P 09/07/2015 0 99999 7 -1

Remediation

# passwd -l apache 

Validate the Configuration using the below command in Linux.

#passwd -S apache

Expected Output:

apache LK 2015-09-09 0 99999 7 -1 

Apache Directory Ownership and Permissions

Description

All of the Apache Software directories and files installed should be owned by root user and root group.This will help in mitigate exploration severity and information disclosure.

Apache Web Document folders like "/var/www/html" need a designated group to allow web content to be updated.

How to test

Type the below command to check the User and Group associated with a file.The file varies in Between Debian,RHEL/CentOS/Fedora,FreeBSD.

Example:

# ls -l /usr/share/apache2


Misconfiguration

In the Below example the apache2 folder is owned by a user name "alice" and group "sysadmin" which can be considered as a misconfiguration.
drwxr-xr-x    6 alice sysadmin 4096 Sep  7 13:20 apache2


Remediation

The below command will set a Directory named "apache2" with root user and root group recursively.

#chown –R root:root /usr/local/apache2

Apache File Ownership and Permissions

Description

Setting the appropriate permissions on the Apache files and directories can help to prevent/mitigate exploitation severity and information disclosure.

Preventing execution of Apache binaries with limited permission will decrease the attack surface.

Permission of the Apache directories and files should be rwxr-xr-x and they can change if it is Apache binary or executable file.

How to test

Run the below command to check the file permissions.

#ls -l /var/www/html

Misconfiguration

Other than rwxr-xr-x would be considered as a mis configuration.

Remediation

Permission of the Apache directories and files should be rwxr-xr-x and they can change if it is Apache binary or executable file.

Access Control List in Apache

Operating System Root directory

Description

Apache will serve any file mapped from an URL to clients with efault configuration.

It is better to create a deny policy that will not allow access to Operating system directoories or files.

A small modification in the configuration will allow access to tthe required files.

The order of the directive is important as it provides for otherr Allow diectives to override the default deny.

How to test

1. Find the appropriate Apache configuration file in your Server. 2. Ensure there is a single Order directive and set the value to deny, allow 3. Ensure there is a Deny directive, and set the value to "from all". 4. Remove any Allow directives from the root <Directory> element.

Misconfiguration

<Directory />
 . . .
 Order allow,deny
 Allow from all
 . . .
</Directory>

Remediation

<Directory />
 . . .
 Order deny,allow
 Deny from all
 . . .
</Directory>

Improper access to web content

Description

How to test

Misconfiguration

Remediation

Restrict OverRide for All Directories

Description

How to test

Misconfiguration

Remediation

Apache Features

Limit HTTP Request Methods

Description

How to test

Misconfiguration

Remediation

Disable HTTP Trace Method

Description

How to test

Misconfiguration

Remediation

HTTP Protocol Version

Description

How to test

Misconfiguration

Remediation

Restrict access to .htaccess files

Description

How to test

Misconfiguration

Remediation

Restrict file extensions

Description

How to test

Misconfiguration

Remediation

Remove Default HTML Page

Description

How to test

Misconfiguration

Remediation

Apache Module Configuration

Authentication and Authorization Modules

Description

How to test

Misconfiguration

Remediation

Status and Info Modules

Description

How to test

Misconfiguration

Remediation

AutoIndex Module

Description

How to test

Misconfiguration

Remediation

Proxy Module

Description

How to test

Misconfiguration

Remediation

User Directory Moudule

SSL / TLS Configuration

Install a valid certificate

Description

How to test

Misconfiguration

Remediation

Restric weak SSL Protocols and Ciphers

Description

How to test

Misconfiguration

Remediation

Install mod_ssl Module

Description

How to test

Misconfiguration

Remediation

Avoid Insecure SSL Renogitation

Description

How to test

Misconfiguration

Remediation

Attack Migigation

DOS

Description

How to test

Misconfiguration

Remediation

Buffer Overflow

Description

How to test

Misconfiguration

Remediation

References

https://httpd.apache.org/docs/current/misc/security_tips.html

https://wiki.debian.org/Apache/Hardening

https://wiki.apache.org/httpd/CommonMisconfigurations

http://projects.webappsec.org/w/page/13246959/Server%20Misconfiguration