This site is the archived OWASP Foundation Wiki and is no longer accepting Account Requests.
To view the new OWASP Foundation website, please visit https://owasp.org

Difference between revisions of "SCG WS Apache"

From OWASP
Jump to: navigation, search
(Apache Global Server Configuration Files)
Line 63: Line 63:
 
ServerTokens ProductOnly
 
ServerTokens ProductOnly
 
</pre>
 
</pre>
 +
 +
=== Server Signature ===
 +
==== Description ====
 +
==== How to test ====
 +
==== Misconfiguration ====
 +
==== Remediation ====
 +
 +
 +
=== Info Leakage via defaut apache configuration ===
 +
==== Description ====
 +
==== How to test ====
 +
==== Misconfiguration ====
 +
==== Remediation ====
 +
 +
 +
== Operating System Privliges for Apache ==
 +
 +
=== Run Apache with least privilge user ===
 +
=== Restric Shell Access for Apache User===
 +
=== Lock Apache user account===
 +
=== Apache Directory Ownership and Permissions ===
 +
=== Apache File Ownership and Permissions ===
 +
 +
 +
== Access Control List in Apache ==
 +
=== Operating System  Root directory ===
 +
=== Improper access to web content ===
 +
=== Restrict OverRide for All Directories ===
 +
 +
== Apache Feature Configurations
 +
=== Limit HTTP Request Methods ===
 +
=== Disable HTTP Trace Method ===
 +
=== HTTP Protocol Version ===
 +
=== Restric access to .htaccess files ===
 +
=== Restric file extesions ===
 +
=== Remove Default HTML Page ===
  
 
== References ==
 
== References ==

Revision as of 17:12, 5 October 2015

This article is part of the OWASP Secure Configuration Guide.
Back to the OWASP Secure Configuration Guide ToC: https://www.owasp.org/index.php/Secure_Configuration_Guide Back to the OWASP Secure Configuration Guide Project: https://www.owasp.org/index.php/OWASP_Secure_Configuration_Guide


Summary

The Apache HTTP Server Project is a collaborative software development effort aimed at creating a robust, commercial-grade, featureful, and freely-available source code implementation of an HTTP (Web) server. The project is jointly managed by a group of volunteers located around the world, using the Internet and the Web to communicate, plan, and develop the server and its related documentation. This project is part of the Apache Software Foundation. In addition, hundreds of users have contributed ideas, code, and documentation to the project. This file is intended to briefly describe the history of the Apache HTTP Server and recognize the many contributors.

Important Files of Apache Server

Apache Global Server Configuration Files

Debian

/etc/apache2/apache2.conf

RHEL / Red Hat / CentOS / Fedora Linux

/etc/httpd/conf/httpd.conf

FreeBSD

/usr/local/etc/apache2x/httpd.conf

</pre> Note:x represents the version number

Apache Module Files

Debian
/etc/apache2/mods-enabled
RHEL / Red Hat / CentOS / Fedora Linux
/etc/httpd/conf/conf.d

Apache Port Configuration File

Debian
/etc/apache2/ports.conf
RHEL / Red Hat / CentOS / Fedora Linux
/etc/httpd/conf/conf.d

Apache Error Files

Debian
/var/log/apache2/error.log
RHEL / Red Hat / CentOS / Fedora Linux
var/log/httpd/error_log
FreeBSD
/var/log/httpd-error.log

Apache Error Files - Windows

Apache Server Information Leakage

Server Token

Description

By Default Apache ServerToken directive reveals the below information.

Server: Apache/2.2.14 (Unix) mod_ssl/2.2.14 OpenSSL/0.9.8e-fips-rhel5

This allows attackers to identify web servers details greatly and increases the efficiency of any attack,as security vulnerabilities are dependent upon specific software versions.

How to test

In order to test for ServerToken configuration, one should check the Apache configuration file.

Misconfiguration

ServerTokens Full

Remediation

Configure the ServerTokens directive in the Apache configuration to value of Prod or ProductOnly

ServerTokens Prod
or
ServerTokens ProductOnly

Server Signature

Description

How to test

Misconfiguration

Remediation

Info Leakage via defaut apache configuration

Description

How to test

Misconfiguration

Remediation

Operating System Privliges for Apache

Run Apache with least privilge user

Restric Shell Access for Apache User

Lock Apache user account

Apache Directory Ownership and Permissions

Apache File Ownership and Permissions

Access Control List in Apache

Operating System Root directory

Improper access to web content

Restrict OverRide for All Directories

== Apache Feature Configurations

Limit HTTP Request Methods

Disable HTTP Trace Method

HTTP Protocol Version

Restric access to .htaccess files

Restric file extesions

Remove Default HTML Page

References

https://httpd.apache.org/docs/current/misc/security_tips.html

https://wiki.debian.org/Apache/Hardening