Tuesday, November 29, 2011

Making your Apache Web Server more secure

I just wanted to post a few tips that you can use on your Apache 2.2 web server to help make your server a little more secure.  This isn't a list of every security measure you can take but, just a few tips.

One of the first things you should do to secure your Apache installation is to configure Apache file permissions.  This will help mitigate access to primary systems if someone is able to hack into your server through Apache. You can do this by performing the following steps (there are a few, fair warning):
  1. After Apache Web server has been installed open the "Computer Management" console by doing the following:
    1. Click on "Start"
    2. Go to "Administrative Tools"
    3. Click on "Computer Management"
  2. In the "Computer Management" window, expand the "Local Users and Groups" section.  Click on "Users" to see a list of the current users for your system.
  3. Right-click on "Users" and select the "New User" option.
  4. Enter the following information for the new user:
    1. User name
      1. apacheservice
    2. Password
      1. adminpw123 <put something secure here>
    3. Confirm Password
      1. adminpw123 <reminder, change this to something secure>
    4. Clear the "User must change password" check box
    5. Select the "User cannot change password" check box
    6. Select the "Password never expires" check box
  5. Click the "Create" button and then click "Close" to close the "New User" dialog.
  6. Right-click the "apacheservice" user you just created and select "Properties". Click the "Member Of" tab.
  7. Make sure the "apacheservice" user is a "Member Of" the "Users" group.  Click "Cancel" to close the properties window.
  8. Exit out of the "Computer Management" console.
  9. Open the "Services" console by doing the following:
    1. Click on "Start"
    2. Go to "Administrative Tools"
    3. Click on "Services"
  10. Right-click the "Apache2" service and select "Stop".
  11. Open Windows Explorer (not Internet Explorer) and navigate to the following:
    1. C:\Program Files\Apache Software Foundation\Apache2.2
  12. Right-click the "Apache2.2" folder, select "Properties" and then select the "Security" tab.
  13. Make sure that only READ and EXECUTE permissions are granted to the Users group.
  14. No changes should be necessary so just click "Cancel".
  15. Using Windows Explorer, review the permissions for the following:
    1. C:\Program Files\Apache Software Foundation\Apache2.2\logs
  16. Now, we do want to change permissions on the "logs" directory.  To do that do the following:
    1. In the logs Properties dialog's Security tab, click the "Advanced" button.
    2. Clear the "Allow inheritable permissions from the parent" check box.
    3. Click "Remove" in the security window.
    4. Select the "Replace permissions on all child objects" check box and click the "Add" button.
    5. In the "Enter the object name to select" field, type the username "administrator" and click OK.
    6. Under "Allow", select the check box for "Full Control" and click OK.
    7. Click the "Add" button again and in the "Enter the object name to select" field, type the username "apacheservice" and click OK.
    8. Select the following check boxes under Allow:
      1. List Folder/Read Data
      2. Read Attributes
      3. Read Extended Attributes
      4. Create Files/Write Data
      5. Create Folder/Append Data
      6. Write Attributes
      7. Write Extended Attributes
      8. Read Permissions
    9. Click OK when done.
  17. Click OK to close the "Advanced Security Settings" window and again, click OK when asked to continue.
  18. If you check permissions for the "apacheservice" user in the logs Properties dialog's Security tab, you will find we should now have read / write access only.
  19. Click OK to exit out of the logs Properties window.
  20. Now view the security permissions of your web root.  By default, this is the "htdocs" folder found under your Apache2.2 installation.
  21. Click the "Advanced" button under the "Security" tab.
  22. In the "Advanced Security Settings" dialog, clear the "Allow inheritable permissions from the parent" check box.
  23. Click "Copy" in the security window.
  24. Click the OK button to dismiss the Advanced Security Settings.
  25. Select the "Users" group and click Remove.
  26. Select the "SYSTEM" group and click Remove.
  27. Click the Add button and in the "Enter the object name to select" field type the username "apacheservice" and click OK.
  28. In the "Permissions for apacheservice" section, change the permission to Allow Read and Deny Write. Clear any other check box that may be selected.
  29. Click OK to close "WebRootFolder Properties" and click Yes when asked to continue.
    1. Those last steps will ensure that the "apacheservice" user will only ever be able to read, never write, to the root Web document folder.
  30. Switch back to the Services console, or open it again by select Start -> Administrative Tools -> Services.
  31. Right-click the "Apache2" service and select "Properties".
  32. In the properties window, select the "Log On" tab and perform the following steps:
    1. Select the "This account" radio button and type the user name "apacheservice".
    2. Enter the password and confirm the password for the account.
    3. Click the "Apply" button.
      1. You should see a message indicating the account has been granted the "Log On As A Service" right.  This is fine, click OK to dismiss.
    4. Click OK to close the Apache2 properties window.
    5. Right-click the "Apache2" service in the Services console and select "Start".
      1. If you see an error when restarting Apache, then there is a problem with the permissions of the apacheservice user.  Verify your steps by checking permissions (see the instructions leading up to this step).
  33. The last step is simple... When the server comes back up just surf to the URL and ensure it is working.

Now, lets add a few tweaks to our server config file. In the "httpd.conf" file that is located in the "conf" directory of your server you can add the following:
#
# Controls who can get stuff from this server.
#
<Limit GET HEAD POST>
    order deny,allow
    allow from {%}
    deny from all
</Limit>
This configuration is added under your <Directory> for your document root. Replace the {%} token above with any IP address or IP block.  For example you can use the site County IP Blocks to generate a block of IP addresses only from a particular country (such as the USA).  Anyone coming from an IP address not in your block would be denied access.  Or you can do the following...
allow from 127.0.0.1
...to ensure only local access to the Web server.
#
# Limit to POST and GET commands only.
#
<LimitExcept POST GET>
    Require valid-user
</LimitExcept>
This should also be added under your <Directory> root. This configuration will prevent other un-secure commands from being accessed by a user.  POST and GET are really all you should be allowing on your Web server anyway.
#
# Hide server details from the HTTP response header
#
ServerSignature off
ServerTokens prod
This configuration (added at the end of your conf file) hides detailed server information from your HTTP response headers (such as Apache version) from potential attackers.  Attackers use information like that to coordinate attacks on your server.

And, of course you should always follow the security tips provided by Apache.  Those can be located here:

http://httpd.apache.org/docs/2.2/misc/security_tips.html

I hope some of these tips can help you to make sure your Web Server is more secure.  I will likely post more in the future and will also try to include application servers (Tomcat) and even IIS.