Best Practices in Hardening Apache Services under Linux




Anthony Kent

Web servers are attacked more frequently than anything else on the internet. Without the proper security measures it is just a matter of time before a server is hacked. I will be covering some security basics for configuring an Apache web server on Linux. Not only is this setup a good base for a secure web server, but it is also all open source software.

For the OS setup we will be performing a custom installation of openSUSE Linux 10.2. openSUSE's latest released version can be downloaded at the following link: http://en.opensuse.org/released_version. The installation will be on a 32-bit workstation running at 1.667 GHz with 512 MB of RAM and a 14 GB disk.

To start the installation, ensure that your machine is set to boot off the CD-ROM. Insert the disk and select Installation from the first menu. Select the appropriate language and click Next. To continue you must agree with the terms and select Next again. It will then analyze your system briefly. Ensure that the New Installation radio button is selected and click Next. Find your appropriate time zone and set the hardware clock to UTC if you want your system to automatically switch to and from daylight saving time. Check the time to see if it is correct and select Next to continue. Since we are building a web server we will make our desktop selection Text Mode Only (under Other) on the Desktop Selection screen. Click Next to continue and you will arrive at the Installation Settings menu (Figure 1). Click on Change and select the Partitioning option. Select Create Custom Partitioning Setup and click Next, then choose Custom Partitioning (for experts).

Figure 1

We will now set up the necessary partitions for our web server. Select Create, then Primary Partition, and click OK. Select /boot as your mount point, ext2 as your file system, and under size type in +100MB as the end of the cylinder size, as shown in Figure 2. Create another primary partition and select swap as the file system; since the machine I will be using has 512MB of memory I will put +1GB as the end cylinder size. The rule of thumb is to make your swap size double the amount of memory that is in your machine. The rest of the partitions we will create will use ext3 as the file system. We will create /root as our last primary partition and make it 2GB in size. Create an extended partition afterwards and leave the start and end cylinder as the default to use the rest of the hard disk. Create the following partitions in the extended partition: /usr (2 GB), /var (2GB), /home (1GB), /tmp (1GB), and for the last partition, /opt, we will use the rest of the disk since we will be compiling Apache in this directory. Accept the partitions if they are correct and it will bring you back to Installation Settings (Figure 3).

Figure 2

Figure 3

Since we have selected text mode as our desktop preference it will set up a minimal install for the software, so the only software that will need to be added is make, gcc, and wget. Perform a search and use the spacebar to select each of them. SUSE will auto-resolve any dependency issues. Select Accept and confirm the installation. SUSE will format your disk appropriately and then start the installation. After all the software is installed it asks for the root password. It is best practice to include at least one special character, one number, one upper case letter and at least eight characters. Hit Alt-Enter to go to the next screen. Deselect Change Hostname via DHCP and enter an appropriate hostname for your new web server. Accept those settings and then accept your network settings if they are correct. Test your internet connection and if successful download the latest updates. Use the local authentication method and go to the next screen. Create a user account with a different password than your root account, following the password best practices mentioned above. View the release notes and then accept your hardware specifications. Select Finish to wrap up the installation.

As your user, cd into /opt and run wget on http://www.apache.org/dist/httpd/httpd-2.2.4.tar.gz to download the source of Apache's httpd, and on http://www.openssl.org/source/openssl-0.9.8e.tar.gz to download OpenSSL. Run tar zxvf on the httpd-2.2.4.tar.gz file to uncompress it and perform the same step on the OpenSSL file. After you have changed into the httpd directory, configure httpd by running:

    ./configure --enable-ssl --with-ssl=<path to ssl source> --enable-module=shared

Configuring will take several minutes depending on your system. When it is done, type make and hit Enter; this compiles the code and may also take a few minutes. When that is done, type make install to install Apache. To test that everything went according to plan, run /opt/bin/apachectl start. You can go to another workstation on the network, type in your web server's IP address, and you should arrive at the Apache test page.

Once you copy your web page files into /opt/httpd/html/<website name> you can start to configure httpd.conf. Start by putting your default site next to ServerName (Figure 4). Then next to DocumentRoot place, in quotes, the directory from which you will serve documents for the default site. In our case we will serve pages out of /opt/www/html/sampleone (Figure 4). Then proceed to <Directory /opt/www/html> and ensure that the default directory is there as well. Uncomment NameVirtualHost (Figure 5) and create a virtual host for each website that you will be serving. It is important to remember that your first virtual host must be your default site. An example virtual host is given in the file; I recommend that you copy the example, put in your info, and then uncomment all the lines.

Figure 4

Figure 5

Once we have the sites up and running we can start to lock them down. A complete discussion of computer security would fill a library. However, the meat of what we want to accomplish is as follows. We want to make it impossible for strangers to copy, alter, or erase any of our data. We want to prevent others from running any unapproved programs on our machine. Just as important, we want to prevent legitimate users from making mistakes that have consequences just as serious as vandalism.

Some of you may require more modules for the web services you are providing, but remember it is ideal to take the minimalist approach. You want to eliminate all modules that you don't need in order to reduce the potential exposure to security holes. What modules do you really need? The main reason that we did not use the Apache that ships with SUSE Linux is that it comes preloaded with many modules by default.

Restricting access to files outside of your web root is necessary in securing your web server. The solution is to use the following in your httpd.conf and repeat it for each directory that you want to exclude:

    <Directory />
        Order deny,allow
        Deny from all
        AllowOverride None
        Options None
    </Directory>

If you are using authentication for any of your web pages then SSL is a necessity. Secure Sockets Layer (SSL) is the standard way to implement secure websites. By encrypting the traffic between the server and the client, which is what SSL does, that content is protected from a third party listening to the traffic going past.

To use SSL you must generate your certificates. At the CLI type:

    % openssl genrsa -out hostname.key 1024
    % openssl req -new -key hostname.key -out hostname.csr

Now you have the choice of either signing the certificate yourself or sending your Certificate Signing Request (CSR) off to one of the certificate authority companies, such as Thawte or Entrust, for them to sign. To sign the certificate yourself, do the following on your terminal:

    % openssl x509 -req -days 365 -in hostname.csr -signkey hostname.key -out hostname.crt

Once you have finished, move the files over to the directory you want (preferably in /opt). Then add the following lines to your httpd.conf configuration file:

    SSLCertificateFile /opt/conf/hostname.crt
    SSLCertificateKeyFile /opt/conf/hostname.key

A key note is that if you are using this for internal traffic, generating your own key is just fine, but if you want the public to connect to your page it is advisable to pay for your certificate to be signed by a reputable certificate authority so users can trust your certificate.

This is just the base for a web server, but as with anything your foundation is a key part. Keep the minimalist approach and that will help, because you increase your vulnerability with every module or piece of software you add. Most versions of Linux can be stripped down to the bare essentials as we did with SUSE Linux. Apache has great documentation, so for further information please check out their site.
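As an added example (not part of the paper, and not an Apache tool), a small Python checker for the two lockdown points described above: the default-deny <Directory /> block and the SSLCertificateFile/SSLCertificateKeyFile directives. It parses a constructed httpd.conf fragment, reports what is missing, and also goes one step further than the text by flagging a key or certificate that has been placed under DocumentRoot, where the web server itself could hand it out.

```python
import re

# Constructed sample httpd.conf fragment (not the paper's file): root lockdown + SSL.
SAMPLE_CONF = """\
DocumentRoot "/opt/www/html/sampleone"
<Directory />
    Order deny,allow
    Deny from all
    AllowOverride None
    Options None
</Directory>
SSLCertificateFile /opt/conf/hostname.crt
SSLCertificateKeyFile /opt/conf/hostname.key
"""

def parse(conf: str):
    """Return (top-level directives, <Directory> blocks); block lines are lower-cased."""
    top, dirs, current = {}, {}, None
    for raw in conf.splitlines():
        line = " ".join(raw.split())          # collapse whitespace
        if not line or line.startswith("#"):
            continue
        opened = re.match(r'<Directory "?([^">]+?)"?>$', line, re.I)
        if opened:
            current = opened.group(1).strip()
            dirs[current] = []
        elif line.lower() == "</directory>":
            current = None
        elif current is not None:
            dirs[current].append(line.lower())
        else:                                 # first occurrence wins (the default site)
            name, _, value = line.partition(" ")
            top.setdefault(name.lower(), value.strip('"'))
    return top, dirs

def audit(conf: str) -> list:
    """Return findings; an empty list means every check passed."""
    top, dirs = parse(conf)
    findings = []
    root = dirs.get("/")
    if root is None:
        findings.append("no <Directory /> block: the filesystem root is not locked down")
    else:                                     # the three lines the text requires
        findings += [f"<Directory />: missing '{w}'" for w in
                     ("deny from all", "allowoverride none", "options none") if w not in root]
    docroot = top.get("documentroot", "").rstrip("/") + "/"
    for directive in ("SSLCertificateFile", "SSLCertificateKeyFile"):
        path = top.get(directive.lower())
        if not path:
            findings.append(f"missing {directive}: HTTPS cannot be served")
        elif docroot != "/" and path.startswith(docroot):
            findings.append(f"{directive} {path} is inside DocumentRoot and could be served to clients")
    return findings
```

Run audit() over your own httpd.conf text; DocumentRoot lines inside VirtualHost blocks are treated as top-level, so the first one seen (the default site) is the one compared against.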
