Basic Apache Hardening - Hsanokklis/2023-2024-Tech-journal GitHub Wiki
Turn off the MITM proxy before starting!
- Open a new tab in Chrome
- Open developer mode
- Browse to your web server
- Network tab -> your site
- Response Headers -> Apache version

```
Apache/2.4.37 (rocky)
```
Exposing the version of your Apache server means you are helping hackers with the reconnaissance process. The default configuration exposes the Apache version and OS type in the `Server` header, as shown above.
- Go to `/etc/httpd/conf/` and open `httpd.conf`
- Add the following lines to the end of the file and save `httpd.conf`:

```apache
ServerTokens Prod
ServerSignature Off
```

- Restart Apache
`ServerSignature Off` removes the version information from the pages Apache generates for errors like 403, 404, 502, etc. `ServerTokens Prod` reduces the `Server` header to the product name only, i.e. `Apache`.
Apache Version is gone!!
Disable directory listing in the browser so a visitor doesn't see all the files and folders you have under the web root or a subdirectory. Let's test what it looks like with the default settings.
- Go to `/var/www/html`
- Create a folder and add a few files inside:

```
# mkdir test
# cd test
# echo "hi message" > hi          # a simple text file called "hi" with a message in it
# echo "hello message" > hello    # a simple text file called "hello" with a message in it
```
Accessing the test directory via a web browser shows a directory listing. As you can see, it reveals the files and folders, which you may not want to expose. Open the `hello` and `hi` files to read the messages.
- Go to `/etc/httpd/conf/` and open `httpd.conf`
- Search for the web root directory (`/var/www/html`) and change the `Options` directive to `None`:

```apache
<Directory /var/www/html>
...
Options None
...
</Directory>
```

Change it from `Options Indexes FollowSymLinks` to `Options None`.

- Restart Apache

Access to the `/test` directory is now Forbidden!
By default, the TRACE method is enabled in the Apache web server. The TRACE method echoes back whatever is in the request. It was originally used for troubleshooting, to make sure the server was receiving properly formatted headers from the client.
Having this enabled can allow Cross-Site Tracing attacks and potentially allow a hacker to steal cookie information. Let's see how it looks in the default configuration.
- Install telnet if the command is not found (`yum install telnet`)
- From your web server's command line, open a telnet session to Apache on itself
- Make a TRACE request as shown below

```
# telnet localhost 80
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
TRACE / HTTP/1.1
Host: test
(enter)
(enter)
HTTP/1.1 200 OK
Date: Sat, 31 Aug 2013 02:13:24 GMT
Server: Apache
Transfer-Encoding: chunked
Content-Type: message/http

20
TRACE / HTTP/1.1
Host: test

0

Connection closed by foreign host.
#
```
As you can see above, the server answered the TRACE request and echoed back the request (start line and headers).
Try sending it some different requests; as long as the general format is correct, it should work regardless of what you type.

```
TRACE /blahblahblah!!! HTTP/1.1
Host: ToTheMoon
Meaningless: NonSense
# Should echo back what you wrote
```

Now imagine including a script in that request:

```
TRACE /<script>foo</script> HTTP/1.1
Host: ToTheMoon
Meaningless: NonSense <script>bar</script>
```

If that works, you can see that even JavaScript can be injected into the TRACE response, which could be used to access headers meant for one site (such as authentication tokens) and send them to another. This is known as Cross-Site Tracing (XST).
- Go to `/etc/httpd/conf/`, add the following directive to `httpd.conf` and save:

```apache
TraceEnable off
```

- Restart Apache
Verification that you can no longer make a TRACE request:
```
# telnet localhost 80
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
TRACE / HTTP/1.1
Host: test
(enter)
(enter)
HTTP/1.1 405 Method Not Allowed
Date: Sat, 31 Aug 2013 02:18:27 GMT
Server: Apache
Allow:
Content-Length: 223
Content-Type: text/html; charset=iso-8859-1

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>405 Method Not Allowed</title>
</head><body>
<h1>Method Not Allowed</h1>
<p>The requested method TRACE is not allowed for the URL /.</p>
</body></html>
Connection closed by foreign host.
#
```
As you can see above, the TRACE request is now blocked with an HTTP 405 Method Not Allowed.
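To re-check all three changes on this page (ServerTokens/ServerSignature, `Options None` on the web root, `TraceEnable off`) without clicking through the browser and telnet each time, here is an added audit script; it is example code, not part of the wiki or of Apache. It assumes the server is reachable on `host:port`, that `/test/` is the listing-less directory created above, and the sample responses are constructed from the telnet output shown in this page.

```python
"""Hypothetical post-hardening audit (added example, not from the wiki page).
Assumes Apache is reachable on host:port and that /test/ holds no index file."""
import socket

# Constructed sample responses, modelled on the telnet output shown in this page.
DEFAULT_TRACE = ("HTTP/1.1 200 OK\r\nServer: Apache/2.4.37 (rocky)\r\n"
                 "Content-Type: message/http\r\n\r\nTRACE / HTTP/1.1\r\nHost: test\r\n")
HARDENED_TRACE = ("HTTP/1.1 405 Method Not Allowed\r\nServer: Apache\r\nAllow: \r\n"
                  "Content-Type: text/html\r\n\r\n<h1>Method Not Allowed</h1>")

def raw_request(host, port, method, path):
    """Send one minimal HTTP/1.1 request over a plain socket; return the raw response."""
    req = f"{method} {path} HTTP/1.1\r\nHost: {host}\r\nConnection: close\r\n\r\n"
    with socket.create_connection((host, port), timeout=5) as sock:
        sock.sendall(req.encode("ascii"))
        chunks = []
        while data := sock.recv(4096):
            chunks.append(data)
    return b"".join(chunks).decode("iso-8859-1")

def split_response(raw):
    """Return (status code, header dict keyed by lower-cased name, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    status = int(lines[0].split()[1])          # "HTTP/1.1 405 Method Not Allowed" -> 405
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status, headers, body

def server_header_leaks(headers):
    """ServerTokens Prod leaves only 'Apache'; a '/' or '(' means version/OS is still exposed."""
    server = headers.get("server", "")
    return "/" in server or "(" in server

def listing_blocked(status, body):
    """Options None turns the auto-generated index (200, 'Index of') into a 403 Forbidden."""
    return status == 403 and "Index of" not in body

def audit(host="localhost", port=80, test_dir="/test/"):
    """Run all three checks against a live server; every value should be True once hardened."""
    status, headers, body = split_response(raw_request(host, port, "GET", test_dir))
    trace_status, _, _ = split_response(raw_request(host, port, "TRACE", "/"))
    return {"server_token_hidden": not server_header_leaks(headers),
            "trace_blocked": trace_status == 405,   # TraceEnable off answers 405
            "listing_blocked": listing_blocked(status, body)}
```

Run `audit()` on the web server itself after each restart; any `False` in the result points at the directive that did not take effect.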