Difference between revisions of "Apache 2 - Security"

(Improve security)
Line 123: Line 123:
  
  
===Change Apache 2 UID===
 
Do not change the UID if you already have install web programs such as phpldapadmin or phpmyadmin, cacti, ...
 
  
====Change the Apache UID====
+
 
 +
=Change Apache 2 UID=
 +
 
 +
 
 +
IMPORTANT: '''Do not change the UID if you already have install web programs''' such as phpldapadmin or phpmyadmin, cacti, ...
 +
 
 +
 
 +
This security trick is not crucial, it's just a "nice to have".
 +
 
 +
 
 +
 
 +
==Change the Apache UID==
 +
 
 
<syntaxhighlight lang="bash">
 
<syntaxhighlight lang="bash">
 
vim /etc/group
 
vim /etc/group
 
</syntaxhighlight>
 
</syntaxhighlight>
 +
  
 
Change www-data UID
 
Change www-data UID
 +
 
<syntaxhighlight lang="bash">
 
<syntaxhighlight lang="bash">
 
     www-data:x:10033:
 
     www-data:x:10033:
 
</syntaxhighlight>
 
</syntaxhighlight>
  
====Change the Apache GID====
+
 
 +
 
 +
==Change the Apache GID==
 +
 
 
<syntaxhighlight lang="bash">  
 
<syntaxhighlight lang="bash">  
 
vim /etc/passwd
 
vim /etc/passwd
 
</syntaxhighlight>
 
</syntaxhighlight>
 +
  
 
Change the group settings
 
Change the group settings
 +
 
<syntaxhighlight lang="bash">
 
<syntaxhighlight lang="bash">
www-data:x:10033:10033:www-data:/var/www:/bin/false
+
    www-data:x:10033:10033:www-data:/var/www:/bin/false
 
</syntaxhighlight>
 
</syntaxhighlight>
 +
  
 
Apply modifications
 
Apply modifications
 +
 
<syntaxhighlight lang="bash">
 
<syntaxhighlight lang="bash">
 
chown -R www-data:www-data /var/www/*
 
chown -R www-data:www-data /var/www/*
Line 152: Line 171:
 
</syntaxhighlight>
 
</syntaxhighlight>
  
To take on the modifications you have to reboot your server.  
+
 
 +
To take on the modifications you have to reboot your server - and not just the service. '''You must reboot the server''' with "reboot" command.
 +
 
  
  
===Avoid DOS attacks===
+
 
 +
=Avoid DOS attacks=
 +
 
 
Source: Linux mag’ – Hors serie Apache2
 
Source: Linux mag’ – Hors serie Apache2
 +
  
 
You can protect your server from Denial Of Service (DOS) attacks through mod_evasive
 
You can protect your server from Denial Of Service (DOS) attacks through mod_evasive
 +
 +
 +
==Installation==
 +
 
<syntaxhighlight lang="bash">
 
<syntaxhighlight lang="bash">
 
apt-get install libapache2-mod-evasive
 
apt-get install libapache2-mod-evasive
 
</syntaxhighlight>
 
</syntaxhighlight>
 +
  
 
Prepare log directory
 
Prepare log directory
 +
 
<syntaxhighlight lang="bash">
 
<syntaxhighlight lang="bash">
 
mkdir /var/log/apache2/mod_evasive
 
mkdir /var/log/apache2/mod_evasive
 
chown -R www-data:www-data  /var/log/apache2/mod_evasive
 
chown -R www-data:www-data  /var/log/apache2/mod_evasive
 
</syntaxhighlight>
 
</syntaxhighlight>
 +
  
 
Enable module
 
Enable module
 +
 
<syntaxhighlight lang="bash">
 
<syntaxhighlight lang="bash">
a2enmod mod-evasive
+
a2enmod evasive
 
</syntaxhighlight>
 
</syntaxhighlight>
  
  
===Configuration===
+
 
Create the configuration file
+
==Configuration==
 +
 
 +
Update / create the configuration file
 +
 
 
<syntaxhighlight lang="bash">
 
<syntaxhighlight lang="bash">
vim /etc/apache2/conf.d/mod_evasive.conf
+
vim /etc/apache2/mods-available/evasive.conf
 
</syntaxhighlight>
 
</syntaxhighlight>
 +
  
 
Put:
 
Put:
 +
 
<syntaxhighlight lang="bash">
 
<syntaxhighlight lang="bash">
 
# Mod evasive configuration
 
# Mod evasive configuration
 
# Based upon Linux Mag  
 
# Based upon Linux Mag  
 
<IfModule mod_evasive20.c>
 
<IfModule mod_evasive20.c>
DOSHashTableSize 3097  
+
  # Size of the hash table.
 +
  # The greater, the more memory is required but the faster it is! The value must be a prime number
 +
  DOSHashTableSize 3097  
 +
 
 +
  # Limit user to 5 pages per 2 seconds
 +
  DOSPageCount 5
 +
  DOSPageInterval 2
  
# Limit user to 5 pages per 2 seconds
+
  # No more than 100 HTTP request per second (HTML, CSS, images, …)
DOSPageCount 5
+
  DOSSiteCount 100
DOSPageInterval 2
+
  DOSSiteInterval 1
  
# No more than 100 HTTP request per second (HTML, CSS, images, …)
+
  # Block client for 300 seconds
DOSSiteCount 100
+
  DOSBlockingPeriod 300
DOSSiteInterval 1
 
  
# Block client for 300 seconds
+
  # Send email alert
DOSBlockingPeriod 300
+
  #DOSEmailNotify "admin@myDomain"  
# Send alert email
 
#DOSEmailNotify "admin@myDomain"  
 
  
# Log directory
+
  # Log directory
DOSLogDir "/var/log/apache2/mod_evasive"  
+
  DOSLogDir "/var/log/apache2/mod_evasive"  
  
# Command to execute on ban
+
  # Command to execute on ban
#DOSSystemCommand "/sbin/iptables -I INPUT -s %s -j DROP"
+
  #DOSSystemCommand "/sbin/iptables -I INPUT -s %s -j DROP"
  
# Ignore following IP and networks
+
  # Ignore following IP and networks
DOSWhiteList 127.0.0.1  
+
  DOSWhiteList 127.0.0.1  
#DOSWhitelist 66.249.65.*
+
  #DOSWhitelist 66.249.65.*
 
<IfModule mod_evasive20.c>
 
<IfModule mod_evasive20.c>
 
</syntaxhighlight>
 
</syntaxhighlight>
  
DosHashTableSize = Size of the hash table.
 
* The greater, the more memory is required but the faster it is! The value must be a prime number
 
  
 +
Apply changes
  
Apply changes
 
 
<syntaxhighlight lang="bash">
 
<syntaxhighlight lang="bash">
 
service apache2 restart
 
service apache2 restart
 
</syntaxhighlight>
 
</syntaxhighlight>

Revision as of 18:13, 8 June 2014

Apache 2 and PHP5: Secure your installation!

PHP Security Info

If you want to test your PHP security, you can use the PHPSecInfo tool, available at: http://phpsec.org/projects/phpsecinfo/index.html


Installation

cd /tmp
wget http://phpsec.org/projects/phpsecinfo/phpsecinfo.zip
unzip phpsecinfo.zip
mv phpsecinfo-Version phpsecinfo
mv phpsecinfo/ /var/www
cd /var/www
chown -R www-data:www-data phpsecinfo


Virtual host configuration

Edit your V.Host configuration 

vim /etc/apache2/sites-available/myServer

!! For security reason: DO NOT use 'phpsecinfo' as alias. It's too easy to guess. 


<VirtualHost _default_:443>
         # PHPSecInfo
         Alias   /phpsec   /var/www/phpsecinfo
         <Location /phpsec >
                 Require all granted
                 ProxyPass !
                 order deny,allow
                 # allow from 127.0.0.1 192.168.1.0/24
                 allow from all
          </Location>
</VirtualHost>


Reload your configuration 

/etc/init.d/apache2 reload


Run the test

To asset your current installation you can run the test: https://myServer/phpsec



Improve security

PHP5 sessions and temp files

Create specific directory to store the sessions and temp files: 

mkdir -p /etc/php5/temp
mkdir -p /etc/php5/session
chown -R www-data:root /etc/php5/temp
chown -R www-data:root /etc/php5/session
chmod -R 770 /etc/php5/session
chmod -R 770 /etc/php5/temp


Edit the configuration file 

vim /etc/php5/apache2/php.ini


Adjust:

  • line 801 → upload_tmp_dir = /etc/php5/temp
  • line 1357 → session.save_path = "/etc/php5/session"


PHP5 tweak

Edit the configuration file 

vim /etc/php5/apache2/php.ini


Adjust:

  • line 376 → expose_php = Off
  • line 406 → memory_limit = 8M
  • line 480 → display_errors=Off
  • line 675 → post_max_size=256K
  • line 805 → upload_max_filesize=256K
  • line 814 → allow_url_fopen=Off
 DO NOT enable the open_basedir (even if the test say so! It’s a troublesome setting)


Restart your server to load the changes: 

service apache2 restart


Re-run the test, then:

  • Ignore the open_basedir and upload_tmp_dir alerts, if any.
  • You can enable some specific options with a .htaccess file



Change Apache 2 UID

IMPORTANT: Do not change the UID if you already have install web programs such as phpldapadmin or phpmyadmin, cacti, ...


This security trick is not crucial, it's just a "nice to have".


Change the Apache UID

vim /etc/group


Change www-data UID 

    www-data:x:10033:


Change the Apache GID

 
vim /etc/passwd


Change the group settings 

    www-data:x:10033:10033:www-data:/var/www:/bin/false


Apply modifications 

chown -R www-data:www-data /var/www/*
chown -R www-data:root /etc/php5/*


To take on the modifications you have to reboot your server - and not just the service. You must reboot the server with "reboot" command.



Avoid DOS attacks

Source: Linux mag’ – Hors serie Apache2


You can protect your server from Denial Of Service (DOS) attacks through mod_evasive


Installation

apt-get install libapache2-mod-evasive


Prepare log directory 

mkdir /var/log/apache2/mod_evasive
chown -R www-data:www-data  /var/log/apache2/mod_evasive


Enable module 

a2enmod evasive


Configuration

Update / create the configuration file 

vim /etc/apache2/mods-available/evasive.conf


Put: 

# Mod evasive configuration
# Based upon Linux Mag 
<IfModule mod_evasive20.c>
   # Size of the hash table. 
   # The greater, the more memory is required but the faster it is! The value must be a prime number
   DOSHashTableSize 3097 

   # Limit user to 5 pages per 2 seconds
   DOSPageCount 5
   DOSPageInterval 2 

   # No more than 100 HTTP request per second (HTML, CSS, images, …) 
   DOSSiteCount 100
   DOSSiteInterval 1

   # Block client for 300 seconds
   DOSBlockingPeriod 300 

   # Send email alert
   #DOSEmailNotify "admin@myDomain" 

   # Log directory
   DOSLogDir "/var/log/apache2/mod_evasive" 

   # Command to execute on ban
   #DOSSystemCommand "/sbin/iptables -I INPUT -s %s -j DROP"

   # Ignore following IP and networks
   DOSWhiteList 127.0.0.1 
   #DOSWhitelist 66.249.65.*
<IfModule mod_evasive20.c>


Apply changes 

service apache2 restart
Retrieved from "http://www.daxiongmao.eu/wiki/index.php?title=Apache_2_-_Security&oldid=614"