Latest revision as of 18:05, 10 June 2014

Here you'll find information about how to make your server more discreet and secure. By changing the UID you can also set your server to be less risky in case of being hack.

1 Be discreet!
- 1.1 PHP info
- 1.2 Adjust verbose level
2 PHP5 security
- 2.1 PHP Security Info
- 2.2 Improve security
  - 2.2.1 PHP5 sessions and temp files
  - 2.2.2 PHP5 tweak
3 Change Apache 2 UID
- 3.1 Change the Apache UID
- 3.2 Change the Apache GID
4 Avoid DOS attacks
- 4.1 Installation
- 4.2 Configuration
5 Change Apache2 ports number

Be discreet!

PHP info

Check the current server status using a simple PHP info file.

vim /var/www/myServer/phpinfo.php

Put the following:

<?php
// Show all information, defaults to INFO_ALL
phpinfo();
?>

Adjust rights and ownership:

chown -R www-data:www-data /var/www/myServer
chmod -R 755 /var/www/myServer

Adjust verbose level

Do not give details about your configuration to outsiders.

vim /etc/apache2/conf-available/security.conf

Set the following settings

#### Ask your server to be more discret!
# ServerTokens
# Set to one of:  Full | OS | Minimal | Minor | Major | Prod
ServerTokens Prod

ServerSignature Off
TraceEnable Off

Restart Apache2

service apache2 restart

Re-run PHP info, you should have less information.

PHP5 security

PHP Security Info

If you want to test your PHP security, you can use the PHPSecInfo tool, available at: http://phpsec.org/projects/phpsecinfo/index.html

Installation

cd /tmp
wget http://phpsec.org/projects/phpsecinfo/phpsecinfo.zip
unzip phpsecinfo.zip
mv phpsecinfo-Version phpsecinfo
mv phpsecinfo/ /var/www
cd /var/www
chown -R www-data:www-data phpsecinfo

Virtual host configuration

Edit your V.Host configuration

vim /etc/apache2/sites-available/myServer

!! For security reason: DO NOT use 'phpsecinfo' as alias. It's too easy to guess.

<VirtualHost _default_:443>
         # PHPSecInfo
         Alias   /phpsec   /var/www/phpsecinfo
         <Location /phpsec >
                 Require all granted
                 ProxyPass !
                 order deny,allow
                 # allow from 127.0.0.1 192.168.1.0/24
                 allow from all
          </Location>
</VirtualHost>

Reload your configuration

/etc/init.d/apache2 reload

Run the test

To asset your current installation you can run the test: https://myServer/phpsec

Improve security

PHP5 sessions and temp files

Create specific directory to store the sessions and temp files:

mkdir -p /etc/php5/temp
mkdir -p /etc/php5/session
chown -R www-data:root /etc/php5/temp
chown -R www-data:root /etc/php5/session
chmod -R 770 /etc/php5/session
chmod -R 770 /etc/php5/temp

Edit the configuration file

vim /etc/php5/apache2/php.ini

Adjust:

line 801 → upload_tmp_dir = /etc/php5/temp
line 1357 → session.save_path = "/etc/php5/session"

PHP5 tweak

Edit the configuration file

vim /etc/php5/apache2/php.ini

Adjust:

line 376 → expose_php = Off
line 406 → memory_limit = 8M
line 480 → display_errors=Off
line 675 → post_max_size=256K
line 805 → upload_max_filesize=256K
line 814 → allow_url_fopen=Off

 DO NOT enable the open_basedir (even if the test say so! It’s a troublesome setting)

Restart your server to load the changes:

service apache2 restart

Re-run the test, then:

Ignore the open_basedir and upload_tmp_dir alerts, if any.
You can enable some specific options with a .htaccess file

Change Apache 2 UID

IMPORTANT: Do not change the UID if you already have install web programs such as phpldapadmin or phpmyadmin, cacti, ...

This security trick is not crucial, it's just a "nice to have".

Change the Apache UID

vim /etc/group

Change www-data UID

    www-data:x:10033:

Change the Apache GID

 
vim /etc/passwd

Change the group settings

    www-data:x:10033:10033:www-data:/var/www:/bin/false

Apply modifications

chown -R www-data:www-data /var/www/*
chown -R www-data:root /etc/php5/*

To take on the modifications you have to reboot your server - and not just the service. You must reboot the server with "reboot" command.

Avoid DOS attacks

Source: Linux mag’ – Hors serie Apache2

You can protect your server from Denial Of Service (DOS) attacks through mod_evasive

Installation

apt-get install libapache2-mod-evasive

Prepare log directory

mkdir /var/log/apache2/mod_evasive
chown -R www-data:www-data  /var/log/apache2/mod_evasive

Enable module

a2enmod evasive

Configuration

Update / create the configuration file

vim /etc/apache2/mods-available/evasive.conf

Put:

# Mod evasive configuration
# Based upon Linux Mag 
<IfModule mod_evasive20.c>
   # Size of the hash table. 
   # The greater, the more memory is required but the faster it is! The value must be a prime number
   DOSHashTableSize 3097 

   # Limit user to 5 pages per 2 seconds
   DOSPageCount 5
   DOSPageInterval 2 

   # No more than 100 HTTP request per second (HTML, CSS, images, …) 
   DOSSiteCount 100
   DOSSiteInterval 1

   # Block client for 300 seconds
   DOSBlockingPeriod 300 

   # Send email alert
   #DOSEmailNotify "admin@myDomain" 

   # Log directory
   DOSLogDir "/var/log/apache2/mod_evasive" 

   # Command to execute on ban
   #DOSSystemCommand "/sbin/iptables -I INPUT -s %s -j DROP"

   # Ignore following IP and networks
   DOSWhiteList 127.0.0.1 
   #DOSWhitelist 66.249.65.*
<IfModule mod_evasive20.c>

Apply changes

service apache2 restart

Change Apache2 ports number

You can change the Apache2 server ports. Except if you're a security paranoid person: you should NOT change the default ports.

vim /etc/apache2/ports.conf

Edit

# HTTP
Listen 80
# HTTPS 
Listen 443

Don't forget to adjust your IPTABLES script as well.

Anonymous

Search

Navigation

Navigation

Categories

Wiki tools

Wiki tools

Difference between revisions of "Apache 2 - Security"

Namespaces

Page actions

Latest revision as of 18:05, 10 June 2014

Contents

Be discreet!

PHP info

Adjust verbose level

PHP5 security

PHP Security Info

Installation

Virtual host configuration

Run the test

Improve security

PHP5 sessions and temp files

PHP5 tweak

Change Apache 2 UID

Change the Apache UID

Change the Apache GID

Avoid DOS attacks

Installation

Configuration

Change Apache2 ports number

@@ Line 1: / Line 1: @@
-=Apache 2 and PHP5: Secure your installation!=
+[[Category:Linux]]
+Here you'll find information about how to make your server more discreet and secure. By changing the UID you can also set your server to be less risky in case of being hack.
+=Be discreet!=
+==PHP info==
+Check the current server status using a simple PHP info file.
+<syntaxhighlight lang="bash">
+vim /var/www/myServer/phpinfo.php
+</syntaxhighlight>
+Put the following:
+<syntaxhighlight lang="php">
+<?php
+// Show all information, defaults to INFO_ALL
+phpinfo();
+?>
+</syntaxhighlight>
+Adjust rights and ownership:
+<syntaxhighlight lang="bash">
+chown -R www-data:www-data /var/www/myServer
+chmod -R 755 /var/www/myServer
+</syntaxhighlight>
+==Adjust verbose level==
+Do not give details about your configuration to outsiders.
+<syntaxhighlight lang="bash">
+vim /etc/apache2/conf-available/security.conf
+</syntaxhighlight>
+Set the following settings
+<syntaxhighlight lang="bash">
+#### Ask your server to be more discret!
+# ServerTokens
+# Set to one of:  Full | OS | Minimal | Minor | Major | Prod
+ServerTokens Prod
+ServerSignature Off
+TraceEnable Off
+</syntaxhighlight>
+Restart Apache2
+<syntaxhighlight lang="bash">
+service apache2 restart
+</syntaxhighlight>
+Re-run PHP info, you should have less information.
+=PHP5 security=
@@ Line 64: / Line 138: @@
+===PHP5 sessions and temp files===
-===PHP5 sessions and temp files===
 Create specific directory to store the sessions and temp files:
 <syntaxhighlight lang="bash">
 mkdir -p /etc/php5/temp
@@ Line 75: / Line 150: @@
 chmod -R 770 /etc/php5/temp
 </syntaxhighlight>
 Edit the configuration file
 <syntaxhighlight lang="bash">
 vim /etc/php5/apache2/php.ini
 </syntaxhighlight>
-line 798 → 	upload_tmp_dir = /etc/php5/temp
-line 1409 → 	session.save_path = "/etc/php5/session"
+Adjust:
+* line 801 → 	upload_tmp_dir = /etc/php5/temp
+* line 1357 → 	session.save_path = "/etc/php5/session"
 ===PHP5 tweak===
+Edit the configuration file
 <syntaxhighlight lang="bash">
 vim /etc/php5/apache2/php.ini
 </syntaxhighlight>
-line 261 → 	expose_php = Off
-line 480 →	display_errors=Off
-line 675 → 	post_max_size=256K
-line 814 → 	allow_url_fopen=Off
-DO NOT enable the open_basedir 	(even if the test say so! It’s a troublesome setting)
+Adjust:
+* line 376 → 	expose_php = Off
+* line 406 → 	memory_limit = 8M
+* line 480 →	display_errors=Off
+* line 675 → 	post_max_size=256K
+* line 805 → 	upload_max_filesize=256K
+* line 814 → 	allow_url_fopen=Off
+  DO '''NOT''' enable the open_basedir (even if the test say so! It’s a troublesome setting)
 Restart your server to load the changes:
 <syntaxhighlight lang="bash">
 service apache2 restart
 </syntaxhighlight>
-Re-run the test. Then:
+Re-run the test, then:
 * Ignore the open_basedir and upload_tmp_dir alerts, if any.
 * You can enable some specific options with a .htaccess file
-===Change Apache 2 UID===
-Do not change the UID if you already have install web programs such as phpldapadmin or phpmyadmin, cacti, ...
-====Change the Apache UID====
+=Change Apache 2 UID=
+IMPORTANT: '''Do not change the UID if you already have install web programs''' such as phpldapadmin or phpmyadmin, cacti, ...
+This security trick is not crucial, it's just a "nice to have".
+==Change the Apache UID==
 <syntaxhighlight lang="bash">
 vim /etc/group
 </syntaxhighlight>
 Change www-data UID
 <syntaxhighlight lang="bash">
      www-data:x:10033:
 </syntaxhighlight>
-====Change the Apache GID====
+==Change the Apache GID==
 <syntaxhighlight lang="bash">
 vim /etc/passwd
 </syntaxhighlight>
 Change the group settings
 <syntaxhighlight lang="bash">
-	www-data:x:10033:10033:www-data:/var/www:/bin/false
+    www-data:x:10033:10033:www-data:/var/www:/bin/false
 </syntaxhighlight>
 Apply modifications
 <syntaxhighlight lang="bash">
 chown -R www-data:www-data /var/www/*
@@ Line 135: / Line 245: @@
 </syntaxhighlight>
-To take on the modifications you have to reboot your server.
+To take on the modifications you have to reboot your server - and not just the service. '''You must reboot the server''' with "reboot" command.
+=Avoid DOS attacks=
-===Avoid DOS attacks===
 Source: Linux mag’ – Hors serie Apache2
 You can protect your server from Denial Of Service (DOS) attacks through mod_evasive
+==Installation==
 <syntaxhighlight lang="bash">
 apt-get install libapache2-mod-evasive
 </syntaxhighlight>
 Prepare log directory
 <syntaxhighlight lang="bash">
 mkdir /var/log/apache2/mod_evasive
 chown -R www-data:www-data  /var/log/apache2/mod_evasive
 </syntaxhighlight>
 Enable module
 <syntaxhighlight lang="bash">
-a2enmod mod-evasive
+a2enmod evasive
 </syntaxhighlight>
-===Configuration===
-Create the configuration file
+==Configuration==
+Update / create the configuration file
 <syntaxhighlight lang="bash">
-vim /etc/apache2/conf.d/mod_evasive.conf
+vim /etc/apache2/mods-available/evasive.conf
 </syntaxhighlight>
 Put:
 <syntaxhighlight lang="bash">
 # Mod evasive configuration
 # Based upon Linux Mag
 <IfModule mod_evasive20.c>
-	DOSHashTableSize 3097
+   # Size of the hash table.
+   # The greater, the more memory is required but the faster it is! The value must be a prime number
+   DOSHashTableSize 3097
-	# Limit user to 5 pages per 2 seconds
+   # Limit user to 5 pages per 2 seconds
-	DOSPageCount 5
+   DOSPageCount 5
-	DOSPageInterval 2
+   DOSPageInterval 2
-	# No more than 100 HTTP request per second (HTML, CSS, images, …)
+   # No more than 100 HTTP request per second (HTML, CSS, images, …)
-	DOSSiteCount 100
+   DOSSiteCount 100
-	DOSSiteInterval 1
+   DOSSiteInterval 1
-	# Block client for 300 seconds
+   # Block client for 300 seconds
-	DOSBlockingPeriod 300
+   DOSBlockingPeriod 300
-	# Send alert email
-	#DOSEmailNotify "admin@myDomain"
-	# Log directory
+   # Send email alert
-	DOSLogDir "/var/log/apache2/mod_evasive"
+   #DOSEmailNotify "admin@myDomain"
-	# Command to execute on ban
+   # Log directory
-	#DOSSystemCommand "/sbin/iptables -I INPUT -s %s -j DROP"
+   DOSLogDir "/var/log/apache2/mod_evasive"
-	# Ignore following IP and networks
+   # Command to execute on ban
-	DOSWhiteList 127.0.0.1
+   #DOSSystemCommand "/sbin/iptables -I INPUT -s %s -j DROP"
-	#DOSWhitelist 66.249.65.*
+   # Ignore following IP and networks
+   DOSWhiteList 127.0.0.1
+   #DOSWhitelist 66.249.65.*
 <IfModule mod_evasive20.c>
 </syntaxhighlight>
-DosHashTableSize = Size of the hash table.
-* The greater, the more memory is required but the faster it is! The value must be a prime number
+Apply changes
-Apply changes
 <syntaxhighlight lang="bash">
 service apache2 restart
 </syntaxhighlight>
+=Change Apache2 ports number=
+You can change the Apache2 server ports. Except if you're a security paranoid person: '''you should NOT change the default ports'''.
+<syntaxhighlight lang="bash">
+vim /etc/apache2/ports.conf
+</syntaxhighlight>
+Edit
+<syntaxhighlight lang="bash">
+# HTTP
+Listen 80
+# HTTPS
+Listen 443
+</syntaxhighlight>
+Don't forget to adjust your IPTABLES script as well.

Anonymous

Search

Navigation

Wiki tools

Page tools

Categories

Difference between revisions of "Apache 2 - Security"

Latest revision as of 18:05, 10 June 2014

Contents

Be discreet!

PHP info

Adjust verbose level

PHP5 security

PHP Security Info

Installation

Virtual host configuration

Run the test

Improve security

PHP5 sessions and temp files

PHP5 tweak

Change Apache 2 UID

Change the Apache UID

Change the Apache GID

Avoid DOS attacks

Installation

Configuration

Change Apache2 ports number