Apache 2 - Security


Here you'll find information about how to make your server more discreet and secure. By changing the UID you can also set your server to be less risky in case of being hack.



Be discreet!

PHP info

Check the current server status using a simple PHP info file.

vim /var/www/myServer/phpinfo.php


Put the following:

<?php
// Show all information, defaults to INFO_ALL
phpinfo();
?>


Adjust rights and ownership:

chown -R www-data:www-data /var/www/myServer
chmod -R 755 /var/www/myServer


Adjust verbose level

Do not give details about your configuration to outsiders.

vim /etc/apache2/conf-available/security.conf


Set the following settings

#### Ask your server to be more discret!
# ServerTokens
# Set to one of:  Full | OS | Minimal | Minor | Major | Prod
ServerTokens Prod

ServerSignature Off
TraceEnable Off


Restart Apache2

service apache2 restart


Re-run PHP info, you should have less information.



PHP5 security

PHP Security Info

If you want to test your PHP security, you can use the PHPSecInfo tool, available at: http://phpsec.org/projects/phpsecinfo/index.html


Installation

cd /tmp
wget http://phpsec.org/projects/phpsecinfo/phpsecinfo.zip
unzip phpsecinfo.zip
mv phpsecinfo-Version phpsecinfo
mv phpsecinfo/ /var/www
cd /var/www
chown -R www-data:www-data phpsecinfo


Virtual host configuration

Edit your V.Host configuration

vim /etc/apache2/sites-available/myServer

!! For security reason: DO NOT use 'phpsecinfo' as alias. It's too easy to guess.


<VirtualHost _default_:443>
         # PHPSecInfo
         Alias   /phpsec   /var/www/phpsecinfo
         <Location /phpsec >
                 Require all granted
                 ProxyPass !
                 order deny,allow
                 # allow from 127.0.0.1 192.168.1.0/24
                 allow from all
          </Location>
</VirtualHost>


Reload your configuration

/etc/init.d/apache2 reload


Run the test

To asset your current installation you can run the test: https://myServer/phpsec



Improve security

PHP5 sessions and temp files

Create specific directory to store the sessions and temp files:

mkdir -p /etc/php5/temp
mkdir -p /etc/php5/session
chown -R www-data:root /etc/php5/temp
chown -R www-data:root /etc/php5/session
chmod -R 770 /etc/php5/session
chmod -R 770 /etc/php5/temp


Edit the configuration file

vim /etc/php5/apache2/php.ini


Adjust:

  • line 801 → upload_tmp_dir = /etc/php5/temp
  • line 1357 → session.save_path = "/etc/php5/session"


PHP5 tweak

Edit the configuration file

vim /etc/php5/apache2/php.ini


Adjust:

  • line 376 → expose_php = Off
  • line 406 → memory_limit = 8M
  • line 480 → display_errors=Off
  • line 675 → post_max_size=256K
  • line 805 → upload_max_filesize=256K
  • line 814 → allow_url_fopen=Off
 DO NOT enable the open_basedir (even if the test say so! It’s a troublesome setting)


Restart your server to load the changes:

service apache2 restart


Re-run the test, then:

  • Ignore the open_basedir and upload_tmp_dir alerts, if any.
  • You can enable some specific options with a .htaccess file



Change Apache 2 UID

IMPORTANT: Do not change the UID if you already have install web programs such as phpldapadmin or phpmyadmin, cacti, ...


This security trick is not crucial, it's just a "nice to have".


Change the Apache UID

vim /etc/group


Change www-data UID

    www-data:x:10033:


Change the Apache GID

 
vim /etc/passwd


Change the group settings

    www-data:x:10033:10033:www-data:/var/www:/bin/false


Apply modifications

chown -R www-data:www-data /var/www/*
chown -R www-data:root /etc/php5/*


To take on the modifications you have to reboot your server - and not just the service. You must reboot the server with "reboot" command.



Avoid DOS attacks

Source: Linux mag’ – Hors serie Apache2


You can protect your server from Denial Of Service (DOS) attacks through mod_evasive


Installation

apt-get install libapache2-mod-evasive


Prepare log directory

mkdir /var/log/apache2/mod_evasive
chown -R www-data:www-data  /var/log/apache2/mod_evasive


Enable module

a2enmod evasive


Configuration

Update / create the configuration file

vim /etc/apache2/mods-available/evasive.conf


Put:

# Mod evasive configuration
# Based upon Linux Mag 
<IfModule mod_evasive20.c>
   # Size of the hash table. 
   # The greater, the more memory is required but the faster it is! The value must be a prime number
   DOSHashTableSize 3097 

   # Limit user to 5 pages per 2 seconds
   DOSPageCount 5
   DOSPageInterval 2 

   # No more than 100 HTTP request per second (HTML, CSS, images, …) 
   DOSSiteCount 100
   DOSSiteInterval 1

   # Block client for 300 seconds
   DOSBlockingPeriod 300 

   # Send email alert
   #DOSEmailNotify "admin@myDomain" 

   # Log directory
   DOSLogDir "/var/log/apache2/mod_evasive" 

   # Command to execute on ban
   #DOSSystemCommand "/sbin/iptables -I INPUT -s %s -j DROP"

   # Ignore following IP and networks
   DOSWhiteList 127.0.0.1 
   #DOSWhitelist 66.249.65.*
<IfModule mod_evasive20.c>


Apply changes

service apache2 restart




Change Apache2 ports number

You can change the Apache2 server ports. Except if you're a security paranoid person: you should NOT change the default ports.

vim /etc/apache2/ports.conf


Edit

# HTTP
Listen 80
# HTTPS 
Listen 443


Don't forget to adjust your IPTABLES script as well.