Intro
I am far from an expert in Apache. But I have a good knowledge of general best practices which I apply when running Apache web server. None of my tips are particularly insightful – they all can be found elsewhere, but this will be a single place to help find them all together.
To Compile or Not
As of this writing the current version is 2.2.21. The version supplied with the current version of SLES, SLES 11, is 2.2.10. To find the version run httpd -v
I think that’s fairly typical for them to be so many version behind. I recommend compiling your own version. But pay attention to security advisories and check every quarter to see what the latest release is. You’ll have to keep up with it on your own or you’ll actually be in worse shape than if you used the vendor version and applied patches regularly.
What You’ll Need to Know for the Range DOS Vulnerability
When you get the source you might try a simple ./configure, followed by a make and finally make install. And it would all seem to work. You can fetch the home page with a curl localhost. Then you remember about that recent Range header denial of service vulnerability described here. If you test for whether you support the Range header you’ll see that you do. I like to test for this as follows:
$ curl -H "Range: bytes=1-2" localhost
If before you saw something like
<html><body><h1>It works!</h1>
now it becomes
ht
i.e., it grabbed bytes one and two from <html>…
Now there are options and opinions about what to do about this. I think turning off Range header support is the best option. But if you try that you will fail. Why? Because you did not compile in the mod_headers module. To turn off Range headers add these lines to the global part of your configuration:
RequestHeader unset Range RequestHeader unset Request-Range
To see what modules you have available in your apache binary you do
/usr/local/apache2/bin/httpd -l
which should look like the following if you have taken all the defaults:
Compiled in modules: core.c mod_authn_file.c mod_authn_default.c mod_authz_host.c mod_authz_groupfile.c mod_authz_user.c mod_authz_default.c mod_auth_basic.c mod_include.c mod_filter.c mod_log_config.c mod_env.c mod_setenvif.c mod_version.c prefork.c http_core.c mod_mime.c mod_status.c mod_autoindex.c mod_asis.c mod_cgi.c mod_negotiation.c mod_dir.c mod_actions.c mod_userdir.c mod_alias.c mod_so.c
Notice there is no mod_headers.c which means there is no mod_headers module. And in fact when you restart your apache web server you are likely to see this error:
Syntax error on line 360 of /usr/local/apache2/conf/httpd.conf: Invalid command 'RequestHeader', perhaps misspelled or defined by a module not included in the server configuration |
So you need to compile in mod_headers. Begin by cleaning your slate by running make clean in your source directory; then run configure as follows:
./configure –enable-headers –enable-rewrite
I’ve thrown in the –enable-rewrite qualifier because I like to be able to use mod_rewrite. It is not actually used for the security problems being discussed in this article.
Side note for those using the system-provided apache2 package on SLES
As an alternative to compiling yourself, you may be using an apache package. I have only tested this for SLES (so it would probably be the same for openSUSE). There you can edit the /etc/sysconfig/apache2 file and add additional modules to load. In particular the line
APACHE_MODULES="actions alias auth_basic authn_file authz_host authz_groupfile authz_default authz_user authn_dbm autoindex cgi dir env expires include log_config mime negotiation setenvif ssl suexec userdir php5 reqtimeout" |
can be changed to
APACHE_MODULES="actions alias auth_basic authn_file authz_host authz_groupfile authz_default authz_user authn_dbm autoindex cgi dir env expires include log_config mime negotiation setenvif ssl suexec userdir php5 reqtimeout headers" |
Back to compiling. Note that ./configure -help gives you some idea of all the options available, but it doesn’t exactly link the options to the precise module names, though it gives you a good idea via the description.
Then run make followed by make install as before. You should be good to go!
A Built-in Contradiction
You may have successfully suppressed use of range-headers, but on my web server, I noticed a contradictory HTTP Response header was still being issued after all that:
Accept-Ranges:
I use a simple
curl -i localhost
to look at the HTTP Response headers. The contradiction is that your server is not accepting ranges while it’s sending out the message that it is!
So turn that off to be consistent. This is what I did.
# need the following line to not send Accept-Ranges header Header unset Accept-Ranges #
Don’t Give Away the Keys
Don’t reveal too much about your server version such as OS and patch level of your web server. I suppose it is OK to reveal your web server type and its major version. Here is what I did:
# don't reveal too much about the server version - just web server and major version # see http://www.ducea.com/2006/06/15/apache-tips-tricks-hide-apache-software-version/ ServerTokens Major
After all these changes curl -i localhost output looks as follows:
HTTP/1.1 200 OK Date: Fri, 04 Nov 2011 20:39:02 GMT Server: Apache/2 Last-Modified: Fri, 14 Oct 2011 15:37:41 GMT ETag: "12005-a-4af4409a09b40" Content-Length: 10 Content-Type: text/html
See? I’ve gotten rid of the Accept-Ranges and provide only sketchy information about the server.
I put these security-related measures into a single file I include from the global configuration file httpd.conf into a file I call security.conf. To put it all toegther, at this point my security.conf looks like this:
# 11/2011 # prevent DOS attack. # See http://mail-archives.apache.org/mod_mbox/httpd-announce/201108.mbox/%[email protected]%3E - JH 8/31/11 # a good explanation of how to test it: # http://devcentral.f5.com/weblogs/macvittie/archive/2011/08/26/f5-friday-zero-day-apache-exploit-zero-problem.aspx # looks like we do have this vulnerability, # trying curl -i -H 'Range:bytes=1-5' http://bsm2.com/index.html # note that I had to compile with ./configure --enable-headers to be able to use these directives RequestHeader unset Range RequestHeader unset Request-Range # # need the following line to not send Accept-Ranges header Header unset Accept-Ranges # # don't reveal too much about the server version - just web server and major version # see http://www.ducea.com/2006/06/15/apache-tips-tricks-hide-apache-software-version/ ServerTokens Major
SSL (added December, 2014)
Search engines are encouraging web site operators to switch to using SSL for the obvious added security. If you’re going to use SSL you’ll also need to do that responsibly or you could get a false sense of security. I document it in my post on working with cipher settings.
Disable folder browsing/directory listing
I recently got caught out on this rookie mistake: Web Directories listing vulnerability. The solution is simple. In side your main HTDOCS section of configuration you may have a line that looks like:
Options Indexes FollowSymLinks ExecCGI |
Get rid of that Indexes – that’s what permits folder browsing, So this is better:
Options FollowSymLinks ExecCGI |
Turn off php version listing, December 2016 update
Oops. I read about how the 47% of the top million web sites have security issues. One bases for the judgment is to see what version of PHP is running based on the headers. So i checked my https server, and, oops:
$ curl ‐s ‐i ‐k https://drjohnstechtalk.com/blog/|head ‐22
HTTP/1.1 200 OK Date: Fri, 16 Dec 2016 20:00:09 GMT Server: Apache/2 Strict-Transport-Security: max-age=15811200; includeSubDomains; preload Vary: Cookie,Accept-Encoding X-Powered-By: PHP/5.4.43 X-Pingback: https://drjohnstechtalk.com/blog/xmlrpc.php Last-Modified: Fri, 16 Dec 2016 20:00:10 GMT Transfer-Encoding: chunked Content-Type: text/html; charset=UTF-8 <!DOCTYPE html> <html lang="en-US"> <head> ... |
So there is was, hanging out for all to see, PHP version 5.4.43. I’d rather not publicly admit that. So I turned it off by adding the following to my php.ini file and re-starting apache:
expose_php = off
After this my HTTP response headers show only this:
HTTP/1.1 200 OK Date: Fri, 16 Dec 2016 20:00:55 GMT Server: Apache/2 Strict-Transport-Security: max-age=15811200; includeSubDomains; preload Vary: Cookie,Accept-Encoding X-Pingback: https://drjohnstechtalk.com/blog/xmlrpc.php Last-Modified: Fri, 16 Dec 2016 20:00:57 GMT Transfer-Encoding: chunked Content-Type: text/html; charset=UTF-8 |
I must have overlooked this when I compiled my own apache v 2.4 and used it to run my principal web server over https.
June 2017 update
PCI compliance will ding you for lack of an X-Frame-Options header. So for a simple web site like mine I can always safely send one out by adding this to my apache.conf file (or whichever apache conf file you deem most appropriate. I have a special security file in conf.d where I actually put it):
# don't permit framing from other sources, DrJ 6/16/17 # https://www.simonholywell.com/post/2013/04/three-things-i-set-on-new-servers/ Header always append X-Frame-Options SAMEORIGIN |
PCI compliance will also ding you if TRACE method is enabled. In that security file of my configuration I disable it thusly:
TraceEnable Off |
Test both those things in one fell swoop
$ curl ‐X TRACE ‐i ‐k https://drjohnstechtalk.com/
HTTP/1.1 405 Method Not Allowed Date: Fri, 16 Jun 2017 18:20:24 GMT Server: Apache/2 X-Frame-Options: SAMEORIGIN Strict-Transport-Security: max-age=15811200; includeSubDomains; preload Allow: Content-Length: 295 Content-Type: text/html; charset=iso-8859-1 <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"> <html><head> <title>405 Method Not Allowed</title> </head><body> <h1>Method Not Allowed</h1> <p>The requested method TRACE is not allowed for the URL /.</p> <hr> <address>Apache/2 Server at drjohnstechtalk.com Port 443</address> </body></html> |
See? X-Frame-Options header now comes out with desired value. TRACE method was disallowed. All good.
Conclusion
Make sure you are taking some precautions against known security problems in Apache2. For information on running multiple web server instances under SLES see my next post Running Multiple Web Server Instances under SLES.
References and related
Remember, for handling the apache SSL hardening go here.
Compiling apache 2.4
drjohnstechtalk is now an HTTPS site!
TRACE method sounds useful for debugging, but I guess there are exploits so it needs to be disabled. Wikipedia documents it: https://en.wikipedia.org/wiki/Hypertext_Transfer_Protocol#Request_methods. Don’t forget that curl -v also shows you your request headers!
One reply on “Apache Tips in Light of Security Problems”
I recently was affected by the fix for the Range DOS because forgot to remove
the Accept-Ranges advertisment by the server. Apparently, adobe pdf plugin for firefox 11, for large files, gets really upset if it gets back the full document when it asks for a byte range. (I believe this is an adobe plugin bug, as RFC 2616 section 14.35.2 says server may ignore a Range request).
Anyway, I also found that
Header unset Accept-Ranges
is not enough, as section 14.5 says the server need not provide a Accept-Ranges header, and clients may still make a byte range request.Header set Accept-Ranges none
seems to be a more informative response if you are going to drop all byte ranges.Anyway, the adobe pdf plugin for ff11 will properly display large files (after waiting for the whole thing to download) only if the header explicitly states it does not accept byte ranges.
See also the
MaxRanges
directive in apache 2.2.21; a nice compromise.