3.16 Web Server
3.16.4 Use Appropriate Modules to Improve Apache’s Security
# Only allow specific methods (this command is case-sensitive!)
<LimitExcept GET POST>
Order allow,deny
</LimitExcept>
# ...
</Directory>
Among the modules available for Apache are several whose use may improve the security of the web server installation. This section recommends and discusses the deployment of security-relevant modules.
3.16.4.1 Deploy mod_ssl
Because HTTP is a plain text protocol, all traffic is susceptible to passive monitoring. If confidentiality is required, SSL/TLS should be configured and enabled so that content is encrypted in transit.
Note: mod_nss is a FIPS 140-2 certified alternative to mod_ssl. The modules share a considerable amount of code and should be nearly identical in functionality. If FIPS 140-2 validation is required, then mod_nss should be used. If mod_ssl provides a feature that is needed, or its greater compatibility is required, then mod_ssl should be used.
3.16.4.1.1 Install mod_ssl
Install mod_ssl:
# yum install mod_ssl
3.16.4.1.2 Create an SSL Certificate
On your CA (if you are using your own) or on another physically secure system, generate a key pair for the web server:
# cd /etc/pki/tls/certs
# openssl genrsa -des3 -out httpserverkey.pem 2048
When prompted, enter a strong, unique passphrase to protect the web server key pair.
Next, generate a Certificate Signing Request (CSR) from the key for the CA:
# openssl req -new -key httpserverkey.pem -out httpserver.csr
Enter the passphrase for the web server key pair and then fill out the fields as completely as possible (or hit return to accept defaults); the Common Name field is especially important. It must match the fully-qualified domain name of your server exactly (e.g. www.example.com) or the certificate will not work. Current browsers additionally require the name to be present in the certificate's subjectAltName extension and no longer accept a name that appears only in the Common Name, so make sure the CA adds it.
The /etc/pki/tls/openssl.cnf file determines which other fields (e.g. Country Name, Organization Name, etc.) must match between the server request and the CA. Leave the challenge password and the optional company name blank. Next, the web server CSR must be signed to create the web server certificate. You can either send the CSR to an established CA or sign it with your own CA.
To sign httpserver.csr using your CA:
# openssl ca -in httpserver.csr -out httpservercert.pem
When prompted, enter the CA passphrase to continue and then complete the process. The httpservercert.pem certificate needed to enable SSL on the web server is now in the directory.
Finally, the web server key and certificate file need to be moved to the web server. Use removable media if possible. Place the server key and certificate file in /etc/pki/tls/http/, naming them serverkey.pem and servercert.pem, respectively. The key file must be owned by root and readable only by root (mode 0600); the certificate is public and may be world-readable. Note that httpd will prompt for the key passphrase at every start unless the key is stored unencrypted or SSLPassPhraseDialog is configured.
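Before httpd is restarted, the pair should be checked on the web server itself. The script below is an added example and not part of the guide: it verifies that the key is readable only by its owner, that the certificate was issued for that key (same RSA modulus), and that the certificate is valid for the server's FQDN in either the Common Name or a subjectAltName entry. The function name verify_server_cert, the KEY_PASSIN variable and the default paths (the guide's /etc/pki/tls/http/ layout) are this example's own choices.

```shell
#!/bin/sh
# Added example, not part of the guide: check a web server key/certificate
# pair before handing it to httpd. The default paths are the guide's
# /etc/pki/tls/http/ layout; the FQDN defaults to this host's name.
#   verify_server_cert [KEYFILE] [CERTFILE] [FQDN]
# Returns 0 when every check passes, 1 otherwise. For a passphrase-protected
# key set KEY_PASSIN (for example KEY_PASSIN=file:/root/httpd-key.pass) so
# that openssl does not prompt; that variable name is this script's own.

verify_server_cert() {
    key=${1:-/etc/pki/tls/http/serverkey.pem}
    cert=${2:-/etc/pki/tls/http/servercert.pem}
    fqdn=${3:-$(hostname -f)}
    rc=0

    # 1. The private key must be readable by its owner only (mode 0600):
    #    columns 5-10 of "ls -l" are the group and other permission bits.
    if [ "$(ls -l "$key" | cut -c5-10)" != "------" ]; then
        echo "FAIL: $key is readable by group or others"
        rc=1
    fi

    # 2. Key and certificate must belong together: same RSA modulus.
    if [ -n "${KEY_PASSIN:-}" ]; then
        key_mod=$(openssl rsa -noout -modulus -in "$key" -passin "$KEY_PASSIN" 2>/dev/null)
    else
        key_mod=$(openssl rsa -noout -modulus -in "$key" 2>/dev/null </dev/null)
    fi
    cert_mod=$(openssl x509 -noout -modulus -in "$cert" 2>/dev/null)
    if [ -z "$key_mod" ] || [ "$key_mod" != "$cert_mod" ]; then
        echo "FAIL: $cert does not match the key in $key (or the key could not be read)"
        rc=1
    fi

    # 3. The certificate must be valid for the server's name, in the CN or a
    #    subjectAltName entry; "-checkhost" evaluates both and reports
    #    "does match" or "does NOT match".
    if ! openssl x509 -noout -in "$cert" -checkhost "$fqdn" 2>/dev/null | grep -q 'does match'; then
        echo "FAIL: $cert is not valid for host $fqdn"
        rc=1
    fi

    # 4. Warn (do not fail) when less than 30 days (2592000 s) of validity remain.
    if ! openssl x509 -noout -in "$cert" -checkend 2592000 >/dev/null 2>&1; then
        echo "WARN: $cert expires within 30 days"
    fi

    [ "$rc" -eq 0 ] && echo "OK: $key and $cert are usable for $fqdn"
    return "$rc"
}
```

Run it as `verify_server_cert /etc/pki/tls/http/serverkey.pem /etc/pki/tls/http/servercert.pem www.example.com` after copying the files; a non-zero exit status means httpd should not be restarted yet.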
3.16.4.1.3 Install SSL Certificate
Add or modify the configuration file /etc/httpd/conf.d/ssl.conf to match the following:
# establish new listening port
Listen 443
# seed appropriately
SSLRandomSeed startup file:/dev/urandom 1024
SSLRandomSeed connect file:/dev/urandom 1024
<VirtualHost site-on-certificate.com:443>
    # Enable SSL
    SSLEngine On
    # Path to server certificate + private key
    SSLCertificateFile /etc/pki/tls/http/servercert.pem
    SSLCertificateKeyFile /etc/pki/tls/http/serverkey.pem
    # SSLv2 and SSLv3 are both broken; allow only TLS versions
    SSLProtocol All -SSLv2 -SSLv3
    # Weak ciphers, MD5-based suites and null authentication should be denied unless absolutely
    # necessary (and even then, such cipher weakening should occur within a Location enclosure)
    SSLCipherSuite HIGH:MEDIUM:!aNULL:!MD5
</VirtualHost>
Ensure that all directories that house SSL content are restricted to SSL access only in /etc/httpd/conf/httpd.conf:
<Directory /var/www/html/secure>
    # require SSL for access
    SSLRequireSSL
    SSLOptions +StrictRequire
    # require domain to match certificate domain
    SSLRequire %{HTTP_HOST} eq "site-on-certificate.com"
    # rather than reply with 403 error, redirect user to appropriate site
    # this is OPTIONAL - uncomment to apply
    # ErrorDocument 403 https://site-on-certificate.com
</Directory>
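Whether a deployed ssl.conf still matches the intent of the directives above is easy to lose track of, because a cipher string such as HIGH:MEDIUM only shows what it admits once it is expanded. The shell script below is an added example, not part of the guide: it parses every SSLProtocol and SSLCipherSuite line in a configuration file, flags protocol lists that leave SSLv3 enabled, and expands each cipher string with `openssl ciphers` to list the weak suites it still offers. The function names audit_ssl_conf and protocol_ok and the list of "weak" name fragments are this example's own choices.

```shell
#!/bin/sh
# Added example, not part of the guide: audit the TLS settings of an Apache
# ssl.conf. Every SSLProtocol line must switch off SSLv3 as well as SSLv2 (or
# list TLS versions explicitly), and every SSLCipherSuite string is expanded
# with "openssl ciphers" to show which weak suites it still admits. Returns the
# number of findings (0 = clean).
#   audit_ssl_conf /etc/httpd/conf.d/ssl.conf

# protocol_ok "ARGS" -> 0 if the SSLProtocol argument list disables SSLv3.
protocol_ok() {
    p=$(printf ' %s ' "$1" | tr 'A-Z' 'a-z')
    case $p in
        *' -sslv3 '*) return 0 ;;        # e.g. "All -SSLv2 -SSLv3"
    esac
    # Otherwise accept only an explicit allow list such as "TLSv1.2 TLSv1.3"
    # or "-all +TLSv1.2".
    for tok in $p; do
        case $tok in
            -all|+tlsv1*|tlsv1*) ;;
            *) return 1 ;;
        esac
    done
    return 0
}

audit_ssl_conf() {
    conf=$1
    findings=0
    # Drop comments and blank lines; Apache directive names are case-insensitive.
    directives=$(sed -e 's/#.*//' -e '/^[[:space:]]*$/d' "$conf")

    protos=$(printf '%s\n' "$directives" | grep -i '^[[:space:]]*SSLProtocol[[:space:]]' \
             | sed 's/^[[:space:]]*[^[:space:]]*[[:space:]]*//')
    while read -r spec; do
        [ -n "$spec" ] || continue
        if ! protocol_ok "$spec"; then
            echo "FINDING: 'SSLProtocol $spec' leaves SSLv3 enabled; use 'All -SSLv2 -SSLv3'"
            findings=$((findings + 1))
        fi
    done <<EOF
$protos
EOF

    if command -v openssl >/dev/null 2>&1; then
        suites=$(printf '%s\n' "$directives" | grep -i '^[[:space:]]*SSLCipherSuite[[:space:]]' \
                 | sed 's/^[[:space:]]*[^[:space:]]*[[:space:]]*//')
        while read -r spec; do
            [ -n "$spec" ] || continue
            # Names containing MD5, RC4, DES (3DES), NULL, EXP(ort) or ADH/AECDH
            # (anonymous DH) are the suites a hardened server should not offer.
            weak=$(openssl ciphers "$spec" 2>/dev/null | tr ':' '\n' \
                   | grep -E 'MD5|RC4|DES|NULL|EXP|ADH|AECDH' | tr '\n' ' ')
            if [ -n "$weak" ]; then
                echo "FINDING: 'SSLCipherSuite $spec' still offers: $weak"
                findings=$((findings + 1))
            fi
        done <<EOF
$suites
EOF
    else
        echo "NOTE: openssl not found; cipher strings were not expanded"
    fi

    [ "$findings" -eq 0 ] && echo "OK: $conf has no weak TLS settings"
    return "$findings"
}
```

Run `audit_ssl_conf /etc/httpd/conf.d/ssl.conf` after every change to the file; the exit status is the number of findings, so it can gate a configuration-management run.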
3.16.4.2 Deploy mod_security
mod_security provides an application-level firewall for Apache. Following the installation of mod_security with the base ruleset, specific configuration advice can be found at http://www.modsecurity.org/ to design a policy that best matches the security needs of the web applications.
3.16.4.2.1 Install mod_security
Install mod_security:
# yum install mod_security
3.16.4.2.2 Configure mod_security Filtering
mod_security supports a significant number of options, far too many to be fully covered in this guide. However, the following list comprises a smaller subset of suggested filters to be added to /etc/httpd/conf/httpd.conf. The directives use the ModSecurity 1.x syntax (SecFilter*); ModSecurity 2.x and later replaced it with SecRuleEngine and SecRule, so check the installed version before copying them. Simple keyword filters such as these also match legitimate input (a search for "select an item from the list" trips the SQL injection filter), so test them against normal traffic before enforcing them:
# enable mod_security
SecFilterEngine On
# enable POST filtering
SecFilterScanPost On
# Make sure that URL encoding is valid
SecFilterCheckURLEncoding On
# Accept almost all byte values
SecFilterForceByteRange 1 255
# Prevent directory traversal
SecFilter "\.\./"
# Filter on specific system paths
SecFilter /etc/passwd
SecFilter /bin/
# Prevent cross-site scripting
SecFilter "<[[:space:]]*script"
# Prevent SQL injection
SecFilter "delete[[:space:]]+from"
SecFilter "insert[[:space:]]+into"
SecFilter "select.+from"
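The filters above are plain pattern matches, so it is worth seeing what they catch, and what they catch by mistake, before enforcing them. The script below is an added example, not part of the guide or of mod_security: it applies the seven SecFilter patterns to constructed request strings with grep -E, the way a policy author would test a signature set against sample traffic. The sample requests, the function matched_filters and the demo routine are this example's own; the strings are taken as already URL-decoded.

```shell
#!/bin/sh
# Added example, not part of the guide: run the guide's SecFilter patterns
# over sample request strings with grep -E, the way a policy author tests a
# signature set before deploying it. The strings are taken as already
# URL-decoded. Matching is case-insensitive here; a filter applied
# case-sensitively would be bypassed simply by writing SeLeCt.

# The patterns exactly as they appear in the guide, one per line.
SECFILTERS='\.\./
/etc/passwd
/bin/
<[[:space:]]*script
delete[[:space:]]+from
insert[[:space:]]+into
select.+from'

# matched_filters STRING -> prints every pattern that matches STRING, one per
# line; returns 0 if at least one matched (request would be blocked), else 1.
matched_filters() {
    hits=0
    while read -r pat; do
        if printf '%s\n' "$1" | grep -E -i -q -- "$pat"; then
            echo "$pat"
            hits=$((hits + 1))
        fi
    done <<EOF
$SECFILTERS
EOF
    [ "$hits" -gt 0 ]
}

# Constructed sample requests: a traversal attempt, a script injection with
# mixed case, an ordinary search phrase, and a harmless product lookup.
demo() {
    for req in '/cgi-bin/view?file=../../etc/passwd' \
               '/guestbook?msg=<ScRiPt>alert(1)</script>' \
               '/search?q=please select an item from the list' \
               '/products?id=42'; do
        if matched=$(matched_filters "$req"); then
            echo "BLOCKED  $req  <- $(printf '%s' "$matched" | tr '\n' ' ')"
        else
            echo "ALLOWED  $req"
        fi
    done
}

demo
```

The third request is the point of the exercise: an innocent search phrase is blocked by `select.+from`, which is why signature filters of this kind need a whitelist of known-good paths or a review of the audit log before they are switched from logging to blocking.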
3.16.4.3 Use Denial-of-Service Protection Modules
Denial-of-service attacks are difficult to detect and prevent while maintaining acceptable access to authorized users. However, there are a number of traffic-shaping modules that attempt to address the problem. Well-known DoS protection modules include:
mod_throttle
mod_bwshare
mod_limitipconn
mod_dosevasive (now distributed as mod_evasive)
It is recommended that denial-of-service prevention be implemented for the web server. However, this guide leaves specific configuration details to the discretion of the reader.
3.16.4.4 Configure Supplemental Modules Appropriately
Any required functionality added to the web server via additional modules should be configured appropriately.
3.16.4.4.1 Configure PHP Securely
PHP is a widely used and often misconfigured server-side scripting language. It should be deployed only where it is needed, and then configured with care.
Make the following changes to /etc/php.ini (note that php.ini comments start with ';'):
; Do not expose PHP error messages to external users
display_errors = Off
; Enable safe mode
safe_mode = On
; Only allow access to executables in isolated directory
safe_mode_exec_dir = php-required-executables-path
; Limit external access to PHP environment
safe_mode_allowed_env_vars = PHP_
; Restrict PHP information leakage
expose_php = Off
; Log all errors
log_errors = On
; Do not register globals for input data
register_globals = Off
; Minimize allowable PHP post size (1K is an example; use the smallest size the applications need)
post_max_size = 1K
; Keep the CGI redirect check on: it stops direct requests to the PHP CGI binary
; (only relevant when PHP runs as a CGI; harmless under mod_php)
cgi.force_redirect = 1
; Disallow uploading unless necessary
file_uploads = Off
; Do not let fopen-style functions and include fetch remote URLs
allow_url_fopen = Off
; Enable SQL safe mode
sql.safe_mode = On
The safe_mode* directives and register_globals were removed in PHP 5.4, and sql.safe_mode in PHP 7.2; omit them on those versions. On PHP 5.2 and later, also set allow_url_include = Off so that include and require cannot load remote code even if allow_url_fopen has to be re-enabled for an application.
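The list above is easy to verify mechanically, and doing so catches the common case where a package update or a developer has reset a value. The script below is an added example, not from the guide: it reads a php.ini (last uncommented assignment wins, as PHP itself does), normalises the On/Off spellings PHP accepts, and reports every recommended boolean directive that is missing or set differently, treating directives that no longer exist in current PHP as informational. The function names check_php_ini, ini_value and norm_bool, the EXPECTED list and the sample files used in the usage are this example's own; site-specific values (post_max_size, safe_mode_exec_dir, safe_mode_allowed_env_vars) are deliberately left to the administrator.

```shell
#!/bin/sh
# Added example, not part of the guide: compare a php.ini against the boolean
# settings recommended above and report each directive that is missing or
# differs. Site-specific values (post_max_size, safe_mode_exec_dir,
# safe_mode_allowed_env_vars) are left to the administrator. Returns the
# number of mismatches (0 = compliant).
#   check_php_ini /etc/php.ini

EXPECTED='display_errors=Off
expose_php=Off
log_errors=On
register_globals=Off
cgi.force_redirect=1
file_uploads=Off
allow_url_fopen=Off
safe_mode=On
sql.safe_mode=On'

# Directives that later PHP releases dropped: safe_mode and register_globals
# in 5.4, sql.safe_mode in 7.2. Their absence is reported as INFO, not a finding.
REMOVED='safe_mode register_globals sql.safe_mode'

# ini_value FILE DIRECTIVE -> effective value (last uncommented assignment
# wins, as in php.ini), with trailing whitespace and surrounding quotes
# removed; empty if the directive is not set at all.
ini_value() {
    pat=$(printf '%s' "$2" | sed 's/\./\\./g')
    sed -n -e 's/[[:space:]]*;.*$//' \
           -e "s/^[[:space:]]*$pat[[:space:]]*=[[:space:]]*//p" "$1" \
        | sed -e 's/[[:space:]]*$//' -e 's/^"\(.*\)"$/\1/' | tail -n 1
}

# norm_bool VALUE -> "on"/"off" for the spellings PHP accepts, else lowercase VALUE.
norm_bool() {
    v=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
    case $v in
        1|on|true|yes)        echo on ;;
        0|off|false|no|none)  echo off ;;
        *)                    echo "$v" ;;
    esac
}

check_php_ini() {
    ini=$1
    bad=0
    while read -r line; do
        [ -n "$line" ] || continue
        key=${line%%=*}
        want=${line#*=}
        have=$(ini_value "$ini" "$key")
        if [ -z "$have" ]; then
            case " $REMOVED " in
                *" $key "*) echo "INFO: $key not set (directive no longer exists in current PHP)" ;;
                *) echo "MISSING: $key is unset, PHP's built-in default applies (want $want)"
                   bad=$((bad + 1)) ;;
            esac
        elif [ "$(norm_bool "$have")" != "$(norm_bool "$want")" ]; then
            echo "MISMATCH: $key = $have (want $want)"
            bad=$((bad + 1))
        fi
    done <<EOF
$EXPECTED
EOF
    [ "$bad" -eq 0 ] && echo "OK: $ini matches the recommended settings"
    return "$bad"
}
```

Run `check_php_ini /etc/php.ini`; a MISSING line matters because PHP's compiled-in default for display_errors is On, so leaving the directive out is not the same as setting it to Off.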