Web Server Hardening - Apache
1. Secure Apache Configuration with .htaccess
1.1 OWASP A3:2017-Sensitive Data Exposure
Turn ETags Off
FileETag None
The ETag value is used in cache management to save network bandwidth, but Apache's default ETag format discloses file system details (i-node number, file size and modification time) of the file being served.
e.g. ETag: "16793-106a-4e71be79cdd80"
File's i-node number: 16793 (Hex) = 92051 (Dec)
File size (Bytes): 106a (Hex) = 4202 (Dec)
File modification time: 4e71be79cdd80 (Hex) / 1380006942793088 (Dec, microseconds since the Unix epoch) / September 24, 2013 7:15:42 (GMT)
To print the i-node number of a file:
ls -i <filename>
Epoch & Unix Timestamp Conversion Tools: https://www.epochconverter.com
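The decoding walked through above, as an added Python example (not code from the original page): it splits an Apache ETag into its fields and converts the modification time from microseconds since the epoch to a UTC date. It assumes the three-field inode-size-mtime layout shown above; a two-field ETag is assumed to be size-mtime (the Apache 2.4 default FileETag MTime Size).

```python
import re
from datetime import datetime, timezone

# Constructed sample value: the ETag discussed above
SAMPLE_ETAG = 'ETag: "16793-106a-4e71be79cdd80"'


def parse_etag(header):
    """Decode an Apache default-format ETag into the file metadata it leaks.
    Apache emits the enabled FileETag components, in hex, in the fixed order
    inode-size-mtime; two fields are assumed to be size-mtime (FileETag MTime Size)."""
    value = header.split(":", 1)[1] if header.lower().startswith("etag:") else header
    value = value.strip()
    weak = value.startswith("W/")          # weak validators carry a W/ prefix
    value = value[2:] if weak else value
    value = value.strip('"')
    if not re.fullmatch(r"[0-9a-fA-F]+(-[0-9a-fA-F]+){0,2}", value):
        raise ValueError(f"not an Apache-style ETag: {header!r}")
    parts = [int(p, 16) for p in value.split("-")]
    result = {"weak": weak}
    if len(parts) == 3:
        result["inode"], result["size"], mtime_us = parts
    elif len(parts) == 2:
        result["size"], mtime_us = parts
    else:
        return result  # a single field cannot be attributed to a component
    # mtime is an apr_time_t: microseconds since the Unix epoch
    result["mtime_us"] = mtime_us
    result["mtime_utc"] = datetime.fromtimestamp(
        mtime_us // 1_000_000, tz=timezone.utc
    ).replace(microsecond=mtime_us % 1_000_000)
    return result


def describe(header):
    """One-line summary of what the ETag discloses."""
    info = parse_etag(header)
    lines = []
    if "inode" in info:
        lines.append(f"i-node: {info['inode']}")
    if "size" in info:
        lines.append(f"size: {info['size']} bytes")
    if "mtime_utc" in info:
        lines.append("modified: " + info["mtime_utc"].strftime("%Y-%m-%d %H:%M:%S UTC"))
    return "; ".join(lines) or "no decodable fields"


if __name__ == "__main__":
    print(describe(SAMPLE_ETAG))
```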
1.2 OWASP A5:2017-Broken Access Control
Brute Force Directory and File Names
Restrict Access to a Directory
- Create passwords for .htpasswd files using Htpasswd Generator
- Copy the text generated into .htpasswd file
AuthName "Unauthorized access is prohibited."
AuthUserFile </home/yourdirectory/.htpasswd>
AuthGroupFile /dev/null
AuthType Basic
Require user <putyourusernamehere>
1.3 OWASP A6:2017 - Security Misconfiguration
Disable Directory Listing
Options -Indexes
[Figure: Directory Listing]
Prevent Access to Certain File Types for Protected Directories
<FilesMatch "\.(inc)$">
Order Deny,Allow
Deny from all
</FilesMatch>
On Apache 2.4 the Order/Deny directives only work with mod_access_compat loaded; the native 2.4 equivalent is Require all denied.
[Figure: the .inc file could be accessed before the rule was applied]
2. Secure Apache Configuration with httpd.conf
Configuration File: C:\xampp\apache\conf\httpd.conf
2.1 OWASP A3:2017-Sensitive Data Exposure
2.1.1 Limiting Information Provided by the Apache Web Server
[Figure: HTTP Response Header]
[Figure: Server-generated Document]
[Figure: Nmap result before the configuration in httpd.conf]
Comments in httpd.conf must be on their own line; a # after a directive on the same line is a syntax error.
# Product only: the Server header shows "Apache" without a version
ServerTokens Prod
# Since version 2.0.44, the server version details presented are controlled by the ServerTokens directive
ServerSignature Off
Reference:
https://httpd.apache.org/docs/current/mod/core.html#servertokens
https://httpd.apache.org/docs/current/mod/core.html#serversignature
[Figure: Nmap result after the configuration in httpd.conf]
[Figure: Wappalyzer is not able to retrieve the Apache version after ServerTokens Prod is set]
Apache Server Information
[Figure: Apache /server-info is enabled]
Disable mod_info, which serves the /server-info page, by commenting out its LoadModule line in httpd.conf:
#LoadModule info_module modules/mod_info.so
2.1.2 Transport Layer Protection
Configuration File: C:\xampp\apache\conf\extra\httpd-ssl.conf
A) Redirect every page to HTTPS
[Figure: Asking the client to fetch the https:// URL]
The redirect goes in the virtual host that serves plain HTTP (port 80 here):
<VirtualHost *:80>
# Returns a permanent redirect status (301) indicating that the resource has moved permanently
Redirect permanent / https://192.168.24.2/
</VirtualHost>
Reference: https://httpd.apache.org/docs/current/mod/mod_alias.html#redirect
B) Server Protocol and Cipher Configuration
# Only TLSv1.2 will be accepted
SSLProtocol -ALL +TLSv1.2
SSLCipherSuite EDH+CAMELLIA:EDH+aRSA:EECDH+aRSA+AESGCM:EECDH+aRSA+SHA256:EECDH:+CAMELLIA128:+AES128:+SSLv3:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!DSS:!RC4:!SEED:!IDEA:!ECDSA:kEDH:CAMELLIA128-SHA:AES128-SHA
[Figure: sslscan result after the implementation of the secure protocol and cipher configuration]
Reference:
https://httpd.apache.org/docs/2.4/mod/mod_ssl.html#sslprotocol
https://httpd.apache.org/docs/2.4/mod/mod_ssl.html#sslciphersuite
2.2 OWASP A6:2017 - Security Misconfiguration
Disable TRACE Method
TraceEnable Off
[Figure: TRACE enabled]
With TRACE enabled, the TRACE/TRACK method can be used to read cookie information from the HTTP headers (Cross-Site Tracing, XST). To understand XST better, please read the article Penetration Testing with OWASP Top 10 - 2017 A7 Cross-Site Scripting (XSS).
[Figure: TRACE disabled]
ModSecurity
Installation on Windows
1. Download mod_security from https://www.apachelounge.com/download/
2. Extract mod_security.zip
3. Copy libcurl.dll and yajl.dll into the C:\xampp\apache\bin folder
4. Copy mod_security2.so into the C:\xampp\apache\modules folder
5. Enable security2_module in httpd.conf:
LoadModule security2_module modules/mod_security2.so
6. Enable the unique_id module in httpd.conf by uncommenting:
LoadModule unique_id_module modules/mod_unique_id.so
Write a Testing Ruleset
1. Write the ruleset in httpd.conf
Method 1
<IfModule security2_module>
SecRuleEngine On
SecDefaultAction "deny,phase:2,status:403"
# t:none resets the transformation chain, so any transformation listed before it is ignored.
# normalizePathWin is left out: it would collapse the "../" sequence this rule looks for.
SecRule ARGS "\.\./" "id:50904,severity:4,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:lowercase,msg:'Drive Access'"
# SecServerSignature only takes effect when ServerTokens is set to Full
SecServerSignature "Keepitsecret/6.0"
</IfModule>
Method 2
<IfModule security2_module>
Include modsecurity.d/modsecurity.conf
</IfModule>
In C:\xampp\apache\modsecurity.d\modsecurity.conf
SecRuleEngine On
SecDefaultAction "deny,phase:2,status:403"
# t:none resets the transformation chain; normalizePathWin is left out because it would collapse the "../" being matched
SecRule ARGS "\.\./" "id:50904,severity:4,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:lowercase,msg:'Drive Access'"
# SecServerSignature only takes effect when ServerTokens is set to Full
SecServerSignature "Keepitsecret/6.0"
2. Browse a local web page with a file inclusion payload (a "../" sequence in a request parameter) to test whether ModSecurity works
[Figure: Access is forbidden once the payload matches the rule set, and the server signature is changed]
3. Check error.log for more information