How-To: Apache web server basic security measures
While running a HTTP server such as Apache, there is a few step an administrator have to take in order not to get easily hacked. The very basic one is to hide from the outside which software version and operating system version are running.
While keeping software up to date is already a good start to avoid your server being hacked because of known exploit, there is other few actions you can take to minimize the possibilities of being hacked.
A good start is to avoid displaying the software versions you are using.
Let me explain. When somebody request a page to a HTTP server, this one respond with headers such as
Content-Length… as well as
People don’t usually see those headers, but if someone wants to hack your box, they might be looking for it. Why? Because known exploits usually work on specific software version.
Lets look at default HTTP headers on my ubuntu dapper box:
$ telnet localhost 80 Trying 127.0.0.1... Connected to localhost. Escape character is '^]'. HEAD / HTTP/1.0 HTTP/1.1 200 OK Date: Tue, 25 Jul 2006 10:47:13 GMT Server: Apache/2.0.55 (Ubuntu) PHP/5.1.4-1.dotdeb.2 Last-Modified: Mon, 20 Mar 2006 09:51:25 GMT ETag: "3057-1f8-1a0f4140" Accept-Ranges: bytes Content-Length: 504 Connection: close Content-Type: text/html; charset=ISO-8859-1 Connection closed by foreign host.
As you can see from this excerpt, my box is running Apache 2.0.55 on an Ubuntu box and php-5.1.4 is used. This is perfect, if I want to hack that box, I simply have to look for known exploit for apache 2.0.55 or php 5.1.4 or even ubuntu.
The idea is to avoid telling too much, so we are going to make apache be less verbose.
2. Apache Configuration File
In Apache, the ServerTokens directive allow the system administrator to set different type of Server HTTP response header:
- ServerTokens Prod[uctOnly] : this is the most restrictive, in our example, apache will respond: Server: Apache
- ServerTokens Major response -> Server: Apache/2
- ServerTokens Minor response -> Server: Apache/2.0
- ServerTokens Min[imal] response -> Server: Apache/2.0.55
- ServerTokens Os response -> Server: Apache/2.0.55 (Ubuntu)
- ServerTokens Full response -> Server: Apache/2.0.55 (Ubuntu) PHP/5.1.4-1.dotdeb.2 mymod1/X.Y mymod2/W.Z
By default, ServerTokens is set to Full, on my dapper box at least. To change that value, edit /etc/apache2/apache2.conf and look for the line containing ServerTokens.
WARNING:: On my ubuntu dapper box, ServerTokens was not set and was therefore taking the default value (Full), in that case, simply add this directive to apache2.conf.
I would recommend setting ServerTokens to Prod by adding this to apache2.conf:
sudo /etc/init.d/apache2 reload
and check for the new headers. Here are the headers sent back by my local server after setting ServerTokens to Prod:
$ telnet localhost 80 Trying 127.0.0.1... Connected to localhost. Escape character is '^]'. HEAD / HTTP/1.0 HTTP/1.1 200 OK Date: Tue, 25 Jul 2006 11:33:09 GMT Server: Apache Last-Modified: Mon, 20 Mar 2006 09:51:25 GMT ETag: "3057-1f8-1a0f4140" Accept-Ranges: bytes Content-Length: 504 Connection: close Content-Type: text/html; charset=ISO-8859-1 Connection closed by foreign host.
As you can see, apache does not tell anymore which version and modules are running :).
Now let’s check how we can apply similar changes to PHP in part 2.