Web Server Security (Apache or HTTPD) Part 3

0

On our previous article we discussed about the second four topics and this is the last part to discuss about how we can secure a web server.  Let’s begin with,

Limit request size

Usually apache server does not put any limitation on upload size. But this keeps the server vulnerable to DOS attack. So it may become a possible attack issue for any attacker. So it is a matter of security concern and we should put a limit to it.

So for that we need to configure as below and we have to limit this according to client’s requirement.

We can configure it on specific directory. We have to open the configuration file and find the directory section and put this limit in directory tags. Follow the below command to edit the configuration file.

#vim /etc/httpd/conf/httpd.conf

Then find the directory tag which is like below.

<Directory /path of the directory>

</Directory>

Now we have to add the below line in there to limit the upload size.

LimitRequestBody 449770

So the final result will be

<Directory /path of the directory>

LimitRequestBody 449770

</Directory>

How to disable ETag

ETag means entity tags. These tags maintain information like.

Inode

Mtime

Size

The pattern of the ETag may differ depending on configuration. But the basic information are these three.

Here we can keep one or two information to show in our browser, but for the proper security it is recommended not to show any information at all. So we need to edit the configuration file. We need to open the below file and edit it.

#vim /etc/httpd/conf/httpd.conf

Now add the below line and save and exit the file.

FileETag none

Now restart the apache server.

Secure server from XSS attack

XSS means cross site scripting. This is one of the most common attack styles for any attacker. Here an attacker usually injects a script into the server and by that an attacker tries to gain the server access.

It is required to get rid of this risk. So for that we need to add few lines in our configuration file. For that we need to edit the below configuration file.

#vim /etc/httpd/conf/httpd.conf

Now add the below lines at the end of the file.

<IfModule mod_headers.c>

Header set X-XSS-Protection “1; mode=block”

</IfModule>

Now save and exit the file and restart the apache server.

Secure server from ClickJacking attack

This is another kind of attacking method on web server. Also this is a common attacking style on web server. For that we need to protect our web server from this attack. Here we should add a simple line into our configuration file.

To complete this work we have to edit the configuration file. So let’s open this file using below command.

#vim /etc/httpd/conf/httpd.conf

Now add the below line.

Header always append X-Frame-Options SAMEORIGIN

Now save and exit the file and restart apache server.

Allow proper logging within the server

Another important issue for any system administrator is logging. In case of web server we can have customized logging to get more accurate log system. To have a web server log we can name different kind of log for web server.

Before having log for our web server we need to ensure that the mod_log_config module is installed and enabled in web server. This is usually installed and configured by default. So it is a relief for any system administrator in this case.

Now we just need to enable logging. For that we have to define the logging name and location in the virtual host section. If we define the virtual host in the main configuration file then we have to add the logging in the main configuration file otherwise we have to add those lines in the virtual host configuration files. Now suppose we have a configuration file in the conf.d directory so we will open our conf.d directory and suppose we have a virtual host configuration file named testvirtualhost.conf, so we have to edit that file. For this we need to open the file using below command.

#vim /etc/httpd/conf.d/testvirtualhost.conf

Now add the below lines in that file.

ErrorDocument 404 /story.php

ErrorLog /var/log/httpd/test.local_error_log

CustomLog /var/log/httpd/test.local_access_log combined

The final result of this configuration will be like shown below

<VirtualHost *:80>

DocumentRoot /var/www/html/test.local/

ServerName www.test.local

DirectoryIndex index.htm index.html index.php

ServerAlias test.localErrorDocument 404 /story.php

ErrorLog /var/log/httpd/test.local_error_log

CustomLog /var/log/httpd/test.local_access_log combined

</VirtualHost>

Now save and exit from the file and restart the server.

These are the most common and effective security aspects for a web server. There are few other ways we need to work on to provide more security on a web server. We will show those on future articles.

 

Leave A Reply

Your email address will not be published.