Howdy m8s
In the following article we'll make our Apache web server a little bit more secure by adding a few simple directives to some well-known configuration files.
Let's assume that we haven't installed the Apache server yet. We will install it together, step by step:
apt-get install apache2
After the procedure completes successfully, check that the web server is working by opening "localhost" or the IP address of the machine we used for the installation. In my case it's a VirtualBox VM with the internal IP address 125.15.253.12,
so I type in my browser:
http://125.15.253.12/
and I see this:
It works! This is the default web page for this server.
The web server is running, but no content has been added yet.
So... what if I ask my Apache server to show me a file that does not exist?
Type in browser:
http://125.15.253.12/no_file
and see:
Not Found
The requested URL /no_file was not found on this server.
Apache/2.2.16 (Debian) Server at 125.15.253.12 Port 80
"Nothing unusual," you will say, but please look closer at these lines.
From this innocent act we found three major holes in Apache's default configuration:
1. The server uses Apache/2.2.16
2. The operating system is Debian
3. The port number, which in this case is the default one; if the web server is behind NAT with port forwarding, you should keep that in mind too 🙂
Why should we "hello world" that info? Really, why? In fact, nobody cares about our server configuration except those guys who came to hack it.
Let’s hide that info !
Find the Apache main configuration file and open it with my favorite editor 🙂
nano /etc/apache2/apache2.conf
Go to the bottom of the file and add these lines:
ServerSignature Off
ServerTokens Prod
TraceEnable off
"ServerSignature Off" tells Apache not to show the footer line (version, OS, host and port) under server-generated documents such as error pages.
"ServerTokens Prod" makes Apache send only "Apache" in the Server response header, suppressing the OS and the major and minor version info. Prod is the most restrictive of the values this directive accepts (Full, OS, Minimal, Minor, Major, Prod); anything else is not a valid setting.
"TraceEnable off" disables the HTTP TRACE method. Normally TRACE is enabled by default; if you want to check your server, just telnet to the port your web server is running on and request "TRACE / HTTP/1.0". If you get a positive (200 OK) reply, TRACE is enabled on your system. The output looks like this:
pavlin@pavlin:/home/pavlin# telnet 125.15.253.12 80
Trying 125.15.253.12...
Connected to 125.15.253.12.
Escape character is '^]'.
TRACE / HTTP/1.0
Host: myhostname.com
--------- hit enter twice ---------
HTTP/1.1 200 OK --------- TRACE IS ENABLED !!! THAT IS BAAAAAD
Date: Tue, 12 Feb 2013 22:09:31 GMT
Server: Apache/2.2.16 (Debian)
Connection: close
Content-Type: message/http

TRACE / HTTP/1.0
Host: myhostname.com
Connection closed by foreign host.
When you disable TRACE, the same request produces output like this:
pavlin@pavlin:/home/pavlin# telnet 125.15.253.12 80
Trying 125.15.253.12...
Connected to 125.15.253.12.
Escape character is '^]'.
TRACE / HTTP/1.0
Host: myhostname.com
--------- hit enter twice ---------
HTTP/1.1 405 Method Not Allowed
Date: Tue, 12 Feb 2013 22:14:54 GMT
Server: Apache/2.2.16 (Debian)
Allow:
Vary: Accept-Encoding
Content-Length: 303
Connection: close
Content-Type: text/html; charset=iso-8859-1
....
After reloading Apache, let's test the other two directives that we've added to the Apache config file.
Open this URL in your browser:
http://125.15.253.12/no_file
Now the output shows a little less than before 🙂
Not Found
The requested URL /no_file was not found on this server.
Did you notice the difference? No version, no OS info.
Let's test what the '-Indexes' option is for.
Now let's create a directory in Apache's "www" folder and a few empty files:
mkdir /var/www/test_dir
touch /var/www/test_dir/blah.txt
touch /var/www/test_dir/blah02.txt
touch /var/www/test_dir/blah03.txt
and open it in the browser:
http://125.15.253.12/test_dir/
You will see the whole content of our directory, and that is not good at all!
Now open your default site configuration file:
nano /etc/apache2/sites-enabled/000-default
Change the settings to look like this:
Options -Indexes +FollowSymLinks +MultiViews -Includes
AllowOverride All
(Within one Options line, either every option carries a + or - prefix or none does; mixing the two forms makes Apache refuse the configuration.)
Save and reload Apache:
/etc/init.d/apache2 reload
and open this in the browser:
http://125.15.253.12/test_dir/
You should receive:
Forbidden
You don't have permission to access /test_dir/ on this server.
O.K., -Indexes and -Includes work.
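As an added example (not code from the original post), here is a small Python checker that applies the post's three tests to captured HTTP responses: the TRACE reply (TraceEnable), the Server header and error-page footer (ServerTokens, ServerSignature) and a bare directory request (Options -Indexes). The response texts are constructed to mirror the before/after output shown above; to audit a live server, feed it the raw output of a telnet session or `curl -i` instead.

```python
import re

# Matches a version token like "Apache/2.2.16" in a Server header.
VERSION_RE = re.compile(r"Apache/\d+(?:\.\d+)+")

def parse_response(raw):
    """Split raw HTTP/1.x response text into (status code, lower-cased header dict, body)."""
    head, _, body = raw.replace("\r\n", "\n").strip("\n").partition("\n\n")
    status_line, *header_lines = head.split("\n")
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return int(status_line.split()[1]), headers, body

def audit(trace_raw, notfound_raw, dir_raw):
    """Return {finding: True} for each leak from the post that is still present."""
    t_status, t_headers, _ = parse_response(trace_raw)
    _, n_headers, n_body = parse_response(notfound_raw)
    d_status, _, d_body = parse_response(dir_raw)
    server = n_headers.get("server", "")
    return {
        # TraceEnable off: TRACE must get 405, not a 200 that echoes the request back
        "trace_enabled": t_status == 200 and t_headers.get("content-type") == "message/http",
        # ServerTokens Prod: Server header should be just "Apache", no version, no "(OS)"
        "server_header_leaks": bool(VERSION_RE.search(server)) or "(" in server,
        # ServerSignature Off: no "Apache/x.y.z (OS) Server at <host> Port <n>" footer
        "error_footer_leaks": "Server at" in n_body,
        # Options -Indexes: a directory without an index file should be 403, not a listing
        "directory_listing": d_status == 200 and "Index of /" in d_body,
    }

# Constructed sample responses shaped like the post's before/after output (not real captures).
BANNER = "Server: Apache/2.2.16 (Debian)\n"
BEFORE_TRACE = "HTTP/1.1 200 OK\n" + BANNER + "Content-Type: message/http\n\nTRACE / HTTP/1.0\nHost: myhostname.com\n"
BEFORE_404 = ("HTTP/1.1 404 Not Found\n" + BANNER + "Content-Type: text/html\n\n<h1>Not Found</h1>"
              "<p>The requested URL /no_file was not found on this server.</p>"
              "<address>Apache/2.2.16 (Debian) Server at 125.15.253.12 Port 80</address>")
BEFORE_DIR = "HTTP/1.1 200 OK\n" + BANNER + "Content-Type: text/html\n\n<title>Index of /test_dir</title>"
AFTER_TRACE = "HTTP/1.1 405 Method Not Allowed\nServer: Apache\nAllow:\nContent-Type: text/html\n\n<h1>Method Not Allowed</h1>"
AFTER_404 = ("HTTP/1.1 404 Not Found\nServer: Apache\nContent-Type: text/html\n\n<h1>Not Found</h1>"
             "<p>The requested URL /no_file was not found on this server.</p>")
AFTER_DIR = "HTTP/1.1 403 Forbidden\nServer: Apache\nContent-Type: text/html\n\n<h1>Forbidden</h1>"

if __name__ == "__main__":
    print("before:", audit(BEFORE_TRACE, BEFORE_404, BEFORE_DIR))  # every finding True
    print("after: ", audit(AFTER_TRACE, AFTER_404, AFTER_DIR))     # every finding False
```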
Now it's time to add some simple rewrite rules to our default host file.
First enable mod_rewrite by typing:
a2enmod rewrite
and then add the rewrite rules BEFORE the closing directive of the block:
RewriteEngine On
RewriteBase /
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.html [L]
Save and reload the Apache server again.
Let's finally try the rewrite rules.
Those rules tell Apache to "forward" every request for a document that can't be found (neither an existing file nor a directory) to the index.html file. You can test it by typing anything you want after the slash in the address bar, like this:
http://125.15.253.12/test_my_rewrite_rulez_and_i_hope_it_wor
That’s it, I hope that you got the idea 🙂
One more thing! Here is one cool tool with which you can test your Apache server: