Introduction: Over the year’s internet and the internet based applications had revolutioned our life. They had created many new global business opportunities for enterprises conducting online business. However, the security risks associated with conducting e-business have resulted in security becoming a major factor for online success or failure.
Any high-profile hacking attack has proven that web security still remains a serious issue for any business that’s running its operations online. Web servers are one of the most targeted public faces of an organization, because of the sensitive data they usually host. Hence, securing web server is as important as securing the website or web application itself. If we have a secure web application and an insecure web server, or vice versa, it still puts business at a huge risk. Therefore, it is important for us to have a secured web server.
What is a Web Server?? A Web Server can be defined as an HTTP protocol dependant server used for re-direction of the client requests to the appropriate application servers. Following is the pictorial representation of the purpose of a web server:
*Security Implementation in Apache Web Server: Below is the schematic representation of the communication with a secured web server.
The security implementation inside the web server is implemented in two different steps:-
1) Installation of SSL Certificate
2) By following the security guide lines
Installation of certificate:- The installation of the SSL certificates for apache servers involves the following stages:
1. Create a Certificate Signing Request (CSR)
2. Apply online
3. Installing your Certificate
4. Displaying your Secure Site Seal
- For a webserver generate a CSR and a private key, use the following command:
openssl req -config openssl.cnf -new -out my-server.csr
2. Removes the pass phrase from the private key because it contains the entropy information for creating the key and could be used for cryptographic attacks against your private key using the command:
rsa -in privkey.pem -out my-server.key
3. Use the below command to generate the self signed certificate (later replace this with the certificate from Certifying Authority)
x509 -in my-server.csr -out my-server.cert -req -signkey my-server.key -days 365
4. Create an Apache/conf/ssl directory and move my-server.key and cert into it
5. Open the httpd.conf file and add the following lines:
LoadModule ssl_module modules/mod_ssl.so
6. Add the following to the end of httpd.conf:
SSLMutex sem
SSLRandomSeed startup builtin
SSLSessionCache none
SSLLog logs/SSL.log
SSLLogLevel info
<VirtualHost>
SSLEngine On
SSLCertificateFile conf/ssl/my-server.cert
SSLCertificateKeyFile conf/ssl/my-server.key
</VirtualHost>
Restart the Apache server and access the applications with the SSL mode.
Following are some of the tips and guidelines implementing, will help our apache servers to be more and more secured:-
1) Update the Apache Server with the latest security patched and fix pack. (stable version of Apache)
2) Hide the Apache Version number, and other sensitive information as below inside httpd.conf:
ServerSignature Off
ServerTokens Prod
Note: ServerSignature Off tells apache not to display the server version on error pages, or other pages it generates.
ServerTokens Prod tells apache to only return Apache in the Server header, returned on every page request.
3) Many at times the apache installation run as anonyms or root, make sure that the apache is running under its own user account and group. You can check this information in httpd.conf:
User apache
Group apache
4) Make sure that apache doesn’t use/access any of the files outside its web root directory (this is the location where we have all of apache files):
<Directory />
Order Deny,Allow
Deny from all
Options None
AllowOverride None
</Directory>
<Directory /web>
Order Allow,Deny
Allow from all
</Directory>
5) In typical operation, Apache is started by the root user. Set the right permissions on ServerRoot Directories as follows:
mkdir /usr/local/apache
cd /usr/local/apache
mkdir bin conf logs
chown 0 . bin conf logs
chgrp 0 . bin conf logs
chmod 755 . bin conf logs
6) **Server Side Includes (SSI) presents an administrator with several potential security risks like increased load on the server, etc. Hence, turn off server side includes by Options directive inside a Directory tag inside the httpd.conf file. Set Options to either None or –Includes.
7) Allowing users to execute ***CGI scripts in any directory should only be considered if:
Ø You trust your users not to write scripts which will deliberately or accidentally expose your system to an attack.
Ø You consider security at your site to be so feeble in other areas, as to make one more potential hole irrelevant.
Ø You have no users, and nobody ever visits your server
8) Watch logs to keep up-to-date about what is actually going on against your server you have to check the Log Files. They will give you some understanding of what attacks is thrown against the server and allow you to check if the necessary level of security is present.
chown -R root:root /usr/local/apache
chmod -R o-rwx /usr/local/apache
Note: /usr/local/apache is Apache installation directory
9) Lower the time out and restrict request body requests as follows:
Timeout 45
LimitRequestBody 1048576
10) Restrict the accessing of resource by using the IP restriction:
Order Deny,Allow
Deny from all
Allow from 127.0.0.1
Note: **Server Side Include page is typically an HTML page with embedded command(s) that are executed by the Web server.
***CGI program is any program designed to accept and return data that confirms to the CGI specification. The program could be written in any programming language, including C, Perl, Java, or Visual Basic. CGI programs are the most common way for Web servers to interact dynamically with users
References:
1) http://httpd.apache.org/docs/2.0/misc/security_tips.html
2) http://www.google.com
3) http://www.modssl.org/docs/2.8/ssl_reference.html
