How and Why we need to SECURE our Web Server

Introduction: Over the year’s internet and the internet based applications had revolutioned our life. They had created many new global business opportunities for enterprises conducting online business. However, the security risks associated with conducting e-business have resulted in security becoming a major factor for online success or failure.

Any high-profile hacking attack has proven that web security still remains a serious issue for any business that’s running its operations online. Web servers are one of the most targeted public faces of an organization, because of the sensitive data they usually host.  Hence, securing web server is as important as securing the website or web application itself.  If we have a secure web application and an insecure web server, or vice versa, it still puts business at a huge risk. Therefore, it is important for us to have a secured web server.

 

What is a Web Server?? A Web Server can be defined as an HTTP protocol dependant server used for re-direction of the client requests to the appropriate application servers. Following is the pictorial representation of the purpose of a web server:

*Security Implementation in Apache Web Server: Below is the schematic representation of the communication with a secured web server.

The security implementation inside the web server is implemented in two different steps:-

1) Installation of SSL Certificate

2) By following the security guide lines

Installation of certificate:- The installation of the SSL certificates for apache servers involves the following stages:

1. Create a Certificate Signing Request (CSR)
2. Apply online
3. Installing your Certificate
4. Displaying your Secure Site Seal

 

  1. For a webserver generate a CSR and a private key, use the following command:                                                       openssl req -config openssl.cnf -new -out my-server.csr

 

2. Removes the pass phrase from the private key because it contains the entropy information for creating the key and could be used for cryptographic attacks against your private key using the command:

rsa -in privkey.pem -out my-server.key

3.  Use the below command to generate the self signed certificate (later replace this with the certificate from Certifying Authority)

x509 -in my-server.csr -out my-server.cert -req -signkey my-server.key -days 365

 

4.  Create an Apache/conf/ssl directory and move my-server.key and cert into it

 

5.  Open the httpd.conf file and add the following lines:

LoadModule ssl_module modules/mod_ssl.so

 

6.   Add the following to the end of httpd.conf:

<code>        SSLMutex sem</code>
<code>        SSLRandomSeed startup builtin</code>
<code>        SSLSessionCache none</code>
<code> </code>
<code>        SSLLog logs/SSL.log</code>
<code>        SSLLogLevel info</code>
<code>        &lt;VirtualHost&gt;</code>
<code>        SSLEngine On</code>
<code>        SSLCertificateFile conf/ssl/my-server.cert</code>
<code>        SSLCertificateKeyFile conf/ssl/my-server.key</code>

</VirtualHost>

 

Restart the Apache server and access the applications with the SSL mode.

 

Following are some of the tips and guidelines implementing, will help our apache servers to be more and more secured:-

1)      Update the Apache Server with the latest security patched and fix pack. (stable version of Apache)

2)      Hide the Apache Version number, and other sensitive information as below inside httpd.conf:

                       ServerSignature Off
                       ServerTokens Prod
<strong><span style="text-decoration: underline">Note</span></strong>: ServerSignature Off tells apache not to display the server version on error pages, or other pages it generates.
ServerTokens Prod tells apache to only return Apache in the Server header, returned on every page request.

3)      Many at times the apache installation run as anonyms or root, make sure that the apache is running under its own user account and group. You can check this information in httpd.conf:

        User apache
        Group apache

 

4)      Make sure that apache doesn’t use/access any of the files outside its web root directory (this is the location where we have all of apache files):

 

               <Directory />
                 Order Deny,Allow
                 Deny from all
                 Options None
                 AllowOverride None
                </Directory>
               <Directory /web>
                 Order Allow,Deny
                 Allow from all
                </Directory>

 

5)      In typical operation, Apache is started by the root user. Set the right permissions on ServerRoot Directories as follows:

 

mkdir /usr/local/apache
cd /usr/local/apache
mkdir bin conf logs
chown 0 . bin conf logs
chgrp 0 . bin conf logs
chmod 755 . bin conf logs

 

6) **Server Side Includes (SSI) presents an administrator with several potential security risks like increased load on the server, etc. Hence, turn off server side includes by Options directive inside a Directory tag inside the httpd.conf file. Set Options to either None or –Includes.

 

7)      Allowing users to execute ***CGI scripts in any directory should only be considered if:

Ø      You trust your users not to write scripts which will deliberately or          accidentally expose your system to an attack.

Ø      You consider security at your site to be so feeble in other areas, as to make one more potential hole irrelevant.

Ø      You have no users, and nobody ever visits your server

 

8)      Watch logs to keep up-to-date about what is actually going on against your server you have to check the Log Files. They will give you some understanding of what attacks is thrown against the server and allow you to check if the necessary level of security is present.

chown -R root:root /usr/local/apache
               chmod -R o-rwx /usr/local/apache
<em><span style="text-decoration: underline">Note</span></em>: /usr/local/apache is Apache installation directory

9)      Lower the time out and restrict request body requests as follows:

               Timeout 45
               LimitRequestBody 1048576

10)   Restrict the accessing of resource by using the IP restriction:

               Order Deny,Allow
               Deny from all
               Allow from 127.0.0.1

 

Note: **Server Side Include page is typically an HTML page with embedded command(s) that are executed by the Web server.

 

***CGI program is any program designed to accept and return data that confirms to the CGI specification. The program could be written in any programming language, including C, Perl, Java, or Visual Basic. CGI programs are the most common way for Web servers to interact dynamically with users

 

References:

1)      http://httpd.apache.org/docs/2.0/misc/security_tips.html

2)      http://www.google.com

3)      http://www.modssl.org/docs/2.8/ssl_reference.html

6 comments

  1. self-sign certs are installed on webserver. it is working. but I have error message if url is:
    http://hostname.com:443

    Error message:
    Bad Request
    Your browser sent a request that this server could not understand.
    Reason: You’re speaking plain HTTP to an SSL-enabled server port.
    Instead use the HTTPS scheme to access this URL, please
    Hint:https://hostname.com:443

    I know that this is not right way but If url is hit in this manner “http://hostname.com:443”, it should be not showing this error message. Can you please help how will it resovle it?

    Virtual host on webservers:

    SSLEngine On
    SSLCertificateFile conf/ssl/my-server.cert
    SSLCertificateKeyFile conf/ssl/my-server.key

    1. Hi Raahi,

      When you configure SSl for your server, it would open two communication channels.

      1: HTTP, facilitated by a HTTP port (Default is port 80)
      2: HTTPS, facilitated by a HTTPS port (Default is port 443)

      So, it is obvious that it would throw an error message when you try to access the application as below

      http://hostname.com:443

      Since port 443 is configured for the SSl and does not process the normal HTTP request.

      You can try accessing the server on HTTP protocol by using the HTTP port configured.

      For example, the default HTTP port is 80

      http://hostname.com:80/ or http://hostname.com/

      Either should work fine. The latter would work only in case if the server’s HTTP port is the default value i.e. 80

      Regards,
      Anandraj

  2. Hi Anandraj,

    Thanks for your excellent post. I was able to implement the SSL configuration. Can you help me redirect the http link to https link ? We want the change transparent to the users and they already have the http link bookmarked.

    Thanks,
    Ras

  3. i need some help on Weblogic SAML (Security Assertion Markup Language), and how implement in weblogic server

Comments are closed.