How-To: Apache web server basic security measures
While running an HTTP server such as Apache, there are a few steps an administrator has to take in order not to get hacked too easily. The most basic one is to hide from the outside which software version and operating system version are running.
1. Introduction
While keeping software up to date is already a good start to avoid your server being hacked through a known exploit, there are a few other actions you can take to minimize the chances of being hacked.
A good start is to avoid displaying the software versions you are using.
Let me explain. When somebody requests a page from an HTTP server, the server responds with headers such as Content-Type, Content-Length… as well as Server.
People don't usually see those headers, but if someone wants to hack your box, they might well be looking at them. Why? Because known exploits usually work only on specific software versions.
Let's look at the default HTTP headers on my Ubuntu Dapper box:
$ telnet localhost 80
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
HEAD / HTTP/1.0
HTTP/1.1 200 OK
Date: Tue, 25 Jul 2006 10:47:13 GMT
Server: Apache/2.0.55 (Ubuntu) PHP/5.1.4-1.dotdeb.2
Last-Modified: Mon, 20 Mar 2006 09:51:25 GMT
ETag: "3057-1f8-1a0f4140"
Accept-Ranges: bytes
Content-Length: 504
Connection: close
Content-Type: text/html; charset=ISO-8859-1
Connection closed by foreign host.
As you can see from this excerpt, my box is running Apache 2.0.55 on Ubuntu, and PHP 5.1.4 is in use. From an attacker's point of view this is perfect: to hack that box, they simply have to look for known exploits for Apache 2.0.55, PHP 5.1.4 or even that Ubuntu release.
The idea is to avoid telling too much, so we are going to make Apache less verbose.
2. Apache Configuration File
In Apache, the ServerTokens directive allows the system administrator to choose how much detail goes into the Server HTTP response header:
- ServerTokens Prod[uctOnly] : the most restrictive; in our example Apache responds -> Server: Apache
- ServerTokens Major response -> Server: Apache/2
- ServerTokens Minor response -> Server: Apache/2.0
- ServerTokens Min[imal] response -> Server: Apache/2.0.55
- ServerTokens OS response -> Server: Apache/2.0.55 (Ubuntu)
- ServerTokens Full response -> Server: Apache/2.0.55 (Ubuntu) PHP/5.1.4-1.dotdeb.2 mymod1/X.Y mymod2/W.Z
By default, ServerTokens is set to Full, on my Dapper box at least. To change that value, edit /etc/apache2/apache2.conf and look for the line containing ServerTokens.
WARNING: On my Ubuntu Dapper box, ServerTokens was not set at all and was therefore taking the default value (Full). In that case, simply add the directive to apache2.conf.
I would recommend setting ServerTokens to Prod by adding this to apache2.conf:
ServerTokens Prod
Reload Apache:
sudo /etc/init.d/apache2 reload
and check for the new headers. Here are the headers sent back by my local server after setting ServerTokens to Prod:
$ telnet localhost 80
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
HEAD / HTTP/1.0
HTTP/1.1 200 OK
Date: Tue, 25 Jul 2006 11:33:09 GMT
Server: Apache
Last-Modified: Mon, 20 Mar 2006 09:51:25 GMT
ETag: "3057-1f8-1a0f4140"
Accept-Ranges: bytes
Content-Length: 504
Connection: close
Content-Type: text/html; charset=ISO-8859-1
Connection closed by foreign host.
As you can see, Apache no longer reveals which version and modules are running :).
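To make this check repeatable rather than reading telnet output by eye, here is a small added audit script (my own example, not part of the original how-to or of Apache). It parses the Server header out of a raw response, maps it back to the ServerTokens level that would produce it, and can also perform a live HEAD request; the two sample responses are constructed from the telnet sessions above.

```python
import http.client
import re

# Constructed sample responses, copied from the two telnet sessions in the text.
SAMPLE_FULL = (
    "HTTP/1.1 200 OK\r\n"
    "Date: Tue, 25 Jul 2006 10:47:13 GMT\r\n"
    "Server: Apache/2.0.55 (Ubuntu) PHP/5.1.4-1.dotdeb.2\r\n"
    "Content-Type: text/html; charset=ISO-8859-1\r\n\r\n"
)
SAMPLE_PROD = "HTTP/1.1 200 OK\r\nServer: Apache\r\nConnection: close\r\n\r\n"

def server_header(raw_response):
    """Return the Server header value from a raw HTTP response, or None if absent."""
    head = raw_response.split("\r\n\r\n", 1)[0]
    for line in head.split("\r\n")[1:]:          # skip the status line
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "server":
            return value.strip()
    return None

# product token, optional "(OS)" part, optional trailing module list
_SERVER_RE = re.compile(r"^(\S+)(?:\s+\(([^)]*)\))?(?:\s+(.+))?$")

def server_tokens_level(value):
    """Map a Server header value to the ServerTokens setting that produces it."""
    if not value:
        return "none"
    m = _SERVER_RE.match(value.strip())
    if not m:
        return "unknown"
    product, os_part, extras = m.groups()
    if extras:                      # modules listed after the OS: Full
        return "Full"
    if os_part:                     # "(Ubuntu)" present: OS
        return "OS"
    _, sep, version = product.partition("/")
    if not sep:
        return "Prod"               # bare "Apache"
    return {0: "Major", 1: "Minor"}.get(version.count("."), "Minimal")

def fetch_server_header(host, port=80, timeout=5):
    """Live check: send HEAD / like the telnet session and return the Server header."""
    conn = http.client.HTTPConnection(host, port, timeout=timeout)
    try:
        conn.request("HEAD", "/")
        return conn.getresponse().getheader("Server")
    finally:
        conn.close()

if __name__ == "__main__":
    for raw in (SAMPLE_FULL, SAMPLE_PROD):
        hdr = server_header(raw)
        print(f"{hdr!r:55} -> ServerTokens {server_tokens_level(hdr)}")
```

Run `server_tokens_level(fetch_server_header("localhost"))` against your own server after the reload; anything other than "Prod" means the directive did not take effect.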
Now let’s check how we can apply similar changes to PHP in part 2.