Install
...
With Ubuntu installing is very straightforward,
...
Info
What about Zero Footprint Apache? Definitely doable, but practically with virtualization, and how rarely Apache actually changes right now I'm leaning towards just scripting configuration files only inside of a container. Having said that, if time permits I might build a BonsaiFramework version.
Test
Verify that the Apache Web Server is running first by hitting your server's IP address in a browser. If you do not know your IP address, at the console type,
...
You should see a default Apache webpage.
Stopping, Starting, Restarting and Reload
You should know the basic commands for running Apache 2. Go ahead and try them. Note: ignore the warning message about "fully qualified domain name", as that is covered in the next section.
...
Code Block
sudo /etc/init.d/apache2 stop
sudo /etc/init.d/apache2 start
sudo /etc/init.d/apache2 restart
sudo /etc/init.d/apache2 reload
Provide Server Name
Apache is working fine, but during restart you will get the warning message, "apache2: Could not reliably determine the server's fully qualified domain name, using ...".
...
Note
As with any security notes, I will write a disclaimer that there are more advanced ways to secure Apache. You can go as far as compiling your own custom version but that's out of scope for now.
...
Disable Server Information
...
Banner
By default Apache provides extra information about your web server to the public when 403, 404, 502 or similar error pages are invoked. The information could be used to look up vulnerabilities on the particular version of Apache you are running.
If you visit a page that does not exist you will invoke a 404 error resulting in a page Not Found similar to below,
Panel
Not Found
The requested URL /invalidpage.html was not found on this server.
Apache/2.4.18 (Ubuntu) Server at www.bonsaiframework.com Port 80
Edit /etc/apache2/conf-available/security.conf,
set ServerTokens Prod - This turns off all the extra header information sent by Apache. Primarily, it would let a client know what version of Apache is being used. The information could be used to look up vulnerabilities on the particular version of Apache you are running.
set ServerSignature Off - Removes footer information from default Apache pages, for example the page not found error. (The directive is ServerSignature, singular.)
...
Restart Apache to take effect and verify by invoking a 404 again.
Disabling Unnecessary Modules
...
Will flesh this out some more ...
Testing Apache Server
...
Disable Etag Header
ETag (entity tag) was introduced to help improve caching. However, besides not being very effective in enterprise cluster environments, it also exposes sensitive information such as the inode number, multipart MIME boundary and child process details. This lets an attacker uniquely identify a particular server behind a load balancer.
Unless you have a compelling reason you may,
- Disable ETag entirely and rely on the default Expires or Cache-Control header information.
- At a minimum, disable the inode component.
... to fill out
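An added shell example, not code from the BonsaiFramework page, that audits both of the settings discussed in the sections above: it reads a security.conf-style file for the ServerTokens and ServerSignature values from Disable Server Information and for the FileETag directive (Apache's directive controlling which ETag components are sent; the page itself does not name it), and it inspects a captured 404 response header block for a leaked version string, which is the "invoke a 404 again" verification step. The sample conf contents, header blocks, temp file and function names are all constructed for the example.

```shell
#!/bin/sh
# Added example, not code from the BonsaiFramework page: audit the Apache
# directives from the "Disable Server Information" and "Disable Etag Header"
# sections, and check a captured response header block the way the
# "invoke a 404 again" verification step does. All samples are constructed.

# Print the value of the last active (uncommented) occurrence of directive $2
# in file $1, lowercased with whitespace squeezed; prints nothing if unset.
# Apache also lets the last occurrence win, so this mirrors what takes effect.
directive_value() {
    grep -iE "^[[:space:]]*$2[[:space:]]" "$1" | tail -n 1 \
        | sed -E "s/^[[:space:]]*$2[[:space:]]+//" \
        | tr '[:upper:]' '[:lower:]' | tr -s ' \t' ' ' | sed 's/[[:space:]]*$//'
}

# Return 0 when the file sets ServerTokens Prod, ServerSignature Off and a
# FileETag without the INode component; print each deviation and return 1.
# Apache 2.4 defaults FileETag to "MTime Size" when the directive is absent,
# but this audit insists on an explicit setting so the intent is visible.
audit_security_conf() {
    audit_rc=0
    tokens=$(directive_value "$1" ServerTokens)
    [ "$tokens" = "prod" ] || { echo "ServerTokens is '${tokens:-unset}', expected Prod"; audit_rc=1; }
    sig=$(directive_value "$1" ServerSignature)
    [ "$sig" = "off" ] || { echo "ServerSignature is '${sig:-unset}', expected Off"; audit_rc=1; }
    etag=$(directive_value "$1" FileETag)
    case "$etag" in
        none|"mtime size"|"size mtime") ;;
        *) echo "FileETag is '${etag:-unset}', expected None or MTime Size"; audit_rc=1 ;;
    esac
    return $audit_rc
}

# Return 0 when the Server: header in a captured response is absent or carries
# only the product name (what ServerTokens Prod yields); otherwise print what
# is still exposed and return 1.
server_header_is_minimal() {
    srv=$(printf '%s\n' "$1" | grep -i '^Server:' | head -n 1 | cut -d' ' -f2- | tr -d '\r')
    case "$srv" in
        ""|Apache) return 0 ;;
        *) echo "Server header still reveals: $srv"; return 1 ;;
    esac
}

# Constructed sample of a security.conf before hardening: the commented line
# must be ignored and the active INode setting must be flagged.
WEAK_CONF='#ServerTokens Prod
ServerTokens OS
ServerSignature On
FileETag INode MTime Size'

# Constructed sample after applying the edits from the sections above.
HARDENED_CONF='ServerTokens Prod
ServerSignature Off
FileETag MTime Size'

# Constructed header blocks as a 404 would return before and after hardening.
LEAKY_HEADERS='HTTP/1.1 404 Not Found
Server: Apache/2.4.18 (Ubuntu)
Content-Type: text/html; charset=iso-8859-1'
CLEAN_HEADERS='HTTP/1.1 404 Not Found
Server: Apache
Content-Type: text/html; charset=iso-8859-1'

# Stand-alone demonstration on the constructed samples; on a real host run
#   audit_security_conf /etc/apache2/conf-available/security.conf
demo_conf=$(mktemp)
printf '%s\n' "$WEAK_CONF" > "$demo_conf"
echo "== before hardening =="
audit_security_conf "$demo_conf" || true
server_header_is_minimal "$LEAKY_HEADERS" || true
printf '%s\n' "$HARDENED_CONF" > "$demo_conf"
echo "== after hardening =="
audit_security_conf "$demo_conf" && echo "security.conf: OK"
server_header_is_minimal "$CLEAN_HEADERS" && echo "Server header: OK"
rm -f "$demo_conf"
```

To use the header check against a live server, save the response headers of a deliberately invalid URL (for example with curl -sI) to a variable and pass it to server_header_is_minimal; the audit function is deliberately strict about an explicit FileETag line so a reviewer can see the choice in the file rather than relying on the Apache default.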
Turn off Default Website
...
Advanced Server Hardening
Building out a dedicated section to this.
Uninstall Apache
...
Completely
... these instructions need to be improved, and there is nothing here about removing logs.
1. Stop Apache:
sudo service apache2 stop
sudo /etc/init.d/apache2 stop
2. Remove:
sudo apt-get remove apache2
...
Rackspace wiki on hardening Apache Web Server - http://cloudservers.mosso.com/index.php/Ubuntu_-_Apache_configuration#Security_Settings
Apache Web Server Hardening Guide - https://geekflare.com/apache-web-server-hardening-security/