The Apache web server is a crucial part of the website infrastructure. It has a number of built in features that can improve your website resistance to attacks. The following document covers a number of steps that will help you to achieve this goal. This document is largely based on the knowledge gathered by our security team and by statistics information revealed by our
security scanner.
Tip No. 1: Disable Apache Signature and/or Apache Banner
Apache Signature or Apache Banner is basically the same thing. It is an application name together with version name that is printed when performing a web request. Nobody actually needs this information at all, but it is enabled by default. You need to alter the Apache configuration file to disable it.
In Ubuntu, you need to change the following file: /etc/apache2/apache2.conf
Double check that ServerSignature and ServerTokens configuration settings are not enabled in some other parts of the configuration file.
Tip No. 2: The Trace HTTP Request
HTTP TRACE request is used to echo back all received information. It can be tricked to print HTTP cookies and as a result steal HTTP session. Basically this request can be used as part of the Cross Site Scripting attack, or XSS. It is recommended to disable it as a security precaution.
Add the following to the web-server's configuration file. For example alter the following file in Ubuntu: /etc/apache2/apache2.conf .
Tip 3: Remove PHP scripts that print debug info using phpinfo()
The built-in PHP function phpinfo() prints a lot of interesting internal information about the PHP environment. It can include list of which PHP modules are enabled, and the location of various files on the web-server and other sensitive information. Our web security scanner finds a lot of such files. It is recommended to remove these test files from a production website.
Here is a tip hpw to find such files. Look for the files with the following name: test.php,info.php, i.php and phpinfo.php in your website directory and remove them.
Tip 4: Disable directory indexing
Directory indexing is a features found in every web-server by default. When directory indexing is enabled, the web-site prints a list of files found in the website directories when the default page does not exists (for example index.php). Directories reported can be viewed by any visitor. It is vulnerable in the sense that these directories can contain configuration, private and backup files which can be used by the attackers to take your server under control.
You can fix this problem by disabling the Apache autoindex module. In some Apache installations it is called mod_autoindex.so. In Ubuntu, you just need to remove the following files:
So you can do it running the following commands:
Tip 5: Disable WebDAV
WebDAV is a file access protocol created over HTTP protocol. It allows you to upload and download files, and change file contents from the website. This service is required only in very rare cases. From our experience, this feature was only required to run SVN server (link). Make sure that WebDAV is disabled in production websites. When WebDAV is enabled, the following commands are supported by Apache: OPTIONS, PROPFIND, etc. These commands are sensitive from computer security point of view.
You can fix this problem by disabling Apache dav, dav_fs and dav_lock modules. In Ubuntu you just need to remove the following files:
So you can do it running the following commands:
Tip 6: Create a chroot'ed Apache environment
Chroot is a kind of virtual environment supported operating systems such as Linux and FreeBSD. When an application is executed in chrooted environment it has no access to the parent disk and to other recources.
This is a good solution if you want to protect your website from malicious users. The action steps required to create chroot Apache was already covered in a number of websites. For example:
http://www.linux.com/archive/feed/36331The main hidden issue with chrooted environment is that this environment protects the websites from accessing the operating system's files. It does not protect one site from another. In other words, if a malicious script located in one site it can access files located on other site because they are located on the same chrooted environment.
A solution to this problem is the following. Create a number of apache instances, each one hosting one website running each one if different chrooted directory. These apache instances will not be able to share IP addresses. You will have to configure different IP for each Apache instance you run.
Tip 7: Enable PHP basedir
PHP has built in a kind of chroot environment. It is called "basedir". You can configure PHP scripts to access files only in specific directory similar to chroot. Basically you can configure each site to access only files located in that site directory which is a very good idea from the security point of view.
You can add the following lines to the website configuration file or to .htaccess file to enable PHP basedir:
This will specify that your PHP scripts can access only specified directories.
Tip 8: Web Stats
Some webmasters install open source tools on their website that analyze web requests and create statistical reports. Access to these webstat scrips is almost never secured with a password. So any visitor can basically view such reports. For example some webmasters install in in the
/stats directory accessible by
http://www.my-site.com/stats .
Statistical reports contain a lot of sensitive information. For example it can contain hidden file names and directory names, full web requests, search engine keywords, etc... All this information can be used by the malicious users and/or your competitors.
Instead of running a statistics script on your website we recommend that you use Google Analytics. It is a free-of-charge and quality service.
Tip 9: Use Google
Most of the webmasters use common web scripts and CMS or blog software. We recommend you to frequently search for security updates using Google and register for security news at your blog/CMS website.
Tip 10: Additional Steps
If your webserver runs together with MySQL server it brings additional potential security problem. MySQL can read any files located on you server including the one located in different chrooted environments. It happens because of the FILE permission. By default only MySQL root has it. For more info about MySQL security take a look at this article ( link to GreenSQL) .
Install a Database FirewallDownload GreenSQL Express which is a free version of the GreenSQL database firewall.
Install a Web FirewallMod_security is a good open source product.
Additional links
HTML5 Boilerplate is the professional badass's base HTML/CSS/JS template for a fast, robust and future-safe site.
This website and its sample code creates a template of sorts, absent of design or layout, that will help you avoid some of the major rendering problems with the most common email clients out there — Gmail, Outlook, Yahoo Mail, etc. This is a good stuff, I use it in my work and it contains a lot of tips and tricks which save you heaps of times to fix it yourself.
Mobile Boilerplate is your trusted template made custom for creating rich and performant mobile web apps. You get cross-browser consistency among A-grade smartphones, and fallback support for legacy Blackberry, Symbian, and IE Mobile.
Simple and flexible HTML, CSS, and Javascript for popular user interface components and interactions. Not really a boilerplate, but it has a lot of reusable component for fast prototyping or development.
Zend Framework (ZF) Boilerplate is an all-in-one platform for development of enterprise grade PHP applications based on the Zend Framework.
Skeleton is a small collection of CSS & JS files that can help you rapidly develop sites that look beautiful at any size, be it a 17" laptop screen or an iPhone. Skeleton is built on three core principles: Responsive Grid Down to Mobile, Fast to Start and Style Agnostic.
Quick snippet for CSS Media Query setup.
YAMP is a small set of tools and best practices that allow web designers to build responsive websites faster.
This project won't seek to provide a perfect solution to every possible pattern, but will attempt to cover a simple template for beginners and above.
A boilerplate for jump-starting jQuery plugins development.
A javascript pattern for jQuery plugin development. But while well-known JavaScript patterns are useful, another side of development could benefit from its own set of design patterns: jQuery plugins. The officialjQuery plugin authoring guide offers a great starting point for getting into writing plugins and widgets, but let's take it further.
An organized, maintainable boilerplate for building WordPress widgets.
Roots is a starting WordPress theme based on HTML5 Boilerplate & Bootstrap from Twitter.
Bones is a boilerplate for WordPress theme development. It contains classic (fixed grid) and responsive layout to choose from.
Starkers is a bare-bones WordPress theme created to act as a starting point for the theme designer.
Bringing HTML5 to WordPress, you can use this TwentyTen Five WordPress template to build your won HTML themes.
