Securing the web server

By OK -

Securing the web server

In this recipe, we will learn some steps for securing web server installation.

Getting ready

You will need access to a root account or an account with sudo privileges.
You may need to have a web server stack installed and running.

How to do it…

Follow these steps to secure the web server:
  1. Disable any unwanted modules. You can check all enabled modules with the following command:
    $ a2query -m
  2. Disable modules with the following command:
    $ sudo a2dismod status
  3. Hide the web server's identity. For Apache, edit /etc/apache2/conf-available/security.conf and set the following values:
    ServerSignature Off
ServerTokens Prod
  4. You may want to check other options under security.conf.
  5. Next, disable the Apache server status page:
    $ sudo a2dismod status
  6. For Nginx, edit /etc/nginx/nginx.conf and uncomment the following line:
    # server_tokens off;
  7. In production environments, minimize the detail shown on error pages. You can enable the PHP Suhosin module and strict mode.
  8. Disable directory listing. On Apache, add the following line to the virtual host configuration:
    <Directory /var/www/example.com>
  Options -Indexes
</Directory>
  9. You can also disable directory listing globally by setting Options -Indexes in /etc/apache2/apache2.conf.
  10. Restrict access to the following directories:
    <Directory /var/www/ >
  Order deny,allow   # order of Deny and Allow
  Deny from all   # Deny web root for all
</Directory>
  11. Disable directory level settings and the use of .htaccess. This also helps improve performance:
    <Directory />
  AllowOverride None   # disable use of .htaccess
</Directory>
  12. Disable the following symbolic links:
    <Directory />
  Options -FollowSymLinks
</Directory>
  13. You can also install mod_security and mod_evasive for added security. mod_security acts as a firewall by monitoring traffic in real time, whereas mod_evasive provides protection against Denial of Service attacks by monitoring request data and requester IP.
  14. For Apache, you can install mod_security as a plugin module as follows:
    $ sudo apt-get install libapache2-modsecurity
$ sudo a2enmod mod-security
  15. On Nginx, you need to first compile mod_security and then compile Nginx with mod_securityenabled.
  16. Turn of server side includes and CGI scripts:
    <Directory />
  Options -ExecCGI -Includes
</Directory>
  17. Limit request body, headers, request fields, and max concurrent connections; this will help against DOS attacks.
  18. Set the following variables on Apache:
    TimeOut
KeepAliveTimeout
RequestReadTimeout
LimitRequestBody
LimitRequestFields
LimitRequestFieldSize
LimitRequestLine
MaxRequestWorkers
  19. For Nginx, configure the following variables to control buffer overflow attacks:
    client_body_buffer_size
client_header_buffer_size
client_max_body_size
large_client_header_buffers
  20. Enable logging and periodically monitor logs for any new or unrecognized events:
    <VirtualHost *:80>
  
ErrorLog /var/log/httpd/example.com/error_log
  CustomLog /var/log/httpd/example.com/access_log combined
</VirtualHost>
  21. Set up HTTPs and set it to use modern ciphers. You can also disable the use of SSL and enforce TLS.

How it works…

In this recipe, I have listed the various options available to make your web server more secure. It is not necessary to set all these settings. Disabling some of these settings, especially FollowSymlinks and AllowOverride, may not suit your requirements or your environment. You can always choose the settings that apply to your setup.
Various settings listed here are available in their respective configuration files, mostly under /etc/apache2 for the Apache web server and /etc/nginx for the Nginx server.
Also, do not forget to reload or restart your server after setting these options.
You should also set your Ubuntu environment to be more secure. You can find more details on securing Ubuntu in Chapter 2Networking.

See also

Comments

Post a Comment

Popular posts from this blog

HAproxy logging

By OK -
ubuntu@ubuntu:/etc/haproxy$ cat /etc/rsyslog.d/haproxy.conf # Create an additional socket in haproxy's chroot in order to allow logging via # /dev/log to chroot'ed HAProxy processes $ModLoad imudp $UDPServerRun 514 local0.* -/var/log/haproxy-0.log local1.* -/var/log/haproxy-1.log ### keep logs in localhost ## $AddUnixListenSocket /var/lib/haproxy/dev/log ------------------- ubuntu@ubuntu:/etc/haproxy$ cat /etc/haproxy/haproxy.cfg global chroot /var/lib/haproxy user haproxy group haproxy log 127.0.0.1   local0         log 127.0.0.1   local1 notice daemon frontend www     bind 192.168.40.128:8282    # haproxy public IP     default_backend as-backend    # backend used backend as-backend    balance leastconn    mode http  server as1 192.168.40.128:8082 check    # application srv 1 defaults log global mode http option httplog option dontlognull         contimeout 5000    
Read more

tomcat catalina coyote jasper cluster

By OK -
Tomcat Component are Catalina Coyote Jasper Cluster Catalina :  Catalina is the name of the servlet container of Apache Tomcat since version 4.x. Tomcat implements Sun Microsystems' specifications for servlet and JavaServer Pages (JSP), which are important Java-based Web technologies. Tomcat's servlet container was redesigned as Catalina in Tomcat version 4.x. other components of the Tomcat engine are: Tomcat Jasper which converts the code portions within JavaServer Pages into servlets and pass them to Catalina to process. Tomcat Coyote which is an HTTP connector based on HTTP/1.1 specifications that receives and transmits web requests to the Tomcat engine by listening to a TCP/IP port and returns requests back to the requesting client. Coyote :  The Coyote JK Connector element represents a Connector component that communicates with a web connector via the JK protocol (also known as the AJP protocol). This is used for cases where you wish to invisibly integr
Read more

NFS mount add in fstab _netdev instead of default | firewall-cmd --list-all

By OK -
Redhat recommends us to add  _netdev  option for NFS file system in /etc/fstab. So that they can be mounted after starting the networking service. Alternative ways to refer to partitions: Label : LABEL=label Network ID Samba : //server/share NFS : server:/share SSHFS : sshfs#user@server:/share Device : /dev/sdxy (not recommended) Example #1 //192.168.1.134/share_name /mnt/share_name cifs username=server_user,password=server_password,_netdev 0 0 ^ Path to your share ^ Mountpoint ^ Username ^ Password ^ See note A Note A: The  _netdev  options makes sure the mount is only attempted AFTER a network connection has been established. Example #2 10.10.10.1:/vol1/fs1 /data nfs defaults,_netdev 0 0 ============================ [root@localhost ~]# firewall-cmd --list-all public   target: default   icmp-block-inversion: no   interfaces:   sources:   services: dhcpv6-client high-availability ssh   ports:   protocols:   masquera
Read more