Checking for Leaks - Hardening Apache

Started by sukishan, Aug 23, 2009, 12:26 AM


sukishan

As described on the Cirt site,

Nikto is an Open Source (GPL) web server scanner which performs comprehensive tests against web servers for multiple items, including over 2600 potentially dangerous files/CGIs, versions on over 625 servers, and version specific problems on over 230 servers. Scan items and plug-ins are frequently updated and can be automatically updated (if desired).

It includes support for Unix systems (which would of course include Linux and Macintosh OS X) and Windows-based machines, and is the replacement for htmap from the same group.

This is an excellent starting point for those performing a thorough review of servers under their administration for security, vulnerability and the tightening of configurations.
Configuration

I particularly liked Mobily's review of configuring httpd.conf prior to the setup of virtual servers. It keeps the cart behind the horse, patiently ensuring that the system is ready to host those domains, with a run down on Apache modules from a security perspective, along with some tweaks.

These include excellent explanations for the use of third party modules like mod_security, mod_bandwidth, and mod_dosevasive to ramp up security.

Some of the author's tips include the modification of headers with 'ServerTokens Minimal' in httpd.conf -- this drops the Apache version number from a header sent as part of an HTTP request.

Another possibly controversial change is a suggestion for disabling HTTP TRACE either through a <Location /> container, or outside of all containers as a global directive using mod_rewrite. See the W3C's definition of HTTP TRACE if you need more information on it.

RewriteEngine on
# Match TRACE requests and refuse them with 403 Forbidden
RewriteCond %{REQUEST_METHOD} ^TRACE
RewriteRule .* - [F]
A good beginning makes a good ending
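As an added example (not part of the original post), here is an offline checker for the two leaks the post covers: a Server or X-Powered-By header that discloses version numbers, and a TRACE request that the server echoes back. The HTTP responses below are constructed samples, not captures from any real host.

```python
"""Offline checks for the Apache leaks discussed above: version disclosure in
response headers, and an enabled HTTP TRACE method (echoed request body)."""
import re

# Constructed sample responses (not captured from any real host).
VERBOSE_HEAD = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Apache/2.2.3 (CentOS) PHP/5.1.6 mod_ssl/2.2.3\r\n"
    "X-Powered-By: PHP/5.1.6\r\n\r\n"
)
MINIMAL_HEAD = "HTTP/1.1 200 OK\r\nServer: Apache\r\n\r\n"
TRACE_REFLECTED = (
    "HTTP/1.1 200 OK\r\nContent-Type: message/http\r\n\r\n"
    "TRACE / HTTP/1.1\r\nHost: example.test\r\n"
)
TRACE_REFUSED = "HTTP/1.1 403 Forbidden\r\nServer: Apache\r\n\r\n"

VERSION = re.compile(r"/\d+(\.\d+)+")  # e.g. "Apache/2.2.3", "PHP/5.1.6"


def parse_response(raw):
    """Split a raw HTTP response into (status code, lower-cased headers, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    status = int(lines[0].split()[1])
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status, headers, body


def server_header_leaks(raw):
    """Return the header names whose values carry a software version string.
    An empty list is what 'ServerTokens Prod' (or Minimal) should produce."""
    _, headers, _ = parse_response(raw)
    return [h for h in ("server", "x-powered-by")
            if h in headers and VERSION.search(headers[h])]


def trace_enabled(raw):
    """True when a TRACE request was answered by echoing it back:
    a 2xx status with Content-Type message/http and the request as body."""
    status, headers, body = parse_response(raw)
    return (200 <= status < 300
            and headers.get("content-type", "").startswith("message/http")
            and body.startswith("TRACE "))
```

Run the two functions over the header of a GET and the full response to a TRACE from your own server; both should return empty/False once 'ServerTokens' and the TRACE block above are in place.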
