Checking for Leaks - Hardening Apache

Started by sukishan, Aug 22, 2009, 06:56 PM


sukishan

As described on the Cirt site,

Nikto is an Open Source (GPL) web server scanner which performs comprehensive tests against web servers for multiple items, including over 2600 potentially dangerous files/CGIs, versions on over 625 servers, and version specific problems on over 230 servers. Scan items and plug-ins are frequently updated and can be automatically updated (if desired).

It includes support for Unix systems (which would of course include Linux and Macintosh OS X) and Windows-based machines, and is the replacement for htmap from the same group.

This is an excellent starting point for those performing a thorough review of servers under their administration for security, vulnerability and the tightening of configurations.
Configuration

I particularly liked Mobily's review of configuring httpd.conf prior to the setup of virtual servers. It keeps the cart behind the horse, patiently ensuring that the system is ready to host those domains, with a run down on Apache modules from a security perspective, along with some tweaks.

These include excellent explanations for the use of third party modules like mod_security, mod_bandwidth, and mod_dosevasive to ramp up security.

Some of the author's tips include the modification of headers with 'ServerTokens Minimal' in httpd.conf; this drops the Apache version number from a header sent as part of an HTTP request.

Another possibly controversial change is a suggestion for disabling HTTP TRACE either through a <Location /> container, or outside of all containers as a global directive using mod_rewrite. See the W3C's definition of HTTP TRACE if you need more information on it.

RewriteEngine on
# Match requests whose method is TRACE
RewriteCond %{REQUEST_METHOD} ^TRACE
# '-' leaves the URL untouched; [F] answers with 403 Forbidden
RewriteRule .* - [F]
A good beginning makes a good ending
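As an added example (not code from the post or from the reviews it cites), here is an offline check for the two leaks discussed above: TRACE reflection and version disclosure in the Server header. The responses are constructed samples of what an Apache server answers before and after hardening, and the Server header formats per ServerTokens level follow the Apache documentation.

```python
import re

# Constructed sample responses to a TRACE request (assumed, not captured).
# An unhardened server echoes the request back as message/http.
TRACE_ENABLED = (
    b"HTTP/1.1 200 OK\r\n"
    b"Server: Apache/2.2.3 (CentOS)\r\n"
    b"Content-Type: message/http\r\n"
    b"\r\n"
    b"TRACE / HTTP/1.1\r\nHost: example.test\r\nCookie: session=abc\r\n"
)
# After the mod_rewrite rule ([F]) and ServerTokens Prod.
TRACE_FORBIDDEN = (
    b"HTTP/1.1 403 Forbidden\r\n"
    b"Server: Apache\r\n"
    b"Content-Type: text/html\r\n"
    b"\r\n"
    b"<html><body>Forbidden</body></html>"
)

def parse_response(raw):
    """Split a raw HTTP response into (status code, header dict, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    status = int(lines[0].split()[1])
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status, headers, body

def trace_reflected(raw):
    """True when the server echoed the TRACE request (including any cookies)."""
    status, headers, body = parse_response(raw)
    ctype = headers.get("content-type", "")
    return status == 200 and ctype.startswith("message/http") and body.startswith(b"TRACE ")

def server_header_leaks_version(raw):
    """True when the Server header carries a version number (e.g. Apache/2.2.3)."""
    _, headers, _ = parse_response(raw)
    return re.search(r"/\d", headers.get("server", "")) is not None

def server_tokens_level(server_header):
    """Infer the ServerTokens level that produced an Apache Server header:
    Prod 'Apache', Major 'Apache/2', Minor 'Apache/2.2', Min 'Apache/2.2.3',
    OS 'Apache/2.2.3 (Unix)', Full adds module tokens. 'unknown' if not Apache."""
    m = re.match(r"^Apache(?:/(\d+(?:\.\d+){0,2}))?( \([^)]*\))?(.*)$", server_header)
    if not m:
        return "unknown"
    version, os_part, rest = m.groups()
    if rest.strip():
        return "Full"
    if os_part:
        return "OS"
    if version is None:
        return "Prod"
    return {1: "Major", 2: "Minor", 3: "Min"}[version.count(".") + 1]
```

Feed real captures into the same functions to verify the rewrite rule and ServerTokens setting took effect after a restart.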
