Checking for Leaks - Hardening Apache

Started by sukishan, Aug 22, 2009, 06:56 PM

sukishan

As described on the Cirt site,

Nikto is an Open Source (GPL) web server scanner which performs comprehensive tests against web servers for multiple items, including over 2600 potentially dangerous files/CGIs, versions on over 625 servers, and version specific problems on over 230 servers. Scan items and plug-ins are frequently updated and can be automatically updated (if desired).

It includes support for Unix systems (which would of course include Linux and Macintosh OS X) and Windows-based machines, and is the replacement for htmap from the same group.

This is an excellent starting point for those performing a thorough review of servers under their administration for security, vulnerability and the tightening of configurations.

Configuration

I particularly liked Mobily's review of configuring httpd.conf prior to the setup of virtual servers. It keeps the cart behind the horse, patiently ensuring that the system is ready to host those domains, with a run down on Apache modules from a security perspective, along with some tweaks.

These include excellent explanations for the use of third party modules like mod_security, mod_bandwidth, and mod_dosevasive to ramp up security.

Some of the author's tips include the modification of headers with 'ServerTokens Minimal' in httpd.conf - this drops the Apache version number from a header sent as part of an HTTP request.

Another possibly controversial change is a suggestion for disabling HTTP TRACE either through a <Location /> container, or outside of all containers as a global directive using mod_rewrite. See the W3C's definition of HTTP TRACE if you need more information on it.

RewriteEngine on
# Match TRACE requests and refuse them with 403 Forbidden; "-" keeps the URL unchanged
RewriteCond %{REQUEST_METHOD} ^TRACE
RewriteRule .* - [F]

A good beginning makes a good ending
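The header and TRACE settings discussed in this post, as an added example that is not part of the original post or of Mobily's review: a small POSIX shell audit of an httpd.conf that reports the leaks a scanner like Nikto would also flag. The two configuration files, the working directory and the `conf_value` / `audit_httpd_conf` helpers are constructed here for illustration; `TraceEnable Off` is Apache's built-in directive for refusing TRACE and is shown beside the post's mod_rewrite rule.

```shell
#!/bin/sh
# Added example, not code from the original post: audit an httpd.conf for the
# information leaks discussed above (ServerTokens, ServerSignature, TRACE).
# Both configuration files below are constructed for this demonstration.

WORK="${TMPDIR:-/tmp}/httpd-audit.$$"
mkdir -p "$WORK"

# Constructed "before" configuration: Apache's leaky defaults spelled out.
cat > "$WORK/weak.conf" <<'EOF'
ServerTokens Full
ServerSignature On
TraceEnable On
EOF

# Constructed hardened configuration. TraceEnable Off is the built-in way to
# refuse TRACE; the mod_rewrite rule from the post is kept as the fallback for
# builds without it and needs "-" as the substitution to be valid syntax.
cat > "$WORK/hard.conf" <<'EOF'
ServerTokens Prod
ServerSignature Off
TraceEnable Off
RewriteEngine on
RewriteCond %{REQUEST_METHOD} ^TRACE
RewriteRule .* - [F]
EOF

# conf_value FILE DIRECTIVE: effective value of a directive (the last active
# occurrence wins; commented lines never match because $1 starts with '#').
conf_value() {
  awk -v d="$2" 'tolower($1) == tolower(d) { v = $2 } END { print v }' "$1"
}

# audit_httpd_conf FILE: one finding per line on stderr; prints the number of
# findings on stdout and always returns 0 so callers can capture the count.
audit_httpd_conf() {
  conf="$1"; n=0

  # Anything other than Prod/ProductOnly leaves version detail in the Server header.
  tokens=$(conf_value "$conf" ServerTokens)
  case "$tokens" in
    [Pp]rod|[Pp]roductOnly) ;;
    *) echo "ServerTokens is '${tokens:-Full (default)}': version leaks in Server header" >&2
       n=$((n + 1)) ;;
  esac

  # ServerSignature On/EMail appends the server version to generated error pages.
  sig=$(conf_value "$conf" ServerSignature)
  case "$sig" in
    [Oo]n|[Ee][Mm]ail) echo "ServerSignature $sig: version leaks in error pages" >&2
                       n=$((n + 1)) ;;
  esac

  # TRACE is a finding unless TraceEnable is Off or a rewrite rule blocks it.
  trace=$(conf_value "$conf" TraceEnable)
  if [ "$(printf %s "$trace" | tr A-Z a-z)" != off ] &&
     ! grep -Eiq 'RewriteCond[[:space:]]+%\{REQUEST_METHOD\}[[:space:]]+\^?TRACE' "$conf"; then
    echo "TRACE allowed (TraceEnable ${trace:-On (default)}, no rewrite rule)" >&2
    n=$((n + 1))
  fi

  echo "$n"
}

audit_httpd_conf "$WORK/weak.conf"   # 3 findings
audit_httpd_conf "$WORK/hard.conf"   # 0 findings
```

Run it against a real httpd.conf by passing the file to `audit_httpd_conf`; a count of 0 means the three leaks covered here are closed, which is a useful sanity check before pointing Nikto at the host.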