
Some ways to secure apache web server under Windows

 
Apache Forum Index -> How-to's & Documentation & Tips



James Blond
Moderator


Joined: 19 Jan 2006
Posts: 6255
Location: Germany, Next to Hamburg

PostPosted: Thu 02 Aug '07 11:51    Post subject: Some ways to secure apache web server under Windows

Install the latest version
Older versions contain bugs which could be used by attackers.


Hide the Apache Version number, and other sensitive information

Here are two directives that you need to add, or edit, in your httpd.conf file:
Code:

ServerSignature Off
ServerTokens Prod


The ServerSignature appears on the bottom of pages generated by Apache such as 404 pages, directory listings, etc.

The ServerTokens directive is used to determine what Apache will put in the Server HTTP response header. By setting it to Prod it sets the HTTP response header as follows:

Code:

Server: Apache


If you're super paranoid you could change this to something other than "Apache" by editing the source code, or by using mod_security.

Ensure that files outside the web root are not served

We don't want Apache to be able to access any files outside of its web root. So assuming all your web sites are placed under one directory (we will call this C:/apache2/htdocs), you would set it up as follows:

Code:

<Directory />
  Order Deny,Allow
  Deny from all
  Options None
  AllowOverride None
</Directory>
<Directory C:/apache2/htdocs>
  Order Allow,Deny
  Allow from all
</Directory>


Note that because we set Options None and AllowOverride None this will turn off all options and overrides for the server. You now have to add them explicitly for each directory that requires an Option or Override.

Turn off directory browsing

You can do this with an Options directive inside a Directory tag. Set Options to either None or -Indexes

Code:

Options -Indexes


Turn off server side includes

This is also done with the Options directive inside a Directory tag. Set Options to either None or -Includes

Code:

Options -Includes


Turn off CGI execution

If you're not using CGI turn it off with the Options directive inside a Directory tag. Set Options to either None or -ExecCGI

Code:

Options -ExecCGI


Turning off multiple Options

Now combine all stuff!

shortest

Code:

Options None


or

Code:

Options -ExecCGI -Includes -Indexes



Turn off support for .htaccess files

This is done in a Directory tag but with the AllowOverride directive. Set it to None.

Code:

AllowOverride None


Disable any unnecessary modules

Apache typically comes with several modules installed. Go through the apache module documentation and learn
what each module you have enabled actually does. Many times you will find that you don't need to have the said module enabled.

Look for lines in your httpd.conf that contain LoadModule. To disable the module you can typically just add a # at the beginning of the line.


Restricting Access by IP
If you have a resource that should only be accessed by a certain network or IP address, you can enforce this in your Apache configuration. For instance, if you want to restrict access to your intranet to allow only the 192.168 network:

Code:

Order Deny,Allow
Deny from all
Allow from 192.18.0.0/16


or by IP

Code:

Order Deny,Allow
Deny from all
Allow from 127.0.0.1 192.168


Any comments?


Last edited by James Blond on Thu 06 Sep '07 10:03; edited 1 time in total
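A small audit script, added here as an example and not part of the original post, that checks an httpd.conf fragment for the points above: ServerSignature/ServerTokens, the Options and AllowOverride settings of each Directory container, and "Allow from" networks that are not private ranges. The configuration embedded in it is constructed for the demo and deliberately breaks several of the recommendations.

```python
import re
import ipaddress

# Constructed httpd.conf fragment for the demo (not from the post); it violates several points on purpose.
SAMPLE_CONF = """\
ServerSignature On
ServerTokens Full
<Directory />
  Order Deny,Allow
  Deny from all
  Options Indexes FollowSymLinks
  AllowOverride All
</Directory>
<Directory C:/apache2/htdocs>
  Order Deny,Allow
  Deny from all
  Allow from 127.0.0.1 192.18.0.0/16
  Options -ExecCGI -Includes -Indexes
</Directory>
"""

def audit_httpd_conf(text):
    """Return a list of findings for the hardening points covered in the thread."""
    findings = []
    # Global directives: both must be present and set to the recommended value.
    found = {m.group(1).lower(): m.group(2) for m in
             re.finditer(r"^\s*(ServerSignature|ServerTokens)\s+(\S+)", text, re.M | re.I)}
    for name, want in (("ServerSignature", "Off"), ("ServerTokens", "Prod")):
        if found.get(name.lower(), "").lower() != want.lower():
            findings.append(f"{name} is not {want}")
    # Per-container checks: look at Options and AllowOverride in each <Directory>.
    for m in re.finditer(r'<Directory\s+"?([^">]+?)"?\s*>(.*?)</Directory>', text, re.S | re.I):
        path, body = m.group(1), m.group(2)
        opts = re.search(r"^\s*Options\s+(.+)$", body, re.M | re.I)
        if opts:
            enabled = [o for o in opts.group(1).split() if not o.startswith("-")]
            for risky in ("Indexes", "Includes", "ExecCGI", "All"):
                if risky in enabled:
                    findings.append(f"<Directory {path}> enables Options {risky}")
        if path == "/" and not re.search(r"^\s*AllowOverride\s+None\b", body, re.M | re.I):
            findings.append("<Directory /> should set AllowOverride None")
    # "Allow from" networks: a non-private range in an intranet rule is usually a typo.
    for m in re.finditer(r"^\s*Allow\s+from\s+(.+)$", text, re.M | re.I):
        for net in m.group(1).split():
            try:
                if not ipaddress.ip_network(net, strict=False).is_private:
                    findings.append(f"Allow from {net} is a public range; check for a typo")
            except ValueError:
                pass  # "all" and partial forms like "192.168" are valid to Apache
    return findings
```

Run it against your own httpd.conf (and extra/httpd-default.conf, where newer 2.x installs keep ServerSignature and ServerTokens) by reading the file into `audit_httpd_conf`; an empty list means every checked point matches the post.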
flyingmonkey



Joined: 01 Aug 2007
Posts: 15

PostPosted: Wed 05 Sep '07 22:13    Post subject:

Great Post!

I think there may've been a typo in "Turn off directory browsing" code:
Code:

Options -Includes


seems like it should be:

Code:

Options -Indexes


Reducing the Timeout may also help prevent DoS attacks. I believe default is 300.

Code:

# wait up to 60 seconds for slow clients
TimeOut 60


Do you have any tips on setting up accounts / partitions / etc. for Apache on Windows? I would like to try and make my installation as secure as possible. I am relatively a newb to Apache.
James Blond
Moderator


Joined: 19 Jan 2006
Posts: 6255
Location: Germany, Next to Hamburg

PostPosted: Thu 06 Sep '07 10:04    Post subject:

Thanks! I corrected that typo.

The thing with TimeOut is a good hint!
flyingmonkey



Joined: 01 Aug 2007
Posts: 15

PostPosted: Thu 06 Sep '07 22:33    Post subject:

No problem. If I am using Apache just as a reverse proxy without hosting anything directly on the server, do I still need the latter section of "Ensure that files outside the web root are not served"?

Code:

<Directory C:/apache2/htdocs>
  Order Allow,Deny
  Allow from all
</Directory>


My assumption is no, since I won't have any files stored. I just want to double check that I am not opening up a big no-no.
James Blond
Moderator


Joined: 19 Jan 2006
Posts: 6255
Location: Germany, Next to Hamburg

PostPosted: Fri 07 Sep '07 9:49    Post subject:

"Ensure that files outside the web root are not served" is this part.

Code:

<Directory />
  Order Deny,Allow
  Deny from all
  Options None
  AllowOverride None
</Directory>


The / will be interpreted by Windows as the root, e.g. C:\ or D:\ ...
If you only run your server as a reverse proxy there is no security hole at all.

And yes, you need the permission part for the doc root, which is the doc root for the reverse proxy if you did not set up a vhost.
iiigoiii



Joined: 14 Dec 2007
Posts: 1

PostPosted: Fri 14 Dec '07 23:41    Post subject: Re: Some ways to secure apache web server under Windows

just wanted to mention for those installing 2.x that the ServerSignature and ServerTokens directives are no longer in httpd.conf, but extra/httpd-default.conf.

and of course it goes without mentioning that the
#Include conf/extra/httpd-default.conf
line must be uncommented if changes are made to that file!

Quote:
Hide the Apache Version number, and other sensitive information

Here are two directives that you need to add, or edit, in your httpd.conf file:
Code:

ServerSignature Off
ServerTokens Prod


Mitron



Joined: 04 Jan 2006
Posts: 64

PostPosted: Mon 17 Dec '07 8:59    Post subject: Re: Some ways to secure apache web server under Windows

James Blond wrote:

Restricting Access by IP
If you have a resource that should only be accessed by a certain network or IP address, you can enforce this in your Apache configuration. For instance, if you want to restrict access to your intranet to allow only the 192.168 network:

Code:

Order Deny,Allow
Deny from all
Allow from 192.18.0.0/16



Don't want to be a stickler or anything, but should this be?
Code:

Order Deny,Allow
Deny from all
Allow from 192.168.0.0/16