Apache WebServer Optimisation For Windows

 
Apache Forum Index -> How-to's & Documentation & Tips
NthDegree
Joined: 14 Mar 2006
Posts: 14
Posted: Thu 20 Apr '06 0:12    Post subject: Apache WebServer Optimisation For Windows

Most people overlook these small things when setting up their webserver, but following this guide will help reduce potential exploits and reduce the surface area of attack on your server (not to mention make it run quicker).

1. System Preparation

Choose a secure server OS:
Recommended: Windows Server 2003 Standard or Enterprise (RC2)
Very Minimum: Windows Server 2000 Final Release

Partitioning:
When installing your operating system partition a small area for your website.

The size of the partition should be enough to cater for your site files, apache http server and any extra software you may need (SQL Server, PHP, ASP etc.).

Install as light as possible:
When setting up the OS set it up lightly (don't put on unnecessary languages or codepages), and remember to remove unnecessary rubbish after installation.

Tweak The OS:
Harden the TCP/IP stack using the following tool http://sniffem.exaserve.net/Hardenit.exe

Then create special users for Apache and the other applications you may need to use (e.g. MySQL) with minimum permissions and zero-access to the main OS partition.

After making and setting the restrictions, ensure that Apache has write permission for the logs directory ONLY, and that MySQL has write access to the data directory only.
NthDegree
Joined: 14 Mar 2006
Posts: 14
Posted: Thu 20 Apr '06 0:32    Post subject: Part 2

2. Actual Set-up of the Apache Server

Restrict apache filesystem access permissions:

Use the user created during Part 1 to run the Apache server!

Adjusting for minimum needed support:

This is a heavily overlooked idea, and a very useful method for reducing possible exploits on your server.

Only using the minimum amount of modules on your server helps to reduce the surface area of possible attacks and exploits on your server.

For example, here are the module lines of a typical httpd.conf (without the #ed parts):

Code:
LoadModule actions_module modules/mod_actions.so
LoadModule alias_module modules/mod_alias.so
LoadModule asis_module modules/mod_asis.so
LoadModule auth_basic_module modules/mod_auth_basic.so
LoadModule authn_default_module modules/mod_authn_default.so
LoadModule authn_file_module modules/mod_authn_file.so
LoadModule authz_default_module modules/mod_authz_default.so
LoadModule authz_groupfile_module modules/mod_authz_groupfile.so
LoadModule authz_host_module modules/mod_authz_host.so
LoadModule authz_user_module modules/mod_authz_user.so
LoadModule autoindex_module modules/mod_autoindex.so
LoadModule cgi_module modules/mod_cgi.so
LoadModule dir_module modules/mod_dir.so
LoadModule env_module modules/mod_env.so
LoadModule imagemap_module modules/mod_imagemap.so
LoadModule include_module modules/mod_include.so
LoadModule isapi_module modules/mod_isapi.so
LoadModule log_config_module modules/mod_log_config.so
LoadModule mime_module modules/mod_mime.so
LoadModule negotiation_module modules/mod_negotiation.so
LoadModule setenvif_module modules/mod_setenvif.so
LoadModule userdir_module modules/mod_userdir.so


NOW ISN'T THAT A LOT?

Here's the amount you really need under basic circumstances:

Code:
LoadModule authn_default_module modules/mod_authn_default.so
LoadModule authz_host_module modules/mod_authz_host.so
LoadModule dir_module modules/mod_dir.so
LoadModule mime_module modules/mod_mime.so
LoadModule setenvif_module modules/mod_setenvif.so


Now to further reduce attack potential another idea is to lessen the support when compiling apache to only allow EXACTLY WHAT YOU NEED!!!

To be continued..... (in next post)


Last edited by NthDegree on Thu 20 Apr '06 1:26; edited 1 time in total
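As an added example (not code from the post), a small Python script that audits the LoadModule lines of an httpd.conf against the five-module minimal set above, so you can see at a glance which loaded modules go beyond it and which are already commented out. The sample httpd.conf text inside it is constructed.

```python
"""Audit the LoadModule lines of an httpd.conf against the minimal module set
from the post.  Added example, not from the original post; the sample
httpd.conf text below is constructed."""
import re

# The five modules the post says a basic static site needs
MINIMAL_MODULES = {
    "authn_default_module", "authz_host_module", "dir_module",
    "mime_module", "setenvif_module",
}

# Matches both live and commented-out ("#ed") LoadModule lines
LOADMODULE_RE = re.compile(r"^\s*(#\s*)?LoadModule\s+(\S+)\s+(\S+)")

def audit_modules(conf_text, allowed=MINIMAL_MODULES):
    """Return (active, extra, disabled): modules actually loaded, the loaded
    ones outside the allow-list, and the ones already commented out."""
    active, disabled = [], []
    for line in conf_text.splitlines():
        m = LOADMODULE_RE.match(line)
        if not m:
            continue
        commented, name = m.group(1), m.group(2)
        (disabled if commented else active).append(name)
    extra = [name for name in active if name not in allowed]
    return active, extra, disabled

# Constructed sample resembling the "typical" httpd.conf list in the post
SAMPLE_CONF = """\
LoadModule alias_module modules/mod_alias.so
LoadModule authn_default_module modules/mod_authn_default.so
LoadModule authz_host_module modules/mod_authz_host.so
#LoadModule cgi_module modules/mod_cgi.so
LoadModule dir_module modules/mod_dir.so
LoadModule mime_module modules/mod_mime.so
LoadModule setenvif_module modules/mod_setenvif.so
LoadModule userdir_module modules/mod_userdir.so
"""

if __name__ == "__main__":
    active, extra, disabled = audit_modules(SAMPLE_CONF)
    print("%d modules loaded; not in the minimal set: %s" % (len(active), extra))
    print("already commented out: %s" % disabled)
```

Point it at a real httpd.conf by reading the file into `audit_modules` instead of `SAMPLE_CONF`; anything reported as extra is a candidate for commenting out and testing.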
NthDegree
Joined: 14 Mar 2006
Posts: 14
Posted: Thu 20 Apr '06 0:47    Post subject: Part 3

3. Set up of extra applications

This section is generic advice to help with the set up of extra additional bits, skip this bit if you only intend to use apache to serve up html!

Use only the minimums (MySQL example):

When setting up MySQL install using the "Essentials" package, that way you install less and still have what you need to cater for your server!

(http://dev.mysql.com/get/Downloads/MySQL-5.0/mysql-essential-5.0.20-win32.msi/from/http://mysql.belnet.be/ For Essentials)

Also, when configuring MySQL, only use the amounts and resources you need; this can help lighten the load on things.

e.g. Developer Machine, MyISAM ONLY, 2 Persistent Connections, latin1 character set.

Disable Unnecessary Functions (PHP Example):

Disabling PHP functions your scripts don't use or that are considered dangerous or risky is an excellent way to harden against attack.

For Example:

Placing the following in your php.ini can help reduce the possibility of exploitation.

Code:
disable_functions = "system,exec,shell_exec,passthru,escapeshellcmd,popen,pcntl_exec"


Also if you are skilled at programming use the Hardened PHP Project's recommended patches to help further secure your PHP!

To be continued........
NthDegree
Joined: 14 Mar 2006
Posts: 14
Posted: Thu 20 Apr '06 1:04    Post subject: Part 4

4. Extra Security for Apache

Using mod_security:

If you intend to serve up dynamic content or use CGI/SSI/PHP/ASP/ASPX/JAVA or any other form of scripting then mod_security is an excellent way to block exploits!

Simply add the following to the httpd.conf!

Code:
LoadModule security_module modules/mod_security/mod_security.so


Then add the following code to the very end of the httpd.conf to add some basic rules:

Code:

<IfModule mod_security.c>
# Engine and request-normalisation settings
SecFilterEngine On
SecFilterScanPOST On
SecFilterCheckURLEncoding On
SecFilterCheckUnicodeEncoding On
SecFilterForceByteRange 10 128
SecServerSignature "Microsoft-IIS/4.0"
SecAuditEngine RelevantOnly
SecAuditLog logs/sec.log
# Default action for every rule that does not set its own
SecFilterDefaultAction "deny,log,msg:'Common attacks',status:403"
SecFilter "^GET (http|https|ftp)\:/"
SecFilter "^HEAD (http|https|ftp)\:/"
SecFilter "^POST (http|https|ftp)\:/"
SecFilterSelective THE_REQUEST "^CONNECT "
# A rule marked "chain" only fires when the rule that follows it matches too
SecFilterSelective REQUEST_METHOD "!^(GET|HEAD)$" chain
SecFilterSelective HTTP_Content-Type "!(^application/x-www-form-urlencoded$|^multipart/form-data;)"
SecFilterSelective REQUEST_METHOD "^(GET|HEAD)$" chain
SecFilterSelective HTTP_Content-Length "!^$"
SecFilterSelective REQUEST_METHOD "!^(GET|HEAD|POST)$"
SecFilterSelective SERVER_PROTOCOL "!^HTTP/(0\.9|1\.0|1\.1)$"
SecFilterSelective REQUEST_METHOD "^POST$" chain
SecFilterSelective HTTP_Content-Length "^$"
SecFilterSelective HTTP_Transfer-Encoding "!^$"
# SecFilterSignatureAction changes the action for all rules that follow it
SecFilterSignatureAction "log,deny,msg:'PHP attack'"
SecFilterSelective ARGS_NAMES "^php:/"
SecFilterSelective ARG_highlight "(\x27|%27|\x2527|%2527)"
SecFilterSignatureAction "log,deny,msg:'Awstats Attack'"
SecFilterSelective ARGS_NAMES "configdir"
SecFilterSignatureAction "log,deny,msg:'SQL Injection attack'"
SecFilterSelective ARGS "delete[[:space:]]+from"
SecFilterSelective ARGS "drop[[:space:]]+database"
SecFilterSelective ARGS "drop[[:space:]]+table"
SecFilterSelective ARGS "drop[[:space:]]+column"
SecFilterSelective ARGS "drop[[:space:]]+procedure"
SecFilterSelective ARGS "create[[:space:]]+table"
SecFilterSelective ARGS "update.+set.+="
SecFilterSelective ARGS "insert[[:space:]]+into.+values"
SecFilterSelective ARGS "select.+from"
SecFilterSelective ARGS "bulk[[:space:]]+insert"
SecFilterSelective ARGS "union.+select"
SecFilterSelective ARGS "or.+1[[:space:]]*=[[:space:]]1"
SecFilterSelective ARGS "alter[[:space:]]+table"
SecFilterSelective ARGS "or 1=1--'"
SecFilterSelective ARGS "'.+--"
SecFilterSelective ARGS "into[[:space:]]+outfile"
SecFilterSelective ARGS "load[[:space:]]+data"
SecFilterSelective ARGS "/\*.+\*/"
SecFilterSignatureAction "log,deny,msg:'Command execution attack'"
SecFilterSelective ARGS_VALUES "^(uname|id|ls|rm|kill)"
SecFilterSelective ARGS_VALUES "^(ls|id|pwd|wget)"
SecFilterSelective ARGS_VALUES ";[[:space:]]*(ls|id|pwd|wget)"
</IfModule>


The next step to further reinforce mod_security is to get some nice rules off gotroot or another rules source.
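To make the rule semantics concrete, here is an added example (not code from the post or from the mod_security project) that re-implements a few of the rules above in plain Python: the chained method/header checks of the "Common attacks" group and some of the SQL-injection ARGS signatures, run over constructed sample requests. Treating matches as case-insensitive is an assumption.

```python
"""Plain-Python re-implementation of a few of the mod_security 1.x rules above,
to show what 'chain' and the ARGS signatures match.  Added example, not code
from the post or from mod_security; sample requests are constructed and
case-insensitive matching is an assumption."""
import re

def _rx(pattern):
    # The post's rules use POSIX [[:space:]]; Python's re spells that \s
    return re.compile(pattern.replace("[[:space:]]", r"\s"), re.IGNORECASE)

FORM_CTYPE = _rx(r"(^application/x-www-form-urlencoded$|^multipart/form-data;)")
# ARGS signatures copied from the post's "SQL Injection attack" group
SQLI = [_rx(p) for p in (
    r"delete[[:space:]]+from", r"drop[[:space:]]+table", r"union.+select",
    r"select.+from", r"or.+1[[:space:]]*=[[:space:]]1", r"'.+--",
    r"into[[:space:]]+outfile", r"/\*.+\*/")]

def protocol_rules(req):
    """The 'Common attacks' group.  A rule marked 'chain' only fires when the
    rule after it also matches, so each chain becomes one conjunction here."""
    method, hdr = req["method"], req.get("headers", {})
    ctype, clen = hdr.get("Content-Type", ""), hdr.get("Content-Length", "")
    if method not in ("GET", "HEAD") and not FORM_CTYPE.search(ctype):
        return "Common attacks: non-form Content-Type on %s" % method
    if method in ("GET", "HEAD") and clen != "":
        return "Common attacks: Content-Length on %s" % method
    if method not in ("GET", "HEAD", "POST"):
        return "Common attacks: method %s not permitted" % method
    if method == "POST" and clen == "":
        return "Common attacks: POST without Content-Length"
    if hdr.get("Transfer-Encoding", "") != "":
        return "Common attacks: Transfer-Encoding not permitted"
    return None

def sqli_rules(req):
    """ARGS signatures run over the whole decoded argument string."""
    for rx in SQLI:
        if rx.search(req.get("args", "")):
            return "SQL Injection attack: matched %s" % rx.pattern
    return None

def inspect(req):
    """Message of the first rule that denies the request, or None if it passes."""
    return protocol_rules(req) or sqli_rules(req)

# Constructed sample requests (arguments already URL-decoded, as mod_security sees them)
PLAIN_GET = {"method": "GET", "headers": {}, "args": "page=2&sort=name"}
GET_WITH_LENGTH = {"method": "GET", "headers": {"Content-Length": "12"}, "args": ""}
POST_PLAIN = {"method": "POST", "headers": {"Content-Type": "text/plain", "Content-Length": "5"}}
POST_SQLI = {"method": "POST", "args": "user=x' or 1=1--&pw=y", "headers": {
    "Content-Type": "application/x-www-form-urlencoded", "Content-Length": "20"}}
```

Calling `inspect()` on each sample shows the plain GET passing and the other three being denied by the rule named in the returned message.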
NthDegree
Joined: 14 Mar 2006
Posts: 14
Posted: Thu 20 Apr '06 1:25    Post subject: Extra Ideas:

5. Final Hardening of Apache

Allow only "approved" user-agents:

Set up apache to only allow approved user agents to aid in blocking skiddies and lessen the load on mod_security.

User-Agents are the signatures left by browsers, hack-tools, web bots etc.

Here's some example code on how to allow specific User-Agents access to the site:

Code:
SetEnvIf User-Agent "^Mozilla/4\.0 \(compatible; MSIE 6\.0; Windows NT 5\.2; WOW64; SV1; \.NET CLR 2\.0\.50727\)" 102B
SetEnvIf User-Agent "^Mozilla/5\.0 \(Windows; U; Windows NT 5\.1; en-US; rv:1\.8\.0\.2\) Gecko/20060308 Firefox/1\.5\.0\.2" 103B

<Directory "X:/htdocs">
Options None
AllowOverride None
Order allow,deny
Allow from env=102B
Allow from env=103B
</Directory>


Firewalling:

Use a hardware firewall router & software firewall which has been set to allow httpd.exe inbound on port 80 (or 443 for mod_ssl) only and block all other communication.

Allow outbound to 3306 if you use MySQL, and outbound on 25 if you use your Apache to send e-mail (for example with PHP).

Intrusion Detection & Prevention:

Under normal circumstances Intrusion Detection & Prevention systems are quite useless to the average home user, but are worth considering if you want to further restrict things to the extreme.

If your system is set out correctly and protected at every level (Base OS, Kernel, Filesystem, Registry & Applications, Webserver, Software Firewall, Hardware Firewall Router) then IDS/IPS is virtually pointless unless you get a lot of traffic or are attacked often.

Snort http://www.snort.org - One example of an IDS/IPS system
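Added example, not from the post: a Python dry run of the two SetEnvIf User-Agent rules against constructed User-Agent strings, comparing the regex written in double quotes with the same line with the quotes left off (httpd takes the first argument after the attribute as the regex and every later argument as a variable name to set, so an unquoted regex silently shrinks to a short prefix). The directive splitting is a simplified model of httpd's argument parsing, an assumption.

```python
"""Dry-run the SetEnvIf User-Agent allow-list above against sample User-Agent
strings.  Added example, not from the original post: directive splitting is a
simplified model of httpd's argument parsing (an assumption) and every
User-Agent string below is constructed."""
import re

QUOTED = r'''
SetEnvIf User-Agent "^Mozilla/4\.0 \(compatible; MSIE 6\.0; Windows NT 5\.2; WOW64; SV1; \.NET CLR 2\.0\.50727\)" 102B
SetEnvIf User-Agent "^Mozilla/5\.0 \(Windows; U; Windows NT 5\.1; en-US; rv:1\.8\.0\.2\) Gecko/20060308 Firefox/1\.5\.0\.2" 103B
'''
# The same two lines with the quotes left off, as they are often pasted
UNQUOTED = QUOTED.replace('"', "")

TOKEN_RE = re.compile(r'"([^"]*)"|(\S+)')

def split_directive(line):
    """Arguments of one directive line; a double-quoted argument may contain spaces."""
    return [q or w for q, w in TOKEN_RE.findall(line)]

def parse_setenvif(conf_text):
    """(regex, [env var names]) per 'SetEnvIf User-Agent' line.  httpd takes the
    first argument after the attribute as the regex and *all* later arguments
    as variables to set, so an unquoted regex silently shrinks to a prefix."""
    rules = []
    for line in conf_text.splitlines():
        args = split_directive(line)
        if len(args) >= 4 and args[:2] == ["SetEnvIf", "User-Agent"]:
            rules.append((re.compile(args[2]), args[3:]))
    return rules

def allowed(user_agent, conf_text, allow_env=("102B", "103B")):
    """Would the <Directory> block's 'Allow from env=' lines admit this client?"""
    env = {name for regex, names in parse_setenvif(conf_text)
           if regex.search(user_agent) for name in names}
    return bool(env & set(allow_env))

# Constructed sample User-Agent strings
UA_MSIE6_2003 = "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; WOW64; SV1; .NET CLR 2.0.50727)"
UA_MSIE6_XP = "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
UA_FF_1502 = "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.0.2) Gecko/20060308 Firefox/1.5.0.2"
UA_FF_1503 = "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.0.3) Gecko/20060426 Firefox/1.5.0.3"

if __name__ == "__main__":
    for ua in (UA_MSIE6_2003, UA_MSIE6_XP, UA_FF_1502, UA_FF_1503):
        print("quoted=%-5s unquoted=%-5s %s" % (allowed(ua, QUOTED), allowed(ua, UNQUOTED), ua[:40]))
```

With the quoted rules only the two listed browser builds get in (a Firefox 1.5.0.3 client is refused), while the unquoted form admits any User-Agent starting with Mozilla/4.0 or Mozilla/5.0.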
Steffen
Moderator
Joined: 15 Oct 2005
Posts: 2581
Location: Hilversum, NL, EU
Posted: Sun 07 May '06 8:29

Good guide with a lot of tips. I think it is very useful for a lot of webmasters, so I put a link to this post on the main page here.

Steffen
Brian
Joined: 21 Oct 2005
Posts: 209
Location: Puyallup, WA USA
Posted: Sun 07 May '06 17:48

Yes, thank you for the series of suggestions. I love using WAMP servers, Steffen knows this about me. I am already utilizing some of what you brought up.
Jorge
Joined: 12 Mar 2006
Posts: 376
Location: Belgium
Posted: Sun 07 May '06 19:25

Code:
SetEnvIf User-Agent "^Mozilla/4\.0 \(compatible; MSIE 6\.0; Windows NT 5\.2; WOW64; SV1; \.NET CLR 2\.0\.50727\)" 102B
SetEnvIf User-Agent "^Mozilla/5\.0 \(Windows; U; Windows NT 5\.1; en-US; rv:1\.8\.0\.2\) Gecko/20060308 Firefox/1\.5\.0\.2" 103B


looks like a bad idea though

Someone with IE 5, 5.5 or 7.0 or an older version of Firefox (or the newest 15.0.3) can't access the server
Jcink
Joined: 06 Mar 2006
Posts: 23
Posted: Sun 21 May '06 18:08

Thanks for the tutorial, I found it really helpful.

But I have a question about Hardenit.exe - what do you pick in all of that? It says to simply not hit next->next->next-> and I don't want to make any mistakes.

Thanks.
DeliriumServers
Joined: 17 Jun 2006
Posts: 54
Location: H Town
Posted: Sun 02 Jul '06 23:23    Post subject: hmm

I'm on Windows Server 2003 Enterprise R2 and I'm having some confusion on limiting users to certain partitions, could someone give me some very detailed instructions? I really appreciate it, thanks guys!

correction! I'm retarded
dke
Joined: 13 Jul 2007
Posts: 61
Location: sweden
Posted: Mon 27 Aug '07 22:14

awesome post, bookmarked.

Any tips regarding the optimization of the TCP/IP stack would be great; I saw there were like 100 questions in the hardenit.exe file.

Any tips for a Windows machine trying to host a gallery with lots of thumbnails loading rapidly?