How To Secure Apache Web Server

Apache is the most widely used web server software. It is developed and maintained by the Apache Software Foundation and is open source software available for free. It is fast, reliable, and secure.
Access control is an important part of security and its most visible aspect, which leads people to assume that it is security. You may need to introduce access control to your system for a few reasons. The first and most obvious reason is to allow some people to see (or do) what you want them to see or do while keeping the others out. However, you must also know who did what and when, so that they can be held accountable for their actions.
This chapter covers the following:
- Access control concepts
- HTTP authentication protocols
- Form-based authentication as an alternative to HTTP-based authentication
- Access control mechanisms built into Apache
- Single sign-on

Even in the web server space, there are many brands (Apache, Microsoft IIS, Java-based web servers), and SSO must work across all of them. A decent SSO strategy is to use a Lightweight Directory Access Protocol (LDAP) server to store user accounts.
Access control rests on four concepts:
- Identification
- Authentication
- Authorization
- Accountability
Authentication factors fall into three types:
- Something you know (Type 1)
- Something you have (Type 2)
- Something you are (Type 3)
Engaging in secure, authenticated communication when using an unencrypted channel is impossible. Once you add SSL to the server (see Chapter 4), it corrects most of the problems people have had with Basic authentication. If using SSL is not an option, then deployment of Digest authentication is highly recommended. There are many freely available tools that allow almost anyone (since no technical knowledge is required) to automatically collect Basic authentication passwords from the traffic flowing on the network. But I haven’t seen any tools that automate the process of performing a replay attack when Digest authentication is used. The use of Digest authentication at least raises the bar to require technical skills on the part of the attacker.
There is one Digest authentication feature that is very interesting: server authentication. As of RFC 2617 (which obsoletes RFC 2069), clients can use Digest authentication to verify that the server does know their password. It sounds as though widespread use of Digest authentication could help the fight against the numerous phishing attacks that take place on the Internet today (see Chapter 10).
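Here, as an added example that is not code from the book, is the RFC 2617 arithmetic behind that server authentication feature: the server proves it holds the same secret by returning rspauth in the Authentication-Info header. It assumes the usual Apache setup in which the server stores H(A1) as produced by htdigest; the user name, realm and passwords are constructed.

```python
import hashlib
import secrets

# Added example (not code from the book): the RFC 2617 Digest computations that
# let a client check, via rspauth in Authentication-Info, that the server knows
# its password. User, realm and credentials below are constructed.

def _md5(text):
    return hashlib.md5(text.encode("utf-8")).hexdigest()

def ha1(user, realm, password):
    # H(A1) is what htdigest stores; the server never needs the clear-text password.
    return _md5(f"{user}:{realm}:{password}")

def request_digest(h1, method, uri, nonce, nc, cnonce, qop="auth"):
    # For the server's rspauth the method is the empty string (RFC 2617, 3.2.3).
    h2 = _md5(f"{method}:{uri}")
    return _md5(f"{h1}:{nonce}:{nc}:{cnonce}:{qop}:{h2}")

def exchange(password, server_h1, user="ivanr", realm="Private", method="GET", uri="/private/"):
    """One challenge/response round trip.

    server_h1 is the H(A1) the server has on file, or None for a phishing
    server that does not know the password and merely pretends to accept.
    Returns (server accepted the client, client accepted the server).
    """
    nonce = secrets.token_hex(16)   # server challenge (WWW-Authenticate)
    cnonce = secrets.token_hex(8)   # client nonce, mixed into both digests
    nc = "00000001"
    client_h1 = ha1(user, realm, password)
    response = request_digest(client_h1, method, uri, nonce, nc, cnonce)
    if server_h1 is None:
        # Impostor: cannot verify anything, so it accepts and guesses rspauth.
        server_ok, rspauth = True, secrets.token_hex(16)
    else:
        expected = request_digest(server_h1, method, uri, nonce, nc, cnonce)
        server_ok = secrets.compare_digest(response, expected)
        if not server_ok:
            return False, False
        rspauth = request_digest(server_h1, "", uri, nonce, nc, cnonce)
    # The client recomputes rspauth with its own H(A1); a match proves the
    # server holds the same secret (mutual authentication).
    client_ok = secrets.compare_digest(
        rspauth, request_digest(client_h1, "", uri, nonce, nc, cnonce))
    return server_ok, client_ok
```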
Chapter 4 discusses cryptography, SSL, and client certificates. Here, I bring a couple of authentication-related points to your attention. Only two directives are needed to start asking clients to present their private certificates provided everything else SSL-related has been configured:
The network access control directives accept an address in any of the following forms:
- 192.168.254.125 (a single IP address)
- 192.168.254 (a partial address, matching the whole 192.168.254.0/24 network)
- 192.168.254.0/24 (a network in CIDR notation)
- 192.168.254.0/255.255.255.0 (a network with an explicit netmask)
- ivanr.apachesecurity.net (a full host name)
- .apachesecurity.net (a domain suffix, matching any host whose name ends with it)
In Apache 1, proxy access control is done through a specially named directory (proxy:), using network access control (as discussed in Section 7.3.5):
In Apache 2, the equivalent <Proxy> directive is used. (Apache 2 also provides the <ProxyMatch> directive, which allows the supplied URL to be an arbitrary regular expression.)
Proxying SSL requests requires use of a special CONNECT method, which is designed to allow arbitrary TCP/IP connection tunneling. (See Chapter 11 for examples.) By default, Apache allows connection tunneling only to ports 443 (SSL) and 563 (SNEWS). You should not allow other ports to be used (via the AllowCONNECT directive), since that would allow forward proxy users to connect to other services through the proxy.
One consequence of using a proxy server is transfer of trust. Instead of users on the internal network, the target server (or application) is seeing the proxy as the party initiating communication. Because of this, the target may give more access to its services than it would normally do. One common example of this problem is using a forward proxy server to send email. Assuming an email server is running on the same machine as the proxy server, this is how a spammer would trick the proxy into sending email:
This works because SMTP servers are error tolerant. When receiving the above request, the proxy opens a connection to port 25 on the same machine (that is, to the SMTP server) and forwards the request to that server. The SMTP server ignores errors incurred by the HTTP request line and the header that follows and processes the request body normally. Since the body contains a valid SMTP communication, an email message is created and accepted.
Unlike for the CONNECT method, Apache does not offer directives to control target ports for normal forward proxy requests. However, Apache Cookbook (Recipe 10.2) provides a solution for the proxy-sending-email problem in the form of a couple of mod_rewrite rules:
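The following configuration is an added example, not the book's or the Apache Cookbook's own rules. It ties together the two points above: restricting who may use the forward proxy (the <Proxy> directive with network access control, and AllowCONNECT for tunnels), and using mod_rewrite to refuse ordinary proxy requests aimed at ports other than 80 and 443, which is what the proxy-to-SMTP trick relies on. It assumes mod_proxy, mod_rewrite and the host-based access module are loaded; the network address and host names are constructed.

```apache
# Added example (not from the book or the Apache Cookbook). Apache 2.0/2.2
# syntax; Apache 2.4 expresses Order/Allow/Deny with Require instead.
# 192.168.254.0/24 and the host names are constructed values.

ProxyRequests On

# Forward proxying only for the internal network. Any of the address forms
# accepted by Allow/Deny can be used here (host, partial address, CIDR, netmask).
<Proxy *>
    Order Deny,Allow
    Deny from all
    Allow from 192.168.254.0/24
    # Domain-name forms force a reverse (and forward) DNS lookup per request;
    # prefer addresses unless you really need names:
    # Allow from .apachesecurity.net
</Proxy>

# CONNECT tunnels only to HTTPS; the built-in default also allows 563 (SNEWS).
AllowCONNECT 443

# Apache has no port control for ordinary proxy requests, so use mod_rewrite:
# refuse any absolute-URI request whose explicit target port is not 80 or 443.
# Requests without an explicit port use the scheme default and pass through.
RewriteEngine On
RewriteCond %{THE_REQUEST} ^[A-Z]+\s+https?://[^/\s]+:(\d+) [NC]
RewriteCond %1 !^(80|443)$
RewriteRule .* - [F]
```

Rejected requests appear in the access log with status 403, so a spike of 403s on the proxy from a single client is a cheap indicator that someone is probing it.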
I will mention more Apache directives related to access control. Prior to presenting that information, I would like to point out one more thing: many modules other than the ones described in this chapter can also be used to perform access control, even if that isn't their primary purpose. I have used one such module, mod_rewrite, many times in this book to perform things that would be impossible otherwise. Some modules are designed to perform advanced access control. This is the case with mod_dosevasive (mentioned in Chapter 5) and mod_security (described in detail in Chapter 12).
Request methods that Apache recognizes by name (for use with the <Limit> and <LimitExcept> directives):
- GET
- HEAD
- POST
- PUT
- DELETE
- CONNECT
- OPTIONS
- TRACE
- PROPFIND
- PROPPATCH
- MKCOL
- COPY
- MOVE
- LOCK
- UNLOCK

Arguments of the Satisfy directive, which controls how authentication and network access control are combined:
- Any
- All
If you have a situation where the authentication server is not on a trusted network, you could use the Stunnel universal SSL driver (as described in Appendix A) to secure communication between mod_auth_remote and the authentication server. However, if you recall the discussion from Chapter 4, establishing an SSL communication channel is the most expensive part of SSL communication. Without proper SSL support built into mod_auth_remote (enabling session reuse), performance will be inadequate.
Credential caching (actually the absence of it) is a frequent problem with authentication modules. The new authentication backend (the one from the 2.1 branch) includes a module, mod_authn_cache (http://mod-auth.sourceforge.net/docs/mod_authn_cache/), to enable caching. For Apache 1, similar functionality is provided by mod_auth_cache (http://mod-auth-cache.sourceforge.net).
