NthDegree
Joined: 14 Mar 2006 Posts: 14
Posted: Thu 20 Apr '06 0:12 Post subject: Apache WebServer Optimisation For Windows
Most people overlook these small things when setting up their webserver, but following this guide will help reduce potential exploits and reduce the attack surface of your server (not to mention make it run quicker).
1. System Preparation
Choose a secure server OS:
Recommended: Windows Server 2003 Standard or Enterprise (R2)
Bare minimum: Windows 2000 Server, final release
Partitioning:
When installing your operating system, partition a small area for your website.
The size of the partition should be enough to hold your site files, the Apache HTTP Server and any extra software you may need (SQL Server, PHP, ASP etc.).
Install as light as possible:
When setting up the OS, keep it light (don't install unnecessary languages or code pages), and remember to remove unnecessary rubbish after installation.
Tweak The OS:
Harden the TCP/IP stack using the following tool http://sniffem.exaserve.net/Hardenit.exe
Then create dedicated users for Apache and any other applications you need (e.g. MySQL) with minimum permissions and zero access to the main OS partition.
After creating them and setting the restrictions, ensure that Apache has write permission for the logs directory ONLY and that MySQL has write access to the data directory only.
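An added example, not part of NthDegree's post: a small Python check for the last step above (Apache's account may write to the logs directory only). It parses text in the layout that `icacls <path>` prints on Windows (path and first ACE on one line, further ACEs indented beneath it) and lists every directory where a given account holds a write-capable right. The server name WEB01, the account svc-apache, the D:\apache paths and the icacls output itself are constructed for illustration; paths are assumed to contain no spaces.

```python
"""Least-privilege check for a service account from `icacls` output.

Added example, not part of the original post. It parses text in the
layout `icacls <path>` prints (path and first ACE on one line, further
ACEs indented beneath it) and reports every directory where the account
holds a right that allows writing. The account name, the paths and the
output below are constructed for illustration.
"""
import re

# Constructed sample in icacls layout; hypothetical server and account names.
SAMPLE_ICACLS = r"""
D:\apache\conf NT AUTHORITY\SYSTEM:(OI)(CI)(F)
               BUILTIN\Administrators:(OI)(CI)(F)
               WEB01\svc-apache:(OI)(CI)(RX)
D:\apache\htdocs NT AUTHORITY\SYSTEM:(OI)(CI)(F)
                 BUILTIN\Administrators:(OI)(CI)(F)
                 WEB01\svc-apache:(OI)(CI)(RX)
D:\apache\logs NT AUTHORITY\SYSTEM:(OI)(CI)(F)
               BUILTIN\Administrators:(OI)(CI)(F)
               WEB01\svc-apache:(OI)(CI)(M)
D:\apache\cgi-bin NT AUTHORITY\SYSTEM:(OI)(CI)(F)
                  BUILTIN\Administrators:(OI)(CI)(F)
                  WEB01\svc-apache:(OI)(CI)(RX,WD,AD)
                  WEB01\svc-apache:(DENY)(D)
"""

# icacls simple and specific rights that let a principal change something.
WRITE_RIGHTS = {"F", "M", "W", "D", "WD", "AD", "WA", "WEA", "DC", "WDAC", "WO"}

ACE_RE = re.compile(r"^(?P<account>.+?):(?P<groups>(?:\([^)]*\))+)$")
PATH_RE = re.compile(r"^(?P<path>[A-Za-z]:\\\S*)\s+(?P<ace>.+)$")   # assumes no spaces in paths


def parse_ace(ace):
    """Return (account, is_deny, rights) for one 'account:(flags)(rights)' entry."""
    m = ACE_RE.match(ace.strip())
    if not m:
        raise ValueError("unrecognised ACE: %r" % ace)
    groups = re.findall(r"\(([^)]*)\)", m.group("groups"))
    rights = set(groups[-1].split(","))          # the last group is the rights list
    is_deny = "DENY" in groups[:-1]              # earlier groups are inheritance/deny flags
    return m.group("account"), is_deny, rights


def parse_icacls(text):
    """Map each path to its list of parsed ACEs."""
    acl, current = {}, None
    for line in text.splitlines():
        if not line.strip():
            continue
        if line[0].isspace():                    # continuation ACE for the current path
            acl[current].append(parse_ace(line))
            continue
        m = PATH_RE.match(line)
        if not m:
            continue                             # e.g. the 'Successfully processed' trailer
        current = m.group("path")
        acl[current] = [parse_ace(m.group("ace"))]
    return acl


def writable_paths(acl, account):
    """Paths where `account` is granted (and not denied) a write-capable right."""
    account = account.lower()
    out = []
    for path, aces in acl.items():
        granted, denied = set(), set()
        for acct, is_deny, rights in aces:
            if acct.lower() == account:
                (denied if is_deny else granted).update(rights)
        if (granted - denied) & WRITE_RIGHTS:
            out.append(path)
    return sorted(out)


def least_privilege_violations(acl, account, allowed_write):
    """Writable paths outside the set the service is meant to write to."""
    allowed = {p.lower().rstrip("\\") for p in allowed_write}
    return [p for p in writable_paths(acl, account) if p.lower().rstrip("\\") not in allowed]


if __name__ == "__main__":
    acl = parse_icacls(SAMPLE_ICACLS)
    for p in least_privilege_violations(acl, r"WEB01\svc-apache", [r"D:\apache\logs"]):
        print("write access outside the logs directory:", p)
```

On a real box you would feed it the output of `icacls D:\apache\* /T` (or one directory at a time); the sample shows the sort of thing to look for, a cgi-bin directory where the service account was granted WD/AD (create files and subdirectories) even though a later deny only covers delete.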
NthDegree
Joined: 14 Mar 2006 Posts: 14
Posted: Thu 20 Apr '06 0:32 Post subject: Part 2
2. Actual Set-up of the Apache Server
Restrict apache filesystem access permissions:
Use the user created during Part 1 to run the Apache server!
Adjusting for minimum needed support:
This is a heavily overlooked idea, and a very useful method for reducing possible exploits on your server.
Loading only the minimum number of modules on your server helps to reduce the surface area of possible attacks and exploits on your server.
For example, here are the module lines of a typical httpd.conf (without the commented-out parts):
Code: | LoadModule actions_module modules/mod_actions.so
LoadModule alias_module modules/mod_alias.so
LoadModule asis_module modules/mod_asis.so
LoadModule auth_basic_module modules/mod_auth_basic.so
LoadModule authn_default_module modules/mod_authn_default.so
LoadModule authn_file_module modules/mod_authn_file.so
LoadModule authz_default_module modules/mod_authz_default.so
LoadModule authz_groupfile_module modules/mod_authz_groupfile.so
LoadModule authz_host_module modules/mod_authz_host.so
LoadModule authz_user_module modules/mod_authz_user.so
LoadModule autoindex_module modules/mod_autoindex.so
LoadModule cgi_module modules/mod_cgi.so
LoadModule dir_module modules/mod_dir.so
LoadModule env_module modules/mod_env.so
LoadModule imagemap_module modules/mod_imagemap.so
LoadModule include_module modules/mod_include.so
LoadModule isapi_module modules/mod_isapi.so
LoadModule log_config_module modules/mod_log_config.so
LoadModule mime_module modules/mod_mime.so
LoadModule negotiation_module modules/mod_negotiation.so
LoadModule setenvif_module modules/mod_setenvif.so
LoadModule userdir_module modules/mod_userdir.so |
NOW ISN'T THAT A LOT?
Here's what you really need under basic circumstances:
Code: | LoadModule authn_default_module modules/mod_authn_default.so
LoadModule authz_host_module modules/mod_authz_host.so
LoadModule dir_module modules/mod_dir.so
LoadModule mime_module modules/mod_mime.so
LoadModule setenvif_module modules/mod_setenvif.so |
Now to further reduce attack potential another idea is to lessen the support when compiling apache to only allow EXACTLY WHAT YOU NEED!!!
To be continued.....(in next post )
Last edited by NthDegree on Thu 20 Apr '06 1:26; edited 1 time in total
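An added example, not code from NthDegree's post: a Python helper that comments out every LoadModule line not on your keep-list and then warns about directives left in the file that depend on a module you just dropped. That second check is the one people forget; in Apache 2.2, for instance, a CustomLog or LogFormat line needs mod_log_config, and Options Indexes needs mod_autoindex, neither of which is in the five-module list above. The httpd.conf fragment is constructed, and the directive-to-module table is a partial one I assembled for 2.2, not a complete dependency list.

```python
"""Trim an httpd.conf to an allow-list of modules and flag directives that
still depend on a module being dropped.

Added example, not code from the original post. The directive-to-module
table is a partial one for Apache 2.2 assembled for illustration; the
sample configuration is constructed.
"""
import re

# Constructed httpd.conf fragment (Apache 2.2 style).
SAMPLE_CONF = """\
LoadModule alias_module modules/mod_alias.so
LoadModule authz_host_module modules/mod_authz_host.so
LoadModule autoindex_module modules/mod_autoindex.so
LoadModule cgi_module modules/mod_cgi.so
LoadModule dir_module modules/mod_dir.so
LoadModule log_config_module modules/mod_log_config.so
LoadModule mime_module modules/mod_mime.so
LoadModule setenvif_module modules/mod_setenvif.so
#LoadModule userdir_module modules/mod_userdir.so
Listen 80
DocumentRoot "X:/htdocs"
<Directory "X:/htdocs">
    Options Indexes FollowSymLinks
    AllowOverride None
    Order allow,deny
    Allow from all
</Directory>
DirectoryIndex index.html
TypesConfig conf/mime.types
LogFormat "%h %l %u %t \\"%r\\" %>s %b" common
CustomLog logs/access.log common
"""

# The post's "basic circumstances" list.
BASIC_MODULES = {"authn_default_module", "authz_host_module", "dir_module",
                 "mime_module", "setenvif_module"}

# Directive -> module implementing it in Apache 2.2 (partial table, an assumption).
DIRECTIVE_MODULE = {
    "CustomLog": "log_config_module", "TransferLog": "log_config_module",
    "LogFormat": "log_config_module",
    "Alias": "alias_module", "ScriptAlias": "alias_module", "Redirect": "alias_module",
    "DirectoryIndex": "dir_module",
    "TypesConfig": "mime_module", "AddType": "mime_module", "AddHandler": "mime_module",
    "SetEnvIf": "setenvif_module", "BrowserMatch": "setenvif_module",
    "Order": "authz_host_module", "Allow": "authz_host_module", "Deny": "authz_host_module",
    "AuthUserFile": "authn_file_module", "AuthGroupFile": "authz_groupfile_module",
    "UserDir": "userdir_module", "Action": "actions_module",
    "IndexOptions": "autoindex_module", "IndexIgnore": "autoindex_module",
}
# Options keywords whose effect needs a module.
OPTION_MODULE = {"Indexes": "autoindex_module", "Includes": "include_module",
                 "ExecCGI": "cgi_module"}

LOADMODULE_RE = re.compile(r"^\s*LoadModule\s+(\S+)\s+(\S+)")


def required_modules(conf):
    """List (directive line, module) for every uncommented directive that needs a module."""
    needs = []
    for line in conf.splitlines():
        s = line.strip()
        if not s or s.startswith(("#", "<")):
            continue
        words = s.split()
        directive = words[0]
        if directive in DIRECTIVE_MODULE:
            needs.append((s, DIRECTIVE_MODULE[directive]))
        if directive == "Options":
            for opt in words[1:]:
                mod = OPTION_MODULE.get(opt.lstrip("+-"))
                if mod:
                    needs.append((s, mod))
        # CGI execution itself is mod_cgi, whichever directive maps the scripts.
        if directive == "ScriptAlias" or (directive == "AddHandler" and "cgi-script" in words):
            needs.append((s, "cgi_module"))
    return needs


def minimize(conf, keep):
    """Comment out LoadModule lines not in `keep`; return (new_conf, loaded, warnings)."""
    out, loaded = [], set()
    for line in conf.splitlines():
        m = LOADMODULE_RE.match(line)
        if m and m.group(1) not in keep:
            out.append("#" + line.lstrip())
        else:
            if m:
                loaded.add(m.group(1))
            out.append(line)
    warnings = [(d, mod) for d, mod in required_modules(conf) if mod not in loaded]
    return "\n".join(out) + "\n", loaded, warnings


if __name__ == "__main__":
    new_conf, loaded, warnings = minimize(SAMPLE_CONF, BASIC_MODULES)
    for directive, mod in warnings:
        print("%-40s needs %s, which is no longer loaded" % (directive, mod))
```

Run against the sample with the five-module list, it reports that Options Indexes, LogFormat and CustomLog all need modules that are no longer loaded; add those modules back to the keep-list (or remove the directives) and the warnings disappear. Always follow up with `httpd -t` on the real file, since the table above only knows the common directives.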
NthDegree
Joined: 14 Mar 2006 Posts: 14
Posted: Thu 20 Apr '06 0:47 Post subject: Part 3
3. Set up of extra applications
This section is generic advice to help with the set-up of extra bits; skip it if you only intend to use Apache to serve up HTML!
Use only the minimums (MySQL example):
When setting up MySQL, install using the "Essentials" package; that way you install less and still have what you need to cater for your server!
(http://dev.mysql.com/get/Downloads/MySQL-5.0/mysql-essential-5.0.20-win32.msi/from/http://mysql.belnet.be/ For Essentials)
Also, when configuring MySQL, only use the amounts and resources you need; this can help lighten the load.
e.g. Developer Machine, MyISAM ONLY, 2 Persistent Connections, latin1 character set.
Disable Unnecessary Functions (PHP Example):
Disabling PHP functions your scripts don't use or that are considered dangerous or risky is an excellent way to harden against attack.
For Example:
Placing the following in your php.ini can help reduce the possibility of exploitation:
Code: | disable_functions = "system,exec,shell_exec,passthru,escapeshellcmd,popen,pcntl_exec" |
Also if you are skilled at programming use the Hardened PHP Project's recommended patches to help further secure your PHP!
To be continued........
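An added example, not from NthDegree's post: before you put a disable_functions line in php.ini, find out which of those functions your scripts actually call. The Python scan below is a regex approximation (no PHP parser) run over a constructed gallery script; it reports direct calls, use of the backtick operator (which PHP documents as disabled whenever shell_exec() is), and function names that only appear as string literals, the form a plain grep for `system(` misses. The list it checks extends the post's with proc_open, which also spawns a process; the sample code and that addition are mine.

```python
"""Find which functions on a php.ini disable_functions list a codebase
actually calls, before switching them off.

Added example, not from the original post. The PHP below is a constructed
sample; the scan is a regex approximation, not a PHP parser. The list
extends the post's with proc_open, which also spawns processes.
"""
import re

DISABLE_FUNCTIONS = "system,exec,shell_exec,passthru,escapeshellcmd,popen,pcntl_exec,proc_open"

# Constructed sample script (hypothetical thumbnail gallery code).
SAMPLE_PHP = r"""<?php
// resize an uploaded image for the gallery
$file = escapeshellarg($_GET['file']);
$out = shell_exec("convert $file -resize 120x120 thumbs/" . basename($file));
$listing = `dir thumbs`;                 /* backtick operator behaves like shell_exec() */
$fn = 'system';
$fn('whoami');                           // variable function: a grep for system( misses this
call_user_func('passthru', 'id');
if (file_exists($file)) { echo htmlspecialchars($file); }
"""

# identifier followed by "(" that is not a variable ($fn), method (->) or static (::) call
CALL_RE = re.compile(r"(?<![\w$>:])([A-Za-z_]\w*)\s*\(")
# string literal consisting solely of an identifier, e.g. 'system'
STRING_RE = re.compile(r"""(['"])([A-Za-z_]\w*)\1""")


def strip_comments(src):
    """Drop /* */ and line comments so commented-out calls are not counted (approximate)."""
    src = re.sub(r"/\*.*?\*/", "", src, flags=re.S)
    return re.sub(r"(?m)(//|#).*$", "", src)


def audit_disable_list(src, disable_functions=DISABLE_FUNCTIONS):
    """Report direct calls, backtick use and string-named (dynamic) calls of disabled functions."""
    disabled = {f.strip().lower() for f in disable_functions.split(",") if f.strip()}
    code = strip_comments(src)
    direct = {name.lower() for name in CALL_RE.findall(code)} & disabled   # PHP names are case-insensitive
    backtick = code.count("`") >= 2 and "shell_exec" in disabled
    dynamic = {s.lower() for _, s in STRING_RE.findall(code)} & disabled
    return {"direct": direct, "backtick": backtick, "dynamic": dynamic}


if __name__ == "__main__":
    report = audit_disable_list(SAMPLE_PHP)
    print("direct calls to disabled functions:", sorted(report["direct"]))
    print("backtick operator used (needs shell_exec):", report["backtick"])
    print("disabled functions named in strings (dynamic calls?):", sorted(report["dynamic"]))
```

For the sample it finds that shell_exec is called directly and via backticks, and that system and passthru are invoked through a variable and call_user_func. Note that disable_functions still blocks those dynamic forms at runtime (it is enforced on the function table, not on the call syntax); the scan exists so you know what will break before you flip the switch.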
NthDegree
Joined: 14 Mar 2006 Posts: 14
Posted: Thu 20 Apr '06 1:04 Post subject: Part 4
4. Extra Security for Apache
Using mod_security:
If you intend to serve up dynamic content or use CGI/SSI/PHP/ASP/ASPX/Java or any other form of scripting, then mod_security is an excellent way to block exploits!
Simply add the following to the httpd.conf!
Code: | LoadModule security_module modules/mod_security/mod_security.so |
Then add the following code to the very end of the httpd.conf to add some basic rules:
Code: |
<IfModule mod_security.c>
SecFilterEngine On
SecFilterScanPOST On
SecFilterCheckURLEncoding On
SecFilterCheckUnicodeEncoding On
SecFilterForceByteRange 10 128
SecServerSignature "Microsoft-IIS/4.0"
SecAuditEngine RelevantOnly
SecAuditLog logs/sec.log
SecFilterDefaultAction "deny,log,msg:'Common attacks',status:403"
SecFilter "^GET (http|https|ftp)\:/"
SecFilter "^HEAD (http|https|ftp)\:/"
SecFilter "^POST (http|https|ftp)\:/"
SecFilterSelective THE_REQUEST "^CONNECT "
SecFilterSelective REQUEST_METHOD "!^(GET|HEAD)$" chain
SecFilterSelective HTTP_Content-Type "!(^application/x-www-form-urlencoded$|^multipart/form-data;)"
SecFilterSelective REQUEST_METHOD "^(GET|HEAD)$" chain
SecFilterSelective HTTP_Content-Length "!^$"
SecFilterSelective REQUEST_METHOD "!^(GET|HEAD|POST)$"
SecFilterSelective SERVER_PROTOCOL "!^HTTP/(0\.9|1\.0|1\.1)$"
SecFilterSelective REQUEST_METHOD "^POST$" chain
SecFilterSelective HTTP_Content-Length "^$"
SecFilterSelective HTTP_Transfer-Encoding "!^$"
SecFilterSignatureAction "log,deny,msg:'PHP attack'"
SecFilterSelective ARGS_NAMES "^php:/"
SecFilterSelective ARG_highlight "(\x27|%27|\x2527|%2527)"
SecFilterSignatureAction "log,deny,msg:'Awstats Attack'"
SecFilterSelective ARGS_NAMES "configdir"
SecFilterSignatureAction "log,deny,msg:'SQL Injection attack'"
SecFilterSelective ARGS "delete[[:space:]]+from"
SecFilterSelective ARGS "drop[[:space:]]+database"
SecFilterSelective ARGS "drop[[:space:]]+table"
SecFilterSelective ARGS "drop[[:space:]]+column"
SecFilterSelective ARGS "drop[[:space:]]+procedure"
SecFilterSelective ARGS "create[[:space:]]+table"
SecFilterSelective ARGS "update.+set.+="
SecFilterSelective ARGS "insert[[:space:]]+into.+values"
SecFilterSelective ARGS "select.+from"
SecFilterSelective ARGS "bulk[[:space:]]+insert"
SecFilterSelective ARGS "union.+select"
SecFilterSelective ARGS "or.+1[[:space:]]*=[[:space:]]*1"
SecFilterSelective ARGS "alter[[:space:]]+table"
SecFilterSelective ARGS "or 1=1--'"
SecFilterSelective ARGS "'.+--"
SecFilterSelective ARGS "into[[:space:]]+outfile"
SecFilterSelective ARGS "load[[:space:]]+data"
SecFilterSelective ARGS "/\*.+\*/"
SecFilterSignatureAction "log,deny,msg:'Command execution attack'"
SecFilterSelective ARGS_VALUES "^(uname|id|ls|rm|kill)"
SecFilterSelective ARGS_VALUES "^(ls|id|pwd|wget)"
SecFilterSelective ARGS_VALUES ";[[:space:]]*(ls|id|pwd|wget)"
</IfModule> |
The next step to further reinforce mod_security is to get some nice rules from gotroot or another rules source.
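An added example, not part of NthDegree's post or of mod_security itself: a Python harness that runs a handful of the SQL-injection signatures from the rule set above over constructed query strings, so you can see what they catch and what they block by mistake before putting them in front of real users. It URL-decodes the arguments the way the engine normalises input, translates the POSIX classes the rules use (Python's re has none), and matches case-insensitively, which is an assumption about the engine's default that the lowercase signatures rely on to catch upper-case SQL. The `or 1=1` rule here carries a `*` on both sides of the `=`; with it missing after the `=`, the common `1=1` form slips past.

```python
"""Run a few SecFilterSelective ARGS signatures over constructed requests.

Added example, not part of the original post or of mod_security. POSIX
bracket classes are translated to Python re syntax; matching is
case-insensitive (assumption about the engine default).
"""
import re
from urllib.parse import parse_qsl

ARGS_RULES = [
    "delete[[:space:]]+from",
    "drop[[:space:]]+table",
    "update.+set.+=",
    "insert[[:space:]]+into.+values",
    "select.+from",
    "union.+select",
    "or.+1[[:space:]]*=[[:space:]]*1",   # '*' after '=' too, or "1=1" is missed
    "'.+--",
    "into[[:space:]]+outfile",
    r"/\*.+\*/",
]

POSIX_CLASSES = {"[[:space:]]": r"\s", "[[:alpha:]]": "[A-Za-z]",
                 "[[:digit:]]": r"\d", "[[:alnum:]]": "[A-Za-z0-9]"}


def compile_rule(rule):
    """Python's re has no POSIX bracket classes; swap them for equivalents."""
    for posix, py in POSIX_CLASSES.items():
        rule = rule.replace(posix, py)
    return re.compile(rule, re.IGNORECASE)


COMPILED = [(r, compile_rule(r)) for r in ARGS_RULES]


def evaluate(query_string):
    """Return {rule: [argument names it fired on]} for a raw query string."""
    hits = {}
    for name, value in parse_qsl(query_string, keep_blank_values=True):  # decodes %27, '+'
        for rule, rx in COMPILED:
            if rx.search(value):
                hits.setdefault(rule, []).append(name)
    return hits


# Constructed requests: two attacks, two benign inputs, one ordinary page request.
REQUESTS = {
    "union attack":      "id=1+UNION+SELECT+user%2Cpassword+FROM+users",
    "tautology attack":  "id=1%27+OR+1%3D1--",
    "benign search":     "q=select+a+gift+from+our+catalogue",
    "benign comment":    "comment=I%27ll+wait+--+see+you",
    "benign paging":     "page=2&sort=name",
}

if __name__ == "__main__":
    for label, qs in REQUESTS.items():
        fired = evaluate(qs)
        print("%-18s %s" % (label, "blocked by " + ", ".join(fired) if fired else "passed"))
```

Both attacks are blocked, but so are a product search containing "select ... from" and a comment that happens to contain an apostrophe followed by "--". Keyword signatures like these are a coarse net; expect to whitelist or tune them per application, which is one reason to pick up a maintained rule set rather than hand-writing them.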
NthDegree
Joined: 14 Mar 2006 Posts: 14
Posted: Thu 20 Apr '06 1:25 Post subject: Extra Ideas:
5. Final Hardening of Apache
Allow only "approved" user-agents:
Set up Apache to only allow approved user agents, to aid in blocking skiddies and lessen the load on mod_security.
User-Agents are the signatures left by browsers, hack tools, web bots etc.
Here's some example code on how to allow specific User-Agents access to the site:
Code: | SetEnvIf User-Agent "^Mozilla/4\.0 \(compatible; MSIE 6\.0; Windows NT 5\.2; WOW64; SV1; \.NET CLR 2\.0\.50727\)" 102B
SetEnvIf User-Agent "^Mozilla/5\.0 \(Windows; U; Windows NT 5\.1; en-US; rv:1\.8\.0\.2\) Gecko/20060308 Firefox/1\.5\.0\.2" 103B
<Directory "X:/htdocs">
Options None
AllowOverride None
Order allow,deny
Allow from env=102B
Allow from env=103B
</Directory> |
Firewalling:
Use a hardware firewall router and a software firewall set to allow httpd.exe inbound on port 80 (or 443 for mod_ssl) only, and block all other communication.
Allow outbound to 3306 if you use MySQL, and outbound on 25 if you use your Apache to send e-mail (for example with PHP).
Intrusion Detection & Prevention:
Under normal circumstances Intrusion Detection & Prevention systems are quite useless to the average home user, but are worth considering if you want to further restrict things to the extreme.
If your system is set out correctly and protected at every level (Base OS, Kernel, Filesystem, Registry & Applications, Webserver, Software Firewall, Hardware Firewall Router) then IDS/IPS is virtually pointless unless you get a lot of traffic or are attacked often.
Snort http://www.snort.org - One example of an IDS/IPS system
Steffen Moderator
Joined: 15 Oct 2005 Posts: 3092 Location: Hilversum, NL, EU
Posted: Sun 07 May '06 8:29
Good guide with a lot of tips. I think it is very useful for a lot of webmasters, so I put a link to this post on the main page here.
Steffen
Brian
Joined: 21 Oct 2005 Posts: 209 Location: Puyallup, WA USA
Posted: Sun 07 May '06 17:48
Yes, thank you for the series of suggestions. I love using WAMP servers, Steffen knows this about me. I am already utilizing some of what you brought up.
Jorge
Joined: 12 Mar 2006 Posts: 376 Location: Belgium
Posted: Sun 07 May '06 19:25
Code: | SetEnvIf User-Agent "^Mozilla/4\.0 \(compatible; MSIE 6\.0; Windows NT 5\.2; WOW64; SV1; \.NET CLR 2\.0\.50727\)" 102B
SetEnvIf User-Agent "^Mozilla/5\.0 \(Windows; U; Windows NT 5\.1; en-US; rv:1\.8\.0\.2\) Gecko/20060308 Firefox/1\.5\.0\.2" 103B |
looks like a bad idea though
Someone with IE 5, 5.5 or 7.0 or an older version of Firefox (or the newest 1.5.0.3) can't access the server
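An added example, not from NthDegree's or Jorge's posts: a Python check of what a SetEnvIf User-Agent allow-list like the one in Part 5 really admits, with Python's re standing in for the PCRE engine Apache uses. It shows two things. First, a regex with the parentheses and dots left unescaped does not match the very browser it names, because `(...)` is a group and not literal text (and if the directive is left unquoted, Apache reads only `^Mozilla/4.0` as the regex and takes the remaining words as names of environment variables to set, which admits every Mozilla/4.0 client). Second, as Jorge says, an exact string rejects the next point release, so a looser "browser family" pattern is the least you would use. The user-agent strings and the family patterns are constructed for this illustration.

```python
"""Check what a SetEnvIf User-Agent allow-list admits.

Added example, not from the original thread. Python's re stands in for
Apache's PCRE; the user-agent strings and the FAMILY patterns are
constructed for illustration.
"""
import re

# Parentheses and dots unescaped: "(" opens a group, so the literal "(" in a
# real user agent never matches.
UNESCAPED = [
    r"^Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; WOW64; SV1; .NET CLR 2.0.50727)",
    r"^Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.0.2) Gecko/20060308 Firefox/1.5.0.2",
]
# Same strings with metacharacters escaped: matches exactly those two builds.
EXACT = [
    r"^Mozilla/4\.0 \(compatible; MSIE 6\.0; Windows NT 5\.2; WOW64; SV1; \.NET CLR 2\.0\.50727\)",
    r"^Mozilla/5\.0 \(Windows; U; Windows NT 5\.1; en-US; rv:1\.8\.0\.2\) Gecko/20060308 Firefox/1\.5\.0\.2",
]
# Looser "browser family" patterns (constructed): survive point releases.
FAMILY = [
    r"^Mozilla/4\.0 \(compatible; MSIE [5-7]\.\d+; Windows",
    r"^Mozilla/5\.0 \(Windows;.* Firefox/1\.5",
]

# Constructed user-agent strings.
UA = {
    "msie6_nt52":   "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; WOW64; SV1; .NET CLR 2.0.50727)",
    "firefox_1502": "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.0.2) Gecko/20060308 Firefox/1.5.0.2",
    "firefox_1503": "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.0.3) Gecko/20060426 Firefox/1.5.0.3",
    "wget":         "Wget/1.10.2",
    # any client can send the MSIE string verbatim (e.g. wget --user-agent=...)
    "spoofed":      "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; WOW64; SV1; .NET CLR 2.0.50727)",
}


def allowed(user_agent, patterns):
    """True if any SetEnvIf-style regex matches the user agent (search semantics, as Apache)."""
    return any(re.search(p, user_agent) for p in patterns)


def admitted(patterns, agents=UA):
    """Sorted names of the constructed clients the pattern set lets in."""
    return sorted(name for name, ua in agents.items() if allowed(ua, patterns))


if __name__ == "__main__":
    for label, patterns in (("unescaped", UNESCAPED), ("exact", EXACT), ("family", FAMILY)):
        print("%-10s admits %s" % (label, admitted(patterns)))
```

The unescaped set admits nobody, the exact set admits the two named builds but not Firefox 1.5.0.3, and the family set admits all three browsers while still rejecting a bare wget. The "spoofed" entry is the caveat: a user-agent check only filters clients that do not bother to lie, so treat it as noise reduction in front of mod_security, never as access control.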
Jcink
Joined: 06 Mar 2006 Posts: 23
Posted: Sun 21 May '06 18:08
Thanks for the tutorial, I found it really helpful.
But I have a question about Hardenit.exe - what do you pick in all of that? It says to simply not hit next->next->next-> and I don't want to make any mistakes.
Thanks.
DeliriumServers
Joined: 17 Jun 2006 Posts: 54 Location: H Town
Posted: Sun 02 Jul '06 23:23 Post subject: hmm
I'm on Windows Server 2003 Enterprise R2 and I'm having some confusion on limiting users to certain partitions, could someone give me some very detailed instructions? I really appreciate it, thanks guys!
Correction! I'm retarded
dke
Joined: 13 Jul 2007 Posts: 61 Location: sweden
Posted: Mon 27 Aug '07 22:14
Awesome post, bookmarked.
Any tips regarding the optimisation of the TCP/IP stack would be great; I saw there were like 100 questions in the hardenit.exe file.
Any tips for a Windows machine trying to host a gallery with lots of thumbnails loading rapidly?