| Author |
|
James Blond
Moderator
Joined: 19 Jan 2006
Posts: 7371
Location: Germany, Next to Hamburg
|
 Posted: Thu 02 Aug '07 11:51 Post subject: Some ways to secure apache web server under Windows |
 |
|
install the lastet version
In older versions are bugs which could be used from attackers.
Hide the Apache Version number, and other sensitive information
here are two directives that you need to add, or edit in your httpd.conf file:
| Code: |
ServerSignature Off
ServerTokens Prod
|
The ServerSignature appears on the bottom of pages generated by apache such as 404 pages, directory listings, etc.
The ServerTokens directive is used to determine what Apache will put in the Server HTTP response header. By setting
it to Prod it sets the HTTP response header as follows:
If you're super paranoid you could change this to something other than "Apache" by editing the source code, or by using mod_security
Ensure that files outside the web root are not served
We don't want apache to be able to access any files out side of its web root.
So assuming all your web sites are placed under one directory (we will call this
C:/apache2/htdocs), you would set it up as follows:
| Code: |
<Directory />
Order Deny,Allow
Deny from all
Options None
AllowOverride None
</Directory>
<Directory C:/apache2/htdocs>
Order Allow,Deny
Allow from all
</Directory>
|
Note that because we set Options None and AllowOverride None this will turn off all options and overrides for the server.
You now have to add them explicitly for each directory that requires an Option or Override
Turn off directory browsing
You can do this with an Options directive inside a Directory tag. Set Options to either None or -Indexes
Turn off server side includes
This is also done with the Options directive inside a Directory tag. Set Options to either None or -Includes
Turn off CGI execution
If you're not using CGI turn it off with the Options directive inside a Directory tag. Set Options to either [color=green]None or -ExecCGI
Turning off multiple Options
Now combine all stuff!
shortest
or
| Code: |
Options -ExecCGI -Includes -Indexes
|
Turn off support for .htaccess files
This is done in a Directory tag but with the AllowOverride directive. Set it to None.
Disable any unnecessary modules
Apache typically comes with several modules installed. Go through the apache module documentation and learn
what each module you have enabled actually does. Many times you will find that you don't need to have the said module enabled.
Look for lines in your httpd.conf that contain LoadModule. To disable the module you can typically just add a # at the beginning of the line.
Restricting Access by IP
If you have a resource that should only by accessed by a certain network, or IP address you can enforce this in your apache configuration. For instance if you want to restrict access to your intranet to allow only the 192.168 network:
| Code: |
Order Deny,Allow
Deny from all
Allow from 192.18.0.0/16
|
or by IP
| Code: |
Order Deny,Allow
Deny from all
Allow from 127.0.0.1 192.168
|
Any comments?
Last edited by James Blond on Thu 06 Sep '07 10:03; edited 1 time in total |
|
| Back to top |
|
flyingmonkey
Joined: 01 Aug 2007
Posts: 15
|
| Posted: Wed 05 Sep '07 22:13 Post subject: |
|
|
Great Post!
I think there may've been a typo in "Turn off directory browsing" code:
seems like it should be:
Reducing the Timeout may also help prevent DoS attacks. I believe default is 300.
| Code: |
# wait up to 60 seconds for slow clients
TimeOut 60
|
Do you have any tips on setting up accounts / partitions / etc. for Apache on Windows? I would like to try and make my installation as secure as possible. I am relatively a newb to Apache. |
|
| Back to top |
|
James Blond
Moderator
Joined: 19 Jan 2006
Posts: 7371
Location: Germany, Next to Hamburg
|
| Posted: Thu 06 Sep '07 10:04 Post subject: |
|
|
Thanks! I corrected that typo 
The thing with TimeOut is a good hint! |
|
| Back to top |
|
flyingmonkey
Joined: 01 Aug 2007
Posts: 15
|
| Posted: Thu 06 Sep '07 22:33 Post subject: |
|
|
No problem, if I am using Apache just as a reverse proxy without hosting anything directly on the server, do I still need the later section?
of "Ensure that files outside the web root are not served"
| Code: |
<Directory C:/apache2/htdocs>
Order Allow,Deny
Allow from all
</Directory>
|
My assumption is no, since I won't have any files stored. I just want to double check that I am not opening up a big no-no.  [/code] |
|
| Back to top |
|
James Blond
Moderator
Joined: 19 Jan 2006
Posts: 7371
Location: Germany, Next to Hamburg
|
| Posted: Fri 07 Sep '07 9:49 Post subject: |
|
|
"Ensure that files outside the web root are not served" is this part.
| Code: |
<Directory />
Order Deny,Allow
Deny from all
Options None
AllowOverride None
</Directory>
|
the / will be interpreted from Windows as the root e.g. C:\ or D:\ ...
If you only run your server as a reverse proxy there is no security hole at all.
And yes you need the permission part for the doc root which is the doc root for the reverse proxy, if you did not set up a a vhost. |
|
| Back to top |
|
iiigoiii
Joined: 14 Dec 2007
Posts: 1
|
| Posted: Fri 14 Dec '07 23:41 Post subject: Re: Some ways to secure apache web server under Windows |
|
|
just wanted to mention for those installing 2.x that the ServerSignature and ServerTokens directives are no longer in httpd.conf, but extra/httpd-default.conf.
and of course it goes without mentioning that the
#Include conf/extra/httpd-default.conf
line must be uncommented if changes are made to that file!
| Quote: | Hide the Apache Version number, and other sensitive information
here are two directives that you need to add, or edit in your httpd.conf file:
| Code: |
ServerSignature Off
ServerTokens Prod
|
|
|
|
| Back to top |
|
Mitron
Joined: 04 Jan 2006
Posts: 63
|
| Posted: Mon 17 Dec '07 8:59 Post subject: Re: Some ways to secure apache web server under Windows |
|
|
| James Blond wrote: |
Restricting Access by IP
If you have a resource that should only by accessed by a certain network, or IP address you can enforce this in your apache configuration. For instance if you want to restrict access to your intranet to allow only the 192.168 network:
| Code: |
Order Deny,Allow
Deny from all
Allow from 192.18.0.0/16
|
|
Don't want to be a stickler or anything, but should this be?
| Code: |
Order Deny,Allow
Deny from all
Allow from 192.168.0.0/16
|
|
|
| Back to top |
|
ndricim
Joined: 19 Mar 2018
Posts: 4
Location: Kosovo, Ferizaj
|
| Posted: Wed 20 Mar '19 14:37 Post subject: |
|
|
| How to i disable from browesing all System files with an filemanager like phpFileManager |
|
| Back to top |
|
James Blond
Moderator
Joined: 19 Jan 2006
Posts: 7371
Location: Germany, Next to Hamburg
|
|
| Back to top |
|
glsmith
Moderator
Joined: 16 Oct 2007
Posts: 2268
Location: Sun Diego, USA
|
| Posted: Wed 20 Mar '19 23:25 Post subject: |
|
|
If people should always be using the latest version, should this thread not be modified to follow suit (Require vs. Allow/Deny/Order/Satisfy)?
Problems can occur when mixing the two. This is why at Apache Haus mod_access_compat is not loaded by default (in contrast to how it's configured out of compiler).
Quite frankly, once you have wrapped your head around it (which will take time), you will probably like it better.
If you are using the old 2.2 style and have not wrapped your head around Order, you could easily shoot yourself in the foot. Probable? In most circumstances no. Still possible? Yes. |
|
| Back to top |
|
