logo
Apache Lounge
Webmasters

 

About Forum Index Downloads Search Register Log in RSS X


Keep Server Online

If you find the Apache Lounge, the downloads and overall help useful, please express your satisfaction with a donation.

or

Bitcoin

A donation makes a contribution towards the costs, the time and effort that's going in this site and building.

Thank You! Steffen

Your donations will help to keep this site alive and well, and continuing building binaries. Apache Lounge is not sponsored.
Post new topic   Forum Index -> How-to's & Documentation & Tips View previous topic :: View next topic
Reply to topic   Topic: Some ways to secure apache web server under Windows
Author
James Blond
Moderator


Joined: 19 Jan 2006
Posts: 7373
Location: Germany, Next to Hamburg

PostPosted: Thu 02 Aug '07 11:51    Post subject: Some ways to secure apache web server under Windows Reply with quote

install the lastet version
In older versions are bugs which could be used from attackers.


Hide the Apache Version number, and other sensitive information

here are two directives that you need to add, or edit in your httpd.conf file:
Code:

ServerSignature Off
ServerTokens Prod


The ServerSignature appears on the bottom of pages generated by apache such as 404 pages, directory listings, etc.

The ServerTokens directive is used to determine what Apache will put in the Server HTTP response header. By setting
it to Prod it sets the HTTP response header as follows:

Code:

Server: Apache


If you're super paranoid you could change this to something other than "Apache" by editing the source code, or by using mod_security

Ensure that files outside the web root are not served

We don't want apache to be able to access any files out side of its web root.
So assuming all your web sites are placed under one directory (we will call this
C:/apache2/htdocs), you would set it up as follows:

Code:

<Directory />
  Order Deny,Allow
  Deny from all
  Options None
  AllowOverride None
</Directory>
<Directory C:/apache2/htdocs>
  Order Allow,Deny
  Allow from all
</Directory>


Note that because we set Options None and AllowOverride None this will turn off all options and overrides for the server.
You now have to add them explicitly for each directory that requires an Option or Override

Turn off directory browsing

You can do this with an Options directive inside a Directory tag. Set Options to either None or -Indexes

Code:

Options -Indexes


Turn off server side includes

This is also done with the Options directive inside a Directory tag. Set Options to either None or -Includes

Code:

Options -Includes


Turn off CGI execution

If you're not using CGI turn it off with the Options directive inside a Directory tag. Set Options to either [color=green]None or -ExecCGI

Code:

Options -ExecCGI


Turning off multiple Options

Now combine all stuff!

shortest

Code:

Options None


or

Code:

Options -ExecCGI -Includes -Indexes



Turn off support for .htaccess files

This is done in a Directory tag but with the AllowOverride directive. Set it to None.

Code:

AllowOverride None


Disable any unnecessary modules

Apache typically comes with several modules installed. Go through the apache module documentation and learn
what each module you have enabled actually does. Many times you will find that you don't need to have the said module enabled.

Look for lines in your httpd.conf that contain LoadModule. To disable the module you can typically just add a # at the beginning of the line.


Restricting Access by IP
If you have a resource that should only by accessed by a certain network, or IP address you can enforce this in your apache configuration. For instance if you want to restrict access to your intranet to allow only the 192.168 network:

Code:

Order Deny,Allow
Deny from all
Allow from 192.18.0.0/16


or by IP

Code:

Order Deny,Allow
Deny from all
Allow from 127.0.0.1 192.168


Any comments?


Last edited by James Blond on Thu 06 Sep '07 10:03; edited 1 time in total
Back to top
flyingmonkey



Joined: 01 Aug 2007
Posts: 15

PostPosted: Wed 05 Sep '07 22:13    Post subject: Reply with quote

Great Post!

I think there may've been a typo in "Turn off directory browsing" code:
Code:

Options -Includes


seems like it should be:

Code:

Options -Indexes


Reducing the Timeout may also help prevent DoS attacks. I believe default is 300.

Code:

# wait up to 60 seconds for slow clients
TimeOut 60


Do you have any tips on setting up accounts / partitions / etc. for Apache on Windows? I would like to try and make my installation as secure as possible. I am relatively a newb to Apache.
Back to top
James Blond
Moderator


Joined: 19 Jan 2006
Posts: 7373
Location: Germany, Next to Hamburg

PostPosted: Thu 06 Sep '07 10:04    Post subject: Reply with quote

Thanks! I corrected that typo Embarassed

The thing with TimeOut is a good hint!
Back to top
flyingmonkey



Joined: 01 Aug 2007
Posts: 15

PostPosted: Thu 06 Sep '07 22:33    Post subject: Reply with quote

No problem, if I am using Apache just as a reverse proxy without hosting anything directly on the server, do I still need the later section?

of "Ensure that files outside the web root are not served"

Code:

<Directory C:/apache2/htdocs>
  Order Allow,Deny
  Allow from all
</Directory>


My assumption is no, since I won't have any files stored. I just want to double check that I am not opening up a big no-no. Very Happy [/code]
Back to top
James Blond
Moderator


Joined: 19 Jan 2006
Posts: 7373
Location: Germany, Next to Hamburg

PostPosted: Fri 07 Sep '07 9:49    Post subject: Reply with quote

"Ensure that files outside the web root are not served" is this part.

Code:

<Directory />
  Order Deny,Allow
  Deny from all
  Options None
  AllowOverride None
</Directory>


the / will be interpreted from Windows as the root e.g. C:\ or D:\ ...
If you only run your server as a reverse proxy there is no security hole at all.

And yes you need the permission part for the doc root which is the doc root for the reverse proxy, if you did not set up a a vhost.
Back to top
iiigoiii



Joined: 14 Dec 2007
Posts: 1

PostPosted: Fri 14 Dec '07 23:41    Post subject: Re: Some ways to secure apache web server under Windows Reply with quote

just wanted to mention for those installing 2.x that the ServerSignature and ServerTokens directives are no longer in httpd.conf, but extra/httpd-default.conf.

and of course it goes without mentioning that the
#Include conf/extra/httpd-default.conf
line must be uncommented if changes are made to that file!

Quote:
Hide the Apache Version number, and other sensitive information

here are two directives that you need to add, or edit in your httpd.conf file:
Code:

ServerSignature Off
ServerTokens Prod


Back to top
Mitron



Joined: 04 Jan 2006
Posts: 63

PostPosted: Mon 17 Dec '07 8:59    Post subject: Re: Some ways to secure apache web server under Windows Reply with quote

James Blond wrote:

Restricting Access by IP
If you have a resource that should only by accessed by a certain network, or IP address you can enforce this in your apache configuration. For instance if you want to restrict access to your intranet to allow only the 192.168 network:

Code:

Order Deny,Allow
Deny from all
Allow from 192.18.0.0/16



Don't want to be a stickler or anything, but should this be?
Code:

Order Deny,Allow
Deny from all
Allow from 192.168.0.0/16
Back to top
ndricim



Joined: 19 Mar 2018
Posts: 4
Location: Kosovo, Ferizaj

PostPosted: Wed 20 Mar '19 14:37    Post subject: Reply with quote

How to i disable from browesing all System files with an filemanager like phpFileManager
Back to top
James Blond
Moderator


Joined: 19 Jan 2006
Posts: 7373
Location: Germany, Next to Hamburg

PostPosted: Wed 20 Mar '19 16:41    Post subject: Reply with quote

Open base dir in php.ini see http://www.php.net/manual/en/ini.core.php#ini.open-basedir
Back to top
glsmith
Moderator


Joined: 16 Oct 2007
Posts: 2268
Location: Sun Diego, USA

PostPosted: Wed 20 Mar '19 23:25    Post subject: Reply with quote

If people should always be using the latest version, should this thread not be modified to follow suit (Require vs. Allow/Deny/Order/Satisfy)?

Problems can occur when mixing the two. This is why at Apache Haus mod_access_compat is not loaded by default (in contrast to how it's configured out of compiler).

Quite frankly, once you have wrapped your head around it (which will take time), you will probably like it better.

If you are using the old 2.2 style and have not wrapped your head around Order, you could easily shoot yourself in the foot. Probable? In most circumstances no. Still possible? Yes.
Back to top


Reply to topic   Topic: Some ways to secure apache web server under Windows View previous topic :: View next topic
Post new topic   Forum Index -> How-to's & Documentation & Tips