Apache 2 - Security
Here you'll find information about how to make your server more discreet and secure. By changing the UID you can also set your server to be less risky in case of being hack.
Contents
Be discreet!
PHP info
Check the current server status using a simple PHP info file.
vim /var/www/myServer/phpinfo.php
Put the following:
<?php
// Show all information, defaults to INFO_ALL
phpinfo();
?>
Adjust rights and ownership:
chown -R www-data:www-data /var/www/myServer
chmod -R 755 /var/www/myServer
Adjust verbose level
Do not give details about your configuration to outsiders.
vim /etc/apache2/conf-available/security.conf
Set the following settings
#### Ask your server to be more discret!
# ServerTokens
# Set to one of: Full | OS | Minimal | Minor | Major | Prod
ServerTokens Prod
ServerSignature Off
TraceEnable Off
Restart Apache2
service apache2 restart
Re-run PHP info, you should have less information.
PHP5 security
PHP Security Info
If you want to test your PHP security, you can use the PHPSecInfo tool, available at: http://phpsec.org/projects/phpsecinfo/index.html
Installation
cd /tmp
wget http://phpsec.org/projects/phpsecinfo/phpsecinfo.zip
unzip phpsecinfo.zip
mv phpsecinfo-Version phpsecinfo
mv phpsecinfo/ /var/www
cd /var/www
chown -R www-data:www-data phpsecinfo
Virtual host configuration
Edit your V.Host configuration
vim /etc/apache2/sites-available/myServer
!! For security reason: DO NOT use 'phpsecinfo' as alias. It's too easy to guess.
<VirtualHost _default_:443>
# PHPSecInfo
Alias /phpsec /var/www/phpsecinfo
<Location /phpsec >
Require all granted
ProxyPass !
order deny,allow
# allow from 127.0.0.1 192.168.1.0/24
allow from all
</Location>
</VirtualHost>
Reload your configuration
/etc/init.d/apache2 reload
Run the test
To asset your current installation you can run the test: https://myServer/phpsec
Improve security
PHP5 sessions and temp files
Create specific directory to store the sessions and temp files:
mkdir -p /etc/php5/temp
mkdir -p /etc/php5/session
chown -R www-data:root /etc/php5/temp
chown -R www-data:root /etc/php5/session
chmod -R 770 /etc/php5/session
chmod -R 770 /etc/php5/temp
Edit the configuration file
vim /etc/php5/apache2/php.ini
Adjust:
- line 801 → upload_tmp_dir = /etc/php5/temp
- line 1357 → session.save_path = "/etc/php5/session"
PHP5 tweak
Edit the configuration file
vim /etc/php5/apache2/php.ini
Adjust:
- line 376 → expose_php = Off
- line 406 → memory_limit = 8M
- line 480 → display_errors=Off
- line 675 → post_max_size=256K
- line 805 → upload_max_filesize=256K
- line 814 → allow_url_fopen=Off
DO NOT enable the open_basedir (even if the test say so! It’s a troublesome setting)
Restart your server to load the changes:
service apache2 restart
Re-run the test, then:
- Ignore the open_basedir and upload_tmp_dir alerts, if any.
- You can enable some specific options with a .htaccess file
Change Apache 2 UID
IMPORTANT: Do not change the UID if you already have install web programs such as phpldapadmin or phpmyadmin, cacti, ...
This security trick is not crucial, it's just a "nice to have".
Change the Apache UID
vim /etc/group
Change www-data UID
www-data:x:10033:
Change the Apache GID
vim /etc/passwd
Change the group settings
www-data:x:10033:10033:www-data:/var/www:/bin/false
Apply modifications
chown -R www-data:www-data /var/www/*
chown -R www-data:root /etc/php5/*
To take on the modifications you have to reboot your server - and not just the service. You must reboot the server with "reboot" command.
Avoid DOS attacks
Source: Linux mag’ – Hors serie Apache2
You can protect your server from Denial Of Service (DOS) attacks through mod_evasive
Installation
apt-get install libapache2-mod-evasive
Prepare log directory
mkdir /var/log/apache2/mod_evasive
chown -R www-data:www-data /var/log/apache2/mod_evasive
Enable module
a2enmod evasive
Configuration
Update / create the configuration file
vim /etc/apache2/mods-available/evasive.conf
Put:
# Mod evasive configuration
# Based upon Linux Mag
<IfModule mod_evasive20.c>
# Size of the hash table.
# The greater, the more memory is required but the faster it is! The value must be a prime number
DOSHashTableSize 3097
# Limit user to 5 pages per 2 seconds
DOSPageCount 5
DOSPageInterval 2
# No more than 100 HTTP request per second (HTML, CSS, images, …)
DOSSiteCount 100
DOSSiteInterval 1
# Block client for 300 seconds
DOSBlockingPeriod 300
# Send email alert
#DOSEmailNotify "admin@myDomain"
# Log directory
DOSLogDir "/var/log/apache2/mod_evasive"
# Command to execute on ban
#DOSSystemCommand "/sbin/iptables -I INPUT -s %s -j DROP"
# Ignore following IP and networks
DOSWhiteList 127.0.0.1
#DOSWhitelist 66.249.65.*
<IfModule mod_evasive20.c>
Apply changes
service apache2 restart
Change Apache2 ports number
You can change the Apache2 server ports. Except if you're a security paranoid person: you should NOT change the default ports.
vim /etc/apache2/ports.conf
Edit
# HTTP
Listen 80
# HTTPS
Listen 443
Don't forget to adjust your IPTABLES script as well.