Apache 2 - Security
Apache 2 and PHP5: Secure your installation!
PHP Security Info
If you want to test your PHP security, you can use the PHPSecInfo tool, available at: http://phpsec.org/projects/phpsecinfo/index.html
Installation
cd /tmp
wget http://phpsec.org/projects/phpsecinfo/phpsecinfo.zip
unzip phpsecinfo.zip
mv phpsecinfo-Version phpsecinfo
mv phpsecinfo/ /var/www
cd /var/www
chown -R www-data:www-data phpsecinfo
Virtual host configuration
Edit your V.Host configuration
vim /etc/apache2/sites-available/myServer!! For security reason: DO NOT use 'phpsecinfo' as alias. It's too easy to guess.
<VirtualHost _default_:443>
# PHPSecInfo
Alias /phpsec /var/www/phpsecinfo
<Location /phpsec >
Require all granted
ProxyPass !
order deny,allow
# allow from 127.0.0.1 192.168.1.0/24
allow from all
</Location>
</VirtualHost>
Reload your configuration
/etc/init.d/apache2 reload
Run the test
To asset your current installation you can run the test: https://myServer/phpsec
Improve security
PHP5 sessions and temp files
Create specific directory to store the sessions and temp files:
mkdir -p /etc/php5/temp
mkdir -p /etc/php5/session
chown -R www-data:root /etc/php5/temp
chown -R www-data:root /etc/php5/session
chmod -R 770 /etc/php5/session
chmod -R 770 /etc/php5/temp
Edit the configuration file
vim /etc/php5/apache2/php.ini
Adjust:
- line 801 → upload_tmp_dir = /etc/php5/temp
- line 1357 → session.save_path = "/etc/php5/session"
PHP5 tweak
Edit the configuration file
vim /etc/php5/apache2/php.ini
Adjust:
- line 376 → expose_php = Off
- line 406 → memory_limit = 8M
- line 480 → display_errors=Off
- line 675 → post_max_size=256K
- line 805 → upload_max_filesize=256K
- line 814 → allow_url_fopen=Off
DO NOT enable the open_basedir (even if the test say so! It’s a troublesome setting)
Restart your server to load the changes:
service apache2 restart
Re-run the test, then:
- Ignore the open_basedir and upload_tmp_dir alerts, if any.
- You can enable some specific options with a .htaccess file
Change Apache 2 UID
IMPORTANT: Do not change the UID if you already have install web programs such as phpldapadmin or phpmyadmin, cacti, ...
This security trick is not crucial, it's just a "nice to have".
Change the Apache UID
vim /etc/group
Change www-data UID
www-data:x:10033:
Change the Apache GID
vim /etc/passwd
Change the group settings
www-data:x:10033:10033:www-data:/var/www:/bin/false
Apply modifications
chown -R www-data:www-data /var/www/*
chown -R www-data:root /etc/php5/*
To take on the modifications you have to reboot your server - and not just the service. You must reboot the server with "reboot" command.
Avoid DOS attacks
Source: Linux mag’ – Hors serie Apache2
You can protect your server from Denial Of Service (DOS) attacks through mod_evasive
Installation
apt-get install libapache2-mod-evasive
Prepare log directory
mkdir /var/log/apache2/mod_evasive
chown -R www-data:www-data /var/log/apache2/mod_evasive
Enable module
a2enmod evasive
Configuration
Update / create the configuration file
vim /etc/apache2/mods-available/evasive.conf
Put:
# Mod evasive configuration
# Based upon Linux Mag
<IfModule mod_evasive20.c>
# Size of the hash table.
# The greater, the more memory is required but the faster it is! The value must be a prime number
DOSHashTableSize 3097
# Limit user to 5 pages per 2 seconds
DOSPageCount 5
DOSPageInterval 2
# No more than 100 HTTP request per second (HTML, CSS, images, …)
DOSSiteCount 100
DOSSiteInterval 1
# Block client for 300 seconds
DOSBlockingPeriod 300
# Send email alert
#DOSEmailNotify "admin@myDomain"
# Log directory
DOSLogDir "/var/log/apache2/mod_evasive"
# Command to execute on ban
#DOSSystemCommand "/sbin/iptables -I INPUT -s %s -j DROP"
# Ignore following IP and networks
DOSWhiteList 127.0.0.1
#DOSWhitelist 66.249.65.*
<IfModule mod_evasive20.c>
Apply changes
service apache2 restart
