Securing Web servers

Dragos Acostachioaie
Magic Pinguin - Iasi, Romania
dragos[at]biosfarm[dot]ro

The most widely used HTTP server on UNIX operating systems is Apache. According to the latest statistics published by Netcraft, Inc. (http://www.netcraft.com/survey), in April 2002, out of about 38 million sites surveyed, the most used Web server was Apache, holding 53.76% of the market.

In this paper we describe methods to secure the Apache web server.

The Apache web server can be configured using the graphical interface apacheconf. The main configuration file is httpd.conf, usually located in the /etc/httpd directory. There were also two further configuration files, access.conf and srm.conf, but they were removed starting with version 1.3.4.

The configuration file consists of several lines, containing one directive per line. A directive may be continued on the next line by appending the "\" character at the end of the line. Comments begin with "#". By default the directives refer to the global server configuration. To apply certain settings only to a specific zone of the server (for example, a directory), the directives must be enclosed in a <Directory>, <DirectoryMatch>, <Files>, <FilesMatch>, <Location> or <LocationMatch> section. This can also be done by creating a file called .htaccess, containing the necessary directives, in the directory whose server behaviour you wish to change.

1. Directives for zone definition

The <Directory> directive

The <Directory> and </Directory> directives may be used to group several directives which apply only to a specific directory. Inside the directory name, the wildcard characters "?" and "*" may be used.

The <DirectoryMatch> directive

Similar to <Directory>, except that it accepts regular expressions.

The <Files> directive

The <Files> and </Files> directives may be used to group several directives which apply only to a specific file. Inside the file name, the wildcard characters "?" and "*" may be used.

The <FilesMatch> directive

Similar to <Files>, except that it accepts regular expressions.

The <Location> directive

This directive controls access by URL rather than by file system path. It is similar to <Files>. Wildcard characters may be used.

2. Directives for access control

Allow from

Specifies which hosts may access a zone. The value can be a host name, the ending part of a host name (for example, infoiasi.ro), an IP address or the beginning part of an IP address (for example, 192.71.30), or an IP address/netmask pair. It can take the value all, which means any host.

Deny

Specifies which hosts are not allowed to access a zone. The value all means that no host is allowed.

Order

Specifies the order in which the Allow and Deny directives are evaluated.

AuthUserFile

Specifies the name of the file containing the list of users and passwords used for authentication (for example, /etc/httpd/users). If it does not begin with "/", it is considered relative to ServerRoot. Each line contains the user name, followed by the ":" character, then the encrypted password. The passwords may be modified using htpasswd.

AuthGroupFile

Specifies the name of the file containing the list of groups used for authentication. Each line contains the group name, followed by the ":" character, then the list of users who are members of the group, separated by spaces.

AuthName

Describes the zone being authenticated.

AuthType

Specifies the authentication type. In the current implementation the only valid value is Basic.

Require

Specifies which users can access a zone. Three syntaxes are possible:
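As an added example (not part of the original paper), the following httpd.conf fragment combines the zone and access-control directives described above. The paths, the zone names, the user names and the group name admins are assumptions; the host patterns 192.71.30 and infoiasi.ro are the ones used in the text. The three forms of Require shown (user, group and valid-user) are the ones documented for Apache 1.3.

```apache
# Added example, not from the original paper. Paths and names are assumptions.

# Host-based control: only the 192.71.30.* block and hosts whose names end
# in infoiasi.ro may reach the intranet area. With "Order deny,allow" the
# Deny lines are evaluated first and the Allow lines override them.
<Directory "/var/www/html/intranet">
    Order deny,allow
    Deny from all
    Allow from 192.71.30
    Allow from infoiasi.ro
</Directory>

# User/group-based control: Basic authentication against the user and
# group files. "Require group admins" admits only members of that group.
<Directory "/var/www/html/private">
    AuthType Basic
    AuthName "Private area"
    AuthUserFile /etc/httpd/users
    AuthGroupFile /etc/httpd/groups
    Require group admins
</Directory>

# Control by URL rather than by file system path; any user present in the
# password file may enter.
<Location /reports>
    AuthType Basic
    AuthName "Reports"
    AuthUserFile /etc/httpd/users
    Require valid-user
</Location>

# Only the two named users may fetch files whose names match the pattern.
<FilesMatch "\.(xls|doc)$">
    AuthType Basic
    AuthName "Documents"
    AuthUserFile /etc/httpd/users
    Require user dragos sabin
</FilesMatch>

# Never serve .htaccess or .htpasswd files themselves, should they be placed
# under the document root. With "Order allow,deny" a host matched by neither
# list, or matched by Deny, is refused.
<FilesMatch "^\.ht">
    Order allow,deny
    Deny from all
</FilesMatch>
```

In this configuration /etc/httpd/users holds one "user:encrypted-password" line per user (created, for example, with htpasswd -c /etc/httpd/users dragos, then htpasswd /etc/httpd/users sabin), and /etc/httpd/groups holds a line such as "admins: dragos sabin". If the same directives are placed in a .htaccess file instead of httpd.conf, the enclosing <Directory> section must permit them with AllowOverride AuthConfig Limit. Note that Basic authentication transmits the password base64-encoded rather than encrypted, so outside a trusted network it should be combined with SSL.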

3. Advice on how to secure an Apache server

Apache daemon execution

The HTTP daemon must not be executed as root, but as a special user and group. Generally, these are the user and group apache. This user should not be able to access important files or to execute binaries unrelated to the httpd server. Also, this special user should not have an associated shell. The user and group may be set using the User and Group directives.

Configuration files access mode

Special attention must be paid to the configuration files, generally located in the /etc/httpd/conf directory, so that malicious persons have no possibility to view or modify them. It is recommended that the /etc/httpd/conf/httpd.conf file have access mode 640.

Log files access mode

Malicious users should not be able to read or modify the log files generated by Apache. From these files a cracker may find weak points in the server configuration and then try to attack the system. It is recommended that the /var/log/httpd directory have access mode 700.

CGI scripts

"Trojan horses" are malicious programs that masquerade as normal executable files. Such a program could be a badly written CGI script, in most cases written that way intentionally.

CGI scripts should not be executed as root. They should be located in a single directory to which ordinary users have no access, and every change to the scripts should be monitored by the system administrator. Also, these scripts should not be able to access confidential information stored on the machine.

The HTTP server inside an Intranet

If Apache is used inside an Intranet (a local network), it may be necessary to limit client access. The ports and network interfaces on which the HTTP server listens for connection requests can be configured using the BindAddress, Port and Listen directives.
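The following httpd.conf fragment, added here as an example and not taken from the paper, expresses the recommendations of this section in directive form: the unprivileged user and group, a single script directory, a document root on which nothing executable is allowed, and a listener bound to the internal interface only. The paths and the 192.168.1.0 network are assumptions; the chmod and chown commands in the comments apply the access modes recommended above. One caveat the text does not spell out: the server is started by root so that it can bind port 80 and open the log files, and only the child processes that serve requests switch to the User and Group given here.

```apache
# Added example, not from the original paper. Paths and addresses are assumptions.

# The parent process is started by root (to bind port 80 and open the logs);
# the children serving requests run under this unprivileged identity, which
# has no login shell and no access to files other than the web content.
User apache
Group apache

# Listen only on the internal interface (address constructed for the example).
# "Listen 192.168.1.10:80" is the equivalent single-directive form.
BindAddress 192.168.1.10
Port 80

# All CGI scripts live in one directory, outside the document root, that
# only the administrator may write to. ScriptAlias marks the directory as
# containing scripts, so no "Options ExecCGI" is needed anywhere.
ScriptAlias /cgi-bin/ "/var/www/cgi-bin/"
<Directory "/var/www/cgi-bin">
    AllowOverride None
    Options None
    Order deny,allow
    Deny from all
    Allow from 192.168.1
</Directory>

# Static content: "Options None" means no script execution, no server-side
# includes, no directory listings and no symlink following; "AllowOverride
# None" means a .htaccess dropped into the tree cannot re-enable them.
<Directory "/var/www/html">
    Options None
    AllowOverride None
    Order deny,allow
    Deny from all
    Allow from 192.168.1
</Directory>

# Access modes recommended in the text, applied from the shell as root.
# The config file and the log directory can belong to root, because both
# are opened by the root parent before privileges are dropped:
#   chown root:root /etc/httpd/conf/httpd.conf
#   chmod 640 /etc/httpd/conf/httpd.conf
#   chown root:root /var/log/httpd
#   chmod 700 /var/log/httpd
```

After editing, "httpd -t" (the configuration syntax check in Apache 1.3) reports whether the file parses before the server is restarted; a request from an address outside 192.168.1.0/24 should then receive a 403 response for both the document root and the script directory.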
