SCG WS Apache

Summary
The Apache HTTP Server Project is a collaborative software development effort aimed at creating a robust, commercial-grade, featureful, and freely-available source code implementation of an HTTP (Web) server. The project is jointly managed by a group of volunteers located around the world, using the Internet and the Web to communicate, plan, and develop the server and its related documentation. This project is part of the Apache Software Foundation. In addition, hundreds of users have contributed ideas, code, and documentation to the project. This file is intended to briefly describe the history of the Apache HTTP Server and recognize the many contributors.

Apache Global Server Configuration Files
Debian /etc/apache2/apache2.conf RHEL / Red Hat / CentOS / Fedora Linux /etc/httpd/conf/httpd.conf FreeBSD /usr/local/etc/apache2X/httpd.conf

Note:X represents the version number

Apache Module Files
Debian /etc/apache2/mods-enabled RHEL / Red Hat / CentOS / Fedora Linux /etc/httpd/conf/conf.d

Apache Port Configuration File
Debian /etc/apache2/ports.conf RHEL / Red Hat / CentOS / Fedora Linux /etc/httpd/conf/conf.d

Apache Error Files
Debian /var/log/apache2/error.log RHEL / Red Hat / CentOS / Fedora Linux var/log/httpd/error_log FreeBSD /var/log/httpd-error.log

Description
This Directive Controls wheather Server response field is sent back to clients includes a description of Generic OS Type of the Server.

Server: Apache/2.2.14 (Unix) mod_ssl/2.2.14 OpenSSL/0.9.8e-fips-rhel5

This allows attackers to identify web servers details greatly and increases the efficiency of any attack,as security vulnerabilities are dependent upon specific software versions.

How to test
In order to test for ServerToken configuration, one should check the Apache configuration file.

Misconfiguration
ServerTokens Full

Remediation
Configure the ServerTokens directive in the Apache configuration to value of Prod or ProductOnly. This tells Apache to only return "Apache" in the Server header, returned on every page request.

ServerTokens Prod or ServerTokens ProductOnly

Description
This Apache directive allows the configuration of a trailing footer line under server-generated documents.

How to test
In order to test for ServerSignature configuration, one should check the Apache configuration file.

Misconfiguration
ServerSignature Off

Remediation
Configure the ServerSingature directive in the Apache configuration to value of "Off". This tell Apache not to display the server version on error pages, or other pages it generates.

ServerSignature On

Description
Apache typically is started with root privileges in order to listen on port 80 and 443. One of the best ways to reduce your exposure to attack when running a web server is to create a unique, unprivileged userid and group for the web daemon to execute. The “nobody” or “daemon” userid & group that come default on Unix variants should NOT be used to run the web server as these principals are commonly used by other daemon services. Instead, create a user and group that are exclusively used by the web service so as to not give unnecessary access to other services. The userid used for the apache user should be a unique value between 1 and 499 as these lower values are reserved for the special system accounts. A more secure alternative is to bind Apache web service to an unprivileged port so it is not necessary to start Apache as root.

How to test
Ensure the apache account is unique and has been created with a UID between1-499 with the apache group and configured in the Apache Configuration File.

Remediation
If the Apache user and group does exist, create the account and group as a unique system account.

Example:
 * 1) groupadd –r apache
 * 2) useradd apache -r -g apache -d /var/www -s /sbin/nologin

2. Configure the Apache user and group in the Apache configuration file. User apache Group apache

Description
The Apache account must not be used as a regular login account, and should be assigned an invalid or nologin shell to ensure that the account cannot be used to login.

Misconfiguration
Check the apache login shell in the /etc/password file for Linux Systems.
 * 1) grep apache /etc/passwd

Remediation
The below command will configure the apache user with "nologin" restrictions. chsh -s /sbin/nologin apache Expected Output /etc/passwd:apache:x:48:48:Apache:/var/www:/sbin/nologin

Description
The user account under which Apache runs, should not have a valid password, but should be locked.

Remediation

 * 1) passwd -l apache

Validate the Coonfiguration using the below command in linux. Expected Output apache LK 2010-01-28 0 99999 7 -1 (Password locked.)
 * 1) passwd -s apache

Description
All of the Apache Software directories and files installed should be owned by root user and root group.This will help in mitigate exploration severity and information disclosure.

Apache Web Document folders like "/var/www/html" need a designated group to allow web content to be updated.

How to test
Type the below command to check the User and Group associated with a file.The file varies in Between Debian,RHEL/CentOS/Fedora,FreeBSD.

Example:


 * 1) ls -l /usr/share/apache2

Misconfiguration
In the Below example the apache2 folder is owned by a user name "alice" and group "sysadmin" which can be considered as a misconfiguration.

drwxr-xr-x   6 alice sysadmin 4096 Sep  7 13:20 apache2

Remediation
The below command will set a Directory named "apache2" with root user and root group recursively.


 * 1) chown –R root:root /usr/local/apache2