Securing Apache 2.2

Jacob Mathai


Core Modules for a Secure Apache Install

  • Install only the core modules that you need:
  • core (Apache base)
  • http_core (HTTP support)
  • mod_access (acls based on hostnames and IPs)
  • mod_auth (user authentication)
  • prefork
  • mod_dir (serve up directory index files)
  • mod_log_config (access and error logging)
  • mod_mime (mime types, encoding)

    Apache Header Masking

    Attacks on HTTP servers typically exploit a bug or vulnerability, and these vulnerabilities are specific to a vendor's product and version. By removing the server version information from the response headers, you make attacks on the HTTP server less vendor-specific and generally less effective.

    The ServerTokens directive configures the Server HTTP response header. This directive is somewhat of a security concern in that it can reveal the type and version of the web server you are running to the outside world. You can hide this detail by following these steps.

  • Set the following directive in your httpd.conf file: "ServerTokens Prod"
  • In the source tree, view server/core.c and examine how the Server header is built.
  • Edit the include/ap_release.h file, find the line that reads '#define AP_SERVER_BASEPRODUCT "Apache"', and replace "Apache" with some other value or leave it blank. This technique obscures your web server details from potential attackers by not revealing them in the HTTP headers. It is in no way a replacement for keeping up to date with security patches and disabling all unused modules.
  • To test what the response headers are, try the following ...
    bash-2.03$ telnet apache.org 80
    Trying 209.237.227.195...
    Connected to apache.org.
    Escape character is '^]'.
    HEAD / HTTP/1.0
    
    HTTP/1.1 200 OK
    Date: Tue, 29 Aug 2006 01:40:16 GMT
    Server: Apache/2.2.3 (Unix)
    Last-Modified: Thu, 27 Jul 2006 17:31:11 GMT
    ETag: "998c34-3796-8fd795c0"
    Accept-Ranges: bytes
    Content-Length: 14230
    Cache-Control: max-age=86400
    Expires: Wed, 30 Aug 2006 01:40:16 GMT
    Connection: close
    Content-Type: text/html
    
    Connection closed by foreign host.
    bash-2.03$ telnet www.apache.org 80
    Trying 192.87.106.226...
    Connected to www.apache.org.
    Escape character is '^]'.
    HEAD / HTTP/1.0
    
    HTTP/1.1 200 OK
    Date: Tue, 29 Aug 2006 01:40:27 GMT
    Server: Apache/2.2.3 (Unix) mod_ssl/2.2.3 OpenSSL/0.9.7g
    Last-Modified: Thu, 27 Jul 2006 17:31:11 GMT
    ETag: "203a4-3796-419938fd795c0"
    Accept-Ranges: bytes
    Content-Length: 14230
    Cache-Control: max-age=86400
    Expires: Wed, 30 Aug 2006 01:40:27 GMT
    Connection: close
    Content-Type: text/html
    
    Connection closed by foreign host.
    
  • Notice the line that reads "Server: Apache/2.2.3 (Unix) mod_ssl/2.2.3 OpenSSL/0.9.7g" which is an HTTP header response revealing details about your web server version and modules.
  • Editing "AP_SERVER_BASEPRODUCT" in the source tree along with setting the "ServerTokens Prod" directive in httpd.conf controls what is displayed here. Just a trick I thought you might like to try sometime ....Enjoy !
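    To check the result of the steps above without reading telnet output by hand, here is an added example (not part of the original article) that parses a response head, lists the versioned components in the Server header, and estimates which Apache 2.2 ServerTokens level would produce it. The sample response is constructed from the telnet session above; fetch_head sends the same "HEAD / HTTP/1.0" request to a host you name, and the level mapping follows the Apache 2.2 ServerTokens documentation (Prod, Major, Minor, Min, OS, Full).

```python
import re
import socket

# Response head constructed from the telnet session above (not captured live by this script).
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Date: Tue, 29 Aug 2006 01:40:27 GMT\r\n"
    "Server: Apache/2.2.3 (Unix) mod_ssl/2.2.3 OpenSSL/0.9.7g\r\n"
    "Content-Type: text/html\r\n\r\n"
)

# product/version tokens such as "Apache/2.2.3" or "OpenSSL/0.9.7g"
VERSION_TOKEN = re.compile(r"[A-Za-z_-]+/\d[\w.]*")


def parse_headers(raw):
    """Split a raw HTTP response head into (status line, {lower-cased name: value})."""
    lines = raw.split("\r\n\r\n", 1)[0].split("\r\n")
    headers = {}
    for line in lines[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return lines[0], headers


def server_tokens(server):
    """Return the versioned components advertised in a Server header value."""
    return VERSION_TOKEN.findall(server or "")


def servertokens_level(server):
    """Estimate the Apache 2.2 ServerTokens setting that would emit this Server value."""
    tokens = server_tokens(server)
    if len(tokens) > 1:
        return "Full"   # base product plus module versions
    if "(" in server:
        return "OS"     # "Apache/2.2.3 (Unix)"
    if not tokens:
        return "Prod"   # "Apache", or a masked AP_SERVER_BASEPRODUCT
    dots = tokens[0].split("/", 1)[1].count(".")
    return {0: "Major", 1: "Minor"}.get(dots, "Min")


def fetch_head(host, port=80, timeout=5):
    """Send the same HEAD request as the telnet session and return the raw response head."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(f"HEAD / HTTP/1.0\r\nHost: {host}\r\n\r\n".encode())
        raw = b""
        while chunk := sock.recv(4096):
            raw += chunk
    return raw.decode("latin-1")
```

    Run servertokens_level(parse_headers(fetch_head("your.host"))[1].get("server", "")) against your own server; anything other than "Prod" means the directive or the AP_SERVER_BASEPRODUCT edit has not taken effect.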

    mathai(at)dsm.fordham.edu
    This work is licensed under a Creative Commons Attribution-NonCommercial-NoDerivs 3.0 Unported License