Securing Apache2 – Ubuntu 18.04

Apache is one of the most popular options for putting up a quick and simple web server, so let us take you through how you can protect your own server from some basic attacks. Of course, there are many kinds of attacks, bugs, 0-days and so on, so we will only cover the basic things to do rather than going in depth, which we may do at a later time. This guide uses Ubuntu 18.04, so if you are running something else the details may differ for you.

The Apache HTTP Server, colloquially called Apache, is a free and open-source cross-platform web server software, released under the terms of Apache License 2.0. Apache is developed and maintained by an open community of developers under the auspices of the Apache Software Foundation. 

Wikipedia

If you have not yet installed Apache, you can visit our Installing LAMP – Ubuntu 18.04 post to get your server up and running.

Cloudflare

Cloudflare is one of the best options out there for protecting your site from DDoS attacks. They offer both a free plan and paid plans; if you are a small business, the free plan should be more than enough to get you protected. Setup differs depending on where you bought your domain, but with registrars such as GoDaddy you can change your DNS nameservers to Cloudflare fairly easily. After doing this, you will need to use Cloudflare to manage your DNS records in the future.

Cloudflare is a free CDN type product that protects against threats such as SQL injection and identity theft. Cloudflare also improves site performance and speeds up loading times by using their multiple data centers that are located around the world. The Cloudflare network acts like a giant VPN.

WestHost

By using Cloudflare, you can also use their SSL and force HTTPS, which removes the need to buy your own SSL certificate. For smaller websites and businesses this can be a huge plus: using SSL can improve site performance, provides a trust layer for your users and encrypts traffic, which increases your overall security. Your website’s SEO would also benefit, as most search engines favor websites using HTTPS over HTTP.

(Screenshots: the site without SSL, and the same site using SSL)

Directory Listing

Directory listing lets a visitor see every file in a directory. Attackers can use this to discover and open files that were never meant to be public, so knowing what a directory contains is a risk in itself.

(Screenshots: a directory listing, and the same path after listing is disabled)

To disable directory listing, first find your Apache configuration file (on Ubuntu, the site’s virtual host under /etc/apache2/sites-available/ or apache2.conf itself). Once you have located it, disable listing for the directory by setting Options like so:

<Directory /var/www/your_domain>
    Options -Indexes
</Directory>

Server Token/Signature

Although ServerTokens and ServerSignature are not a vulnerability in themselves, they let attackers see which OS and which version of Apache you are running. That lets them plan an attack or pick exploits that are specific to your version.

(Screenshots: the server signature shown on an error page, and the same page with it disabled)

To stop Apache from revealing this information, add these lines to your Apache configuration file:

ServerSignature Off
ServerTokens Prod

Separate User/Group

Running Apache as its own non-root user and group limits the damage attackers can do if they ever get into your system through an Apache vulnerability. It also contains problems between different services: if MySQL and Apache run under the same user and group, an exploit in one gives access to the other. It is best practice to run Apache under a non-privileged account.

Let’s create a new group and assign a new user to it:

groupadd http-web
# on Ubuntu the nologin shell lives at /usr/sbin/nologin, not /bin/nologin
useradd -d /var/www/ -g http-web -s /usr/sbin/nologin http-web

Once the user exists, give it ownership of the web root:

chown -R http-web:http-web /var/www/

After this is done, head over to your Apache configuration file and change the User and Group directives to the user and group we just created (on Ubuntu, apache2.conf takes these from APACHE_RUN_USER and APACHE_RUN_GROUP in /etc/apache2/envvars, so set them there). Make sure to restart Apache’s service for it to take effect:

User http-web
Group http-web

Using ModSecurity

ModSecurity is a popular web application firewall that many developers use to protect their web server. It can be used with other web servers as well, such as Nginx and IIS. Its configurable rule engine allows for both simple and complex operations.

ModSecurity, sometimes called Modsec, is an open-source web application firewall. Originally designed as a module for the Apache HTTP Server, it has evolved to provide an array of Hypertext Transfer…

Wikipedia

We won’t dive into how to use ModSecurity in this post, but we may write a separate one for it. You can install the package by running the following command:

sudo apt-get install libapache2-mod-security2

After installing the package, restart Apache:

sudo service apache2 restart

Then, to check whether the module is loaded, use the following command:

sudo apachectl -M | grep security

If everything was done properly, you should see the following output: security2_module (shared)

You then need to configure it properly. We will not cover that in this post; we may have a post dedicated to ModSecurity.

Keeping Logs

Apache lets you log errors and request details on your web server, which can come in handy down the line. We will use the mod_log_config module, as it provides many features that are useful for detailed analysis. Use the CustomLog directive to change the location of the log file; by default, Apache on Ubuntu writes logs to /var/log/apache2. You can also modify the LogFormat to your liking; note that quotes inside the format string must be escaped with a backslash:

LogFormat "%v:%p %h %l %u %t \"%r\" %>s %O \"%{Referer}i\" \"%{User-Agent}i\"" logs_combined
CustomLog /var/log/apache2/customlog.log logs_combined
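As an added example (not part of the original post), here is a small Python parser for entries written with the logs_combined format above, run over a few constructed sample lines; it counts, per client, the events that the hardening elsewhere in this post produces: TRACE attempts, 401s on password-protected paths and 403s from IP restrictions or blocked listings. The function names review_log and parse_line and the sample addresses are ours.

```python
import re
from collections import Counter

# Field regex for the post's LogFormat:
#   %v:%p %h %l %u %t "%r" %>s %O "%{Referer}i" "%{User-Agent}i"
LOG_RE = re.compile(
    r'^(?P<vhost>[^:\s]+):(?P<port>\d+) (?P<client>\S+) (?P<ident>\S+) (?P<user>\S+) '
    r'\[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" (?P<status>\d{3}) (?P<bytes>\d+|-) '
    r'"(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$')
# Constructed sample entries (not real traffic) in that format.
SAMPLE_LOG = """\
example.com:443 198.51.100.7 - - [01/May/2019:10:00:01 +0000] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
example.com:443 203.0.113.9 - - [01/May/2019:10:00:05 +0000] "TRACE / HTTP/1.1" 405 233 "-" "curl/7.58.0"
example.com:443 203.0.113.9 - - [01/May/2019:10:00:06 +0000] "GET /wp-admin/ HTTP/1.1" 401 471 "-" "curl/7.58.0"
example.com:443 203.0.113.9 - - [01/May/2019:10:00:07 +0000] "GET /wp-admin/ HTTP/1.1" 401 471 "-" "curl/7.58.0"
example.com:443 203.0.113.9 - admin [01/May/2019:10:00:09 +0000] "GET /wp-admin/ HTTP/1.1" 200 9000 "-" "curl/7.58.0"
example.com:80 198.51.100.7 - - [01/May/2019:10:00:12 +0000] "GET /uploads/ HTTP/1.1" 403 199 "-" "Mozilla/5.0"
"""

def parse_line(line):
    """Return the fields of one entry as a dict, or None if it does not match."""
    m = LOG_RE.match(line.rstrip("\n"))
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["bytes"] = 0 if rec["bytes"] == "-" else int(rec["bytes"])  # %O is "-" when nothing was sent
    parts = rec["request"].split(" ")
    rec["method"] = parts[0] if parts else ""
    rec["path"] = parts[1] if len(parts) > 1 else ""
    return rec

def review_log(text, auth_fail_threshold=2):
    """Per-client counts of events tied to this post's hardening: TRACE attempts
    (TraceEnable), 401s on password-protected paths (htpasswd) and 403s (IP restriction)."""
    trace, auth_fail, forbidden = Counter(), Counter(), Counter()
    unparsed = 0
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None:
            unparsed += 1
            continue
        if rec["method"].upper() == "TRACE":
            trace[rec["client"]] += 1
        if rec["status"] == 401:
            auth_fail[rec["client"]] += 1
        elif rec["status"] == 403:
            forbidden[rec["client"]] += 1
    return {"trace_clients": dict(trace), "forbidden": dict(forbidden), "unparsed": unparsed,
            "repeated_auth_failures": {c: n for c, n in auth_fail.items() if n >= auth_fail_threshold}}
```

Point review_log at the contents of /var/log/apache2/customlog.log to get the same summary for a real server; lines that do not match the format are only counted, not dropped silently.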

Updating Apache2

This may be obvious, but many website owners neglect it and leave their Apache outdated, which can leave the web server open to known exploits.

sudo apt install apache2
sudo apt update
sudo apt upgrade

Using PPA

This method isn’t recommended; however, it does let you update to the latest versions. You will be using a PPA (Personal Package Archive), which in itself can be a security risk, since you are trusting a third-party repository.

sudo apt-get install software-properties-common
sudo add-apt-repository ppa:ondrej/apache2
sudo apt-get update

Let us back up our current Apache configuration file, just in case anything goes wrong:

cp /etc/apache2/apache2.conf /etc/apache2/apache2.conf.bak1

After backing up, we can finally upgrade Apache to the latest version:

sudo apt-get update
sudo apt-get upgrade

If it prompts you to replace your configuration file with the package maintainer’s updated version, type N and press ENTER to keep your own.

Restricting Access

IP Address

You can restrict certain areas by IP, such as your admin panel or other private files or pages. Of course, if you restrict by IP you will not be able to reach those pages from outside, at a café or at work, so keep this in mind.

<Directory /var/www/website/wp-admin>
    # allow access from one IP and an additional IP range,
    # and block everything else
    # (203.0.113.10 is a placeholder; replace it with your own address)
    Require ip 203.0.113.10
    Require ip 192.168.0.0/24
</Directory>

Password Protected

If you don’t want to implement the IP restriction, you can go for a more usable method: password-protecting the page itself. This is a much better option than IP restriction if you are often on different networks. This method will create a sign-in prompt like this:

(Screenshot: the browser’s sign-in prompt)

First create a .htpasswd file. You can store it anywhere you want, preferably outside the web root; take note of the directory you save it to:

htpasswd -c /home/website/blah/.htpasswd contionmig

Now that we have created a .htpasswd user named contionmig (the -c flag creates the file, so leave it out when adding further users or the file will be overwritten), we need to create a .htaccess file in the folder we want to protect. For Apache to honor it, the directory must have AllowOverride AuthConfig (or All) set in the main configuration.

sudo nano /var/www/website/wp-admin/.htaccess

We can then use one of these configurations:

Protect Directory

AuthType Basic
AuthName "Password Required"
Require valid-user
AuthUserFile /home/website/blah/.htpasswd

Protect File

<Files admin.php>
    AuthName "Dialog prompt"
    AuthType Basic
    AuthUserFile /home/website/blah/.htpasswd
    Require valid-user
</Files>

Protect Files

<FilesMatch "^(admin|staff)\.php$">
    AuthName "Dialog prompt"
    AuthType Basic
    AuthUserFile /home/website/blah/.htpasswd
    Require valid-user
</FilesMatch>

Timeout

This setting is mainly meant to protect your site from Slowloris and similar DoS attacks, which hold connections open for as long as possible. You can mitigate this by lowering the Timeout value in your Apache configuration file to something like 60 or 30. Cloudflare or ModSecurity should also be able to mitigate these kinds of attacks.

Timeout 60

Trace HTTP Request

By default, Apache has the TRACE method enabled. Leaving it on allows Cross Site Tracing (XST) attacks and can sometimes let attackers steal cookie information. We can disable it easily by adding one line to the Apache configuration file:

TraceEnable off

Modifying Headers

First, enable the headers module (mod_headers) that we will be using:

sudo a2enmod headers

Restart the server once done, then run the following command to check that it is loaded:

apachectl -M | grep headers

If everything is working as expected, you should get output like this: headers_module (shared).

XSS Protection Header

One of the most common vulnerabilities found in web applications is cross-site scripting (XSS). The X-XSS-Protection header turns on the reflected-XSS filter in older browsers, which blocks some XSS attacks; modern browsers have since dropped this filter, so treat it as defense in depth rather than a fix for XSS. Add the following entry to your Apache configuration to enable it:

Header set X-XSS-Protection "1; mode=block"

Hide ETag Header

This isn’t critical, but like the signature we disabled above it gives attackers less information. The ETag header can include details about your server such as a file’s inode number and multipart MIME boundary, so it is recommended to hide it. Add the following line to your Apache configuration:

FileETag None

Set Cookie

The impact of a cross-site scripting attack can be reduced by setting the HttpOnly and Secure flags on cookies: HttpOnly keeps scripts from reading the cookie, and Secure keeps it off plain HTTP. Without them, the chance that your session cookies are stolen or your web application session is manipulated increases. The edit below appends both flags to every Set-Cookie header (even if the application already set them), so it only makes sense on an HTTPS-only site:

Header edit Set-Cookie ^(.*)$ $1;HttpOnly;Secure

Clickjacking

Clickjacking is a malicious technique of tricking a user into clicking on something different from what the user perceives, potentially revealing confidential information or allowing others to take control of their computer while they click on seemingly harmless objects, including web pages. The header below tells the browser to only render your pages inside frames from your own origin:

Header always append X-Frame-Options SAMEORIGIN

X-Content-Type

The X-Content-Type-Options header is used to protect against MIME sniffing vulnerabilities. However, this security header helps prevent these types of attacks by disabling the MIME sniffing functionality of IE and Chrome browsers so that the browser is required to use the MIME type sent via the origin server.

KeyCDN

Header set X-Content-Type-Options nosniff
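As an added example (not the post’s own code), a Python audit that reads an Apache configuration snippet and reports which of the directives from the Server Token/Signature, Directory Listing, Trace HTTP Request and Modifying Headers sections above are missing or left at their weak values; the two constructed snippets show the weak settings beside the hardened ones. The function name audit_config and the checker’s simplifications (no nesting or Include handling) are ours.

```python
# Directives this post sets and their expected values (compared case-insensitively).
EXPECTED = {"servertokens": "prod", "serversignature": "off",
            "traceenable": "off", "fileetag": "none",
            "header x-frame-options": "sameorigin",
            "header x-content-type-options": "nosniff"}
def audit_config(text):
    """Sorted findings for settings missing or weaker than the post recommends.
    Comments and container tags (<Directory>) are skipped; nesting is not tracked."""
    seen, options = {}, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#<":
            continue
        parts = line.split()
        name, args = parts[0].lower(), parts[1:]
        if name == "header":
            # forms used on this page: "Header [always] set|append NAME VALUE"
            if args and args[0].lower() == "always":
                args = args[1:]
            if len(args) >= 3 and args[0].lower() in ("set", "append"):
                seen["header " + args[1].lower()] = " ".join(args[2:]).strip('"').lower()
        elif name == "options":
            options.append(args)
        elif name in EXPECTED:
            seen[name] = " ".join(args).lower()
    findings = [f"{k}: expected '{v}', found {seen.get(k)!r}"
                for k, v in EXPECTED.items() if seen.get(k) != v]
    for opts in options:
        # "Indexes" or "+Indexes" enables listing; only "-Indexes" disables it
        if any(t.lower() in ("indexes", "+indexes") for t in opts):
            findings.append(f"options enables directory listing: '{' '.join(opts)}'")
    return sorted(findings)
# Constructed snippets (not from a real server): the weak settings the post
# warns about, and a hardened version built from the post's own directives.
WEAK_CONF = """\
ServerTokens OS
ServerSignature On
<Directory /var/www/html>
    Options Indexes FollowSymLinks
</Directory>
"""
HARDENED_CONF = """\
ServerTokens Prod
ServerSignature Off
TraceEnable off
FileETag None
Header always append X-Frame-Options SAMEORIGIN
Header set X-Content-Type-Options nosniff
Options -Indexes +FollowSymLinks
"""
```

Feed it the text of apache2.conf or a site file to see which of the steps above are still outstanding on your own server.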

Conclusion

There are many other ways of further securing your web server. We might do a more in-depth post, but for now we have covered the basic things to do before running a proper web server.

We would like to thank these websites, as they guided us on some of the information and provided us with reference material.
