Project

General

Profile

Support #560

Hardening Apache 2.4 & PHP 5 on FreeBSD

Added by Daniel Curtis almost 10 years ago. Updated almost 10 years ago.

Status:
Closed
Priority:
Normal
Assignee:
Category:
Web Server
Target version:
Start date:
02/13/2015
Due date:
% Done:

100%

Estimated time:
3.00 h
Spent time:

Description

This is a simple guide for hardening the default settings of Apache and PHP on FreeBSD 9.2. I use a combination of some or all of the following configurations in my production systems.

  • Update the system and ports tree:
    pkg update && pkg upgrade
    portsnap fetch extract
    
  • Install git:
    pkg install git
    

Harden Apache 2.4

Remove Server information on error page

  • Disallow server to print out any Apache information on error pages.
    vi /usr/local/etc/apache24/httpd.conf
    
    • Add/modify the following lines as following:
      ## Prevent apache from sending identifying information
      ServerTokens Prod
      ServerSignature Off
      

Disable Directory Listing

  • Edit the httpd.conf file
    vi /usr/local/etc/apache24/httpd.conf
    
    • Then add a minus "-" before the "Indexes" and it should be look like that after modification:
      <Directory /usr/local/www/apache24/data>
          ## Disable Indexes option
          Options -Indexes FollowSymLinks MultiViews
          AllowOverride None
          Order allow,deny
          allow from all
      </Directory>
      

Enhance security on Apache rewrite

  • In order to prevent Cross-Site-Tracing attacks, the following lines to be added within each <VirtualHost *:80> block
    ## Prevent Cross-Site-Tracing attacks
    <IfModule mod_rewrite.c>
        RewriteEngine On
        RewriteCond %{REQUEST_METHOD} ^(TRACE|TRACK)
        RewriteRule .* - [F]
    </IfModule>
    
    • To test if it is working properly run:
      curl -X TRACE www.example.com
      
    • Example output:
      <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
      <html><head>
      <title>403 Forbidden</title>
      </head><body>
      <h1>Forbidden</h1>
      <p>You don't have permission to access /
      on this server.<br />
      </p>
      </body></html>
      

Install mod_security

ModSecurity is an open source, cross-platform web application firewall (WAF) module. Known as the "Swiss Army Knife" of WAFs, it enables web application defenders to gain visibility into HTTP traffic and provides a power rules language and API to implement advanced protections.

  • Install mod_security
    pkg install ap24-mod_security
    
  • ModSecurity requires firewall rule definitions. Most people use the OWASP ModSecurity Core Rule Set (CRS). The easiest way to track the OWASP CRS repository right now is to use Git. Let's make a directory for all our ModSecurity related stuff, and clone the CRS repository under it
    mkdir -p /usr/local/etc/modsecurity && cd /usr/local/etc/modsecurity
    git clone https://github.com/SpiderLabs/owasp-modsecurity-crs crs
    
  • Copy the default ModSecurity config file:
    cp /usr/local/etc/modsecurity.conf-example /usr/local/etc/modsecurity/modsecurity.conf
    
  • And fetch a necessary file which is currently not included in the port:
    fetch https://raw.github.com/SpiderLabs/ModSecurity/master/unicode.mapping
    
  • Copy the default ModSecurity CRS config file:
    cp crs/modsecurity_crs_10_setup.conf.example modsecurity_crs_10_setup.conf
    
  • Now create an Apache configuration snippet in Apache's httpd.conf file. It loads the ModSecurity module, and includes the configurations and CRS:
    vi /usr/local/etc/apache24/httpd.conf
    
    • And add/modify the following
      ## Load security module
      LoadModule security2_module libexec/apache22/mod_security2.so
      
      ## Configure security module
      <IfModule security2_module>
          # Include ModSecurity configuration
          Include /usr/local/etc/modsecurity/modsecurity.conf
      
          # Include OWASP Core Rule Set (CRS) configuration and base rules
          Include /usr/local/etc/modsecurity/modsecurity_crs_10_setup.conf
          Include /usr/local/etc/modsecurity/crs/base_rules/*.conf
      
          # Add custom configuration and CRS exceptions here. Example:
          # SecRuleRemoveById 960015
      </IfModule>
      
  • When the configuration is all set, simply restart Apache:
    service apache24 restart
    
    • Confirm that ModSecurity is loaded by checking Apache's log file:
      tail /var/log/httpd-error.log
      
    • Example output:
      ModSecurity for Apache/2.7.7 (http://www.modsecurity.org/) configured.
      ModSecurity: APR compiled version="1.4.8"; loaded version="1.4.8" 
      ModSecurity: PCRE compiled version="8.34 "; loaded version="8.34 2013-12-15" 
      ModSecurity: LIBXML compiled version="2.8.0" 
      
  • Blocking mode can be enabled by editing modsecurity.conf and changing the following line:
    SecRuleEngine On
    
    • And restart apache to apply it:
      service apache24 restart
      
  • Keep the CRS updated from time to time:
    cd /usr/local/etc/modsecurity/crs
    git pull
    

Install mod_evasive

mod_evasive is an evasive maneuvers module for Apache to provide evasive action in the event of an HTTP DoS or DDoS attack or brute force attack. It is also designed to be a detection and network management tool, and can be easily configured to talk to ipchains, firewalls, routers, and etcetera. mod_evasive presently reports abuses via email and syslog facilities.

  • Edit the mod_evasive Makefile:
    cd /usr/ports/www/mod_evasive
    vi Makefile
    
    • And change the line USE_APACHE=22 to:
      USE_APACHE=     24
      
  • Begin compilation:
    make install clean
    
    • Currently the port will fail with output similar to the following:
      mod_evasive20.c: In function 'access_checker':
      mod_evasive20.c:142: error: 'conn_rec' has no member named 'remote_ip'
      mod_evasive20.c:146: error: 'conn_rec' has no member named 'remote_ip'
      mod_evasive20.c:158: error: 'conn_rec' has no member named 'remote_ip'
      mod_evasive20.c:165: error: 'conn_rec' has no member named 'remote_ip'
      mod_evasive20.c:180: error: 'conn_rec' has no member named 'remote_ip'
      mod_evasive20.c:187: error: 'conn_rec' has no member named 'remote_ip'
      mod_evasive20.c:208: error: 'conn_rec' has no member named 'remote_ip'
      mod_evasive20.c:212: warning: implicit declaration of function 'getpid'
      mod_evasive20.c:215: error: 'conn_rec' has no member named 'remote_ip'
      mod_evasive20.c:221: error: 'conn_rec' has no member named 'remote_ip'
      mod_evasive20.c:222: error: 'conn_rec' has no member named 'remote_ip'
      mod_evasive20.c:228: error: 'conn_rec' has no member named 'remote_ip'
      apxs:Error: Command failed with rc=65536
      .
      *** [do-build] Error code 1
      
      Stop in /usr/ports/www/mod_evasive.
      
  • Fix the working mod_evasive source code:
    sed -i '' -e 's/remote_ip/client_ip/g' work/mod_evasive/mod_evasive20.c
    
  • Then finish installing mod_evasive:
    make install clean
    
  • Edit the Apache httpd.conf file:
    vi /usr/local/etc/apache24/httpd.conf
    
    • And add the following:
      ## Load evasive module
      LoadModule evasive20_module   libexec/apache24/mod_evasive20.so
      
      ## Configure evasive module
      <IfModule evasive20_module>
      #increases size of hash table. Good, but uses more RAM.
      DOSHashTableSize    3097
      #Interval, in seconds, of the page interval.
      DOSPageInterval     1
      #Interval, in seconds, of the site interval.
      DOSSiteInterval     1
      #period, in seconds, a client is blocked.  The counter is reset to 0 with every access within this interval.
      DOSBlockingPeriod   10
      #threshold of requests per page, per page interval.  If hit == block.
      DOSPageCount        2
      #threshold of requests for any object by the same ip, on the same listener, per site interval.
      DOSSiteCount        50
      #locking mechanism prevents repeated calls.  email can be sent when host is blocked (leverages the following by default "/bin/mail -t %s")
      DOSEmailNotify      admin@example.com
      #locking mechanism prevents repeated calls.  A command can be executed when a host is blocked.  %s is the host IP.
      #DOSSystemCommand    "su - someuser -c '/sbin/... %s ...'" 
      #DOSLogDir           "/var/lock/mod_evasive" 
      #whitelist an IP., leverage wildcards, not CIDR, like 127.0.0.*
      #DOSWhiteList 127.0.0.1
      </IfModule>
      
  • Restart apache24 to enable mod_evasive
    service apache24 restart
    

Harden PHP

Restrict PHP leakage

  • To restrict PHP information leakage disable expose_php. Edit the php.ini file and set the following directive:
    vi /usr/local/etc/php.ini
    
    • And modify the following parameter:
      expose_php=Off
      

Log All PHP Errors

  • Do not expose PHP error messages to all site visitors. Edit php.ini and set the following directive:
    display_errors=Off
    
  • Make sure you log all php errors to a log file:
    log_errors=On
    error_log=/var/log/php-error.log
    

Disable File Uploads

  • Edit php.ini and set the following directive to disable file uploads for security reasons:
    file_uploads=Off
    
  • If users of your application need to upload files, turn this feature on by setting upload_max_filesize limits the maximum size of files that PHP will accept through uploads:
    file_uploads=On
    # user can only upload upto 1MB via php
    upload_max_filesize=1M
    

Disabling Dangerous PHP Functions

  • PHP has a lot of functions which can be used to crack your server if not used properly. You can set list of functions in php.ini using disable_functions directive:
    disable_functions =exec,passthru,shell_exec,system,proc_open,popen,curl_exec,curl_multi_exec,parse_ini_file,show_source
    

Resources

http://www.cyberciti.biz/tips/php-security-best-practices-tutorial.html
http://www.cyberciti.biz/faq/freebsd-install-configure-mod_security/
https://lifeforms.nl/20140221/install-modsecurity-freebsd/
http://www.ansoncheunghk.info/article/7-simple-steps-harden-apache-and-php-linux
https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual
https://github.com/SpiderLabs/owasp-modsecurity-crs
https://forums.freebsd.org/threads/mod_evasiv.48806/
https://mbrownnyc.wordpress.com/technology-solutions/create-a-secure-linux-web-server/install-and-configure-mod_evasive-for-apache-2-4-x/


Related issues

Related to FreeBSD Administration - Support #562: Install mod_evasive for Apache 2.4 on FreeBSDClosedDaniel Curtis02/13/2015

Actions
Related to FreeBSD Administration - Support #561: Install mod_security for Apache 2.4 on FreeBSDClosedDaniel Curtis02/13/2015

Actions
#1

Updated by Daniel Curtis almost 10 years ago

  • Target version set to FreeBSD 9
#2

Updated by Daniel Curtis almost 10 years ago

  • Category set to Web Server
#3

Updated by Daniel Curtis almost 10 years ago

  • Description updated (diff)
#4

Updated by Daniel Curtis almost 10 years ago

  • Subject changed from Hardening Apache & PHP on FreeBSD to Hardening Apache 2.4 & PHP 5 on FreeBSD
  • Description updated (diff)
  • Status changed from New to In Progress
#5

Updated by Daniel Curtis almost 10 years ago

  • Description updated (diff)
  • % Done changed from 0 to 20
#6

Updated by Daniel Curtis almost 10 years ago

  • Description updated (diff)
#7

Updated by Daniel Curtis almost 10 years ago

  • % Done changed from 20 to 60
#8

Updated by Daniel Curtis almost 10 years ago

  • Description updated (diff)
#9

Updated by Daniel Curtis almost 10 years ago

  • Status changed from In Progress to Resolved
  • % Done changed from 60 to 100
#10

Updated by Daniel Curtis almost 10 years ago

  • Related to Support #562: Install mod_evasive for Apache 2.4 on FreeBSD added
#11

Updated by Daniel Curtis almost 10 years ago

  • Related to Support #561: Install mod_security for Apache 2.4 on FreeBSD added
#12

Updated by Daniel Curtis almost 10 years ago

  • Status changed from Resolved to Closed

Also available in: Atom PDF