Support #560
Hardening Apache 2.4 & PHP 5 on FreeBSD
Description
- Table of contents
- Harden Apache 2.4
- Harden PHP
- Resources
This is a simple guide for hardening the default settings of Apache and PHP on FreeBSD 9.2. I use a combination of some or all of the following configurations in my production systems.
- Update the system and ports tree:
pkg update && pkg upgrade portsnap fetch extract
- Install git:
pkg install git
Harden Apache 2.4¶
Remove Server information on error page¶
- Disallow server to print out any Apache information on error pages.
vi /usr/local/etc/apache24/httpd.conf
- Add/modify the following lines as following:
## Prevent apache from sending identifying information ServerTokens Prod ServerSignature Off
- Add/modify the following lines as following:
Disable Directory Listing¶
- Edit the httpd.conf file
vi /usr/local/etc/apache24/httpd.conf
- Then add a minus "-" before the "Indexes" and it should be look like that after modification:
<Directory /usr/local/www/apache24/data> ## Disable Indexes option Options -Indexes FollowSymLinks MultiViews AllowOverride None Order allow,deny allow from all </Directory>
- Then add a minus "-" before the "Indexes" and it should be look like that after modification:
Enhance security on Apache rewrite¶
- In order to prevent Cross-Site-Tracing attacks, the following lines to be added within each
<VirtualHost *:80>
block## Prevent Cross-Site-Tracing attacks <IfModule mod_rewrite.c> RewriteEngine On RewriteCond %{REQUEST_METHOD} ^(TRACE|TRACK) RewriteRule .* - [F] </IfModule>
- To test if it is working properly run:
curl -X TRACE www.example.com
- Example output:
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"> <html><head> <title>403 Forbidden</title> </head><body> <h1>Forbidden</h1> <p>You don't have permission to access / on this server.<br /> </p> </body></html>
- To test if it is working properly run:
Install mod_security¶
ModSecurity is an open source, cross-platform web application firewall (WAF) module. Known as the "Swiss Army Knife" of WAFs, it enables web application defenders to gain visibility into HTTP traffic and provides a power rules language and API to implement advanced protections.
- Install mod_security
pkg install ap24-mod_security
- ModSecurity requires firewall rule definitions. Most people use the OWASP ModSecurity Core Rule Set (CRS). The easiest way to track the OWASP CRS repository right now is to use Git. Let's make a directory for all our ModSecurity related stuff, and clone the CRS repository under it
mkdir -p /usr/local/etc/modsecurity && cd /usr/local/etc/modsecurity git clone https://github.com/SpiderLabs/owasp-modsecurity-crs crs
- Copy the default ModSecurity config file:
cp /usr/local/etc/modsecurity.conf-example /usr/local/etc/modsecurity/modsecurity.conf
- And fetch a necessary file which is currently not included in the port:
fetch https://raw.github.com/SpiderLabs/ModSecurity/master/unicode.mapping
- Copy the default ModSecurity CRS config file:
cp crs/modsecurity_crs_10_setup.conf.example modsecurity_crs_10_setup.conf
- Now create an Apache configuration snippet in Apache's
httpd.conf
file. It loads the ModSecurity module, and includes the configurations and CRS:vi /usr/local/etc/apache24/httpd.conf
- And add/modify the following
## Load security module LoadModule security2_module libexec/apache22/mod_security2.so ## Configure security module <IfModule security2_module> # Include ModSecurity configuration Include /usr/local/etc/modsecurity/modsecurity.conf # Include OWASP Core Rule Set (CRS) configuration and base rules Include /usr/local/etc/modsecurity/modsecurity_crs_10_setup.conf Include /usr/local/etc/modsecurity/crs/base_rules/*.conf # Add custom configuration and CRS exceptions here. Example: # SecRuleRemoveById 960015 </IfModule>
- And add/modify the following
- When the configuration is all set, simply restart Apache:
service apache24 restart
- Confirm that ModSecurity is loaded by checking Apache's log file:
tail /var/log/httpd-error.log
- Example output:
ModSecurity for Apache/2.7.7 (http://www.modsecurity.org/) configured. ModSecurity: APR compiled version="1.4.8"; loaded version="1.4.8" ModSecurity: PCRE compiled version="8.34 "; loaded version="8.34 2013-12-15" ModSecurity: LIBXML compiled version="2.8.0"
- Confirm that ModSecurity is loaded by checking Apache's log file:
- Blocking mode can be enabled by editing
modsecurity.conf
and changing the following line:SecRuleEngine On
- And restart apache to apply it:
service apache24 restart
- And restart apache to apply it:
- Keep the CRS updated from time to time:
cd /usr/local/etc/modsecurity/crs git pull
Install mod_evasive¶
mod_evasive is an evasive maneuvers module for Apache to provide evasive action in the event of an HTTP DoS or DDoS attack or brute force attack. It is also designed to be a detection and network management tool, and can be easily configured to talk to ipchains, firewalls, routers, and etcetera. mod_evasive presently reports abuses via email and syslog facilities.
- Edit the mod_evasive Makefile:
cd /usr/ports/www/mod_evasive vi Makefile
- And change the line USE_APACHE=22 to:
USE_APACHE= 24
- And change the line USE_APACHE=22 to:
- Begin compilation:
make install clean
- Currently the port will fail with output similar to the following:
mod_evasive20.c: In function 'access_checker': mod_evasive20.c:142: error: 'conn_rec' has no member named 'remote_ip' mod_evasive20.c:146: error: 'conn_rec' has no member named 'remote_ip' mod_evasive20.c:158: error: 'conn_rec' has no member named 'remote_ip' mod_evasive20.c:165: error: 'conn_rec' has no member named 'remote_ip' mod_evasive20.c:180: error: 'conn_rec' has no member named 'remote_ip' mod_evasive20.c:187: error: 'conn_rec' has no member named 'remote_ip' mod_evasive20.c:208: error: 'conn_rec' has no member named 'remote_ip' mod_evasive20.c:212: warning: implicit declaration of function 'getpid' mod_evasive20.c:215: error: 'conn_rec' has no member named 'remote_ip' mod_evasive20.c:221: error: 'conn_rec' has no member named 'remote_ip' mod_evasive20.c:222: error: 'conn_rec' has no member named 'remote_ip' mod_evasive20.c:228: error: 'conn_rec' has no member named 'remote_ip' apxs:Error: Command failed with rc=65536 . *** [do-build] Error code 1 Stop in /usr/ports/www/mod_evasive.
- Currently the port will fail with output similar to the following:
- Fix the working mod_evasive source code:
sed -i '' -e 's/remote_ip/client_ip/g' work/mod_evasive/mod_evasive20.c
- Then finish installing mod_evasive:
make install clean
- Edit the Apache httpd.conf file:
vi /usr/local/etc/apache24/httpd.conf
- And add the following:
## Load evasive module LoadModule evasive20_module libexec/apache24/mod_evasive20.so ## Configure evasive module <IfModule evasive20_module> #increases size of hash table. Good, but uses more RAM. DOSHashTableSize 3097 #Interval, in seconds, of the page interval. DOSPageInterval 1 #Interval, in seconds, of the site interval. DOSSiteInterval 1 #period, in seconds, a client is blocked. The counter is reset to 0 with every access within this interval. DOSBlockingPeriod 10 #threshold of requests per page, per page interval. If hit == block. DOSPageCount 2 #threshold of requests for any object by the same ip, on the same listener, per site interval. DOSSiteCount 50 #locking mechanism prevents repeated calls. email can be sent when host is blocked (leverages the following by default "/bin/mail -t %s") DOSEmailNotify admin@example.com #locking mechanism prevents repeated calls. A command can be executed when a host is blocked. %s is the host IP. #DOSSystemCommand "su - someuser -c '/sbin/... %s ...'" #DOSLogDir "/var/lock/mod_evasive" #whitelist an IP., leverage wildcards, not CIDR, like 127.0.0.* #DOSWhiteList 127.0.0.1 </IfModule>
- And add the following:
- Restart apache24 to enable mod_evasive
service apache24 restart
Harden PHP¶
Restrict PHP leakage¶
- To restrict PHP information leakage disable expose_php. Edit the
php.ini
file and set the following directive:vi /usr/local/etc/php.ini
- And modify the following parameter:
expose_php=Off
- And modify the following parameter:
Log All PHP Errors¶
- Do not expose PHP error messages to all site visitors. Edit
php.ini
and set the following directive:display_errors=Off
- Make sure you log all php errors to a log file:
log_errors=On error_log=/var/log/php-error.log
Disable File Uploads¶
- Edit
php.ini
and set the following directive to disable file uploads for security reasons:file_uploads=Off
- If users of your application need to upload files, turn this feature on by setting
upload_max_filesize
limits the maximum size of files that PHP will accept through uploads:file_uploads=On # user can only upload upto 1MB via php upload_max_filesize=1M
Disabling Dangerous PHP Functions¶
- PHP has a lot of functions which can be used to crack your server if not used properly. You can set list of functions in
php.ini
usingdisable_functions
directive:disable_functions =exec,passthru,shell_exec,system,proc_open,popen,curl_exec,curl_multi_exec,parse_ini_file,show_source
Resources¶
http://www.cyberciti.biz/tips/php-security-best-practices-tutorial.html
http://www.cyberciti.biz/faq/freebsd-install-configure-mod_security/
https://lifeforms.nl/20140221/install-modsecurity-freebsd/
http://www.ansoncheunghk.info/article/7-simple-steps-harden-apache-and-php-linux
https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual
https://github.com/SpiderLabs/owasp-modsecurity-crs
https://forums.freebsd.org/threads/mod_evasiv.48806/
https://mbrownnyc.wordpress.com/technology-solutions/create-a-secure-linux-web-server/install-and-configure-mod_evasive-for-apache-2-4-x/
Related issues