Project

General

Profile

Support #560

Updated by Daniel Curtis almost 10 years ago

{{>toc}} 

 This is a simple guide for hardening the default settings of Apache and PHP on FreeBSD 9.2. I use a combination of some or all of the following configurations in my production systems. 

 * Update the system and ports tree: 
 <pre> 
 pkg update && pkg upgrade 
 portsnap fetch extract 
 </pre> 

 * Install git: 
 <pre> 
 pkg install git 
 </pre> 

 --- 

 h1. Harden Apache 2.4 

 h2. Remove Server information on error page 

 * Disallow server to print out any Linux and Apache information on error pages. 
 <pre> 
 vi /usr/local/etc/apache24/httpd.conf 
 </pre> 
 

 #* Add/modify the following lines as following: 
 <pre> 
 ServerToken Prod 
 ServerSignature Off 
 </pre> 

 h2. Disable Directory Listing 

 * Edit the httpd.conf file 
 <pre> 
 vi /usr/local/etc/apache24/httpd.conf 
 </pre> 
 #* Then add a minus "-" before the "Indexes" and it should be look like that after modification: 
 <pre> 
 <Directory /usr/local/www/apache24/data> 
     Options -Indexes FollowSymLinks MultiViews 
     AllowOverride None 
     Order allow,deny 
     allow from all 
 </Directory> 
 </pre> 

 h2. Enhance security on Apache rewrite 

 * In order to prevent Cross-Site-Tracing attack, the following lines to be added within each @<VirtualHost *:80>@ block  
 <pre> 
 <IfModule mod_rewrite.c> 
     RewriteEngine On 
     RewriteCond %{REQUEST_METHOD} ^(TRACE|TRACK) 
     RewriteRule .* - [F] 
 </IfModule> 
 </pre> 

 h2. Install mod_security 

 * Install mod_security 
 <pre> 
 pkg install ap24-mod_security 
 </pre> 

 * ModSecurity requires firewall rule definitions. Most people use the OWASP ModSecurity Core Rule Set (CRS). The easiest way to track the OWASP CRS repository right now is to use Git. Let's make a directory for all our ModSecurity related stuff, and clone the CRS repository under it 
 <pre> 
 mkdir -p /usr/local/etc/modsecurity && cd /usr/local/etc/modsecurity 
 git clone https://github.com/SpiderLabs/owasp-modsecurity-crs crs 
 </pre> 

 * Copy the default ModSecurity config file: 
 <pre> 
 cp /usr/local/etc/modsecurity.conf-example /usr/local/etc/modsecurity/modsecurity.conf 
 </pre> 

 * And fetch a necessary file which is currently not included in the port: 
 <pre> 
 fetch https://raw.github.com/SpiderLabs/ModSecurity/master/unicode.mapping 
 </pre> 

 * Copy the default ModSecurity CRS config file: 
 <pre> 
 cp crs/modsecurity_crs_10_setup.conf.example modsecurity_crs_10_setup.conf 
 </pre> 

 * Now create an Apache configuration snippet in Apache's @httpd.conf@ file. It loads the ModSecurity module, and includes the configurations and CRS: 
 <pre> 
 vi /usr/local/etc/apache24/httpd.conf 
 </pre> 
 #* And add/modify the following 
 <pre> 
 LoadModule security2_module libexec/apache22/mod_security2.so 

 <IfModule security2_module> 
     # Include ModSecurity configuration 
     Include /usr/local/etc/modsecurity/modsecurity.conf 

     # Include OWASP Core Rule Set (CRS) configuration and base rules 
     Include /usr/local/etc/modsecurity/modsecurity_crs_10_setup.conf 
     Include /usr/local/etc/modsecurity/crs/base_rules/*.conf 

     # Add custom configuration and CRS exceptions here. Example: 
     # SecRuleRemoveById 960015 
 </IfModule> 
 </pre> 

 * When the configuration is all set, simply restart Apache:  
 <pre> 
 service apache24 restart 
 </pre> 
 #* Confirm that ModSecurity is loaded by checking Apache's log file: 
 <pre> 
 tail /var/log/httpd-error.log 
 </pre> 
 #* _Example output_: 
 <pre> 
 ModSecurity for Apache/2.7.7 (http://www.modsecurity.org/) configured. 
 ModSecurity: APR compiled version="1.4.8"; loaded version="1.4.8" 
 ModSecurity: PCRE compiled version="8.34 "; loaded version="8.34 2013-12-15" 
 ModSecurity: LIBXML compiled version="2.8.0" 
 </pre> 

 * Blocking mode can be enabled by editing @modsecurity.conf@ and changing the following line: 
 <pre> 
 SecRuleEngine On 
 </pre> 
 #* And restart apache to apply it: 
 <pre> 
 service apache24 restart 
 </pre> 

 * Keep the CRS updated from time to time: 
 <pre> 
 cd /usr/local/etc/modsecurity/crs 
 git pull 
 </pre> 

 h2. Install mod_evasive 

 * Edit the mod_evasive Makefile: 
 <pre> 
 cd /usr/ports/www/mod_evasive 
 vi Makefile 
 </pre> 
 #* And change the line *USE_APACHE=22* to: 
 <pre> 
 USE_APACHE=       24 
 </pre> 

 * Begin compilation: 
 <pre> 
 make install clean 
 </pre> 
 #* Currently the port will fail with output similar to the following: 
 <pre> 
 mod_evasive20.c: In function 'access_checker': 
 mod_evasive20.c:142: error: 'conn_rec' has no member named 'remote_ip' 
 mod_evasive20.c:146: error: 'conn_rec' has no member named 'remote_ip' 
 mod_evasive20.c:158: error: 'conn_rec' has no member named 'remote_ip' 
 mod_evasive20.c:165: error: 'conn_rec' has no member named 'remote_ip' 
 mod_evasive20.c:180: error: 'conn_rec' has no member named 'remote_ip' 
 mod_evasive20.c:187: error: 'conn_rec' has no member named 'remote_ip' 
 mod_evasive20.c:208: error: 'conn_rec' has no member named 'remote_ip' 
 mod_evasive20.c:212: warning: implicit declaration of function 'getpid' 
 mod_evasive20.c:215: error: 'conn_rec' has no member named 'remote_ip' 
 mod_evasive20.c:221: error: 'conn_rec' has no member named 'remote_ip' 
 mod_evasive20.c:222: error: 'conn_rec' has no member named 'remote_ip' 
 mod_evasive20.c:228: error: 'conn_rec' has no member named 'remote_ip' 
 apxs:Error: Command failed with rc=65536 
 . 
 *** [do-build] Error code 1 

 Stop in /usr/ports/www/mod_evasive. 
 </pre> 

 * Fix the working mod_evasive source code: 
 <pre> 
 sed -i '' -e 's/remote_ip/client_ip/g' work/mod_evasive/mod_evasive20.c 
 </pre> 

 * Then finish installing mod_evasive: 
 <pre> 
 make install clean 
 </pre> 

 * Edit the Apache httpd.conf file: 
 <pre> 
 vi /usr/local/etc/apache24/httpd.conf 
 </pre> 
 #* And add the following: 
 <pre> 
 LoadModule evasive20_module     libexec/apache24/mod_evasive20.so 

 <IfModule evasive20_module> 
 #increases size of hash table. Good, but uses more RAM. 
 DOSHashTableSize      3097 
 #Interval, in seconds, of the page interval. 
 DOSPageInterval       1 
 #Interval, in seconds, of the site interval. 
 DOSSiteInterval       1 
 #period, in seconds, a client is blocked.    The counter is reset to 0 with every access within this interval. 
 DOSBlockingPeriod     10 
 #threshold of requests per page, per page interval.    If hit == block. 
 DOSPageCount          2 
 #threshold of requests for any object by the same ip, on the same listener, per site interval. 
 DOSSiteCount          50 
 #locking mechanism prevents repeated calls.    email can be sent when host is blocked (leverages the following by default "/bin/mail -t %s") 
 DOSEmailNotify        admin@example.com 
 #locking mechanism prevents repeated calls.    A command can be executed when a host is blocked.    %s is the host IP. 
 #DOSSystemCommand      "su - someuser -c '/sbin/... %s ...'" 
 #DOSLogDir             "/var/lock/mod_evasive" 
 #whitelist an IP., leverage wildcards, not CIDR, like 127.0.0.* 
 #DOSWhiteList 127.0.0.1 
 </IfModule> 
 </pre> 

 * Restart apache24 to enable mod_evasive 
 <pre> 
 service apache24 restart 
 </pre> 

 --- 

 h1. Harden PHP 

 h2. Restrict PHP leakage 

 * To restrict PHP information leakage disable expose_php. Edit the @php.ini@ file and set the following directive: 
 <pre> 
 vi /usr/local/etc/php.ini 
 </pre> 
 #* And modify the following parameter: 
 <pre> 
 expose_php=Off 
 </pre> 

 h2. Log All PHP Errors 

 * Do not expose PHP error messages to all site visitors. Edit @php.ini@ and set the following directive: 
 <pre> 
 display_errors=Off 
 </pre> 

 * Make sure you log all php errors to a log file: 
 <pre> 
 log_errors=On 
 error_log=/var/log/php-error.log 
 </pre> 

 h2. Disable File Uploads 

 * Edit @php.ini@ and set the following directive to disable file uploads for security reasons: 
 <pre> 
 file_uploads=Off 
 </pre> 

 * If users of your application need to upload files, turn this feature on by setting @upload_max_filesize@ limits the maximum size of files that PHP will accept through uploads: 
 <pre> 
 file_uploads=On 
 # user can only upload upto 1MB via php 
 upload_max_filesize=1M 
 </pre> 

 h2. Disabling Dangerous PHP Functions 

 * PHP has a lot of functions which can be used to crack your server if not used properly. You can set list of functions in @php.ini@ using @disable_functions@ directive:  
 <pre> 
 disable_functions =exec,passthru,shell_exec,system,proc_open,popen,curl_exec,curl_multi_exec,parse_ini_file,show_source 
 </pre> 

 h1. Resources 

 http://www.cyberciti.biz/tips/php-security-best-practices-tutorial.html 
 http://www.cyberciti.biz/faq/freebsd-install-configure-mod_security/ 
 https://lifeforms.nl/20140221/install-modsecurity-freebsd/ 
 http://www.ansoncheunghk.info/article/7-simple-steps-harden-apache-and-php-linux 
 https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual 
 https://github.com/SpiderLabs/owasp-modsecurity-crs 
 https://forums.freebsd.org/threads/mod_evasiv.48806/ 
 https://mbrownnyc.wordpress.com/technology-solutions/create-a-secure-linux-web-server/install-and-configure-mod_evasive-for-apache-2-4-x/

Back