Support #560
Updated by Daniel Curtis almost 10 years ago
{{>toc}} This is a simple guide for hardening the default settings of Apache and PHP on FreeBSD 9.2. I use a combination of some or all of the following configurations in my production systems. * Update the system and ports tree: <pre> pkg update && pkg upgrade portsnap fetch extract </pre> * Install git: <pre> pkg install git </pre> --- h1. Harden Apache 2.4 h2. Remove Server information on error page * Disallow server to print out any Linux and Apache information on error pages. <pre> vi /usr/local/etc/apache24/httpd.conf </pre> #* Add/modify the following lines as following: <pre> ## Prevent apache from sending identifying information ServerToken Prod ServerSignature Off </pre> h2. Disable Directory Listing * Edit the httpd.conf file <pre> vi /usr/local/etc/apache24/httpd.conf </pre> #* Then add a minus "-" before the "Indexes" and it should be look like that after modification: <pre> <Directory /usr/local/www/apache24/data> ## Disable Indexes option Options -Indexes FollowSymLinks MultiViews AllowOverride None Order allow,deny allow from all </Directory> </pre> h2. Enhance security on Apache rewrite * In order to prevent Cross-Site-Tracing attacks, attack, the following lines to be added within each @<VirtualHost *:80>@ block <pre> ## Prevent Cross-Site-Tracing attacks <IfModule mod_rewrite.c> RewriteEngine On RewriteCond %{REQUEST_METHOD} ^(TRACE|TRACK) RewriteRule .* - [F] </IfModule> </pre> h2. Install mod_security > ModSecurity is an open source, cross-platform web application firewall (WAF) module. Known as the "Swiss Army Knife" of WAFs, it enables web application defenders to gain visibility into HTTP(S) traffic and provides a power rules language and API to implement advanced protections. * Install mod_security <pre> pkg install ap24-mod_security </pre> * ModSecurity requires firewall rule definitions. Most people use the OWASP ModSecurity Core Rule Set (CRS). The easiest way to track the OWASP CRS repository right now is to use Git. Let's make a directory for all our ModSecurity related stuff, and clone the CRS repository under it <pre> mkdir -p /usr/local/etc/modsecurity && cd /usr/local/etc/modsecurity git clone https://github.com/SpiderLabs/owasp-modsecurity-crs crs </pre> * Copy the default ModSecurity config file: <pre> cp /usr/local/etc/modsecurity.conf-example /usr/local/etc/modsecurity/modsecurity.conf </pre> * And fetch a necessary file which is currently not included in the port: <pre> fetch https://raw.github.com/SpiderLabs/ModSecurity/master/unicode.mapping </pre> * Copy the default ModSecurity CRS config file: <pre> cp crs/modsecurity_crs_10_setup.conf.example modsecurity_crs_10_setup.conf </pre> * Now create an Apache configuration snippet in Apache's @httpd.conf@ file. It loads the ModSecurity module, and includes the configurations and CRS: <pre> vi /usr/local/etc/apache24/httpd.conf </pre> #* And add/modify the following <pre> ## Load security module LoadModule security2_module libexec/apache22/mod_security2.so ## Configure security module <IfModule security2_module> # Include ModSecurity configuration Include /usr/local/etc/modsecurity/modsecurity.conf # Include OWASP Core Rule Set (CRS) configuration and base rules Include /usr/local/etc/modsecurity/modsecurity_crs_10_setup.conf Include /usr/local/etc/modsecurity/crs/base_rules/*.conf # Add custom configuration and CRS exceptions here. Example: # SecRuleRemoveById 960015 </IfModule> </pre> * When the configuration is all set, simply restart Apache: <pre> service apache24 restart </pre> #* Confirm that ModSecurity is loaded by checking Apache's log file: <pre> tail /var/log/httpd-error.log </pre> #* _Example output_: <pre> ModSecurity for Apache/2.7.7 (http://www.modsecurity.org/) configured. ModSecurity: APR compiled version="1.4.8"; loaded version="1.4.8" ModSecurity: PCRE compiled version="8.34 "; loaded version="8.34 2013-12-15" ModSecurity: LIBXML compiled version="2.8.0" </pre> * Blocking mode can be enabled by editing @modsecurity.conf@ and changing the following line: <pre> SecRuleEngine On </pre> #* And restart apache to apply it: <pre> service apache24 restart </pre> * Keep the CRS updated from time to time: <pre> cd /usr/local/etc/modsecurity/crs git pull </pre> h2. Install mod_evasive > mod_evasive is an evasive maneuvers module for Apache to provide evasive action in the event of an HTTP DoS or DDoS attack or brute force attack. It is also designed to be a detection and network management tool, and can be easily configured to talk to ipchains, firewalls, routers, and etcetera. mod_evasive presently reports abuses via email and syslog facilities. * Edit the mod_evasive Makefile: <pre> cd /usr/ports/www/mod_evasive vi Makefile </pre> #* And change the line *USE_APACHE=22* to: <pre> USE_APACHE= 24 </pre> * Begin compilation: <pre> make install clean </pre> #* Currently the port will fail with output similar to the following: <pre> mod_evasive20.c: In function 'access_checker': mod_evasive20.c:142: error: 'conn_rec' has no member named 'remote_ip' mod_evasive20.c:146: error: 'conn_rec' has no member named 'remote_ip' mod_evasive20.c:158: error: 'conn_rec' has no member named 'remote_ip' mod_evasive20.c:165: error: 'conn_rec' has no member named 'remote_ip' mod_evasive20.c:180: error: 'conn_rec' has no member named 'remote_ip' mod_evasive20.c:187: error: 'conn_rec' has no member named 'remote_ip' mod_evasive20.c:208: error: 'conn_rec' has no member named 'remote_ip' mod_evasive20.c:212: warning: implicit declaration of function 'getpid' mod_evasive20.c:215: error: 'conn_rec' has no member named 'remote_ip' mod_evasive20.c:221: error: 'conn_rec' has no member named 'remote_ip' mod_evasive20.c:222: error: 'conn_rec' has no member named 'remote_ip' mod_evasive20.c:228: error: 'conn_rec' has no member named 'remote_ip' apxs:Error: Command failed with rc=65536 . *** [do-build] Error code 1 Stop in /usr/ports/www/mod_evasive. </pre> * Fix the working mod_evasive source code: <pre> sed -i '' -e 's/remote_ip/client_ip/g' work/mod_evasive/mod_evasive20.c </pre> * Then finish installing mod_evasive: <pre> make install clean </pre> * Edit the Apache httpd.conf file: <pre> vi /usr/local/etc/apache24/httpd.conf </pre> #* And add the following: <pre> ## Load evasive module LoadModule evasive20_module libexec/apache24/mod_evasive20.so ## Configure evasive module <IfModule evasive20_module> #increases size of hash table. Good, but uses more RAM. DOSHashTableSize 3097 #Interval, in seconds, of the page interval. DOSPageInterval 1 #Interval, in seconds, of the site interval. DOSSiteInterval 1 #period, in seconds, a client is blocked. The counter is reset to 0 with every access within this interval. DOSBlockingPeriod 10 #threshold of requests per page, per page interval. If hit == block. DOSPageCount 2 #threshold of requests for any object by the same ip, on the same listener, per site interval. DOSSiteCount 50 #locking mechanism prevents repeated calls. email can be sent when host is blocked (leverages the following by default "/bin/mail -t %s") DOSEmailNotify admin@example.com #locking mechanism prevents repeated calls. A command can be executed when a host is blocked. %s is the host IP. #DOSSystemCommand "su - someuser -c '/sbin/... %s ...'" #DOSLogDir "/var/lock/mod_evasive" #whitelist an IP., leverage wildcards, not CIDR, like 127.0.0.* #DOSWhiteList 127.0.0.1 </IfModule> </pre> * Restart apache24 to enable mod_evasive <pre> service apache24 restart </pre> --- h1. Harden PHP h2. Restrict PHP leakage * To restrict PHP information leakage disable expose_php. Edit the @php.ini@ file and set the following directive: <pre> vi /usr/local/etc/php.ini </pre> #* And modify the following parameter: <pre> expose_php=Off </pre> h2. Log All PHP Errors * Do not expose PHP error messages to all site visitors. Edit @php.ini@ and set the following directive: <pre> display_errors=Off </pre> * Make sure you log all php errors to a log file: <pre> log_errors=On error_log=/var/log/php-error.log </pre> h2. Disable File Uploads * Edit @php.ini@ and set the following directive to disable file uploads for security reasons: <pre> file_uploads=Off </pre> * If users of your application need to upload files, turn this feature on by setting @upload_max_filesize@ limits the maximum size of files that PHP will accept through uploads: <pre> file_uploads=On # user can only upload upto 1MB via php upload_max_filesize=1M </pre> h2. Disabling Dangerous PHP Functions * PHP has a lot of functions which can be used to crack your server if not used properly. You can set list of functions in @php.ini@ using @disable_functions@ directive: <pre> disable_functions =exec,passthru,shell_exec,system,proc_open,popen,curl_exec,curl_multi_exec,parse_ini_file,show_source </pre> h1. Resources http://www.cyberciti.biz/tips/php-security-best-practices-tutorial.html http://www.cyberciti.biz/faq/freebsd-install-configure-mod_security/ https://lifeforms.nl/20140221/install-modsecurity-freebsd/ http://www.ansoncheunghk.info/article/7-simple-steps-harden-apache-and-php-linux https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual https://github.com/SpiderLabs/owasp-modsecurity-crs https://forums.freebsd.org/threads/mod_evasiv.48806/ https://mbrownnyc.wordpress.com/technology-solutions/create-a-secure-linux-web-server/install-and-configure-mod_evasive-for-apache-2-4-x/