Apache Configuration Security Checklist
Apache is the most widely used HTTP daemon on *nix-based servers. This checklist will help you secure your install and reduce the chance of exploitable weaknesses being found within it. Apache installations ship with a default configuration that is already fairly secure; this checklist covers some of the additional methods you can use to harden your installation.
httpd.conf - the Options directive
The Options directive is potentially the most important setting you can use to secure your Apache install: it allows a variety of abilities to be restricted on either a global or per-user basis. The most commonly used settings are below (a leading minus sign removes the named option, a leading plus sign adds it):
- -ExecCGI - prevents execution of CGI scripts. This can be used to prevent execution of, for example, uploaded Perl scripts which could be used to maliciously access other files on the file system.
- -Includes - prevents the use of Server Side Includes (SSI), a little-known Apache feature that lets one file 'include' others (i.e. nesting); very few people use it. Combined with a CGI bug, it could make XSS-type attacks on your users possible.
- -Indexes - prevents Apache from producing a directory listing for directories that have no index page (such as index.html). This stops visitors seeing your directory structure and the files within each directory; if you have sensitive files that are not password protected (although they should be!), it helps prevent users of your site from finding them.
- -FollowSymLinks - prevents Apache from following symbolic links in your file system. A symbolic link could, for example, point from yourwebsite.com/etcdirectory/ to /etc (which contains configuration files as well as /etc/shadow and /etc/passwd).
Modules
By default, Apache ships with a number of built-in modules that supplement the daemon's core functionality. Some are designed to extend functionality (such as mod_cgi) and some to enhance security (such as mod_security). A summary of the most important ones is below:
- mod_security is an Apache module primarily intended to supplement Apache's default security features. It is written by Ivan Ristic, who has himself authored books on Apache security. It supplements the default (and primitive) security functionality with request filtering (through regular expressions), easy-to-use chroot support, identity masking and other similar configurable options.
- mod_cgi allows CGI scripts to be executed by Apache. Very few sites use CGI scripts nowadays, preferring languages that execute directly via other modules, such as mod_php (itself on the way out in favour of FastCGI, which is not the same as CGI) and mod_python.
- mod_userdir allows requests using a tilde to reach other users' public_html directories. For instance, if you had users bob, cat, mouse, tom and jerry, then visiting jerryswebsite.com/~tom/ would show the contents of tom's public_html directory if mod_userdir is enabled. While this is not a direct security risk, it can open the potential for XSS.
- mod_include permits the use of Server Side Includes (SSI). As mentioned above, there is no point having it on your system if you do not use it, so it is normally wise simply to disable it.