Skip navigation.

Securing Apache on Linux

These are my notes for creating a secure Apache web server using Redhat Linux. This article does not cover protection against denial-of-service attacks.

I am assuming that this is a dedicated web server where only HTTP and SSH requests are accepted by the web server. SSH is an encrypted protocol for terminal emulation and allows secure tunnelling of other protocols such as FTP, so all maintenance of the server is encrypted. Outgoing traffic will be DNS requests, mail and HTTP responses; there might be some queries to a database also.

The simplest way to implement security is to reduce the number of doors to your server. This means we should remove all unneeded network access points, especially background processes (deamons) that listen on various TCP/IP ports, leaving behind the following services:

  • sshd: This is for secure VPN's and encrypted terminal connections to the server. Do not use telnet. An example configuration using MindTerm's SSH Client. We use TeraTerm's SSH client ourselves.
  • httpd: this is the apache deamon.

    Turn off viewing of directories and refrain from using CGI. It is important to be familiar with your scripting languages vulnerabilities (here's a good PHP article), and sanitize all GET and POST inputs. If possible, set all your web directories to read-only. Place all your code outside the web directory paths, and have only skeleton files that call the code within the web directories.

    Avoid symbolic links to areas outside the web directories.

    It is also important that the web server is run under a different user than the one supervising the pages. In this way an attacker who manages to leak through the web will not be able to change the pages.

    How to install private key certificates for SSL.

  • database deamons: If your database is on another server, make sure that server is only accessible from authorized machines of course.

  • Sendmail will still be configured, but only for sending out-going mail using /etc/sysconfig/sendmail to deny incoming mail.

  • Optional tcpwrappers: Controls and controls which hosts can access the server. This is optional if you have a minimal install like what is recommended here.

    In the /etc/hosts.deny file add the following line:

    ALL : ALL
    
    
    and in the /etc/hosts.allow file:
     sshd : ALL
     httpd : ALL
     in.ftpd : 127.0.0.1
    
    note: above does not support sendmail

  • Optional ftpd: makes file transfers work with standard ftp clients. Alternatively, you can use scp or WinSCP. You can control who has access by modifying the /etc/ftphosts file. I recommend you set it to allow only localhost - in other words we will use SSH tunnels to connect.

Choose good passwords for your user id's. Best are phrases which are not vulnerable to a dictionary search, and are reasonably long.

You can audit your TCP/IP ports for exposures by running netstat -a | grep LISTEN to scan your ports. A secure site should have only ports 22 (SSH), 80 (HTTP) and 443 (SSL) exposed. This works on NT also!

Log files are another useful tool for monitoring attacks on your server. Some people suggesting the logging should be to a central secure log server, so hackers will not be able to remove traces of their intrusion so easily.

It is possible to install more sophisticated security checking with ipchains and similar technology. However there is some overhead involved in all this, and it is possible that there are bugs in these software also. Instead i prefer removing as many potential vulnerabilities as possible, and then verifying (to the best of our ability) that the remaining software is secure.

Just before your web server goes live, use TripWire to generate checksums of all files.

Potential Vulnerabilities

The remaining vulnerabilities should be software bugs. Regularly check with your Linux and software vendors for the latest security updates on your kernel, SSH, httpd, ftp etc.

Intrusion Management

You can check which ports are used by which applications using netstat:

$ netstat -ap

Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 *:netbios-ssn           *:*                     LISTEN      925/smbd
tcp        0      0 *:webcache              *:*                     LISTEN      1119/httpd
tcp        0      0 *:x11                   *:*                     LISTEN      990/X
tcp        0      0 *:http                  *:*                     LISTEN      811/squid
tcp        0      0 *:ssh                   *:*                     LISTEN      702/sshd
tcp        0      0 *:https                 *:*                     LISTEN      1119/httpd

IP Tables

You can block specific inbound or outbound ports using iptables and packet filtering. For example, to block destination port 25, use:

iptables -A OUTPUT -p tcp --dport 25 -j DROP

To display iptables rules after above change:

$iptables -L

Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
DROP       tcp  --  anywhere             anywhere           tcp dpt:smtp

This is useful if your server has been hacked and used as a spam server, but you don't know (yet) which program is sending the spam. To confirm emails have been blocked, you can see with netstat (SYN_SENT indicates that the socket is actively attempting to establish a connection):

$ netstat -p | grep smtp

tcp        0      1 10.1.101.53:55878       195.110.126.136:smtp    SYN_SENT  -
tcp        0      1 10.1.101.53:55904       195.110.126.136:smtp    SYN_SENT  -
tcp        0      1 10.1.101.53:55845       195.110.126.136:smtp    SYN_SENT  -
tcp        0      1 10.1.101.53:55871       195.110.126.136:smtp    SYN_SENT  -

To block receiving smtp packets on port 25:

iptables -A INPUT -p tcp --dport 25 -j DROP

Rules created with the iptables command are stored in RAM. For rules to persist through reboot, you need to save them to the /etc/sysconfig/iptables file. To do this, as root, enter

/sbin/service iptables save 

Useful Info on Linux

tri: TCP/IP configuration files.
tri: The bootup process on Red Hat.
tri: Disabling root access. Securing Apache on Linux tri: Tuning Apache for PHP.
tri: Installation of a secure web server from SuSE's perspective.
tri: Another Security How-To for Redhat.

Some PHP Security Resources

http://www.cgisecurity.com/papers/fingerprint-port80.txt http://www.securereality.com.au/studyinscarlet.txt http://www.php.net/manual/en/security.php

Configuration Advice

Partitioning advice

Comment viewing options

Select your preferred way to display the comments and click 'Save settings' to activate your changes.

regarding your support

hello all,

actualy i wont some information with you can u please help me
i ahve only one qustion i like linux os and i am install linux on my pc and right now i wont some information with your company i know what is a iis in windows but what is Apache in red hat linux can you please tell me it's urjent. as soon as possible.

thanks & regards
honey:-)

(

(