This article goes through some of the things you can do to protect your web server from certain types of attacks and to keep the disclosure of information down to a minimum. It will show you how to help prevent clickjacking, SSL cipher or mime-based attacks. It will show you how to avoid error messages and other methods giving away more information than is needed.
These can mostly be prevented at a server level so that they apply to all websites that you publish on the server. A brief description of what is being prevented and the resolution is included with each of the step by step examples.
The examples in this article are performed on an Ubuntu LAMP environment but can be applied to any Apache server with a little tweaking for the Linux distribution. I am using the Nano text editor from the PuTTY Command Line Interface but any text editor can perform the same actions.
All of the changes in this article, occur by making modifications to files and restarting Apache. I’ve organised them by the vulnerability/resolution.
Backup before beginning
Before following the examples in this article it is a good idea to make backups of the files we will be modifying before continuing.
sudo cp /etc/apache2/apache2.conf /etc/apache2/apache2.orig
sudo cp /etc/apache2/conf-available/security.conf /etc/apache2/conf-available/security.orig
sudo cp /etc/apache2/mods-available/ssl.conf /etc/apache2/mods-available/ssl.orig
sudo cp /etc/apache2/sites-available/000-default.conf /etc/apache2/sites-available/000-default.orig
Help avoid clickjacking attacks, by ensuring that your content is not embedded into other sites
A malicious person could trick a web user into thinking they are on your site when in fact the user is on their site and is hosting a copy of your site in a frame. This could allow them to steal confidential information or take control of the user’s computer.
This occurs because by default the server doesn’t have a frame option configured. Sites (or servers) can define this to help avoid clickjacking attacks, by ensuring that their content is not embedded into other sites (or other external sites). In this example I will set it so the sites or pages on this server can only be hosted within their self (same origin).
This can be prevented across all sites on a server by setting a header in Apache’s security.conf file.
sudo nano /etc/apache2/conf-available/security.conf
ALTER the line: #Header set X-Frame-Options: “sameorigin”
TO: Header always append X-Frame-Options: SAMEORIGIN
BEFORE
AFTER
Help prevent “mime” based attacks by IE/Chrome
MIME-sniffing capabilities can lead to security problems for servers hosting untrusted content such as user file uploads and these can be exploited by a malicious person using the right browser.
Like the last change this can be prevented across all sites on a server by setting a header in Apache’s security.conf file.
sudo nano /etc/apache2/conf-available/security.conf
ALTER the line: #Header set X-Content-Type-Options: “nosniff”
TO: Header always append X-Content-Type-Options: NOSNIFF
Then SAVE Ctrl+O and quit Ctrl+X nano (or move onto the next change as it’s in the same file).
BEFORE
AFTER
Help avoid giving away more information than is needed through error messages or directory listing
A malicious person could request a page that doesn’t exist and get a 404 page not found message returned. Unless you do something about it, by default, the page will return details of the web server version number and a list of modules enabled on this server.
Any of these things can provide a malicious person with information that can be used to conduct further attacks.
Limiting information returned
Let’s start with error messages giving away server information. This can be solved by making changes to Apache’s security.conf file.
sudo nano /etc/apache2/conf-available/security.conf
REMOVE # in front of “ServerSignature Off“.
ADD # to the front of “ServerSignature On“.
BEFORE
AFTER
Next, we need to reduce the amount of information in request responses so not even the operating system is shown by setting the server to production.
CHANGE “OS” to “Prod” on the ServerToken line that doesn’t have the # in front.
ServerToken Prod
BEFORE
AFTER
Then SAVE Ctrl+O and quit Ctrl+X nano.
Preventing directory listings
To stop any directory that doesn’t return a default “index” web page from returning a directory listing you need to remove “Indexes” from the Apache configuration file. I make sure that I keep FollowSymLinks as certain website installations might need to use shortcut links and I really can’t think of an exploit of it providing that all other protections are in place.
sudo nano /etc/apache2/apache2.conf
In the <Directory /var/www/> section on the “Options” line, add a minus in front of the word “Indexes” (and a plus in front of FollowSymLinks if like me you are keeping that option available).
BEFORE
AFTER
Then SAVE Ctrl+O and quit Ctrl+X nano.
Help prevent BREAST, POODLE and other SSL Cipher attacks
Design vulnerabilities are often found in the way the secure socket layer works on web servers. There have been several successful demonstrations of how an attacker can exploit vulnerabilities to decrypt and extract information from inside an encrypted transaction. Some famous attacking techniques have names like BREAST or POODLE.
It is a hard exploit to perform but nevertheless you can prevent the use of the weaker Cipher Suites or Protocols by editing Apache’s ssl.conf file.
sudo nano /etc/apache2/mods-available/ssl.conf
ADD “:!RC4” to the end of SSLCipherSuite (in the secure cipher section).
REMOVE # in front of SSLHonorCipherOrder and make sure SSLHonorCipherOrder is “On”.
ADD “-SSLv3” to SSLProtocol
BEFORE
AFTER
Then SAVE Ctrl+O and quit Ctrl+X nano.
Limiting HTTP methods
By default, all of the HTTP methods are available and the index method is enabled for Apache websites. The Options HTTP method provides a list of the methods that are supported by the web server whereas the Indexes method allows a list of files and folders to be displayed for a website.
In most cases you will only need to have HTTP GET and POST methods available so you are not allowing other methods of HTTP requests and even a list of the available HTTP methods (OPTIONS).
This can be solved by restricting the HTTP methods to just GET and POST by adding a rewrite rule to the website’s configuration file. I base all my website configurations from the default website so early on I add the rule to the default site and then copy it for all. If you have multiple sites setup then adjust them all.
sudo nano /etc/apache2/sites-available/000-default.conf
ADD the following code before the closing </VirtualHost> tag.
RewriteEngine on
RewriteCond %{REQUEST_METHOD} !^(GET|POST)
RewriteRule .* – [F]
BEFORE
AFTER
Then SAVE Ctrl+O and quit Ctrl+X nano.
This method requires that Apache has rewrite enabled so it is worth checking that or enabling it using the following command.
sudo a2enmod rewrite
Restart Apache
If you have followed any of the examples above you will need to restart Apache for them to come into effect.
sudo service apache2 restart
Related articles
This is part of a series of short articles covering setting up and maintaining a multiple domain web hosting environment using an Ubuntu Linux server. You can find an up-to-date list of those from the Hosting – Ubuntu category.
At the time of writing, I added -SSLv2 but didn’t need to as it was no longer supported in apache. Now-a-days you might want to restrict earlier versions of TLS by adding -TLSv1 and -TLSv1.1 as they are no longer universally supported.