
Install

...

With Ubuntu, installing is very straightforward,

...

Info

What about Zero Footprint Apache? Definitely doable, but practically, with virtualization and how rarely Apache actually changes right now, I'm leaning towards just scripting the configuration files inside a container.

Having said that, if time permits I might build a BonsaiFramework version.

Test

Verify that the Apache web server is running first by hitting your server's IP address in a browser. If you do not know your IP address, at the console type,

...

You should see a default Apache webpage.

Stopping, Starting, Restarting and Reload

You should know the basic commands for running Apache 2. Go ahead and try them. Note: ignore the warning message about "fully qualified domain name"; that is covered in the next section.

...

sudo /etc/init.d/apache2 stop
sudo /etc/init.d/apache2 start
sudo /etc/init.d/apache2 restart
sudo /etc/init.d/apache2 reload

Provide Server Name

Apache is working fine, but during restart you will get the warning message, "apache2: Could not reliably determine the server's fully qualified domain name, using ...".

...

Note

As with any security notes, I will write a disclaimer that there are more advanced ways to secure Apache. You can go as far as compiling your own custom version but that's out of scope for now.

...

Disable Server Information

...

Banner

By default Apache provides extra information about your web server to the public when 403, 404, 502 or similar error pages are invoked. The information could be used to look up vulnerabilities on the particular version of Apache you are running.

If you visit a page that does not exist you will invoke a 404 error, resulting in a Not Found page similar to the one below,


Not Found

The requested URL /invalidpage.html was not found on this server.

Apache/2.4.18 (Ubuntu) Server at www.bonsaiframework.com Port 80

Edit /etc/apache2/conf-available/security.conf,

set ServerTokens Prod - This turns off all the extra header information sent by Apache. Primarily, it would let a client know what version of Apache is being used. The information could be used to look up vulnerabilities on the particular version of Apache you are running.

set ServerSignature Off - Removes the footer information from default Apache pages, for example the page not found error.

...

Restart Apache for the change to take effect and verify by invoking a 404 again.

Disabling Unnecessary Modules

...

Will flesh this out some more ...

Testing Apache Server

...

Disable Etag Header

ETag (entity tag) was introduced to help improve caching. However, besides not being very effective in enterprise cluster environments, it also provides sensitive information like the inode number, multipart MIME boundary and child processes. It allows hackers to uniquely identify a particular server.

Unless you have a compelling reason, you may,

  1. Disable the ETag entirely - rely on the default Expires or Cache-Control header information.
  2. Minimally, disable the INode component.

... to fill out
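The settings from the Banner section (ServerTokens, ServerSignature) and the ETag section above can be checked before restarting Apache. The following script is an added example, not part of the original wiki page: it reads an Apache configuration file such as /etc/apache2/conf-available/security.conf and reports which of the three directives still leak information. The directive names ServerTokens, ServerSignature and FileETag are the real Apache 2.4 directives (the page itself does not name the ETag directive); the file path, the "last definition wins" reading of the file, and the two sample config files at the bottom are assumptions constructed for the demo.

```shell
#!/bin/sh
# Added example, not from the original wiki page. Audits an Apache config file
# (for example /etc/apache2/conf-available/security.conf) for the three
# information-leak directives discussed on this page. Directive names are the
# real Apache 2.4 ones; the file path and sample contents below are assumed.

# Effective value of a directive in a file: comment lines are skipped and, as
# in Apache, the last definition wins. Prints an empty line if it is not set.
directive_value() {
    awk -v name="$2" '
        /^[[:space:]]*#/ { next }
        tolower($1) == tolower(name) { $1 = ""; sub(/^[[:space:]]+/, ""); val = $0 }
        END { print val }
    ' "$1"
}

# Returns 0 when the file matches the hardened settings described above:
# ServerTokens Prod, ServerSignature Off, and a FileETag that does not
# include the inode number (None, or a component list without INode/All).
audit_apache_conf() {
    conf="$1"
    status=0

    tokens=$(directive_value "$conf" ServerTokens | tr 'A-Z' 'a-z')
    if [ "$tokens" = "prod" ]; then
        echo "OK   ServerTokens Prod"
    else
        echo "WARN ServerTokens '${tokens:-unset}' exposes version details in the Server header"
        status=1
    fi

    sig=$(directive_value "$conf" ServerSignature | tr 'A-Z' 'a-z')
    if [ "$sig" = "off" ]; then
        echo "OK   ServerSignature Off"
    else
        echo "WARN ServerSignature '${sig:-unset}' leaves the version footer on error pages"
        status=1
    fi

    etag=$(directive_value "$conf" FileETag | tr 'A-Z' 'a-z')
    case " $etag " in
        *" all "*|*" +all "*|*" inode "*|*" +inode "*)
            echo "WARN FileETag '$etag' includes the inode number"
            status=1 ;;
        "  ")
            echo "OK   FileETag unset (Apache 2.4 default is MTime Size, no INode)" ;;
        *)
            echo "OK   FileETag $etag" ;;
    esac
    return $status
}

# Stand-alone demo on two constructed sample files (not real server configs).
demo_dir=$(mktemp -d)
cat > "$demo_dir/weak.conf" <<'EOF'
# constructed sample: version in header and footer, inode in the ETag
ServerTokens OS
ServerSignature On
FileETag INode MTime Size
EOF
cat > "$demo_dir/hardened.conf" <<'EOF'
# constructed sample: the later ServerTokens line is the one that counts
ServerTokens Full
ServerTokens Prod
ServerSignature Off
FileETag MTime Size
EOF
echo "== weak.conf";     audit_apache_conf "$demo_dir/weak.conf"     || echo "result: needs hardening"
echo "== hardened.conf"; audit_apache_conf "$demo_dir/hardened.conf" && echo "result: hardened"
rm -rf "$demo_dir"
```

Run it as `sh audit.sh` to see both samples scored; to check a live server, call `audit_apache_conf /etc/apache2/conf-available/security.conf` and remember that directives set in other enabled files (sites-enabled, apache2.conf) are not read by this single-file check.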

Turn off Default Website

...

Advanced Server Hardening

Building out a dedicated section to this.


Uninstall Apache

...

Completely

These instructions need to be improved, and there is nothing here about removing logs.

1. Stop Apache (either form works):

sudo service apache2 stop
sudo /etc/init.d/apache2 stop

2. Remove the package:

sudo apt-get remove apache2

...
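Because the note above points out that package removal says nothing about logs, it helps to see what is actually left on disk afterwards. The script below is an added example, not from the original wiki page: it lists the standard Debian/Ubuntu Apache paths that still exist after the remove step. The path list is an assumption based on the usual apache2 package layout, and the ROOT argument (default /) exists so the check can be exercised against a constructed directory tree.

```shell
#!/bin/sh
# Added example, not from the original wiki page. After "apt-get remove
# apache2", prints Apache-related paths that still exist so you can see what
# was left behind (configuration, default site, logs). The path list is an
# assumption based on the standard Debian/Ubuntu apache2 layout; ROOT lets
# the same check run against a fake tree for testing (use / on a real host).

# Prints each leftover path (as it would appear under ROOT) and returns 1 if
# any remain, 0 if the tree is clean.
apache_leftovers() {
    root="${1:-/}"
    found=0
    for rel in etc/apache2 etc/init.d/apache2 usr/sbin/apache2 \
               var/www/html var/log/apache2 var/lib/apache2 var/cache/apache2; do
        if [ -e "$root/$rel" ]; then
            echo "LEFTOVER /$rel"
            found=1
        fi
    done
    if [ "$found" -eq 0 ]; then
        echo "no Apache leftovers under $root"
    fi
    return $found
}

# Stand-alone demo on a constructed fake root: config and logs remain after
# a plain remove, so the first check reports them; the second tree is clean.
demo_root=$(mktemp -d)
mkdir -p "$demo_root/etc/apache2" "$demo_root/var/log/apache2"
echo "== after remove (constructed tree)"
apache_leftovers "$demo_root" || echo "result: cleanup still needed"
rm -rf "$demo_root/etc/apache2" "$demo_root/var/log/apache2"
echo "== after cleanup"
apache_leftovers "$demo_root" && echo "result: clean"
rm -rf "$demo_root"
```

On a real host run `apache_leftovers /` as root; anything it lists is what the remove step did not touch and has to be dealt with separately (configuration under /etc/apache2 and the logs under /var/log/apache2 being the usual survivors).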

Rackspace wiki on hardening Apache Web Server - http://cloudservers.mosso.com/index.php/Ubuntu_-_Apache_configuration#Security_Settings

Apache Web Server Hardening Guide - https://geekflare.com/apache-web-server-hardening-security/