
Hardening guide for Apache 2.4.6 on CentOS 6.4 (64bit edition)

Eyal Estrin
Author of Cloud Security Handbook & Security for Cloud Native Applications. Cloud Adoption & Cybersecurity expert.

This document explains the process of installing, configuring and hardening an Apache server from source files, based on a CentOS 6.4 default installation (IPTables and SELinux enabled by default), including support for TLS v1.2 and protection from the BEAST and CRIME attacks. Some of the features explained in this document are supported by only some Internet browsers:

  • X-Frame-Options – Minimum browser support: IE 8.0, Firefox 3.6.9, Chrome 4.1.249, Opera 10.50, Safari 4.0
  • TLS 1.2 – Minimum browser support: IE 8.0 on Windows 7/8 (disabled by default; must be enabled), Firefox 24.0 (disabled by default; must be enabled), Chrome 30, Opera 17, Safari 5.0

Pre-Requirements

  • policycoreutils-python-* package installed
  • setools-libs-* package installed
  • libcgroup-* package installed
  • audit-libs-python-* package installed
  • libsemanage-python-* package installed
  • setools-libs-python-* package installed
  • gcc* package installed
  • gcc-c++* package installed
  • autoconf* package installed
  • automake* package installed

Installation Phase

1. Login to the server using the Root account.

2. Upgrade the OpenSSL build:

   ```sh
   rpm -ivh --nosignature http://rpm.axivo.com/redhat/axivo-release-6-1.noarch.rpm
   yum --enablerepo=axivo update openssl -y
   ```

3. Download the Apache source file into /tmp, from: http://httpd.apache.org/download.cgi

4. Download the APR and APR-Util source files into /tmp, from: https://apr.apache.org/download.cgi

5. Download the PCRE source file into /tmp, from: http://sourceforge.net/projects/pcre/files/pcre/

6. Compile PCRE from the source file:

   ```sh
   tar zxvf /tmp/pcre-8.33.tar.gz -C /tmp
   mv /tmp/pcre-8.33 /usr/local/pcre
   cd /usr/local/pcre
   ./configure --prefix=/usr/local/pcre
   make
   make install
   ```

7. Extract the Apache source files (APR and APR-Util are unpacked into srclib so the bundled build picks them up):

   ```sh
   cd /tmp
   tar zxvf httpd-2.4.6.tar.gz
   cd httpd-2.4.6/srclib/
   tar zxvf ../../apr-1.4.8.tar.gz
   ln -s apr-1.4.8/ apr
   tar zxvf ../../apr-util-1.5.2.tar.gz
   ln -s apr-util-1.5.2/ apr-util
   ```

8. Compile Apache from the source files (the configure command is a single line; it is wrapped here for readability):

   ```sh
   cd /tmp/httpd-2.4.6
   ./configure --prefix=/opt/httpd --with-included-apr --enable-so --enable-ssl \
       --with-ssl=/opt/openssl-1.0.1e --enable-ssl-staticlib-deps \
       --enable-mods-static=ssl --with-pcre=/usr/local/pcre
   make
   make install
   ```

9. Remove the source files:

   ```sh
   rm -rf /tmp/apr-1.4.8.tar.gz
   rm -rf /tmp/apr-util-1.5.2.tar.gz
   rm -rf /tmp/httpd-2.4.6.tar.gz
   rm -rf /tmp/httpd-2.4.6
   rm -rf /tmp/pcre-8.33.tar.gz
   ```

10. Remove the default content:

    ```sh
    rm -rf /opt/httpd/cgi-bin
    rm -rf /opt/httpd/htdocs
    rm -rf /opt/httpd/icons
    rm -rf /opt/httpd/man
    rm -rf /opt/httpd/manual
    rm -rf /opt/httpd/conf/extra/httpd-autoindex.conf
    rm -rf /opt/httpd/conf/extra/httpd-autoindex.conf.in
    rm -rf /opt/httpd/conf/extra/httpd-dav.conf
    rm -rf /opt/httpd/conf/extra/httpd-dav.conf.in
    rm -rf /opt/httpd/conf/extra/httpd-default.conf
    rm -rf /opt/httpd/conf/extra/httpd-default.conf.in
    rm -rf /opt/httpd/conf/extra/httpd-info.conf
    rm -rf /opt/httpd/conf/extra/httpd-info.conf.in
    rm -rf /opt/httpd/conf/extra/httpd-languages.conf
    rm -rf /opt/httpd/conf/extra/httpd-languages.conf.in
    rm -rf /opt/httpd/conf/extra/httpd-manual.conf
    rm -rf /opt/httpd/conf/extra/httpd-manual.conf.in
    rm -rf /opt/httpd/conf/extra/httpd-mpm.conf
    rm -rf /opt/httpd/conf/extra/httpd-mpm.conf.in
    rm -rf /opt/httpd/conf/extra/httpd-multilang-errordoc.conf
    rm -rf /opt/httpd/conf/extra/httpd-multilang-errordoc.conf.in
    rm -rf /opt/httpd/conf/extra/httpd-userdir.conf
    rm -rf /opt/httpd/conf/extra/httpd-userdir.conf.in
    rm -rf /opt/httpd/conf/extra/httpd-vhosts.conf
    rm -rf /opt/httpd/conf/extra/httpd-vhosts.conf.in
    rm -rf /opt/httpd/conf/extra/proxy-html.conf
    rm -rf /opt/httpd/conf/extra/proxy-html.conf.in
    rm -rf /opt/httpd/conf/original
    ```

11. Update ownership and permissions on the Apache folders:

    ```sh
    chown root:root /opt/httpd/bin/apachectl
    chown root:root /opt/httpd/bin/httpd
    chmod 770 /opt/httpd/bin/apachectl
    chmod 770 /opt/httpd/bin/httpd
    chown -R root:root /opt/httpd
    chmod -R go-r /opt/httpd
    chown -R root:root /opt/httpd/logs
    chmod -R 700 /opt/httpd/logs
    ```

12. Create a folder for the web content:

    ```sh
    mkdir -p /www
    ```

13. Update ownership and permissions on the web content folder:

    ```sh
    chown -R root /www
    chmod -R 775 /www
    ```

14. Fix the SELinux security context on the new web folder:

    ```sh
    semanage fcontext -a -t httpd_sys_content_t "/www(/.*)?"
    restorecon -F -R -v /www
    ```

15. Edit using VI the file /opt/httpd/conf/httpd.conf and change the following strings:

    From: `LogLevel warn`
    To: `LogLevel notice`

    From: `DocumentRoot "/opt/httpd/htdocs"`
    To: `DocumentRoot "/www"`

    From: `Listen 80`
    To: `Listen Server_FQDN:80`
    Note: Replace Server_FQDN with the actual DNS name.

    From: `ServerAdmin root@localhost`
    To: `ServerAdmin webmaster@mycompany.com`
    Note: Replace mycompany.com with the actual Company DNS name.

    From: `#ServerName www.example.com:80`
    To: `ServerName Server_FQDN`
    Note: Replace Server_FQDN with the actual DNS name.

    From: `ScriptAlias /cgi-bin/ "/opt/httpd/cgi-bin/"`
    To: `# ScriptAlias /cgi-bin/ "/opt/httpd/cgi-bin/"`

    From:

    ```apache
    <Directory />
        Options FollowSymLinks
        AllowOverride None
    </Directory>
    ```

    To:

    ```apache
    <Directory />
        Options None
        AllowOverride None
        Require all denied
        Order deny,allow
        Deny from all
        <LimitExcept GET POST>
            Deny from all
        </LimitExcept>
    </Directory>
    ```

    From:

    ```apache
    <Directory "/opt/httpd/htdocs">
        Options Indexes FollowSymLinks
        AllowOverride None
    </Directory>
    ```

    To:

    ```apache
    <Directory "/www">
        Options None
        AllowOverride None
        Require all granted
        Order allow,deny
        Allow from all
        <LimitExcept GET POST>
            Deny from all
        </LimitExcept>
    </Directory>
    ```
16. Comment out all lines inside the /opt/httpd/conf/httpd.conf file beginning with:

    ```
    ScriptAlias
    IndexOptions
    AddIconByEncoding
    AddIconByType
    AddIcon
    DefaultIcon
    ReadmeName
    HeaderName
    IndexIgnore
    LanguagePriority
    ForceLanguagePriority
    ```

17. Comment out the lines below inside the /opt/httpd/conf/httpd.conf file to disable default modules:

    ```apache
    LoadModule cgi_module modules/mod_cgi.so
    LoadModule status_module modules/mod_status.so
    LoadModule info_module modules/mod_info.so
    LoadModule autoindex_module modules/mod_autoindex.so
    LoadModule include_module modules/mod_include.so
    LoadModule userdir_module modules/mod_userdir.so
    LoadModule env_module modules/mod_env.so
    LoadModule negotiation_module modules/mod_negotiation.so
    LoadModule actions_module modules/mod_actions.so
    ```

18. Comment out the entire `<Directory "/opt/httpd/cgi-bin">` section inside /opt/httpd/conf/httpd.conf.

19. Add the following sections to the end of the /opt/httpd/conf/httpd.conf file:

    ```apache
    # Configure custom error messages
    ErrorDocument 400 "The requested URL was not found on this server."
    ErrorDocument 401 "The requested URL was not found on this server."
    ErrorDocument 403 "The requested URL was not found on this server."
    ErrorDocument 404 "The requested URL was not found on this server."
    ErrorDocument 405 "The requested URL was not found on this server."
    ErrorDocument 408 "The requested URL was not found on this server."
    ErrorDocument 410 "The requested URL was not found on this server."
    ErrorDocument 411 "The requested URL was not found on this server."
    ErrorDocument 412 "The requested URL was not found on this server."
    ErrorDocument 413 "The requested URL was not found on this server."
    ErrorDocument 414 "The requested URL was not found on this server."
    ErrorDocument 415 "The requested URL was not found on this server."
    ErrorDocument 500 "The requested URL was not found on this server."
    # Configure Server Tokens
    ServerTokens Prod
    # Disable Server Signature
    ServerSignature Off
    # Disable Tracing
    TraceEnable Off
    # Maximum size of the request body.
    LimitRequestBody 25000
    # Maximum number of request headers in a request.
    LimitRequestFields 40
    # Maximum size of request header lines.
    LimitRequestFieldSize 4000
    # Maximum size of the request line.
    LimitRequestLine 4000
    # Recycle worker processes after this many requests.
    MaxRequestsPerChild 10000
    # Configure clickjacking protection
    Header always append X-Frame-Options SAMEORIGIN
    ```

20. Edit using VI the file /opt/httpd/include/ap_release.h and replace the following strings:

    From: `#define AP_SERVER_BASEVENDOR "Apache Software Foundation"`
    To: `#define AP_SERVER_BASEVENDOR "Restricted server"`

    From: `#define AP_SERVER_BASEPROJECT "Apache HTTP Server"`
    To: `#define AP_SERVER_BASEPROJECT "Secure Web Server"`

    From: `#define AP_SERVER_BASEPRODUCT "Apache"`
    To: `#define AP_SERVER_BASEPRODUCT "Secure Web Server"`

    Note: These defines are compiled into the httpd binary, so the new product name only appears in the Server header after Apache is rebuilt from source with the edited header.

21. Download the Apache boot script into /tmp from: http://www.linuxfromscratch.org/blfs/downloads/svn/blfs-bootscripts-20131023.tar.bz2

22. Extract and install the Apache boot script:

    ```sh
    cd /tmp/
    tar xvjf blfs-bootscripts-20131023.tar.bz2
    cd /tmp/blfs-bootscripts-20131023
    make install-httpd
    ```

23. Edit using VI the file /etc/init.d/httpd and replace the strings below:

    From: `/usr/sbin/apachectl`
    To: `/opt/httpd/bin/apachectl`

    From: `log_info_msg`
    To: `echo`

    From: `evaluate_retval`
    To: `#evaluate_retval`

24. Configure Apache to start automatically:

    ```sh
    chkconfig httpd on
    ```

25. Configure IPTables (default-deny inbound; allow loopback and established connections):

    ```sh
    service iptables stop
    iptables -P INPUT DROP
    iptables -A INPUT -i lo -j ACCEPT
    iptables -A OUTPUT -o lo -j ACCEPT
    iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
    ```

26. Allow SSH access from the internal segment (i.e. 10.0.0.0/8):

    ```sh
    iptables -A INPUT -m state --state NEW -p tcp --dport 22 -s 10.0.0.0/8 -j ACCEPT
    ```

    Note: Replace 10.0.0.0/8 with the internal segment and subnet mask.

27. Allow HTTP access from the Internet on the public interface (i.e. eth0):

    ```sh
    iptables -A INPUT -m state --state NEW -p tcp --dport 80 -i eth0 -j ACCEPT
    ```

    Note: Replace eth0 with the public interface name.

28. Save the IPTables settings:

    ```sh
    service iptables save
    ```

29. Start the Apache daemon:

    ```sh
    service httpd start
    ```

SSL Configuration Phase

1. Login to the server using the Root account.

2. Create a folder for the SSL certificate files:

   ```sh
   mkdir -p /opt/httpd/conf/ssl
   chmod 600 /opt/httpd/conf/ssl
   ```

3. Run the command below to generate a key pair:

   ```sh
   /usr/bin/openssl genrsa -des3 -out /opt/httpd/conf/ssl/server.key 2048
   ```

   Note: Specify a complex pass phrase for the private key (and document it).

4. Run the command below to generate the CSR (the command is a single line):

   ```sh
   /usr/bin/openssl req -new -newkey rsa:2048 -nodes -sha256 -keyout /opt/httpd/conf/ssl/server.key -out /tmp/apache.csr
   ```

   Note: With `-newkey rsa:2048 -nodes -keyout`, this command writes a new, unencrypted key over the one created in step 3. To sign the CSR with the pass-phrase-protected key from step 3 instead, replace `-newkey rsa:2048 -nodes -keyout /opt/httpd/conf/ssl/server.key` with `-key /opt/httpd/conf/ssl/server.key`; Apache will then ask for the pass phrase at startup.

5. Send the file /tmp/apache.csr to a Certificate Authority server.

6. As soon as you receive the signed public key from the CA server via email, copy all lines starting with "BEGIN" and ending with "END" (including those two lines) into notepad, and save the file as /opt/httpd/conf/ssl/server.crt

7. Follow the link in the email from the CA server to create the Root CA chain, and save it as /opt/httpd/conf/ssl/server-ca.crt (Note: The file must be PEM (base64) encoded).

8. Edit using VI the file /opt/httpd/conf/httpd.conf and change the following strings:

   From: `Listen Server_FQDN:80`
   To: `Listen Server_FQDN:443`
   Note: Replace Server_FQDN with the actual DNS name.

   From: `ServerName Server_FQDN`
   To: `ServerName Server_FQDN:443`
   Note: Replace Server_FQDN with the actual DNS name.

   From: `#Include conf/extra/httpd-ssl.conf`
   To: `Include conf/extra/httpd-ssl.conf`

   From: `#LoadModule socache_shmcb_module modules/mod_socache_shmcb.so`
   To: `LoadModule socache_shmcb_module modules/mod_socache_shmcb.so`
9. Edit using VI the file /opt/httpd/conf/extra/httpd-ssl.conf and change the following strings:

   From: `SSLCertificateFile "/opt/httpd/conf/server.crt"`
   To: `SSLCertificateFile /opt/httpd/conf/ssl/server.crt`

   From: `SSLCertificateKeyFile "/opt/httpd/conf/server.key"`
   To: `SSLCertificateKeyFile /opt/httpd/conf/ssl/server.key`

   From: `#SSLCertificateChainFile "/opt/httpd/conf/server-ca.crt"`
   To: `SSLCertificateChainFile /opt/httpd/conf/ssl/server-ca.crt`

   From: `SSLCipherSuite HIGH:MEDIUM:!aNULL:!MD5`
   To (a single line):

   ```apache
   SSLCipherSuite EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES128-SHA256:AES128-GCM-SHA256:ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:DH+AES:ECDH+3DES:DH+3DES:RSA+AES:RSA+3DES:!ADH:!AECDH:!MD5:!DSS:!aNULL:!EDH:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS
   ```

   From: `#SSLHonorCipherOrder on`
   To: `SSLHonorCipherOrder On`

   From: `Listen @@SSLPort@@`
   To: `Listen Server_FQDN:443`
   Note: Replace Server_FQDN with the actual DNS name.

   From: `DocumentRoot "/opt/httpd/htdocs"`
   To: `DocumentRoot "/www"`

   From: `ServerName www.example.com:@@SSLPort@@`
   To: `#ServerName www.example.com:@@SSLPort@@`

   From: `ServerAdmin you@example.com`
   To: `ServerAdmin webmaster@mycompany.com`
   Note: Replace mycompany.com with the actual Company DNS name.

   From: `<VirtualHost _default_:@@SSLPort@@>`
   To: `<VirtualHost _default_:443>`

10. Add the following sections to the end of the /opt/httpd/conf/extra/httpd-ssl.conf file:

    ```apache
    # Disable SSLv2
    SSLProtocol ALL -SSLv2 +TLSv1 +TLSv1.1 +TLSv1.2
    # Disable SSL compression (CRIME mitigation)
    SSLCompression Off
    ```

11. Comment out the entire `<Directory "/opt/httpd/cgi-bin">` section inside /opt/httpd/conf/extra/httpd-ssl.conf.
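A quick way to confirm that the edits to httpd.conf (ServerTokens, ServerSignature, TraceEnable, the request limits, the X-Frame-Options header, the commented-out CGI and status modules) and to httpd-ssl.conf (SSLProtocol, SSLCompression, SSLHonorCipherOrder) actually took effect is to audit the live, uncommented directives rather than trusting a visual read of the files. The script below is an added example written for this page, not part of the original guide or of Apache itself. It takes the config file paths as arguments (the guide's paths are shown in the usage comment), strips comments before matching so a directive still sitting behind a `#` does not count, and runs against two constructed sample files, a hardened one and a default-looking one, so it can be tried offline.

```sh
#!/bin/sh
# Added example (not from the original guide): audit httpd.conf / httpd-ssl.conf
# for the hardening directives the guide sets, ignoring commented-out lines so a
# directive that is still behind a '#' does not count as applied.
# Usage on the server (paths from the guide):
#   audit_httpd_conf /opt/httpd/conf/httpd.conf /opt/httpd/conf/extra/httpd-ssl.conf

# $1 = label, $2 = extended regex that must match at least one live (uncommented) line.
require() {
    if printf '%s\n' "$LIVE" | grep -Eiq -- "$2"; then return 0; fi
    echo "MISSING: $1"
    return 1
}

# $1 = label, $2 = extended regex that must match no live line.
forbid() {
    if printf '%s\n' "$LIVE" | grep -Eiq -- "$2"; then
        echo "FOUND:   $1"
        return 1
    fi
    return 0
}

# Audits the given config file(s); prints one line per finding and returns the
# number of findings (0 = every check passed).
audit_httpd_conf() {
    LIVE=$(sed 's/#.*$//' "$@")   # drop whole-line and trailing comments
    n=0
    require 'ServerTokens Prod'          '^[[:space:]]*ServerTokens[[:space:]]+Prod([[:space:]]|$)' || n=$((n+1))
    require 'ServerSignature Off'        '^[[:space:]]*ServerSignature[[:space:]]+Off([[:space:]]|$)' || n=$((n+1))
    require 'TraceEnable Off'            '^[[:space:]]*TraceEnable[[:space:]]+Off([[:space:]]|$)' || n=$((n+1))
    require 'X-Frame-Options header'     '^[[:space:]]*Header[[:space:]]+always[[:space:]]+append[[:space:]]+X-Frame-Options[[:space:]]+SAMEORIGIN' || n=$((n+1))
    require 'LimitRequestBody set'       '^[[:space:]]*LimitRequestBody[[:space:]]+[0-9]+' || n=$((n+1))
    require 'SSLProtocol excludes SSLv2' '^[[:space:]]*SSLProtocol[[:space:]].*-SSLv2' || n=$((n+1))
    require 'SSLCompression Off'         '^[[:space:]]*SSLCompression[[:space:]]+Off([[:space:]]|$)' || n=$((n+1))
    require 'SSLHonorCipherOrder On'     '^[[:space:]]*SSLHonorCipherOrder[[:space:]]+On([[:space:]]|$)' || n=$((n+1))
    forbid  'ScriptAlias /cgi-bin/ still active' '^[[:space:]]*ScriptAlias[[:space:]]+/cgi-bin/' || n=$((n+1))
    # "Options Indexes" or "+Indexes" is a finding; "-Indexes" (explicitly off) is not.
    forbid  'Options Indexes still active' '^[[:space:]]*Options([[:space:]]+[^[:space:]]+)*[[:space:]]+\+?Indexes([[:space:]]|$)' || n=$((n+1))
    forbid  'mod_cgi still loaded'       '^[[:space:]]*LoadModule[[:space:]]+cgi_module' || n=$((n+1))
    forbid  'mod_status still loaded'    '^[[:space:]]*LoadModule[[:space:]]+status_module' || n=$((n+1))
    return $n
}

# Constructed sample configs for a dry run (not the guide's real files).
SAMPLE_DIR=$(mktemp -d)
trap 'rm -rf "$SAMPLE_DIR"' EXIT

cat > "$SAMPLE_DIR/hardened.conf" <<'EOF'
ServerTokens Prod
ServerSignature Off
TraceEnable Off
LimitRequestBody 25000
Header always append X-Frame-Options SAMEORIGIN
#LoadModule cgi_module modules/mod_cgi.so
#LoadModule status_module modules/mod_status.so
#ScriptAlias /cgi-bin/ "/opt/httpd/cgi-bin/"
<Directory "/www">
    Options None
    AllowOverride None
    Require all granted
</Directory>
# Disable SSLv2
SSLProtocol ALL -SSLv2 +TLSv1 +TLSv1.1 +TLSv1.2
SSLCompression Off
SSLHonorCipherOrder On
EOF

cat > "$SAMPLE_DIR/default.conf" <<'EOF'
# ServerTokens Prod   (still commented out, so it must not count)
ServerSignature On
LoadModule cgi_module modules/mod_cgi.so
LoadModule status_module modules/mod_status.so
ScriptAlias /cgi-bin/ "/opt/httpd/cgi-bin/"
<Directory "/opt/httpd/htdocs">
    Options Indexes FollowSymLinks
</Directory>
SSLProtocol all
SSLCompression Off
EOF

for f in hardened default; do
    if audit_httpd_conf "$SAMPLE_DIR/$f.conf"; then
        echo "$f.conf: all checks passed"
    else
        rc=$?
        echo "$f.conf: $rc finding(s)"
    fi
done
```

The exit status is the finding count, so the function can gate a deployment step (`audit_httpd_conf ... || exit 1`). Passing both the main and the SSL config on one call is intentional: the SSL directives live in httpd-ssl.conf, and a check that only reads httpd.conf would report them missing.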

12. Configure IPTables - allow HTTPS access from the Internet on the public interface (i.e. eth0):

    ```sh
    iptables -A INPUT -m state --state NEW -p tcp --dport 443 -i eth0 -j ACCEPT
    ```

    Note: Replace eth0 with the public interface name.

13. Remove HTTP access from the Internet on the public interface (i.e. eth0):

    ```sh
    iptables -D INPUT -m state --state NEW -p tcp --dport 80 -i eth0 -j ACCEPT
    ```

    Note: Replace eth0 with the public interface name.

14. Save the IPTables settings:

    ```sh
    service iptables save
    ```

15. Restart the Apache service:

    ```sh
    service httpd restart
    ```
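The firewall rules above are built incrementally on a live ruleset (append the HTTP rule, later delete it, append the HTTPS rule), which makes the final state hard to review. As an added example that is not part of the original guide, the script below renders the guide's end state (INPUT policy DROP, loopback and established traffic allowed, SSH only from the internal segment, HTTPS only on the public interface, no HTTP) as a single iptables-restore file that can be read before it is loaded. It assumes `iptables-restore` is available on the server, as it is on CentOS 6, and uses the guide's own placeholder values 10.0.0.0/8 and eth0 for the dry run; `valid_cidr` and `ruleset_opens_port` are helper names chosen for this example.

```sh
#!/bin/sh
# Added example (not from the original guide): render the guide's final firewall
# policy as an iptables-restore file so it can be reviewed and then loaded
# atomically ("iptables-restore < rules" or saved as /etc/sysconfig/iptables)
# instead of being built with a sequence of -A/-D commands on the live ruleset.

# Accepts only an IPv4 network in CIDR form, so a typo cannot turn into an
# over-broad SSH rule.
valid_cidr() {
    printf '%s' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}/([0-9]|[12][0-9]|3[0-2])$'
}

# Usage: render_ruleset INTERNAL_CIDR PUBLIC_IFACE [EXTRA_PUBLIC_TCP_PORT ...]
# Prints the ruleset to stdout; returns 1 on a malformed CIDR.
render_ruleset() {
    internal=$1
    iface=$2
    shift 2
    if ! valid_cidr "$internal"; then
        echo "render_ruleset: invalid CIDR '$internal'" >&2
        return 1
    fi
    # The guide only sets the INPUT policy; FORWARD and OUTPUT keep their defaults.
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -m state --state NEW -p tcp --dport 22 -s $internal -j ACCEPT
EOF
    # HTTPS on the public interface, plus any extra public TCP ports requested.
    for port in 443 "$@"; do
        echo "-A INPUT -m state --state NEW -p tcp --dport $port -i $iface -j ACCEPT"
    done
    echo "COMMIT"
}

# Review helper: does the rendered ruleset ($1) open TCP port $2 on the public interface?
ruleset_opens_port() {
    printf '%s\n' "$1" | grep -q -- "--dport $2 -i "
}

# Dry run with the guide's placeholder values (replace with the real segment and interface).
RULESET=$(render_ruleset 10.0.0.0/8 eth0) && printf '%s\n' "$RULESET"
```

Because port 80 is simply never emitted, the rendered file has no HTTP rule to delete later, and re-running the render after a change (a new internal segment, an extra port) always produces the complete ruleset rather than a diff against whatever is currently loaded.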