This topic has not yet been written. The content below is from the topic description.
Securing your Environment

Apache httpd should be installed and configured only by the root user or through sudo. The user and group that the httpd worker processes run as are set by the User and Group directives. This user / group combination should own nothing beyond what httpd needs in order to serve the site and should have no access to any other system resources. If you do nothing else, be sure to do this.

    User apache
    Group apache

You can verify which user the workers run as by looking at the httpd processes (ps -ef | grep httpd). The parent process is started by root so that it can bind to port 80; the child processes that actually handle requests should show the apache user.

Illustration 23: Observing the user and group that the httpd worker processes run as

Other items to do

1) Hide all sensitive information (version, build, etc.). To do this, use the ServerSignature and ServerTokens directives:

    ## Turn off the server signature shown on default error pages (for example a 404)
    ServerSignature Off
    ## Limit the Server response header to the product name only
    ServerTokens Prod

Before these values are set:

Illustration 24: Exposing server information

After the values are set:

Illustration 25: Error page once server information is removed

NOTE – the same test can be done with curl (curl -I against the site and look at the Server header) or with various Firefox plugins. This removes an easy fingerprint but does not fix any flaw in the version you are running, so it complements patching rather than replacing it.

2) To block traversal to files that were never meant to be accessible via the web, remove access to all files and directories by default and then add back only what is needed. This is done with the Order, Deny and Allow directives (mod_authz_host in httpd 2.2), applied first at the root directory level and then to the document root of each VirtualHost. Note that Order takes a single argument, so there is no space after the comma:

    ## Default: deny all access to the filesystem
    <Directory />
        Order Deny,Allow
        Deny from all
        Options None
        AllowOverride None
    </Directory>
    ...
    ## Allow access only to the 'website' directory and below
    ## (the path is a placeholder; use the document root of your VirtualHost)
    <Directory "/path/to/website">
        Order Allow,Deny
        Allow from all
    </Directory>

(httpd 2.4 replaces these three directives with Require all denied and Require all granted; the default-deny / allow-back approach is the same.)

3) To keep users of your website / application from retrieving a listing of the files in a directory, turn off the Indexes flag with the Options directive:

    Options -Indexes

Before the setting:

Illustration 26: With index listings enabled

After applying the setting:

Illustration 27: After index listings are removed

4) Remove all unused modules. By default, JBoss EWS ships with quite a few modules enabled. Go through these modules and, for each one you are not using, remove its LoadModule directive. This not only limits your exposure to potential security flaws in those modules but also improves performance by reducing the footprint of Apache httpd. (Removing mod_autoindex, for example, makes directory listings impossible regardless of the Options setting.)

5) DoS (Denial of Service) attacks are still prevalent on the web. To reduce the impact a DoS / DDoS attack can have on your site, lower the Timeout value. Stalled connections are then torn down sooner, which frees worker processes / threads more quickly and reduces the impact of slow, long-lived connection attacks. NOTE – this does not remove the risk. You will still want monitoring around your services / requests, solid firewall rules, and you should consider mod_security, an Apache module that applies rules dynamically and drops requests that match attack signatures.

    ## Lower the timeout from the default of 300 seconds (5 minutes) to 30 seconds
    Timeout 30

Timeout bounds how long httpd waits between network reads or writes on a connection, not the total duration of a request, so 30 seconds is safe for normal clients while cutting off ones that deliberately trickle data.

6) If your website / web application allows uploads, be sure to limit the size of those uploads. From a security perspective, the last thing you want is to let someone easily tie up worker processes and bandwidth with oversized requests, so limit the size of the request body. If you allow file uploads, set this value to the largest size your uploads reasonably need; for example, a maximum size for a résumé might be 200 KB. If your site does not allow uploads, set it as low as you feel comfortable with. LimitRequestBody is also valid in Directory and Location context, so an upload endpoint can be given a larger limit than the rest of the site.

    ## Limit the request body to ~1 MB
    LimitRequestBody 1000000

7) Finally, as with all software, be sure to stay up to date with security patches.
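As an added example (not part of JBoss EWS or of this topic's original text), the following POSIX shell script audits an httpd.conf against items 1 through 6 above and reports the LoadModule count for item 4. The two configuration files it checks are constructed inline for illustration; the document-root paths and module names in them are placeholders, and a real audit would point audit_httpd_conf at the live httpd.conf.

```shell
#!/bin/sh
# Added example, not part of JBoss EWS: audit an httpd.conf against the checklist
# above. The two configs are constructed samples written to a temp dir so the
# script runs offline; the paths and module names in them are placeholders.
fail() { echo "FAIL: $1"; count=$((count + 1)); }
ok()   { echo "OK:   $1"; }

# Value of the first active (non-comment) occurrence of a directive; names are
# matched case-insensitively, as httpd does.
directive_value() {
    awk -v name="$2" '
        /^[[:space:]]*#/ { next }
        tolower($1) == tolower(name) { print $2; exit }
    ' "$1"
}

# One OK/FAIL line per check, then a FINDINGS count. Always exits 0.
audit_httpd_conf() {
    conf="$1"; count=0
    # 1) worker processes must not run as root
    user=$(directive_value "$conf" User); group=$(directive_value "$conf" Group)
    if [ -z "$user" ] || [ "$user" = root ] || [ -z "$group" ] || [ "$group" = root ]; then
        fail "User/Group must name an unprivileged account (User='$user' Group='$group')"
    else
        ok "httpd workers run as $user:$group"
    fi
    # 2) hide version and build information
    tokens=$(directive_value "$conf" ServerTokens | tr 'A-Z' 'a-z')
    signature=$(directive_value "$conf" ServerSignature | tr 'A-Z' 'a-z')
    [ "$tokens" = prod ] && ok "ServerTokens Prod" || fail "ServerTokens is '${tokens:-unset}', should be Prod"
    [ "$signature" = off ] && ok "ServerSignature Off" || fail "ServerSignature is '${signature:-unset}', should be Off"
    # 3) no active Options line may list Indexes or +Indexes (-Indexes is fine)
    grep -Eiq '^[[:space:]]*Options[[:space:]]+([^[:space:]]+[[:space:]]+)*[+]?Indexes([[:space:]]|$)' "$conf" \
        && fail "an Options line enables Indexes (directory listings)" || ok "directory listings disabled"
    # 4) a default-deny block must exist (httpd 2.2 mod_authz_host syntax)
    grep -Eiq '^[[:space:]]*Deny[[:space:]]+from[[:space:]]+all' "$conf" \
        && ok "'Deny from all' default present" || fail "no 'Deny from all'; add a default-deny <Directory /> block"
    # 5) Timeout lowered from the 300 s default
    timeout=$(directive_value "$conf" Timeout)
    if [ -z "$timeout" ] || [ "$timeout" -gt 30 ]; then
        fail "Timeout is ${timeout:-unset, default 300}; lower it to 30 or less"
    else
        ok "Timeout $timeout"
    fi
    # 6) request bodies must be capped
    limit=$(directive_value "$conf" LimitRequestBody)
    if [ -z "$limit" ] || [ "$limit" -eq 0 ]; then
        fail "LimitRequestBody unset or 0 (unbounded request bodies)"
    else
        ok "LimitRequestBody $limit bytes"
    fi
    # 7) modules are reported, not judged: only the site owner knows which are needed
    modules=$(grep -Eic '^[[:space:]]*LoadModule[[:space:]]' "$conf" || true)
    echo "INFO: $modules LoadModule directives; remove the ones you do not use"
    echo "FINDINGS: $count"
}

count_findings() { audit_httpd_conf "$1" | sed -n 's/^FINDINGS: //p'; }

# Constructed samples: a stock-looking config and its hardened counterpart.
SAMPLE_DIR=$(mktemp -d); trap 'rm -rf "$SAMPLE_DIR"' EXIT
WEAK_CONF="$SAMPLE_DIR/httpd-weak.conf"; HARD_CONF="$SAMPLE_DIR/httpd-hardened.conf"
cat > "$WEAK_CONF" <<'EOF'
User root
Group root
ServerTokens Full
ServerSignature On
LoadModule autoindex_module modules/mod_autoindex.so
<Directory "/var/www/html">
    Options Indexes FollowSymLinks
    Order Allow,Deny
    Allow from all
</Directory>
EOF
cat > "$HARD_CONF" <<'EOF'
User apache
Group apache
ServerTokens Prod
ServerSignature Off
Timeout 30
LimitRequestBody 1000000
LoadModule authz_host_module modules/mod_authz_host.so
<Directory />
    Order Deny,Allow
    Deny from all
    Options None
    AllowOverride None
</Directory>
<Directory "/var/www/website">
    Options -Indexes
    Order Allow,Deny
    Allow from all
</Directory>
EOF

audit_httpd_conf "$WEAK_CONF"; echo; audit_httpd_conf "$HARD_CONF"
```

The weak sample trips every check (seven findings) and the hardened one passes cleanly; the Options check deliberately accepts "-Indexes" while flagging "Indexes" and "+Indexes", since the directive syntax makes that distinction easy to get wrong by eye. The script reads only the one file it is given, so Include'd files must be audited separately.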