This chapter provides Apache downloading steps and cautionary tips. Mobily recommends compiling most of the modules dynamically, and leaving the main server stripped to the bones. He covers the free tool Nikto and how to use it. Also see why he says to disable the TRACE method. (From the book Hardening Apache by Tony Mobily, Apress, 2004, ISBN: 1590593782.)
When you install a piece of software, you can usually just follow the instructions provided by the README or the INSTALL file. In a way, Apache is no exception. However, Apache is a very complex program, and needs to be compiled and installed with particular care, to make sure that it’s reasonably secure in the short and in the long term.
In this chapter I will show you:
- How to download Apache while making sure that you have a “genuine” package; I will also take the opportunity to describe how encryption works.
- The commands I used to install both Apache 1.3.x and Apache 2.x. I included this section mainly because I will use those installations throughout the book.
- How to test your installation with an automatic testing tool.
- How to configure Apache more securely.
- How to block particular requests and IP addresses.
- How to configure Apache 1.3.x and 2.x with Secure Sockets Layer (SSL).
Downloading the Right Apache
There are two major “branches” of Apache that are still fully supported: 1.3.x and 2.0.x (the latest ones at the time of writing are 1.3.29 and 2.0.48). Remember that by the time this book goes to print the versions will probably have been updated. You have two options for downloading Apache:
Downloading Apache is very straightforward. Unfortunately, there is a danger: the Apache web site (or, more likely, one of its many mirror sites) might have been hacked, and a maliciously modified version of Apache might have replaced the real distribution file. This fake version could do exactly what it was supposed to do, plus open a back door on the server that was running it (and maybe somehow notify the person who originally wrote the code for the back door).
The Apache Software Foundation is well aware of this problem, so it signs its own packages. It is up to you to check that the signature of the package you downloaded is correct. In this section I will show you how to do that step by step.
Making Sure Your Apache Is Right Using GnuPG
Every official Apache package comes with a digital signature, aimed at ensuring that your package is genuine.
To sign a file, as well as verify the validity of an existing signature, you can use GnuPG (http://www.gnupg.org), a free clone of Pretty Good Privacy (PGP). If you are security-conscious, it’s probably worth your while to study how GnuPG works.
In the next section, I will introduce the basic concepts behind cryptography, while showing what commands you can use to verify your Apache package. I will refer to these concepts to make sure that you know exactly what each command does.
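The verification step described above, as an added example that is not the book's own code: the first function is the real-world workflow (import the Apache release-signing keys from the KEYS file, then check the detached .asc signature against the tarball), and the second is an offline self-check that generates a throwaway key, signs a constructed file, verifies it, then alters the file and confirms that verification now fails. Assumptions: GnuPG 2.1 or later is installed, the file names (httpd-2.0.48.tar.gz, its .asc, and the KEYS file path) are placeholders, and today's KEYS file lives at https://www.apache.org/dist/httpd/KEYS, which is not stated on this page.

```shell
#!/bin/sh
# Added example (not from "Hardening Apache"): checking an Apache tarball's
# GnuPG signature. Requires gpg 2.1+; file names below are placeholders.

# Real-world workflow. Fetch KEYS and the .asc from the main Apache site, not
# from the mirror that served the tarball, so a compromised mirror cannot hand
# you a matching fake key and fake signature.
verify_apache_tarball() {
    tarball="$1"      # e.g. httpd-2.0.48.tar.gz (placeholder)
    keys_file="$2"    # Apache KEYS file, today at https://www.apache.org/dist/httpd/KEYS (assumed)
    gpg --import "$keys_file" >/dev/null 2>&1 || return 1
    # Exit status is non-zero on a BAD signature or when the signing key is unknown.
    gpg --verify "$tarball.asc" "$tarball"
}

# Offline self-check with a constructed package and an ephemeral key in a
# throwaway keyring. Returns 0 when a good signature verifies and a tampered
# file is rejected, 1 on any other outcome, 2 when gpg is not installed.
signature_selfcheck() {
    command -v gpg >/dev/null 2>&1 || return 2
    tmp=$(mktemp -d) || return 1
    GNUPGHOME="$tmp/gnupg"; export GNUPGHOME
    mkdir -m 700 "$GNUPGHOME"
    pkg="$tmp/httpd-example.tar.gz"              # constructed stand-in for a tarball
    printf 'constructed tarball contents\n' > "$pkg"
    rc=1
    if gpg --batch --quiet --pinentry-mode loopback --passphrase '' \
           --quick-generate-key 'Example Release Key <release@example.invalid>' \
           default default never >/dev/null 2>&1 \
       && gpg --batch --quiet --pinentry-mode loopback --passphrase '' \
              --detach-sign --armor --output "$pkg.asc" "$pkg" >/dev/null 2>&1 \
       && gpg --batch --quiet --verify "$pkg.asc" "$pkg" >/dev/null 2>&1; then
        # Simulate a maliciously modified distribution file: even one appended
        # byte must make the detached signature fail to verify.
        printf 'modified\n' >> "$pkg"
        if ! gpg --batch --quiet --verify "$pkg.asc" "$pkg" >/dev/null 2>&1; then
            rc=0
        fi
    fi
    rm -rf "$tmp"
    unset GNUPGHOME
    return $rc
}

# Stand-alone run: report the self-check result.
if signature_selfcheck; then
    echo "self-check passed: genuine file verifies, tampered file is rejected"
else
    echo "self-check did not pass (status $?; 2 means gpg is not installed)"
fi
```

A successful `gpg --verify` only proves that the tarball matches a signature made by some key in your keyring; the remaining step, which the book's next section covers, is deciding why you trust that the key in KEYS really belongs to the Apache release manager.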