Home arrow Apache arrow Page 2 - Server Limits for Apache Security

Preventing Information Leaks - Apache

In this fourth part of a six-part series on Apache installation and configuration, you will learn how to set server configuration limits, prevent information leaks, and more. This article is excerpted from chapter two of Apache Security, written by Ivan Ristic (O'Reilly; ISBN: 0596007248). Copyright © 2006 O'Reilly Media, Inc. All rights reserved. Used with permission from the publisher. Available from booksellers or direct from O'Reilly Media.

  1. Server Limits for Apache Security
  2. Preventing Information Leaks
  3. Changing Web Server Identity
  4. Changing the Server Header Field
By: O'Reilly Media
Rating: starstarstarstarstar / 8
January 17, 2008

print this article



By default, Apache provides several bits of information to anyone interested. Any information obtained by attackers helps them build a better view of the system and makes it easier for them to break into the system.

For example, the installation process automatically puts the email address of the user compiling Apache (or, rather, the email address it thinks is the correct email address) into the configuration file. This reveals the account to the public, which is undesirable. The following directive replaces the Apache-generated email address with a generic address:

  ServerAdmin webmaster@apachesecurity.net

By default, the email address defined with this directive appears on server-generated pages. Since this is probably not what you want, you can turn off this feature completely via the following directive:

  ServerSignature Off

The HTTP protocol defines a response header fieldServer, whose purpose is to identify the software responding to the request. By default, Apache populates this header with its name, version number, and names and version numbers of all its modules willing to identify themselves. You can see what this looks like by sending a test request to the newly installed server:

  $ telnet localhost 80
  Connected to localhost.
  Escape character is '^]'.
  HEAD / HTTP/1.0

  HTTP/1.1 200 OK
  Date: Fri, 19 Mar 2004 22:05:35 GMT
  Server: Apache/1.3.29 (Unix)
  Content-Location: index.html.en
  Vary: negotiate,accept-language,accept-charset
  TCN: choice
  Last-Modified: Fri, 04 May 2001 00:00:38 GMT
  ETag: "4002c7-5b0-3af1f126;405a21d7"
  Accept-Ranges: bytes
  Content-Length: 1456
  Connection: close
  Content-Type: text/html
  Content-Language: en
  Expires: Fri, 19 Mar 2004 22:05:35 GMT

This header field reveals specific and valuable information to the attacker. You can’t hide it completely (this is not entirely true, as you will find in the next section), but you can tell Apache to disclose only the name of the server (“Apache”).

  ServerTokens ProductOnly

We turned off the directory indexing feature earlier when we set theOptions directive to have the valueNone. Having the feature off by default is a good approach. You can enable it later on a per-directory basis:

  <Directory /var/www/htdocs/download>
      Options +Indexes

Automatic directory indexes are dangerous because programmers frequently create folders that have no default indexes. When that happens, Apache tries to be helpful and lists the contents of the folder, often showing the names of files that are publicly available (because of an error) but should not be seen by anyone, such as the following:

  1. Files (usually archives) stored on the web server but not properly protected (e.g., with a password) because users thought the files could not be seen and thus were secure
  2. Files that were uploaded “just for a second” but were never deleted
  3. Source code backup files automatically created by text editors and uploaded to the production server by mistake
  4. Backup files created as a result of direct modification of files on the production server

To fight the problem of unintentional file disclosure, you should turn off automatic indexing (as described in the “AllowOverride directive” section) and instruct Apache to reject all requests for files matching a series of regular expressions given below. Similar configuration code exists in the default httpd.conf file to deny access to . htaccess files (the per-directory configuration files I mentioned earlier). The following extends the regular expression to look for various file extensions that should normally not be present on the web server:

  <FilesMatch "(^\.ht|~$|\.bak$|\.BAK$)">
      Order Allow,Deny
      Deny from all

TheFilesMatchdirective only looks at the last part of the full filename (the basename), and thus,FilesMatch configuration specifications do not apply to directory names. To completely restrict access to a particular directory, for example to deny access to CVS administrative files (frequently found on web sites), use something like:

  <DirectoryMatch /CVS/>
      Order Allow,Deny
      Deny from all

>>> More Apache Articles          >>> More By O'Reilly Media

blog comments powered by Disqus
escort Bursa Bursa escort Antalya eskort


- Apache Unveils Cassandra 1.2
- Apache on ARM Chips? Dell and Calxeda Help M...
- The Down Side of Open Source Software
- VMware Unveils Serengeti for Apache Hadoop
- SAP Takes Steps to Improve Hadoop Integration
- Looking to Hone Apache Hadoop Skills?
- How to Install Joomla on WAMPP
- Working with XAMPP and Wordpress
- GUI Available for Apache Camel
- Reduce Server Load for Apache and PHP Websit...
- Creating a VAMP (Vista, Apache, MySQL, PHP) ...
- Putting Apache in Jail
- Containing Intrusions in Apache
- Server Limits for Apache Security
- Setting Permissions in Apache

Developer Shed Affiliates


Dev Shed Tutorial Topics: