Server Limits for Apache Security - Preventing Information Leaks

(Page 2 of 4 )

By default, Apache provides several bits of information to anyone interested. Any information obtained by attackers helps them build a better view of the system and makes it easier for them to break into the system.

For example, the installation process automatically puts the email address of the user compiling Apache (or, rather, the email address it thinks is the correct email address) into the configuration file. This reveals the account to the public, which is undesirable. The following directive replaces the Apache-generated email address with a generic address:

  ServerAdmin webmaster@apachesecurity.net

By default, the email address defined with this directive appears on server-generated pages. Since this is probably not what you want, you can turn off this feature completely via the following directive:

  ServerSignature Off

The HTTP protocol defines a response header fieldServer, whose purpose is to identify the software responding to the request. By default, Apache populates this header with its name, version number, and names and version numbers of all its modules willing to identify themselves. You can see what this looks like by sending a test request to the newly installed server:

  $ telnet localhost 80
  Trying 127.0.0.1...
  Connected to localhost.
  Escape character is '^]'.
  HEAD / HTTP/1.0

  HTTP/1.1 200 OK
  Date: Fri, 19 Mar 2004 22:05:35 GMT
  Server: Apache/1.3.29 (Unix)
  Content-Location: index.html.en
  Vary: negotiate,accept-language,accept-charset
  TCN: choice
  Last-Modified: Fri, 04 May 2001 00:00:38 GMT
  ETag: "4002c7-5b0-3af1f126;405a21d7"
  Accept-Ranges: bytes
  Content-Length: 1456
  Connection: close
  Content-Type: text/html
  Content-Language: en
  Expires: Fri, 19 Mar 2004 22:05:35 GMT

This header field reveals specific and valuable information to the attacker. You can’t hide it completely (this is not entirely true, as you will find in the next section), but you can tell Apache to disclose only the name of the server (“Apache”).

  ServerTokens ProductOnly

We turned off the directory indexing feature earlier when we set theOptions directive to have the valueNone. Having the feature off by default is a good approach. You can enable it later on a per-directory basis:

  <Directory /var/www/htdocs/download>
      Options +Indexes
  </Directory>

Automatic directory indexes are dangerous because programmers frequently create folders that have no default indexes. When that happens, Apache tries to be helpful and lists the contents of the folder, often showing the names of files that are publicly available (because of an error) but should not be seen by anyone, such as the following:

1. Files (usually archives) stored on the web server but not properly protected (e.g., with a password) because users thought the files could not be seen and thus were secure
   
2. Files that were uploaded “just for a second” but were never deleted
   
3. Source code backup files automatically created by text editors and uploaded to the production server by mistake
   
4. Backup files created as a result of direct modification of files on the production server

To fight the problem of unintentional file disclosure, you should turn off automatic indexing (as described in the “AllowOverride directive” section) and instruct Apache to reject all requests for files matching a series of regular expressions given below. Similar configuration code exists in the default httpd.conf file to deny access to . htaccess files (the per-directory configuration files I mentioned earlier). The following extends the regular expression to look for various file extensions that should normally not be present on the web server:

  <FilesMatch "(^\.ht|~$|\.bak$|\.BAK$)">
      Order Allow,Deny
      Deny from all
  </FilesMatch>

TheFilesMatchdirective only looks at the last part of the full filename (the basename), and thus,FilesMatch configuration specifications do not apply to directory names. To completely restrict access to a particular directory, for example to deny access to CVS administrative files (frequently found on web sites), use something like:

  <DirectoryMatch /CVS/>
      Order Allow,Deny
      Deny from all
  </DirectoryMatch>

Next: Changing Web Server Identity >>
 

More Apache Articles
More By O'Reilly Media

Comments On: Server Limits for Apache Security

· This article is an excerpt from the book "Apache Security," published by O'Reilly....   >>> Post your comment now!

Buy this book...

This article is excerpted from chapter two of Apache Security, written by Ivan Ristic (O'Reilly; ISBN: 0596007248). Check it out today at your favorite bookstore. Buy this book now.