Securing websites with hardened Apache configurations and mod_security
Background
Securing web servers, in particular hardening Apache to protect vulnerable websites or web applications with The Daily WTF-quality code, is a main part of my job. I also mentor the Apache Configuration subforum of SitePoint. I first presented this article at SecureCon 2006 as a 40-minute talk, then submitted it as a paper and presented it at the SAGE-AU 2006 conference in Canberra.
Abstract
Web servers are always among the most vulnerable systems because, by their nature, they are open to access from everyone. As companies and organizations take advantage of the considerable benefits that Internet technologies offer, the task of securing a web server to protect web services and sensitive data can become overwhelming for what is, in most cases, a lone web administrator. Countless rogue bots and script kiddies wander about, ready to pounce on web servers hosting insecure and unpatched web applications.
The aim of this paper is to provide a comprehensive view of the security enhancements that can be made to the deployment and maintenance of websites through Apache configuration and modules, particularly mod_security. The examples are limited to the popular LAMP stack (Linux/Apache/MySQL/PHP), but the techniques introduced here can also be applied to other platforms. While more layers of security are needed to provide complete protection for a web server, the one discussed here is the web server daemon (Apache) layer, with a touch on web applications written in PHP.
In the first half, I will provide a walk-through for securely deploying websites with hardened Apache virtual host configurations. In the second half, I will present mod_security, the open source web application firewall, with its basic and enhanced rule sets, real examples of it in action against web exploits, and how to manage a mod_security-enabled web server.
Introduction
Web servers, being open to access from the whole Internet, need the most attention when it comes to security. Many layers of security are required to protect a web server; this paper addresses the web server daemon layer, in particular Apache [HREF3], the most popular web server on the Internet, and its accompanying modules.
As the web server, Apache has direct access to every request sent to the web applications it hosts. Many Apache modules can intercept and analyze requests before they are delivered to those applications. They allow web administrators to specify security-related rules that filter out malicious requests which could otherwise compromise the web server through vulnerabilities in the web applications.
As more and more services become web-based, the popularity of web applications has increased exponentially. Unfortunately, they also carry many vulnerabilities, such as SQL injection, shell command execution, cross-site scripting, remote file inclusion, and comment spam. The consequences of these attacks range from annoyances like comment spam on blogs, to phishing pages sneakily inserted into websites without the knowledge of their owners and webmasters, to leaks of sensitive database information and totally compromised web servers that can then be used for crimes.
Web administrators have to deal with these attacks hourly, on every single website they manage. Protecting a host of web applications, some of which may not receive timely patches and updates against those exploits, can be overwhelming for them. This paper presents solutions at the web server daemon level to counter exploits, treating the web applications themselves as black boxes. It consists of two parts. The first part shows how to harden the Apache configuration for websites using its security-related modules. The second part introduces mod_security, an Apache module and web application firewall, which is essentially an intrusion detection and prevention layer for websites.
