Derek Neely

My buddy Huggins found this nice tutorial of some basic configurations for hardening Apache. As I’ve mentioned this blog is primarily for my own personal reference, so I’m reposting the contents here (in the event the original post goes away). We’ll of course append more here as we discover other additional configurations that can help. If you have something to share, please do so.

1) On all your vhosts, be sure to eliminate directory listing

<Directory /var/www/>
    Options -Indexes FollowSymLinks MultiViews
    AllowOverride None
    Order allow,deny
    allow from all
</Directory>

2) Disable TRACE and TRACK

<IfModule mod_rewrite.c>
    RewriteEngine On
    RewriteCond %{REQUEST_METHOD} ^(TRACE|TRACK)
    RewriteRule .* – [F]
</IfModule>

Be sure to have enabled the mod-rewrite module: ‘a2enmod rewrite‘

3) Avoid HTTP-DoS, DDoS, or Brute Force attack

apt-get install libapache2-mod-evasive

4) Screen out bad URL requests

apt-get install libapache-mod-security mod-security-common

5) Disallow Apache/Server information to be printed to the screen

vi /etc/apache2/conf.d/security

Change these lines:

ServerToken Prod
ServerSignature Off

6) PHP Hardening

vi /etc/php5/apache2/php.ini

Change these lines:

display_errors = Off
log_errors = On
allow_url_fopen = Off
safe_mode = On
expose_php = Off
enable_dl = Off
disable_functions = system, show_source, symlink, exec, dl, shell_exec, passthru, phpinfo, escapeshellarg, escapeshellcmd

7) At this point you can reload/restart Apache and apply all the changes

8 ) Avoid SYN Attacks

vi /etc/sysctl.conf

#Enable TCP SYN Cookie Protection
net.ipv4.tcp_syncookies = 1

Apply the change: ‘sysctl -p‘

 

Original source: http://secure-ubuntu-server.blogspot.com/2009/07/howto-hardening-your-apache-and-php-on_07.html

 

After some reading of consolidation options for Apache logs, I ran across mod_log_sql (we are hating spread) which will take Apache logs and log them off to a MySQL database. Sounded great! We could then run scripts to go through and parse the values and run statistics on. Twas perfect for our needs. RIGHT!!!

At my company we run about 12 vhosts over about 5-6 load balanced web servers. All of them were configured to log to our loganalysis server which is a pretty beefy machine. The logging all in all worked well with a few major exceptions listed below.

1) I used the directive:

LogSQLRequestIgnore .gif .jpg .css .ico .png .js

This directive is supposed to be used to ignore any pages ending with that extension. This did not work at all and I had to create a script to actually delete those before analyzing the logs. Bummer but not that big of a deal.

2) While working with the server to optimize the database, there were various times when I would need to restart the MySQL service and a few times I needed to reboot the server. During these periods of time, the web servers were unable to log to the database which brought them to their knees. The inability of the module to handle a database outage gracefully was a major deal breaker for us. I feel this issue is a result of intense disk IO when the database is down. The server is logging to its Apache logs, the the backup SQL logs, and to the Apache error logs for every failed request. This becomes emense with thousands of requests per second. Should this server die or needing maintenance would have ultimately brought our company to a hault.

Long story short, we’re scrapping mod_log_sql and going with an NFS mount out to all the web services which we can then parse and run statistics on using some custom scripts and/or AWStats or Splunk.

I feel as a big newb when it comes to the rewrite rules. Not sure where my head’s been but it hasn’t been here. I’m finally grasping the concept of them. Here are some of my notes and resources that help me maintain some sanity with it.

Shortened file path

RewriteCond %{HTTP_HOST}    (.*)
RewriteRule ^images/(.*) sites/%1/files/images/$1 [L]

I used this one with a multi-site Drupal setup where the image paths wound up being something such as http://[domain]/sites/[domain]/files/images/image.jpg. Afterwards the URL was: http://[domain]/images/image.jpg.

References and Resources:
Apache Rewrite Guide and Examples
mod_rewrite Cheat Sheet