Installation and Hardening guide for Apache 2.4 on RHEL 7


1. Installation of Apache 2.4 on RHEL 7


[root@WebServer oracle$>yum install httpd
Loaded plugins: langpacks, ulninfo
Resolving Dependencies
Dependencies Resolved
..
Installed:
 httpd.x86_64 0:2.4.6-40.0.1.el7_2.4
Complete!

[root@WebServer oracle$>systemctl enable httpd.service
Created symlink from /etc/systemd/system/multi-user.target.wants/httpd.service to /usr/lib/systemd/system/httpd.service.

[root@WebServer oracle$>systemctl start httpd.service

[root@WebServer oracle$>systemctl status httpd.service
● httpd.service - The Apache HTTP Server
  Loaded: loaded (/usr/lib/systemd/system/httpd.service; enabled; vendor preset: disabled)
  Active: active (running) since Thu 2016-08-25 12:30:24 EDT; 1min 10s ago
    Docs: man:httpd(8)
          man:apachectl(8)
Main PID: 22361 (httpd)
  Status: "Total requests: 0; Current requests/sec: 0; Current traffic:   0 B/sec"
  CGroup: /system.slice/httpd.service
          ├─22361 /usr/sbin/httpd -DFOREGROUND
          ├─22457 /usr/sbin/httpd -DFOREGROUND
          ├─22458 /usr/sbin/httpd -DFOREGROUND
          ├─22459 /usr/sbin/httpd -DFOREGROUND
          ├─22460 /usr/sbin/httpd -DFOREGROUND
          └─22461 /usr/sbin/httpd -DFOREGROUND

Aug 25 12:30:19 xxxxxxxxx systemd[1]: Starting The Apache HTTP Server...
Aug 25 12:30:24 xxxxxxxxx systemd[1]: Started The Apache HTTP Server.
Aug 25 12:30:40 xxxxxxxxx systemd[1]: Started The Apache HTTP Server.
Firewall: firewalld blocks inbound connections to port 80 by default, so the zone rules have to be changed before any client can reach the server. The commands below open 80/tcp (HTTP) and 443/tcp (HTTPS). Port 10000/tcp is not used by Apache; open it only if another service on this host actually listens there, otherwise leave that rule out. --permanent writes a rule to disk without applying it to the running firewall, which is why the --reload at the end is required; firewall-cmd --zone=public --list-ports afterwards shows what is actually open.

[root@WebServer oracle$>firewall-cmd --zone=public --add-port=80/tcp --permanent
success
[root@WebServer oracle$>firewall-cmd --zone=public --add-port=443/tcp --permanent
success
[root@WebServer oracle$>firewall-cmd --zone=public --add-port=10000/tcp --permanent
success
[root@WebServer oracle$>firewall-cmd --reload
success


Default page: at this point you can create a simple page. Once an index.html exists in the web root, the RHEL 7 Apache test page (served by /etc/httpd/conf.d/welcome.conf whenever no index file is present) stops appearing:

[root@WebServer oracle$>echo "APACHE on RHEL7" > /var/www/html/index.html

2. Hide the Apache version

Visit your web server in Firefox and look at the HTTP response headers. The original guide used the Firebug extension for this; Firefox's built-in developer tools (Network panel) or curl -I http://<server>/ from a shell show exactly the same headers. By default the Server header reveals the Apache version and the operating system, for example Apache/2.4.6 followed by the distribution name, as shown in this screenshot:
Apache version info as seen in Firebug
Two directives control this. ServerTokens sets how much the Server header reveals; ServerTokens Prod reduces it to just "Apache". ServerSignature controls the footer line that Apache appends to pages it generates itself (error pages, directory listings), which otherwise carries the same version string. Set both in Apache's main configuration file:
sudo vi /etc/httpd/conf/httpd.conf
Add the following lines at the end of the file. On RHEL 7 httpd.conf also includes every *.conf file under /etc/httpd/conf.d/, so a dedicated file such as /etc/httpd/conf.d/hardening.conf is a cleaner place for these settings. If either directive already appears elsewhere in the configuration, the last occurrence wins, so check with grep -ri servertokens /etc/httpd/ before adding duplicates:
ServerSignature Off
ServerTokens Prod
Save the file, check the syntax and restart the Apache service so the changes take effect:
sudo apachectl configtest
sudo apachectl restart
Now reload the page and check the response headers again. With ServerTokens Prod the Server header reads just "Apache": the version and operating system are gone. Stock httpd cannot drop or rename the Server header altogether (mod_headers cannot override it), so Prod is as far as the core configuration goes.
Apache version successfully hidden

3. Turn off directory listing  

When a request maps to a directory that contains no index file (index.html by default; see DirectoryIndex), Apache generates a listing of that directory, because the stock RHEL 7 httpd.conf sets Options Indexes FollowSymLinks on /var/www/html. The listing exposes every file in the directory, including backups, configuration files and anything else left there, and an attacker can download and analyze them to learn about the application behind the server.
Here is an example of the directory listing of the Apache web root:
Apache directory listing of web root
You turn this off with the Options directive in the <Directory> block that covers the web root (or any other specific directory) in the Apache configuration file.
sudo vi /etc/httpd/conf/httpd.conf
Find the section that begins with <Directory "/var/www/html"> and add -Indexes to its Options line (the leading minus removes that single option while keeping the others the block already has; alternatively delete Indexes from the existing Options line):
<Directory "/var/www/html">
   Options -Indexes
   AllowOverride None
   Require all granted
</Directory>
AllowOverride None matters here too: it stops a .htaccess file dropped into the web root from turning listings back on.
Save the file and restart the Apache service so the changes take effect.
sudo apachectl restart
Now request a directory that has no index file, for example http://192.168.1.42:80/cert. Instead of a listing you get a 403 Forbidden error, as shown in the image below (curl -s -o /dev/null -w '%{http_code}\n' http://192.168.1.42/cert/ should print 403).
Apache with directory listing forbidden

4. Secure Apache from XSS attacks

Cross-site scripting (XSS) is one of the most common vulnerabilities in web applications. It is a flaw in the application that Apache serves, not in httpd itself: an attacker injects client-side script into pages that other users then view. The X-XSS-Protection response header asks the browser to turn on its built-in filter for reflected XSS. Treat it as defence in depth only: the header is a legacy mechanism (Firefox never implemented it and Chromium has since removed its filter), so it does not fix an XSS bug; the application has to encode its output correctly, and a Content-Security-Policy header is the current way to restrict which scripts a page may run. Setting the header is still cheap, and it is what most scanners look for.
You can do this by editing the httpd.conf file:
sudo vi /etc/httpd/conf/httpd.conf
Add the following lines. The header is set by mod_headers, which the stock RHEL 7 configuration loads in /etc/httpd/conf.modules.d/00-base.conf; the IfModule guard makes the directive disappear silently if the module is not loaded, so confirm afterwards that the header really shows up. "always" makes Apache send the header on error responses (4xx, 5xx) as well, not only on successful ones:
<IfModule mod_headers.c>
   Header always set X-XSS-Protection "1; mode=block"
</IfModule>
Save the file and restart Apache so the changes take effect.
sudo apachectl restart
Now reload your website and check the response headers: X-XSS-Protection: 1; mode=block should be present.
Apache showing that XSS protection has been enabled

5. Secure Apache from clickjacking attacks

Clickjacking, also known as a user-interface redress attack, embeds the target site in an invisible or disguised frame on a page the attacker controls. The visitor believes they are clicking on the attacker's page, but the clicks land on buttons or links of the framed site, in the session the visitor already has there.
To stop other origins from framing your site, send the X-Frame-Options response header. DENY forbids framing entirely; SAMEORIGIN allows frames only from pages of the same origin. Use DENY unless the site frames its own pages. (The frame-ancestors directive of Content-Security-Policy is the newer replacement; browsers still honor X-Frame-Options.)
You can do this by editing the httpd.conf file:
sudo vi /etc/httpd/conf/httpd.conf
Add the following line. Use set rather than append: X-Frame-Options takes a single value, and append would merge it with any value set elsewhere into a header that browsers may ignore. "always" sends the header on error responses too:
Header always set X-Frame-Options "SAMEORIGIN"
Save the file and restart Apache:
sudo apachectl restart
Now reload your website and check the response headers; X-Frame-Options: SAMEORIGIN should be present, as shown in the image below:
Apache X-frame options set

6. Disable ETag

ETag (entity tag) is an HTTP response header that identifies a particular version of a resource; a client sends it back in If-None-Match to ask whether its cached copy is still current. Apache derives the tag for static files from file attributes. In Apache 2.4 the default is FileETag MTime Size; releases before 2.4 used INode MTime Size, which disclosed the file's inode number and is the source of the well-known ETag information-leak finding that vulnerability scanners still report. A 2.4 server therefore no longer leaks the inode by default, but the header still reveals the file's modification time and size. ETag is sent by default.
You can see ETag by checking the HTTP response headers:
Apache Etag in HTTP response headers
If you do not need ETag-based revalidation, the simplest fix is to disable the header. Clients fall back to Last-Modified / If-Modified-Since, so caching keeps working. (If you want to keep ETags and only make sure the inode is excluded, FileETag MTime Size is the alternative.)
You can do this by editing the httpd.conf file:
sudo vi /etc/httpd/conf/httpd.conf
Add the following line:
FileETag None
Save the file and restart Apache:
sudo apachectl restart
Now reload your website and check the response headers: no ETag header should be listed (curl -sI http://192.168.1.42/ | grep -i etag prints nothing).
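To check all of the above without a browser extension, the following shell script is an added example; it is not part of the original guide. It audits a captured response header block, as produced by curl -sI, for the four headers the guide changes in sections 2, 4, 5 and 6: Server, X-Frame-Options, X-XSS-Protection and ETag. The two embedded responses are constructed to resemble a stock RHEL 7 httpd before hardening and the same server after the changes; they are not captured from a real host, and 192.168.1.42 in the usage comments is the guide's own example address. Directory listing (section 3) is a status-code check on a directory URL rather than a header, so it is covered by the separate curl command in the usage comment.

```shell
#!/bin/sh
# Added example: audit an HTTP response header block for the hardening items in this guide.
#
# Live use (192.168.1.42 is the guide's example address):
#   curl -sI http://192.168.1.42/ | audit_headers
#   curl -s -o /dev/null -w '%{http_code}\n' http://192.168.1.42/cert/   # 403 once Indexes is off
#
# Offline use (constructed samples below):
#   printf '%s\n' "$BEFORE" | audit_headers

# Print the value of one header (name matched case-insensitively) from the response on
# stdin, with CRLF line endings stripped. Prints nothing if the header is absent.
header_value() {
    name=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
    tr -d '\r' | awk -F': *' -v name="$name" '
        tolower($1) == name { sub(/^[^:]*: */, ""); print; exit }'
}

# Read a full header block from stdin, print one PASS/FAIL line per check, and return
# the number of failures as the exit status.
audit_headers() {
    resp=$(tr -d '\r')
    fails=0

    # Section 2: ServerTokens Prod leaves nothing but "Apache" in the Server header.
    server=$(printf '%s\n' "$resp" | header_value Server)
    case "$server" in
        ""|Apache) echo "PASS ServerTokens: Server header is '${server:-absent}'" ;;
        *) echo "FAIL ServerTokens: Server header reveals '$server' (set ServerTokens Prod)"
           fails=$((fails + 1)) ;;
    esac

    # Section 5: X-Frame-Options must be DENY or SAMEORIGIN (the value is case-insensitive).
    xfo=$(printf '%s\n' "$resp" | header_value X-Frame-Options | tr 'a-z' 'A-Z')
    case "$xfo" in
        DENY|SAMEORIGIN) echo "PASS X-Frame-Options: $xfo" ;;
        "") echo "FAIL X-Frame-Options: header absent (Header always set X-Frame-Options \"SAMEORIGIN\")"
            fails=$((fails + 1)) ;;
        *) echo "FAIL X-Frame-Options: '$xfo' is not DENY or SAMEORIGIN"
           fails=$((fails + 1)) ;;
    esac

    # Section 4: X-XSS-Protection enabled ("1", optionally with mode=block). Legacy header,
    # checked because scanners still flag its absence.
    xss=$(printf '%s\n' "$resp" | header_value X-XSS-Protection)
    case "$xss" in
        1*) echo "PASS X-XSS-Protection: $xss" ;;
        *) echo "FAIL X-XSS-Protection: absent or disabled (Header always set X-XSS-Protection \"1; mode=block\")"
           fails=$((fails + 1)) ;;
    esac

    # Section 6: FileETag None removes the ETag header entirely.
    etag=$(printf '%s\n' "$resp" | header_value ETag)
    if [ -n "$etag" ]; then
        echo "FAIL FileETag: ETag $etag is still sent (set FileETag None)"
        fails=$((fails + 1))
    else
        echo "PASS FileETag: no ETag header"
    fi

    echo "$fails finding(s)"
    return "$fails"
}

# Constructed sample responses (not captured from a real host).
# BEFORE: what a stock RHEL 7 httpd typically sends for /index.html.
BEFORE='HTTP/1.1 200 OK
Date: Thu, 25 Aug 2016 16:45:10 GMT
Server: Apache/2.4.6 (Red Hat Enterprise Linux)
Last-Modified: Thu, 25 Aug 2016 16:40:02 GMT
ETag: "10-53adf1e4a8c80"
Accept-Ranges: bytes
Content-Length: 16
Content-Type: text/html; charset=UTF-8'

# AFTER: the same server once sections 2 to 6 have been applied.
AFTER='HTTP/1.1 200 OK
Date: Thu, 25 Aug 2016 16:50:31 GMT
Server: Apache
Last-Modified: Thu, 25 Aug 2016 16:40:02 GMT
Accept-Ranges: bytes
X-XSS-Protection: 1; mode=block
X-Frame-Options: SAMEORIGIN
Content-Length: 16
Content-Type: text/html; charset=UTF-8'

# Demo: audit both samples (|| true keeps the non-zero failure count from aborting the script).
printf '%s\n' "$BEFORE" | audit_headers || true
printf '%s\n' "$AFTER"  | audit_headers || true
```

Run it against the live server after each section and the corresponding FAIL line should turn into PASS; the exit status is the number of remaining findings, so the function can also gate a deployment script.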
