Apache is the most popular web server on this planet. It is open source and can
adapt to whatever your web serving requirements may be, from simple single website to complex
multiple subdomains with URL rewriting. Apache relies on one single text file /etc/httpd/conf/httpd.conf
to do its job. You can edit the contents of this file with any text editor to provide browser
access to all web sites on the server.
You can either have one web site per IP address or group a number
of sites to a single IP address. Make sure that the web server's log (/var/log/http) directory
is properly configured. The access logs can get quite large quickly with high-traffic sites.
The log rotator can be of big help to reduce the storage requirement of large log files so this
service needs to be configured properly and working.
The error logs need to be monitored frequently (preferably on a daily basis) to watch for operation
errors from the web server (missing pages, scripting problems, etc.) and potential denial-of-service
attacks or unauthorized access. If soft links are supported, the actual directories need to be
monitored closely for any potential security breach.
Following are common tips to harden the security of your web server.
1. The default user id for the apache web server httpd daemon is apache:apache. You should assign
a specific non-root Linux user account with restrictive read-write-execute privileges to run the
httpd binaries. No other users can access this user id's files and directories except root. Make
sure you do not allow non-root users to modify any files that root either executes or writes on
in any directories referenced by the apache daemon httpd.
2. Move the default DocumentRoot (/var/www) which hold the data hiearchy of your web site to a
different directory. This simple safeguard may prevent many inexperienced intruders from probing
the server, once they do not find the root path of your dedicated server at the expected location.
3. Do not allow direct access to file system such as /bin /etc, /bin, etc. If your web server needs to
execute binary scripts that require tools in these system directories, investigate and approve on a
case-by-case basis so no unexpected security compromise is encountered.
4. Use relative paths (../../ for example) to hide the hiearchy of data on your web server. If possible,
use the parent directory above the chroot directory so that access to these directories directly from
the browser address bar is not possible.
5. Avoid the use of server side includes and cgi binaries if using scripting language such as PHP.
In case of PHP, more robust security can be achieved with the use compiled codebytes together with
the Zend optimizer engine or bcompiler. The PHP scripts are stored on the server as binary code bytes
and are not human readable in case the server is compromised. The script should have provisions to check
for the server's domain name or IP address, so that these scripts will not run as is on other servers
without extensive modifications.
6. Protect your log files (both error and access logs) typically stored in /var/log/httpd. Check your log
files for error messages regarding security break-in attempts and warnings or notices from your scripting
host. An automated script scheduled at a predetermined interval (cron jobs) can scan the log files and
alert any potential risks. You need to configure and at a minimum check for the following error conditions:
400, bad request
401, unauthorized. The error document must use a local reference (no http://, for example,
/home/myserver/allsites/unauthorized.html). You need to pay special attention to this error
since it means an invalid user id and password were supplied to access the page producing the error.
403, http forbidden.
404, http not found. You need to provide a default or custom page for this error. This response is most
likely caused by a dead link (removing a page without properly updating all links). It can also come
from a potential intruder typing in the browser address bar to probe hidden page present on the dedicated server.
405, http method not allowed
Set the LogLevel directive to info so that other warning and critical error messages are recorded.
This includes other levels: emerg, alert, crit, error, warn, and notice. This setting will increase
the size of the log file significantly but the information recorded can be invaluable to determine
the cause and history of a security breach. A simple log rotator can be implemented to limit the
size of the log file.