Thursday, May 8 2008
Tightening up public Apache web servers
I recently read an interesting page entitled '80 of the Best Linux Security Applications'.
Whilst the page looks like a typical 'Digg top 10 list page' (aka Digg-Whoring) it does indeed list some good tools.
It did remind me of the great little tool Nikto; a very handy webserver security scanner.
Nikto does quite a good job of automating and detecting various web-server misconfigurations, as well as known vulnerabilities in web applications.
It's well worth running over your own host just to ensure there is nothing there that the script kiddies will find and play with.
One thing you will notice is that many public web-servers leave the TRACE method open by default. This isn't a bad thing when developing... but probably best avoided on a public web server. (Trace is defined in RFC2616).
Many people write that the way to disable it is via the following snippet of code:
Whilst this does indeed remove some of the TRACE methods, it doesn't remove all instances.
The preferred way to actually stop it comes from a recently added directive to your httpd.conf.
The EnableTrace directive was added in Apache 1.3.34, 2.0.55 and 2.2.x).
So basically using the following block will disable the trace method:
For those using Apache on a public IP address, it's recommended to disable the TRACE method.
If you require more information on how to harden Apache, I would recommend you take a read through the book 'Hardening Apache'. The author Tony Mobily is actually a fellow Aussie!
He's probably best known as the founder and Editor of the Free Software Magazine.
Whilst the page looks like a typical 'Digg top 10 list page' (aka Digg-Whoring) it does indeed list some good tools.
It did remind me of the great little tool Nikto; a very handy webserver security scanner.
Nikto does quite a good job of automating and detecting various web-server misconfigurations, as well as known vulnerabilities in web applications.
It's well worth running over your own host just to ensure there is nothing there that the script kiddies will find and play with.
One thing you will notice is that many public web-servers leave the TRACE method open by default. This isn't a bad thing when developing... but probably best avoided on a public web server. (Trace is defined in RFC2616).
Many people write that the way to disable it is via the following snippet of code:
RewriteEngine on
RewriteCond %{REQUEST_METHOD} ^TRACE
RewriteRule .* [F]
Whilst this does indeed remove some of the TRACE methods, it doesn't remove all instances.
The preferred way to actually stop it comes from a recently added directive to your httpd.conf.
The EnableTrace directive was added in Apache 1.3.34, 2.0.55 and 2.2.x).
So basically using the following block will disable the trace method:
EnableTrace off
For those using Apache on a public IP address, it's recommended to disable the TRACE method.
If you require more information on how to harden Apache, I would recommend you take a read through the book 'Hardening Apache'. The author Tony Mobily is actually a fellow Aussie!
He's probably best known as the founder and Editor of the Free Software Magazine.
< Beefing up ClamAV to detect and filter out scam, phishing and malware Emails | Asterisk, Snom-300 VOIP phone and Power Over Ethernet. >
Trackbacks
Trackback specific URI for this entry
No Trackbacks
Comments
Display comments as
(Linear | Threaded)
Matt,
I have been looking for this piece of information after struggling to get the .htaccess method to work. One of my companies client uses "Scanalert" and it always complains about this particular Trace vulnerability. I think scanalert uses the Nikto test suite but a bit customised to their needs. I will have to try this and see how it goes.
I have been looking for this piece of information after struggling to get the .htaccess method to work. One of my companies client uses "Scanalert" and it always complains about this particular Trace vulnerability. I think scanalert uses the Nikto test suite but a bit customised to their needs. I will have to try this and see how it goes.
No probs.
Let me know how it goes.
Hopefully it solves the problem.
Let me know how it goes.
Hopefully it solves the problem.
hi there,
Was looking at Tony Mobily's website: http://www.mobily.com and it looks to me as a defaced website. Is that how his site supposed to be?
Was looking at Tony Mobily's website: http://www.mobily.com and it looks to me as a defaced website. Is that how his site supposed to be?
It appears as it is indeed defaced. 
However I could be wrong?!
I guess he's a target.. and shows nothing is secure.
However I could be wrong?!
I guess he's a target.. and shows nothing is secure.
Quicksearch
Calendar
|
July '08 | |||||
| Mon | Tue | Wed | Thu | Fri | Sat | Sun |
| 1 | 2 | 3 | 4 | 5 | 6 | |
| 7 | 8 | 9 | 10 | 11 | 12 | 13 |
| 14 | 15 | 16 | 17 | 18 | 19 | 20 |
| 21 | 22 | 23 | 24 | 25 | 26 | 27 |
| 28 | 29 | 30 | 31 | |||
Syndicate This Blog
Blog Administration
Blog Tags
alerting apps birthday building coding cricket entertainment family football gnome google hardware health holiday house Internet ISP life linksys Linux marriage microsoft monitoring movies nagios networking news office pets play review security shopping sms snoring spam sport tennis terrorism web windows work