I recently read an interesting page entitled '80 of the Best Linux Security Applications'.
Whilst the page looks like a typical 'Digg top 10 list page' (aka Digg-Whoring), it does indeed list some good tools.
It did remind me of the great little tool Nikto, a very handy webserver security scanner.
Nikto does quite a good job of automating and detecting various web-server misconfigurations, as well as known vulnerabilities in web applications.
It's well worth running over your own host just to ensure there is nothing there that the script kiddies will find and play with.
One thing you will notice is that many public web-servers leave the TRACE method open by default. This isn't a bad thing when developing... but probably best avoided on a public web server. (Trace is defined in RFC2616).
Many people write that the way to disable it is via the following snippet of code:
    # Answer 403 Forbidden to any request whose method starts with TRACE
    RewriteEngine on
    RewriteCond %{REQUEST_METHOD} ^TRACE
    RewriteRule .* - [F]
Whilst this does indeed remove some of the TRACE methods, it doesn't remove all instances.
The preferred way to actually stop it is a more recently added directive that you set in your httpd.conf.
The TraceEnable directive was added in Apache 1.3.34, 2.0.55 and 2.2.x.
So basically using the following line will disable the TRACE method:
    TraceEnable off
For those using Apache on a public IP address, it's recommended to disable the TRACE method.
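One way to confirm the change took effect on a server you administer is to send it a TRACE request and look at the answer. This is an added example, not code from the original post; the function names, the X-Trace-Check header and the sample responses are assumptions made for illustration.

```python
import http.client
import secrets
import sys


def classify_trace_response(status, content_type, body, marker):
    """Decide from a TRACE response whether the method is still served.

    marker is a random header value sent with the request; an enabled
    TRACE echoes the whole request, marker included, back in the body.
    """
    echoed = marker.encode() in body
    if status == 200 and (echoed or content_type.lower().startswith("message/http")):
        return "enabled"
    # 405 is what Apache answers with TraceEnable off; 403 is what the
    # mod_rewrite [F] rule produces; 501 means the method is unimplemented.
    if status in (403, 405, 501):
        return "disabled"
    return "inconclusive"


def probe_trace(host, port=80, path="/", timeout=5):
    """Send one TRACE request to a server you administer and classify it."""
    marker = "trace-check-" + secrets.token_hex(8)
    conn = http.client.HTTPConnection(host, port, timeout=timeout)
    try:
        conn.request("TRACE", path, headers={"X-Trace-Check": marker})
        resp = conn.getresponse()
        body = resp.read(65536)
        ctype = resp.getheader("Content-Type", "")
        return classify_trace_response(resp.status, ctype, body, marker)
    finally:
        conn.close()


# Constructed sample responses (not captured from a real server).
SAMPLE_ENABLED = (200, "message/http",
                  b"TRACE / HTTP/1.1\r\nHost: www.example.test\r\n"
                  b"X-Trace-Check: trace-check-abc\r\n\r\n")
SAMPLE_DISABLED = (405, "text/html", b"<h1>Method Not Allowed</h1>")

if __name__ == "__main__":
    if len(sys.argv) > 1:
        print(sys.argv[1], probe_trace(sys.argv[1]))
    else:
        print(classify_trace_response(*SAMPLE_ENABLED, "trace-check-abc"))
        print(classify_trace_response(*SAMPLE_DISABLED, "trace-check-abc"))
```

Run it with your own hostname as the only argument after reloading Apache; a result of "inconclusive" usually means something in front of Apache (a proxy or the application itself) answered the request.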
If you require more information on how to harden Apache, I would recommend you take a read through the book 'Hardening Apache'. The author Tony Mobily is actually a fellow Aussie! He's probably best known as the founder and Editor of the Free Software Magazine.