


Posted by Runner (Administrator) on 04-10-2021, 03:47 PM
Commonly Missed Security Settings For Apache Web Server

Hide Web Server Information

By default, the Apache web server discloses some valuable information, such as the web server version, which can help an attacker leverage any known bug or vulnerability present in that specific version of the package.
 
As shown in the image above, anyone can easily identify the web server's version. We can prevent Apache from disclosing this information:
Settings:
Make changes in Apache's default configuration /etc/httpd/conf/httpd.conf. Add the directives ServerSignature Off and ServerTokens Prod at the end of the file as shown below and save the file.
 
Now reload the Apache service.
sudo service httpd reload
Test again using curl and you will see that Apache no longer discloses the version.
 


Disable Directory Listing 

In the web server's document root, if there is no index file, Apache will list all content present there. As shown in the image below, you will see all contents in the browser if directory listing is enabled, so the web server can disclose some content unnecessarily.
 
Settings:
Make changes in Apache's default configuration /etc/httpd/conf/httpd.conf. Add the directive Options -Indexes as shown below and save the file. Note that you can also create a .htaccess file with this directive under the same document root to disable directory listing.
 
Now reload the Apache service. Note that this setting may be overridden by per-directory .htaccess files, as specified in the documentation.
sudo service httpd reload
Test again in a browser; you should get a 403 Forbidden error.


Optimize SSL/TLS Settings 

It is always recommended to run your website over HTTPS; however, it is not always enough to just set up an SSL certificate. There are some vulnerable SSL protocols and weak ciphers that we should disable to mitigate the risks.
Note: With these settings, your application might not support some legacy browsers. For more details, please look into the detailed chart by Wikipedia about browser compatibility with different SSL protocols.
Settings:
You can create an ssl.conf file under /etc/httpd/conf.d/ and add the code given below to it to disable weak SSL protocols and ciphers.

SSLProtocol TLSv1.2
SSLHonorCipherOrder on
SSLCipherSuite HIGH:!aNULL:!MD5:!3DES

Now restart the Apache service.
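To check an existing configuration against the three sections above (server information, directory listing, SSL/TLS), here is an added Python audit script; it is not part of the original post. The sample httpd.conf fragment and the finding messages are constructed, and the parser treats the file as a flat list of directives rather than resolving Directory scopes or Include'd files.

```python
# Constructed httpd.conf fragment (not from a real server) that leaves several
# of the settings discussed in this thread in their weaker default state.
WEAK_CONF = """\
ServerTokens OS
ServerSignature On
Options Indexes FollowSymLinks
SSLProtocol all -SSLv3
SSLCipherSuite HIGH:!aNULL:!MD5
"""
ALL_PROTOCOLS = {"SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3"}
WEAK_PROTOCOLS = {"SSLv3", "TLSv1", "TLSv1.1"}
def parse_directives(conf_text):
    """Map directive name (lower-cased) to the last value seen; ignores <Directory> scoping and Includes."""
    directives = {}
    for line in conf_text.splitlines():
        line = line.strip()
        if not line or line[0] in "#<":
            continue
        parts = line.split(None, 1)
        directives[parts[0].lower()] = parts[1] if len(parts) > 1 else ""
    return directives
def allowed_protocols(value):
    """Resolve an SSLProtocol value such as 'all -SSLv3' or 'TLSv1.2 +TLSv1.3'."""
    tokens = value.split()
    allowed = set(ALL_PROTOCOLS) if "all" in tokens else set()
    for t in tokens:
        if t.startswith("-"):
            allowed.discard(t[1:])
        elif t != "all":
            allowed.add(t.lstrip("+"))   # bare names and +names both enable
    return allowed
def audit_httpd_conf(conf_text):
    """Return a list of findings for the settings covered in this thread."""
    d = parse_directives(conf_text)
    findings = []
    if d.get("servertokens", "").lower() != "prod":
        findings.append("ServerTokens is not Prod: version is disclosed")
    if d.get("serversignature", "on").lower() != "off":
        findings.append("ServerSignature is not Off")
    if "-Indexes" not in d.get("options", "").split():
        findings.append("Options -Indexes missing: directory listing possible")
    # assume 'all' when SSLProtocol is absent, the most permissive reading
    weak = sorted(allowed_protocols(d.get("sslprotocol", "all")) & WEAK_PROTOCOLS)
    if weak:
        findings.append("SSLProtocol allows weak protocols: " + ", ".join(weak))
    if d.get("sslhonorcipherorder", "off").lower() != "on":
        findings.append("SSLHonorCipherOrder is not on")
    if "!3DES" not in d.get("sslciphersuite", ""):
        findings.append("SSLCipherSuite does not exclude 3DES")
    return findings
```

Run it over the concatenation of httpd.conf and the conf.d files to get the same last-value-wins view that a flat read gives; an empty list means all six settings from this post are in place.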



Protection Against Cross-Site Scripting

Cross-site Scripting (XSS) is quite a common attack which is basically client-side code injection. We can mitigate the risk of such attacks to some extent using the X-XSS-Protection header.
Note: These settings may impact your application's functionality; please check here for more details about this header's settings.
Settings:
Make changes in Apache's default configuration /etc/httpd/conf/httpd.conf. Add the directive Header set X-XSS-Protection "1; mode=block" at the end of the file as shown below and save the file.
 
Now reload the Apache service.
sudo service httpd reload
You can test using the curl command whether the header is enabled:
curl --head http://apachehost.com
You should see X-XSS-Protection: 1; mode=block in the output.


Protection Against Clickjacking Attacks

Clickjacking is another type of attack used to force users to download malware, access malicious links, visit malicious web pages, etc. Apache can send the X-Frame-Options HTTP header to prevent clickjacking attacks.
Note: There are different directives that the X-Frame-Options header supports. We have only used SAMEORIGIN in our example below. Look for a detailed article about the X-Frame-Options HTTP response header for more details about the other directives and their possible impact on your website's functionality. Here is a good article by Mozilla.
Settings:
Make changes in Apache's default configuration /etc/httpd/conf/httpd.conf. Add the directive Header always append X-Frame-Options SAMEORIGIN at the end of the file as shown below and save the file.
 
Now reload the Apache service.
sudo service httpd reload
You can test using the curl command whether the header is enabled:
curl --head http://apachehost.com
You should see X-Frame-Options: SAMEORIGIN in the output.


Protection Against Content-Type Sniffing

According to Wikipedia, content sniffing, also known as media type sniffing or MIME sniffing, is the practice of inspecting the content of a byte stream to attempt to deduce the file format of the data within it. Apache can send the X-Content-Type-Options HTTP header to prevent content-type sniffing.
Note: These settings may impact your application's functionality; please check here for more details about this header's settings.
Settings:
Make changes in Apache's default configuration /etc/httpd/conf/httpd.conf. Add the directive Header set X-Content-Type-Options nosniff at the end of the file as shown below and save the file.
 
Now reload the Apache service.
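As an added example that is not part of the original post, the curl checks for the three response headers above, plus the Server header from the first section, can be run automatically over saved `curl --head` output. Both captures below are constructed samples, not real responses; the second one also shows what happens if the header value is typed with a colon instead of a semicolon.

```python
import re
# Constructed `curl --head` output for a host with this thread's settings applied.
HARDENED_HEAD = """\
HTTP/1.1 200 OK
Server: Apache
X-XSS-Protection: 1; mode=block
X-Frame-Options: SAMEORIGIN
X-Content-Type-Options: nosniff
Content-Type: text/html; charset=UTF-8
"""
# Constructed output for a default install, with a mistyped X-XSS-Protection value.
DEFAULT_HEAD = """\
HTTP/1.1 200 OK
Server: Apache/2.4.6 (CentOS)
X-XSS-Protection: 1: mode=block
Content-Type: text/html; charset=UTF-8
"""
# Header name -> acceptable values as used in this thread (DENY is a stricter X-Frame-Options choice).
EXPECTED = {
    "x-xss-protection": {"1; mode=block"},
    "x-frame-options": {"sameorigin", "deny"},
    "x-content-type-options": {"nosniff"},
}
def parse_head(raw):
    """Parse curl --head output into {lower-name: [values]}, keeping duplicates."""
    headers = {}
    for line in raw.splitlines()[1:]:      # skip the HTTP status line
        if ":" not in line:
            continue
        name, value = line.split(":", 1)
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return headers
def check_headers(raw):
    """Return findings: missing or mis-set security headers and version disclosure."""
    h = parse_head(raw)
    findings = []
    for name, ok in EXPECTED.items():
        values = h.get(name, [])
        if not values:
            findings.append(f"{name} missing")
        elif len(values) > 1:
            findings.append(f"{name} sent {len(values)} times; values may conflict")
        elif values[0].lower() not in ok:
            findings.append(f"{name} has unexpected value {values[0]!r}")
    for server in h.get("server", []):
        if re.search(r"\d", server):       # ServerTokens Prod leaves only 'Apache'
            findings.append(f"Server header discloses a version: {server!r}")
    return findings
```

Feed it the output of `curl --head https://yourhost` (saved to a file or piped in) to verify all four settings in one pass.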