Apache config file.

Support for security such as Firewalls and securing linux
Post Reply
hack3rcon
Posts: 663
Joined: 2014/11/24 11:04:37

Apache config file.

Post by hack3rcon » 2020/08/04 16:06:40

Hello,
In below Apache configuration, which vulnerabilities exist?

Code: Select all

 
# least PidFile.
#
ServerRoot "/etc/httpd"

#Listen 12.34.56.78:80
Listen 80


# Example:
# LoadModule foo_module modules/mod_foo.so
#
Include conf.modules.d/*.conf


#
User apache
Group apache
#
ServerAdmin root@localhost
#
# Deny access to the entirety of your server's filesystem. You must
# explicitly permit access to web content directories in other
# <Directory> blocks below.
#
<Directory />
   AllowOverride none
   Require all denied
</Directory>

#
# Note that from this point forward you must specifically allow
# particular features to be enabled - so if something's not working as
# you might expect, make sure that you have specifically enabled it
# below.
#

#
# DocumentRoot: The directory out of which you will serve your
# documents. By default, all requests are taken from this directory, but
# symbolic links and aliases may be used to point to other locations.
#
DocumentRoot "/var/www/html"

#
# Relax access to content within /var/www.
#
<Directory "/var/www">
   AllowOverride None
   # Allow open access:
   Require all granted
</Directory>

# Further relax access to the default document root:
<Directory "/var/www/html">
   #
   # Possible values for the Options directive are "None", "All",
   # or any combination of:
   #   Indexes Includes FollowSymLinks SymLinksifOwnerMatch ExecCGI MultiViews
   #
   # Note that "MultiViews" must be named *explicitly* --- "Options All"
   # doesn't give it to you.
   #
   # The Options directive is both complicated and important.  Please see
   # http://httpd.apache.org/docs/2.4/mod/core.html#options
   # for more information.
   #
   Options Indexes FollowSymLinks

   #
   # AllowOverride controls what directives may be placed in .htaccess files.
   # It can be "All", "None", or any combination of the keywords:
   #   Options FileInfo AuthConfig Limit
   #
   AllowOverride None

   #
   # Controls who can get stuff from this server.
   #
   Require all granted
</Directory>

#
# DirectoryIndex: sets the file that Apache will serve if a directory
# is requested.
#
<IfModule dir_module>
   DirectoryIndex index.html
</IfModule>

#
# The following lines prevent .htaccess and .htpasswd files from being
# viewed by Web clients.
#
<Files ".ht*">
   Require all denied
</Files>

#
# ErrorLog: The location of the _error_ log file.
# If you do not specify an ErrorLog directive within a <VirtualHost>
# container, _error_ messages relating to that virtual host will be
# logged here.  If you *do* define an _error_ logfile for a <VirtualHost>
# container, that host's errors will be logged there and not here.
#
ErrorLog "logs/error_log"

#
# LogLevel: Control the number of messages logged to the error_log.
# Possible values include: debug, info, notice, warn, _error_, crit,
# alert, emerg.
#
LogLevel warn

<IfModule log_config_module>
   #
   # The following directives define some format nicknames for use with
   # a CustomLog directive (see below).
   #
   LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined
   LogFormat "%h %l %u %t \"%r\" %>s %b" common

   <IfModule logio_module>
     # You need to enable mod_logio.c to use %I and %O
     LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\" %I %O" combinedio
   </IfModule>

   #
   # The location and format of the access logfile (Common Logfile Format).
   # If you do not define any access logfiles within a <VirtualHost>
   # container, they will be logged here.  Contrariwise, if you *do*
   # define per-<VirtualHost> access logfiles, transactions will be
   # logged therein and *not* in this file.
   #
   #CustomLog "logs/access_log" common

   #
   # If you prefer a logfile with access, agent, and referer information
   # (Combined Logfile Format) you can use the following directive.
   #
   CustomLog "logs/access_log" combined
</IfModule>

<IfModule alias_module>
     ScriptAlias /cgi-bin/ "/var/www/cgi-bin/"

</IfModule>

<Directory "/var/www/cgi-bin">
   AllowOverride None
   Options None
   Require all granted
</Directory>

<IfModule mime_module>
  TypesConfig /etc/mime.types

   AddType application/x-compress .Z
   AddType application/x-gzip .gz .tgz
   AddType text/html .shtml
   AddOutputFilter INCLUDES .shtml
</IfModule>

#
# Specify a default charset for all content served; this enables
# interpretation of all content as UTF-8 by default.  To use the
# default browser choice (ISO-8859-1), or to allow the META tags
# in HTML content to override this choice, comment out this
# directive:
#
AddDefaultCharset UTF-8

<IfModule mime_magic_module>
   #
   # The mod_mime_magic module allows the server to use various hints from the
   # contents of the file itself to determine its type.  The MIMEMagicFile
   # directive tells the module where the hint definitions are located.
   #
   MIMEMagicFile conf/magic
</IfModule>

#
# Customizable _error_ responses come in three flavors:
# 1) plain text 2) local redirects 3) external redirects
#
# Some examples:
#ErrorDocument 500 "The server made a boo boo."
#ErrorDocument 404 /missing.html
#ErrorDocument 404 "/cgi-bin/missing_handler.pl"
#ErrorDocument 402 http://www.example.com/subscription_info.html
#

#
# EnableMMAP and EnableSendfile: On systems that support it,
# memory-mapping or the sendfile syscall may be used to deliver
# files.  This usually improves server performance, but must
# be turned off when serving from networked-mounted
# filesystems or if support for these functions is otherwise
# broken on your system.
# Defaults if commented: EnableMMAP On, EnableSendfile Off
#
#EnableMMAP off
EnableSendfile on

# Supplemental configuration
#
# Load config files in the "/etc/httpd/conf.d" directory, if any.
IncludeOptional conf.d/*.conf


#Security
TraceEnable off
ServerSignature Off
ServerTokens Prod
SSLProtocol -ALL +TLSv1.2
SSLCipherSuite ALL:!aNULL:!ADH:!eNULL:!LOW:!EXP:RC4+RSA:+HIGH:+MEDIUM
TimeOut 60


# Modules
LoadModule reqtimeout_module modules/mod_reqtimeout.so
RequestReadTimeout header=10-30,MinRate=500
Any opinion welcomed.
Thank you.

aks
Posts: 3022
Joined: 2014/09/20 11:22:14

Re: Apache config file.

Post by aks » 2020/08/04 18:47:58

a) Probably your versoin of httpd (including all modules compiled in there)
b) Is the apache user and group a system group - i.e.: no shell
c) Possibly whatever you have in /var/www/html (including symlinks).
d) Probably all cgis
e) The security ciphers, depends on your needs (also no TLS3).

Otherwise a rather pointless exercise..

BShT
Posts: 278
Joined: 2019/10/09 12:31:40

Re: Apache config file.

Post by BShT » 2020/08/05 12:14:14

i don´t like indexes directive

User avatar
KernelOops
Posts: 322
Joined: 2013/12/18 15:04:03
Location: xfs file system

Re: Apache config file.

Post by KernelOops » 2020/08/06 08:26:18

In CentOS 8, you should use the system-wide crypto policy, changes should be made there (the way it works with other services like ssh):

Code: Select all

SSLCipherSuite				PROFILE=SYSTEM
SSLProxyCipherSuite			PROFILE=SYSTEM
I'll PM you an example apache config for CentOS 8 so you can get some ideas.
--
I love my computer - all my friends live there.
--

hack3rcon
Posts: 663
Joined: 2014/11/24 11:04:37

Re: Apache config file.

Post by hack3rcon » 2020/08/06 09:33:04

KernelOops wrote:
2020/08/06 08:26:18
In CentOS 8, you should use the system-wide crypto policy, changes should be made there (the way it works with other services like ssh):

Code: Select all

SSLCipherSuite				PROFILE=SYSTEM
SSLProxyCipherSuite			PROFILE=SYSTEM
I'll PM you an example apache config for CentOS 8 so you can get some ideas.
Thank you.

Post Reply

Return to “CentOS 8 - Security Support”