Hardening guide for Apache 2.4.6 on CentOS 6.4 (64bit edition)

      This document explains the process of installation, configuration and hardening of Apache server from source files, based on CentOS 6.4 default installation (IPTables and SELinux enabled by default), including support for TLS v1.2 and protection from BEAST attack and CRIME attack.
      Some of the features explained in this document are supported by only some of the Internet browsers:

    • X-Frame-Options – Minimum browser support: IE 8.0, Firefox 3.6.9, Chrome 4.1.249, Opera 10.50, Safari 4.0
    • TLS 1.2 – Minimum browser support: IE 8.0 on Windows 7/8 (Need to be enabled by default), Firefox 24.0 (Need to be enabled by default), Chrome 30, Opera 17, Safari 5.0
    Pre-Requirements

    • policycoreutils-python-* package installed
    • setools-libs-* package installed
    • libcgroup-* package installed
    • audit-libs-python-* package installed
    • libsemanage-python-* package installed
    • setools-libs-python-* package installed
    • gcc* package installed
    • gcc-c++* package installed
    • autoconf* package installed
    • automake* package installed
    Installation Phase

  1. Login to the server using Root account
  2. Upgrade the Openssl build:
    rpm -ivh --nosignature http://rpm.axivo.com/redhat/axivo-release-6-1.noarch.rpm

    yum --enablerepo=axivo update openssl -y

  3. Download Apache source file into /tmp, from:
    http://httpd.apache.org/download.cgi
  4. Download APR and APR-Util source files into /tmp, from:
    https://apr.apache.org/download.cgi
  5. Download PCRE source file into /tmp, from:
    http://sourceforge.net/projects/pcre/files/pcre/
  6. Compile PCRE from source file:

    tar zxvf /tmp/pcre-8.33.tar.gz -C /tmp

    mv /tmp/pcre-8.33 /usr/local/pcre

    cd /usr/local/pcre

    ./configure --prefix=/usr/local/pcre

    make

    make install

  7. Extract Apache source files:
    cd /tmp

    tar zxvf httpd-2.4.6.tar.gz

    cd httpd-2.4.6/srclib/

    tar zxvf ../../apr-1.4.8.tar.gz

    ln -s apr-1.4.8/ apr

    tar zxvf ../../apr-util-1.5.2.tar.gz

    ln -s apr-util-1.5.2/ apr-util

  8. Compile the Apache from source files:
    cd /tmp/httpd-2.4.6

    ./configure --prefix=/opt/httpd --with-included-apr --enable-so --enable-ssl --with-ssl=/opt/openssl-1.0.1e --enable-ssl-staticlib-deps --enable-mods-static=ssl --with-pcre=/usr/local/pcre

    make

    make install

  9. Remove the source files:
    rm -rf /tmp/apr-1.4.8.tar.gz

    rm -rf /tmp/apr-util-1.5.2.tar.gz

    rm -rf /tmp/httpd-2.4.6.tar.gz

    rm -rf /tmp/httpd-2.4.6

    rm -rf /tmp/pcre-8.33.tar.gz

  10. Remove Default Content:
    rm -rf /opt/httpd/cgi-bin

    rm -rf /opt/httpd/htdocs

    rm -rf /opt/httpd/icons

    rm -rf /opt/httpd/man

    rm -rf /opt/httpd/manual

    rm -rf /opt/httpd/conf/extra/httpd-autoindex.conf

    rm -rf /opt/httpd/conf/extra/httpd-autoindex.conf.in

    rm -rf /opt/httpd/conf/extra/httpd-dav.conf

    rm -rf /opt/httpd/conf/extra/httpd-dav.conf.in

    rm -rf /opt/httpd/conf/extra/httpd-default.conf

    rm -rf /opt/httpd/conf/extra/httpd-default.conf.in

    rm -rf /opt/httpd/conf/extra/httpd-info.conf

    rm -rf /opt/httpd/conf/extra/httpd-info.conf.in

    rm -rf /opt/httpd/conf/extra/httpd-languages.conf

    rm -rf /opt/httpd/conf/extra/httpd-languages.conf.in

    rm -rf /opt/httpd/conf/extra/httpd-manual.conf

    rm -rf /opt/httpd/conf/extra/httpd-manual.conf.in

    rm -rf /opt/httpd/conf/extra/httpd-mpm.conf

    rm -rf /opt/httpd/conf/extra/httpd-mpm.conf.in

    rm -rf /opt/httpd/conf/extra/httpd-multilang-errordoc.conf

    rm -rf /opt/httpd/conf/extra/httpd-multilang-errordoc.conf.in

    rm -rf /opt/httpd/conf/extra/httpd-userdir.conf

    rm -rf /opt/httpd/conf/extra/httpd-userdir.conf.in

    rm -rf /opt/httpd/conf/extra/httpd-vhosts.conf

    rm -rf /opt/httpd/conf/extra/httpd-vhosts.conf.in

    rm -rf /opt/httpd/conf/extra/proxy-html.conf

    rm -rf /opt/httpd/conf/extra/proxy-html.conf.in

    rm -rf /opt/httpd/conf/original

  11. Updating Ownership and Permissions on Apache folders:
    chown root:root /opt/httpd/bin/apachectl

    chown root:root /opt/httpd/bin/httpd

    chmod 770 /opt/httpd/bin/apachectl

    chmod 770 /opt/httpd/bin/httpd

    chown -R root:root /opt/httpd

    chmod -R go-r /opt/httpd

    chown -R root:root /opt/httpd/logs

    chmod -R 700 /opt/httpd/logs

  12. Create folder for the web content:
    mkdir -p /www
  13. Updating Ownership and Permissions on the web content folder:
    chown -R root /www

    chmod -R 775 /www

  14. Fix the SELinux security context on the new web folder:
    semanage fcontext -a -t httpd_sys_content_t "/www(/.*)?"

    restorecon -F -R -v /www

  15. Edit using VI the file /opt/httpd/conf/httpd.conf and change the following strings:
    From:
    LogLevel warnTo:
    LogLevel notice

    From:
    DocumentRoot "/opt/httpd/htdocs"To:
    DocumentRoot "/www"

    From:
    Listen 80To:
    Listen Server_FQDN:80
    Note: Replace Server_FQDN with the actual DNS name.

    From:
    ServerAdmin root@localhostTo:
    ServerAdmin webmaster@mycompany.com
    Note: Replace mycompany.com with the actual Company DNS name.

    From:
    #ServerName www.example.com:80To:
    ServerName Server_FQDN
    Note: Replace Server_FQDN with the actual DNS name.

    From:
    ScriptAlias /cgi-bin/ "/opt/httpd/cgi-bin/"To:
    # ScriptAlias /cgi-bin/ "/opt/httpd/cgi-bin/"

    From:
    <Directory />
    Options FollowSymLinks
    AllowOverride None
    </Directory>
    To:
    <Directory />
    Options None
    AllowOverride None
    Require all denied
    Order deny,allow
    deny from all
    <LimitExcept GET POST>
    deny from all
    </limitexcept>
    </Directory>

    From:
    <Directory "/opt/httpd/htdocs">
    Options Indexes FollowSymLinks
    AllowOverride None
    </Directory>
    To:
    <Directory "/www">
    Options None
    AllowOverride None
    Require all granted
    Order allow,deny
    Allow from all
    <LimitExcept GET POST>
    deny from all
    </limitexcept>
    </Directory>

  16. Comment out all lines inside the /opt/httpd/conf/httpd.conf file, begining with:
    ScriptAlias

    IndexOptions

    AddIconByEncoding

    AddIconByType

    AddIcon

    DefaultIcon

    ReadmeName

    HeaderName

    IndexIgnore

    LanguagePriority

    ForceLanguagePriority

  17. Comment out the lines inside the /opt/httpd/conf/httpd.conf file below to disable default modules:
    LoadModule cgi_module modules/mod_cgi.so

    LoadModule status_module modules/mod_status.so

    LoadModule info_module modules/mod_info.so

    LoadModule autoindex_module modules/mod_autoindex.so

    LoadModule include_module modules/mod_include.so

    LoadModule userdir_module modules/mod_userdir.so

    LoadModule env_module modules/mod_env.so

    LoadModule negotiation_module modules/mod_negotiation.so

    LoadModule actions_module modules/mod_actions.so

  18. Comment out the entire section <Directory “/opt/httpd/cgi-bin”> inside the /opt/httpd/conf/httpd.conf
  19. Add the following sections to the end of the /opt/httpd/conf/httpd.conf file:
    # Configure custom error message:
    ErrorDocument 400 "The requested URL was not found on this server."
    ErrorDocument 401 "The requested URL was not found on this server."
    ErrorDocument 403 "The requested URL was not found on this server."
    ErrorDocument 404 "The requested URL was not found on this server."
    ErrorDocument 405 "The requested URL was not found on this server."
    ErrorDocument 408 "The requested URL was not found on this server."
    ErrorDocument 410 "The requested URL was not found on this server."
    ErrorDocument 411 "The requested URL was not found on this server."
    ErrorDocument 412 "The requested URL was not found on this server."
    ErrorDocument 413 "The requested URL was not found on this server."
    ErrorDocument 414 "The requested URL was not found on this server."
    ErrorDocument 415 "The requested URL was not found on this server."
    ErrorDocument 500 "The requested URL was not found on this server."
    # Configure Server Tokens
    ServerTokens Prod
    # Disable Server Signature
    ServerSignature Off
    # Disable Tracing
    TraceEnable Off
    # Maximum size of the request body.
    LimitRequestBody 25000
    # Maximum number of request headers in a request.
    LimitRequestFields 40
    # Maximum size of request header lines.
    LimitRequestFieldSize 4000
    # Maximum size of the request line.
    LimitRequestLine 4000
    MaxRequestsPerChild 10000
    # Configure clickjacking protection
    Header always append X-Frame-Options SAMEORIGIN
  20. Edit using VI the file /opt/httpd/include/ap_release.h and replace the following strings:
    From:
    #define AP_SERVER_BASEVENDOR "Apache Software Foundation"To:
    #define AP_SERVER_BASEVENDOR "Restricted server"

    From:
    #define AP_SERVER_BASEPROJECT "Apache HTTP Server"To:
    #define AP_SERVER_BASEPROJECT "Secure Web Server"

    From:
    #define AP_SERVER_BASEPRODUCT "Apache"To:
    #define AP_SERVER_BASEPRODUCT "Secure Web Server"

  21. Download the Apache boot script into /tmp from:
    http://www.linuxfromscratch.org/blfs/downloads/svn/blfs-bootscripts-20131023.tar.bz2
  22. Extract and install the Apache boot script:
    cd /tmp/

    tar xvjf blfs-bootscripts-20131023.tar.bz2

    cd /tmp/blfs-bootscripts-20131023

    make install-httpd

  23. Edit using VI, the file /etc/init.d/httpd, and replace the strings below:
    From:
    /usr/sbin/apachectlTo:
    /opt/httpd/bin/apachectl

    From:
    log_info_msgTo:
    echo

    From:
    evaluate_retvalTo:
    #evaluate_retval

  24. Configure the Apache to start automatically:
    chkconfig httpd on
  25. Configure IPTables:
    service iptables stop

    iptables -P INPUT DROP

    iptables -A INPUT -i lo -j ACCEPT

    iptables -A OUTPUT -o lo -j ACCEPT

    iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

  26. Allow SSH access from Internal segment (i.e. 10.0.0.0/8)
    iptables -A INPUT -m state --state NEW -p tcp --dport 22 -s 10.0.0.0/8 -j ACCEPT
    Note: Replace 10.0.0.0/8 with the internal segment and subnet mask
  27. Allow HTTP access from the Internet on the public interface (i.e. eth0)
    iptables -A INPUT -m state --state NEW -p tcp --dport 80 -i eth0 -j ACCEPT
    Note: Replace eth0 with the public interface name
  28. Save the IPTables settings:
    service iptables save
  29. Start the Apache daemon:
    service httpd start
    SSL Configuration Phase

  1. Login to the server using Root account.
  2. Create folder for the SSL certificate files:
    mkdir -p /opt/httpd/conf/ssl

    chmod 600 /opt/httpd/conf/ssl

  3. Run the command bellow to generate a key pair:
    /usr/bin/openssl genrsa -des3 -out /opt/httpd/conf/ssl/server.key 2048
    Note: Specify a complex pass phrase for the private key (and document it)
  4. Run the command bellow to generate the CSR:
    /usr/bin/openssl req -new -newkey rsa:2048 -nodes -sha256 -keyout /opt/httpd/conf/ssl/server.key -out /tmp/apache.csr
    Note: The command above should be written as one line.
  5. Send the file /tmp/apache.csr to a Certificate Authority server.
  6. As soon as you receive the signed public key from the CA server via email, copy all lines starting with “Begin” and ending with “End” (include those two lines), into notepad, and save the file as /opt/httpd/conf/ssl/server.crt
  7. Follow the link on the email from the CA server, to create the Root CA chain, and save it as /opt/httpd/conf/ssl/server-ca.crt (Note: The file must be PEM (base64) encoded).
  8. Edit using VI the file /opt/httpd/conf/httpd.conf and change the following strings:
    From:
    Listen Server_FQDN:80To:
    Listen Server_FQDN:443
    Note: Replace Server_FQDN with the actual DNS name.

    From:
    ServerName Server_FQDNTo:
    ServerName Server_FQDN:443
    Note: Replace Server_FQDN with the actual DNS name.

    From:
    #Include conf/extra/httpd-ssl.confTo:
    Include conf/extra/httpd-ssl.conf

    From:
    #LoadModule socache_shmcb_module modules/mod_socache_shmcb.soTo:
    LoadModule socache_shmcb_module modules/mod_socache_shmcb.so

  9. Edit using VI the file /opt/httpd/conf/extra/httpd-ssl.conf and change the following strings:
    From:
    SSLCertificateFile "/opt/httpd/conf/server.crt"To:
    SSLCertificateFile /opt/httpd/conf/ssl/server.crt

    From:
    SSLCertificateKeyFile "/opt/httpd/conf/server.key"To:
    SSLCertificateKeyFile /opt/httpd/conf/ssl/server.key

    From:
    #SSLCertificateChainFile "/opt/httpd/conf/server-ca.crt"To:
    SSLCertificateChainFile /opt/httpd/conf/ssl/server-ca.crt

    From:
    SSLCipherSuite HIGH:MEDIUM:!aNULL:!MD5To:
    SSLCipherSuite EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES128-SHA256:AES128-GCM-SHA256:ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:DH+AES:ECDH+3DES:DH+3DES:RSA+AES:RSA+3DES:!ADH:!AECDH:!MD5:!DSS:!aNULL:!EDH:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS

    From:
    #SSLHonorCipherOrder onTo:
    SSLHonorCipherOrder On

    From:
    Listen @@SSLPort@@To:
    Listen Server_FQDN:443
    Note: Replace Server_FQDN with the actual DNS name.

    From:
    DocumentRoot "/opt/httpd/htdocs"To:
    DocumentRoot "/www"

    From:
    ServerName www.example.com:@@SSLPort@@To:
    #ServerName www.example.com:@@SSLPort@@

    From:
    ServerAdmin you@example.comTo:
    ServerAdmin webmaster@mycompany.com
    Note: Replace mycompany.com with the actual Company DNS name.

    From:
    <VirtualHost _default_:@@SSLPort@@>To:
    <VirtualHost _default_:443>

  10. Add the following sections to the end of the /opt/httpd/conf/extra/httpd-ssl.conf file:
    # Disable SSLv2
    SSLProtocol ALL -SSLv2 +TLSv1 +TLSv1.1 +TLSv1.2
    # Disable SSL Compression
    SSLCompression Off
  11. Comment out the entire section <Directory “/opt/httpd/cgi-bin”> inside the /opt/httpd/conf/extra/httpd-ssl.conf
  12. Configure IPTables – Allow HTTPS access from the Internet on the public interface (i.e. eth0)
    iptables -A INPUT -m state --state NEW -p tcp --dport 443 -i eth0 -j ACCEPT
    Note: Replace eth0 with the public interface name
  13. Remove HTTP access from the Internet on the public interface (i.e. eth0)
    iptables -D INPUT -m state --state NEW -p tcp --dport 80 -i eth0 -j ACCEPT
    Note: Replace eth0 with the public interface name
  14. Save the IPTables settings:
    service iptables save
  15. Restart the Apache service:
    service httpd restart

One Response to “Hardening guide for Apache 2.4.6 on CentOS 6.4 (64bit edition)”

Leave a Reply

Search This Blog
Labels
NetworkedBlogs