Hardening guide for Apache 2.4.6 on CentOS 6.4 (64bit edition)
This document explains the process of installing, configuring and hardening the Apache HTTP Server from source files on a default CentOS 6.4 installation (IPTables and SELinux enabled by default), including support for TLS v1.2 and protection from the BEAST and CRIME attacks.
Some of the features explained in this document are supported only by some Internet browsers:
- X-Frame-Options – Minimum browser support: IE 8.0, Firefox 3.6.9, Chrome 4.1.249, Opera 10.50, Safari 4.0
- TLS 1.2 – Minimum browser support: IE 8.0 on Windows 7/8 (disabled by default, must be enabled manually), Firefox 24.0 (disabled by default, must be enabled manually), Chrome 30, Opera 17, Safari 5.0
Pre-Requirements
- policycoreutils-python-* package installed
- setools-libs-* package installed
- libcgroup-* package installed
- audit-libs-python-* package installed
- libsemanage-python-* package installed
- setools-libs-python-* package installed
- gcc* package installed
- gcc-c++* package installed
- autoconf* package installed
- automake* package installed
Installation Phase
- Log in to the server using the root account
- Upgrade the Openssl build:
rpm -ivh --nosignature http://rpm.axivo.com/redhat/axivo-release-6-1.noarch.rpm
yum --enablerepo=axivo update openssl -y
- Download Apache source file into /tmp, from:
http://httpd.apache.org/download.cgi
- Download APR and APR-Util source files into /tmp, from:
https://apr.apache.org/download.cgi
- Download PCRE source file into /tmp, from:
http://sourceforge.net/projects/pcre/files/pcre/
- Compile PCRE from source file:
tar zxvf /tmp/pcre-8.33.tar.gz -C /tmp
mv /tmp/pcre-8.33 /usr/local/pcre
cd /usr/local/pcre
./configure --prefix=/usr/local/pcre
make
make install
- Extract Apache source files:
cd /tmp
tar zxvf httpd-2.4.6.tar.gz
cd httpd-2.4.6/srclib/
tar zxvf ../../apr-1.4.8.tar.gz
ln -s apr-1.4.8/ apr
tar zxvf ../../apr-util-1.5.2.tar.gz
ln -s apr-util-1.5.2/ apr-util
- Compile the Apache from source files:
cd /tmp/httpd-2.4.6
./configure --prefix=/opt/httpd --with-included-apr --enable-so --enable-ssl --with-ssl=/opt/openssl-1.0.1e --enable-ssl-staticlib-deps --enable-mods-static=ssl --with-pcre=/usr/local/pcre
make
make install
- Remove the source files:
rm -rf /tmp/apr-1.4.8.tar.gz
rm -rf /tmp/apr-util-1.5.2.tar.gz
rm -rf /tmp/httpd-2.4.6.tar.gz
rm -rf /tmp/httpd-2.4.6
rm -rf /tmp/pcre-8.33.tar.gz
- Remove Default Content:
rm -rf /opt/httpd/cgi-bin
rm -rf /opt/httpd/htdocs
rm -rf /opt/httpd/icons
rm -rf /opt/httpd/man
rm -rf /opt/httpd/manual
rm -rf /opt/httpd/conf/extra/httpd-autoindex.conf
rm -rf /opt/httpd/conf/extra/httpd-autoindex.conf.in
rm -rf /opt/httpd/conf/extra/httpd-dav.conf
rm -rf /opt/httpd/conf/extra/httpd-dav.conf.in
rm -rf /opt/httpd/conf/extra/httpd-default.conf
rm -rf /opt/httpd/conf/extra/httpd-default.conf.in
rm -rf /opt/httpd/conf/extra/httpd-info.conf
rm -rf /opt/httpd/conf/extra/httpd-info.conf.in
rm -rf /opt/httpd/conf/extra/httpd-languages.conf
rm -rf /opt/httpd/conf/extra/httpd-languages.conf.in
rm -rf /opt/httpd/conf/extra/httpd-manual.conf
rm -rf /opt/httpd/conf/extra/httpd-manual.conf.in
rm -rf /opt/httpd/conf/extra/httpd-mpm.conf
rm -rf /opt/httpd/conf/extra/httpd-mpm.conf.in
rm -rf /opt/httpd/conf/extra/httpd-multilang-errordoc.conf
rm -rf /opt/httpd/conf/extra/httpd-multilang-errordoc.conf.in
rm -rf /opt/httpd/conf/extra/httpd-userdir.conf
rm -rf /opt/httpd/conf/extra/httpd-userdir.conf.in
rm -rf /opt/httpd/conf/extra/httpd-vhosts.conf
rm -rf /opt/httpd/conf/extra/httpd-vhosts.conf.in
rm -rf /opt/httpd/conf/extra/proxy-html.conf
rm -rf /opt/httpd/conf/extra/proxy-html.conf.in
rm -rf /opt/httpd/conf/original
- Updating Ownership and Permissions on Apache folders:
chown root:root /opt/httpd/bin/apachectl
chown root:root /opt/httpd/bin/httpd
chmod 770 /opt/httpd/bin/apachectl
chmod 770 /opt/httpd/bin/httpd
chown -R root:root /opt/httpd
chmod -R go-r /opt/httpd
chown -R root:root /opt/httpd/logs
chmod -R 700 /opt/httpd/logs
- Create folder for the web content:
mkdir -p /www
- Updating Ownership and Permissions on the web content folder:
chown -R root /www
chmod -R 775 /www
- Fix the SELinux security context on the new web folder:
semanage fcontext -a -t httpd_sys_content_t "/www(/.*)?"
restorecon -F -R -v /www
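The chown/chmod steps above are easy to get wrong (a later `chmod -R` silently undoes an earlier one, or a file is created afterwards with the default umask), so a quick audit of the resulting tree is worth keeping next to the procedure. The script below is an added example, not part of the original guide; it assumes the guide's /opt/httpd prefix and takes the directory to check as its first argument.

```shell
#!/bin/sh
# Added example (not part of the original guide): verify that the ownership and
# permission steps above took effect on the Apache install tree.
# Usage: sh audit_httpd_tree.sh /opt/httpd

# Print every entry under $1 that is still readable by group or others.
# "-perm -g+r" matches entries with the group read bit set; "-o" joins the two tests.
list_group_or_world_readable() {
    find "$1" \( -perm -g+r -o -perm -o+r \)
}

# Print every entry under $1 that is writable by group or others.
list_group_or_world_writable() {
    find "$1" \( -perm -g+w -o -perm -o+w \)
}

# Print every entry under $1 not owned by root (the guide makes all of /opt/httpd root's).
list_not_root_owned() {
    find "$1" ! -user root
}

# Return 0 when nothing under $1 is readable or writable by group/others, 1 otherwise,
# printing the offending paths so they can be fixed with chmod. Ownership is reported
# as a note only, since the fix (chown -R root:root) is a separate step.
audit_httpd_tree() {
    bad=$( { list_group_or_world_readable "$1"; list_group_or_world_writable "$1"; } | sort -u )
    others=$(list_not_root_owned "$1")
    if [ -n "$others" ]; then
        echo "note entries not owned by root under $1:"
        echo "$others"
    fi
    if [ -n "$bad" ]; then
        echo "FAIL entries readable or writable by group/others under $1:"
        echo "$bad"
        return 1
    fi
    echo "ok   nothing under $1 is readable or writable by group/others"
    return 0
}

# Run the audit against the directory given on the command line.
if [ $# -ge 1 ]; then
    audit_httpd_tree "$1"
fi
```

Note that /www is deliberately left out: the guide sets it to 775 so that the web content is readable by the httpd worker processes, and the audit above would flag that as a finding.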
- Edit using VI the file /opt/httpd/conf/httpd.conf and change the following strings:
From:
LogLevel warn
To:
LogLevel notice
From:
DocumentRoot "/opt/httpd/htdocs"
To:
DocumentRoot "/www"
From:
Listen 80
To:
Listen Server_FQDN:80
Note: Replace Server_FQDN with the actual DNS name.
From:
ServerAdmin root@localhost
To:
ServerAdmin webmaster@mycompany.com
Note: Replace mycompany.com with the actual Company DNS name.
From:
#ServerName www.example.com:80
To:
ServerName Server_FQDN
Note: Replace Server_FQDN with the actual DNS name.
From:
ScriptAlias /cgi-bin/ "/opt/httpd/cgi-bin/"
To:
# ScriptAlias /cgi-bin/ "/opt/httpd/cgi-bin/"
From:
<Directory />
Options FollowSymLinks
AllowOverride None
</Directory>
To:
<Directory />
Options None
AllowOverride None
Require all denied
Order deny,allow
deny from all
<LimitExcept GET POST>
deny from all
</LimitExcept>
</Directory>
From:
<Directory "/opt/httpd/htdocs">
Options Indexes FollowSymLinks
AllowOverride None
</Directory>
To:
<Directory "/www">
Options None
AllowOverride None
Require all granted
Order allow,deny
Allow from all
<LimitExcept GET POST>
deny from all
</LimitExcept>
</Directory>
- Comment out all lines inside the /opt/httpd/conf/httpd.conf file beginning with:
ScriptAlias
IndexOptions
AddIconByEncoding
AddIconByType
AddIcon
DefaultIcon
ReadmeName
HeaderName
IndexIgnore
LanguagePriority
ForceLanguagePriority
- Comment out the lines inside the /opt/httpd/conf/httpd.conf file below to disable default modules:
LoadModule cgi_module modules/mod_cgi.so
LoadModule status_module modules/mod_status.so
LoadModule info_module modules/mod_info.so
LoadModule autoindex_module modules/mod_autoindex.so
LoadModule include_module modules/mod_include.so
LoadModule userdir_module modules/mod_userdir.so
LoadModule env_module modules/mod_env.so
LoadModule negotiation_module modules/mod_negotiation.so
LoadModule actions_module modules/mod_actions.so
- Comment out the entire section <Directory "/opt/httpd/cgi-bin"> inside the /opt/httpd/conf/httpd.conf file
- Add the following sections to the end of the /opt/httpd/conf/httpd.conf file:
# Configure custom error message:
ErrorDocument 400 "The requested URL was not found on this server."
ErrorDocument 401 "The requested URL was not found on this server."
ErrorDocument 403 "The requested URL was not found on this server."
ErrorDocument 404 "The requested URL was not found on this server."
ErrorDocument 405 "The requested URL was not found on this server."
ErrorDocument 408 "The requested URL was not found on this server."
ErrorDocument 410 "The requested URL was not found on this server."
ErrorDocument 411 "The requested URL was not found on this server."
ErrorDocument 412 "The requested URL was not found on this server."
ErrorDocument 413 "The requested URL was not found on this server."
ErrorDocument 414 "The requested URL was not found on this server."
ErrorDocument 415 "The requested URL was not found on this server."
ErrorDocument 500 "The requested URL was not found on this server."
# Configure Server Tokens
ServerTokens Prod
# Disable Server Signature
ServerSignature Off
# Disable Tracing
TraceEnable Off
# Maximum size of the request body.
LimitRequestBody 25000
# Maximum number of request headers in a request.
LimitRequestFields 40
# Maximum size of request header lines.
LimitRequestFieldSize 4000
# Maximum size of the request line.
LimitRequestLine 4000
MaxRequestsPerChild 10000
# Configure clickjacking protection
Header always append X-Frame-Options SAMEORIGIN
- Edit using VI the file /opt/httpd/include/ap_release.h and replace the following strings:
From:
#define AP_SERVER_BASEVENDOR "Apache Software Foundation"
To:
#define AP_SERVER_BASEVENDOR "Restricted server"
From:
#define AP_SERVER_BASEPROJECT "Apache HTTP Server"
To:
#define AP_SERVER_BASEPROJECT "Secure Web Server"
From:
#define AP_SERVER_BASEPRODUCT "Apache"
To:
#define AP_SERVER_BASEPRODUCT "Secure Web Server"
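Once the server is running, the way to confirm that ServerTokens Prod, the ap_release.h strings and the X-Frame-Options header are in effect is to look at a real response. This matters for the ap_release.h edit in particular: the AP_SERVER_* defines are compiled into the httpd binary, so the Server header only changes once httpd has been built from the edited header (the source tree carries the same file as include/ap_release.h). The script below is an added example, not part of the original guide: it audits a saved response header block, such as the output of `curl -sI http://Server_FQDN/`, and ships with two constructed samples, one for a stock build and one for a server configured as in this section.

```shell
#!/bin/sh
# Added example (not part of the original guide): audit a saved HTTP response header
# block for the settings configured above: a Server header that does not expose the
# product version (ServerTokens Prod plus the ap_release.h strings) and an
# X-Frame-Options header for clickjacking protection.
# Usage: curl -sI http://Server_FQDN/ > /tmp/headers.txt && sh audit_headers.sh /tmp/headers.txt

# Print the value of header $1 from file $2 (name matched case-insensitively, whitespace trimmed).
header_value() {
    grep -i "^$1:" "$2" | head -n 1 | cut -d: -f2- | tr -d '\r' \
        | sed 's/^[[:space:]]*//; s/[[:space:]]*$//'
}

# Return 0 if the Server header carries a "product/version" token such as "Apache/2.4.6",
# which is what ServerTokens Full, OS and Min all emit.
server_leaks_version() {
    case "$(header_value Server "$1")" in
        */[0-9]*) return 0 ;;
        *)        return 1 ;;
    esac
}

# Return 0 if X-Frame-Options is present with SAMEORIGIN or DENY.
has_frame_protection() {
    case "$(header_value X-Frame-Options "$1" | tr 'a-z' 'A-Z')" in
        SAMEORIGIN|DENY) return 0 ;;
        *)               return 1 ;;
    esac
}

# Audit file $1: print one line per check and return the number of failed checks.
audit_headers() {
    failed=0
    if server_leaks_version "$1"; then
        echo "FAIL Server header exposes a version: $(header_value Server "$1")"
        failed=$((failed + 1))
    else
        echo "ok   Server header: $(header_value Server "$1")"
    fi
    if has_frame_protection "$1"; then
        echo "ok   X-Frame-Options: $(header_value X-Frame-Options "$1")"
    else
        echo "FAIL X-Frame-Options missing or not SAMEORIGIN/DENY"
        failed=$((failed + 1))
    fi
    return $failed
}

# Constructed samples (not captured from a real server): a stock build, and a server
# configured as in this section with AP_SERVER_BASEPRODUCT set to "Secure Web Server".
DEFAULT_SAMPLE='HTTP/1.1 200 OK
Date: Thu, 24 Oct 2013 10:00:00 GMT
Server: Apache/2.4.6 (Unix) OpenSSL/1.0.1e
Content-Type: text/html
'
HARDENED_SAMPLE='HTTP/1.1 200 OK
Date: Thu, 24 Oct 2013 10:00:00 GMT
Server: Secure Web Server
X-Frame-Options: SAMEORIGIN
Content-Type: text/html
'

if [ $# -eq 1 ]; then
    audit_headers "$1"
else
    # No file given: audit both constructed samples so the expected output is visible.
    tmp=$(mktemp)
    for s in "$DEFAULT_SAMPLE" "$HARDENED_SAMPLE"; do
        printf '%s' "$s" > "$tmp"
        audit_headers "$tmp" || true
        echo
    done
    rm -f "$tmp"
fi
```

TraceEnable Off cannot be judged from a normal response; check it separately with `curl -sI -X TRACE http://Server_FQDN/`, which should return a 405 status once the setting is active.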
- Download the Apache boot script into /tmp from:
http://www.linuxfromscratch.org/blfs/downloads/svn/blfs-bootscripts-20131023.tar.bz2
- Extract and install the Apache boot script:
cd /tmp/
tar xvjf blfs-bootscripts-20131023.tar.bz2
cd /tmp/blfs-bootscripts-20131023
make install-httpd
- Edit using VI, the file /etc/init.d/httpd, and replace the strings below:
From:
/usr/sbin/apachectl
To:
/opt/httpd/bin/apachectl
From:
log_info_msg
To:
echo
From:
evaluate_retval
To:
#evaluate_retval
- Configure the Apache to start automatically:
chkconfig httpd on
- Configure IPTables:
service iptables stop
iptables -P INPUT DROP
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
- Allow SSH access from Internal segment (i.e. 10.0.0.0/8)
iptables -A INPUT -m state --state NEW -p tcp --dport 22 -s 10.0.0.0/8 -j ACCEPT
Note: Replace 10.0.0.0/8 with the internal segment and subnet mask.
- Allow HTTP access from the Internet on the public interface (i.e. eth0):
iptables -A INPUT -m state --state NEW -p tcp --dport 80 -i eth0 -j ACCEPT
Note: Replace eth0 with the public interface name.
- Save the IPTables settings:
service iptables save
- Start the Apache daemon:
service httpd start
SSL Configuration Phase
- Log in to the server using the root account.
- Create folder for the SSL certificate files:
mkdir -p /opt/httpd/conf/ssl
chmod 600 /opt/httpd/conf/ssl
- Run the command below to generate a key pair:
/usr/bin/openssl genrsa -des3 -out /opt/httpd/conf/ssl/server.key 2048
Note: Specify a complex pass phrase for the private key (and document it).
- Run the command below to generate the CSR:
/usr/bin/openssl req -new -newkey rsa:2048 -nodes -sha256 -keyout /opt/httpd/conf/ssl/server.key -out /tmp/apache.csr
Note: The command above should be written as one line. Because it uses -newkey together with -nodes, it writes a new, unencrypted private key to /opt/httpd/conf/ssl/server.key, replacing the passphrase-protected key generated in the previous step.
- Send the file /tmp/apache.csr to a Certificate Authority server.
- As soon as you receive the signed certificate from the CA server via email, copy all lines starting with "Begin" and ending with "End" (including those two lines) into notepad, and save the file as /opt/httpd/conf/ssl/server.crt
- Follow the link on the email from the CA server, to create the Root CA chain, and save it as /opt/httpd/conf/ssl/server-ca.crt (Note: The file must be PEM (base64) encoded).
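Before pointing httpd-ssl.conf at these three files, it is worth confirming that they fit together: that server.crt was issued for the key now in server.key, whether that key is passphrase protected (httpd will prompt for it at every start unless SSLPassPhraseDialog is configured), and that server-ca.crt is PEM rather than DER. The script below is an added example, not part of the original guide; it assumes the openssl CLI is on PATH and takes the key, certificate and chain paths as arguments.

```shell
#!/bin/sh
# Added example (not part of the original guide): sanity checks on the three files
# that httpd-ssl.conf is about to reference. Assumes the openssl CLI is on PATH.
# Usage: sh check_tls_material.sh /opt/httpd/conf/ssl/server.key \
#            /opt/httpd/conf/ssl/server.crt /opt/httpd/conf/ssl/server-ca.crt

# Return 0 if certificate $1 was issued for RSA private key $2 (same modulus).
# A passphrase-protected key makes openssl prompt for the passphrase here.
cert_matches_key() {
    crt_mod=$(openssl x509 -noout -modulus -in "$1" 2>/dev/null || true)
    key_mod=$(openssl rsa -noout -modulus -in "$2" 2>/dev/null || true)
    [ -n "$crt_mod" ] && [ "$crt_mod" = "$key_mod" ]
}

# Return 0 if private key $1 is passphrase protected: either the legacy
# "Proc-Type: 4,ENCRYPTED" header written by genrsa -des3, or a PKCS#8
# "BEGIN ENCRYPTED PRIVATE KEY" block.
key_is_encrypted() {
    grep -q 'ENCRYPTED' "$1"
}

# Return 0 if $1 holds at least one PEM (base64) certificate block, as mod_ssl requires.
is_pem_cert_bundle() {
    grep -q -- '-----BEGIN CERTIFICATE-----' "$1" && grep -q -- '-----END CERTIFICATE-----' "$1"
}

# Print the number of certificates in PEM bundle $1 (0 for a DER file).
count_pem_certs() {
    grep -c -- '-----BEGIN CERTIFICATE-----' "$1" || true
}

# Check key $1, certificate $2 and CA chain $3; print one line per check and
# return 0 only when the files can be used together by mod_ssl.
check_tls_material() {
    rc=0
    if cert_matches_key "$2" "$1"; then
        echo "ok   $2 matches the private key in $1"
    else
        echo "FAIL $2 was not issued for the key in $1 (or a file is unreadable)"
        rc=1
    fi
    if key_is_encrypted "$1"; then
        echo "note $1 is passphrase protected; httpd asks for it at start unless SSLPassPhraseDialog is set"
    else
        echo "note $1 is not passphrase protected; keep it readable by root only"
    fi
    if is_pem_cert_bundle "$3"; then
        echo "ok   $3 is PEM encoded with $(count_pem_certs "$3") certificate(s)"
    else
        echo "FAIL $3 is not PEM (base64) encoded; convert with: openssl x509 -inform DER -in $3 -out $3.pem"
        rc=1
    fi
    return $rc
}

if [ $# -eq 3 ]; then
    check_tls_material "$1" "$2" "$3"
fi
```

The modulus comparison is the standard way to pair an RSA certificate with its key; if it fails after following the steps above, the usual cause is that the CSR step regenerated server.key after the original key had already been used for an earlier CSR.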
- Edit using VI the file /opt/httpd/conf/httpd.conf and change the following strings:
From:
Listen Server_FQDN:80
To:
Listen Server_FQDN:443
Note: Replace Server_FQDN with the actual DNS name.
From:
ServerName Server_FQDN
To:
ServerName Server_FQDN:443
Note: Replace Server_FQDN with the actual DNS name.
From:
#Include conf/extra/httpd-ssl.conf
To:
Include conf/extra/httpd-ssl.conf
From:
#LoadModule socache_shmcb_module modules/mod_socache_shmcb.so
To:
LoadModule socache_shmcb_module modules/mod_socache_shmcb.so
- Edit using VI the file /opt/httpd/conf/extra/httpd-ssl.conf and change the following strings:
From:
SSLCertificateFile "/opt/httpd/conf/server.crt"
To:
SSLCertificateFile /opt/httpd/conf/ssl/server.crt
From:
SSLCertificateKeyFile "/opt/httpd/conf/server.key"
To:
SSLCertificateKeyFile /opt/httpd/conf/ssl/server.key
From:
#SSLCertificateChainFile "/opt/httpd/conf/server-ca.crt"
To:
SSLCertificateChainFile /opt/httpd/conf/ssl/server-ca.crt
From:
SSLCipherSuite HIGH:MEDIUM:!aNULL:!MD5
To:
SSLCipherSuite EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES128-SHA256:AES128-GCM-SHA256:ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:DH+AES:ECDH+3DES:DH+3DES:RSA+AES:RSA+3DES:!ADH:!AECDH:!MD5:!DSS:!aNULL:!EDH:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS
From:
#SSLHonorCipherOrder on
To:
SSLHonorCipherOrder On
From:
Listen @@SSLPort@@
To:
Listen Server_FQDN:443
Note: Replace Server_FQDN with the actual DNS name.
From:
DocumentRoot "/opt/httpd/htdocs"
To:
DocumentRoot "/www"
From:
ServerName www.example.com:@@SSLPort@@
To:
#ServerName www.example.com:@@SSLPort@@
From:
ServerAdmin [email protected]
To:
ServerAdmin webmaster@mycompany.com
Note: Replace mycompany.com with the actual Company DNS name.
From:
<VirtualHost _default_:@@SSLPort@@>
To:
<VirtualHost _default_:443>
- Add the following sections to the end of the /opt/httpd/conf/extra/httpd-ssl.conf file:
# Disable SSLv2
SSLProtocol ALL -SSLv2 +TLSv1 +TLSv1.1 +TLSv1.2
# Disable SSL Compression
SSLCompression Off
- Comment out the entire section <Directory "/opt/httpd/cgi-bin"> inside the /opt/httpd/conf/extra/httpd-ssl.conf file
- Configure IPTables – Allow HTTPS access from the Internet on the public interface (i.e. eth0)
iptables -A INPUT -m state --state NEW -p tcp --dport 443 -i eth0 -j ACCEPT
Note: Replace eth0 with the public interface name.
- Remove HTTP access from the Internet on the public interface (i.e. eth0):
iptables -D INPUT -m state --state NEW -p tcp --dport 80 -i eth0 -j ACCEPT
Note: Replace eth0 with the public interface name.
- Save the IPTables settings:
service iptables save
- Restart the Apache service:
service httpd restart