Apache Web Server Hardening & Security Guide
A practical guide to secure and harden Apache Web Server.

Introduction
The web server is a crucial part of web-based applications. Apache Web Server is often placed at the edge of the network, hence it becomes one of the most exposed services to attack. The default configuration discloses a lot of sensitive information, which can help an attacker prepare an attack against the web server. The majority of web application attacks are XSS, information leakage, session management and PHP injection attacks, which are due to weak programming code and failure to harden the web application infrastructure.
According to the security vendor Cenzic, 9. The chart below from Cenzic shows the vulnerability trend report of 2. This practical guide provides you with the skill set needed to secure Apache Web Server. The following was tested on Apache 2. I don’t see any reason it won’t work with Apache 2. This assumes you have installed Apache on a UNIX platform. If not, you can go through the Installation guide.
You can also refer to a free video about how to install Apache, MySQL & PHP. We will refer to the Apache installation directory /opt/apache as $Web. Fair knowledge of Apache Web Server and UNIX commands is mandatory.

Information Leakage
In the default Apache configuration you have many sensitive information disclosures, which can be used to prepare for an attack. It’s one of the most critical tasks for an administrator to understand and secure them. As per the report by Cenzic, 1.
Info leakage. We need a tool to examine HTTP headers for verification. Let’s do this by installing the Firebug add-on in Firefox. Click on Install Now.
Restart Firefox. You can see the Firebug icon in the top right bar. We will use this icon to open the Firebug console and view HTTP header information. There are also many online tools available which help to check HTTP header information.
Remove Server Version Banner
I would say this is one of the first things to consider, as you don’t want to expose which web server version you are using. Exposing the version means you are helping an attacker speed up the reconnaissance process.
The default configuration will expose the Apache version and OS type as shown below.
Implementation: Go to $Web. Apache.
Verification:
Open Firefox.
Activate Firebug by clicking the Firebug icon at the top right.
Click on the Net tab.
Hit the URL in the address bar.
Expand the GET request; the Server header now shows just "Apache", which is much better than exposing the version and OS type.

Disable directory browser listing
Disable directory listing in the browser so that visitors can’t see which files and folders you have under the document root or a subdirectory.
Let’s see how it looks with the default settings. Go to $Web. To prevent this weakness, let’s implement the fix below. This must be fixed for PCI compliance.
Implementation: Go to $Web. Authorization. 3.
Run Apache from a non-privileged account
The default Apache configuration runs as nobody or daemon. It’s good practice to use a separate non-privileged user for Apache. The idea here is to protect the other services running on the host in case of a security hole in Apache. That’s because Apache is listening on port 8.
We will talk about how to change the port number later in this guide.

Protect binary and configuration directory permissions
By default, the permission for the binary and configuration directories is 7.
You can disallow other users from getting into the conf and bin folders.
Implementation: Go to $Web.
This must be done at the root level.
Implementation: Go to $Web.
Typically you only need the GET, HEAD and POST request methods in a web application; this can be configured in the respective Directory directive. The default Apache configuration supports the OPTIONS, GET, HEAD, POST, PUT, DELETE, TRACE and CONNECT methods in HTTP 1.
Implementation: Go to $Web.

Web Application Security
A misconfigured or improperly hardened Apache web server can be used to compromise the web application it serves.
It’s critical to harden your web server configuration.

Cookies
4.1.1 Disable TRACE HTTP Request
By default the TRACE method is enabled in Apache web server. Having it enabled allows Cross Site Tracing attacks, potentially giving an attacker a way to steal cookie information. Let’s see how it looks in the default configuration. Telnet to the web server IP on its listening port and make a TRACE request as shown below:
#telnet localhost 8.
Trying 127.0.0.
Let’s disable it and test. Implementation: Go to $Web. Now this web server doesn’t allow TRACE requests, which helps block Cross Site Tracing attacks.

Set cookies with the HttpOnly and Secure flags
You can mitigate many common Cross Site Scripting attacks by using the HttpOnly and Secure flags on cookies. Without HttpOnly and Secure, it is possible to steal or manipulate web application sessions and cookies, which is dangerous. Implementation: Ensure mod. You can refer to my previous post Secure Your Web Site from Clickjacking Attack. Implementation: Ensure mod.
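The verification steps above rely on Firebug to eyeball the response headers. As an added example (not part of the original guide), the following Python script parses a raw HTTP response and reports the same findings automatically: a Server banner that still discloses version or OS, Set-Cookie headers without HttpOnly and Secure, and a missing X-Frame-Options header. The two sample responses are constructed for this illustration, not captured from a real host.

```python
import re

# Constructed sample responses (not captured from a real host): one from a default
# Apache build, one after applying the hardening directives described above.
DEFAULT_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Apache/2.4.0 (Unix) OpenSSL/1.0.0\r\n"
    "Set-Cookie: PHPSESSID=abc123; path=/\r\n"
    "Content-Type: text/html\r\n\r\n<html></html>"
)
HARDENED_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Apache\r\n"
    "Set-Cookie: PHPSESSID=abc123; path=/; HttpOnly; Secure\r\n"
    "X-Frame-Options: SAMEORIGIN\r\n"
    "Content-Type: text/html\r\n\r\n<html></html>"
)

def parse_headers(raw):
    """Return [(name_lower, value)] for a raw HTTP response; the status line is dropped."""
    head = raw.split("\r\n\r\n", 1)[0]
    out = []
    for line in head.split("\r\n")[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            out.append((name.strip().lower(), value.strip()))
    return out

def audit_headers(raw):
    """Return a sorted list of hardening findings for one HTTP response."""
    hdrs = parse_headers(raw)
    values = lambda n: [v for k, v in hdrs if k == n]
    findings = []
    for server in values("server"):
        # ServerTokens Prod leaves just "Apache"; a version number or an OS in
        # parentheses means the banner is still leaking.
        if re.search(r"/\d|\(", server):
            findings.append(f"Server banner discloses version/OS: {server!r}")
    for cookie in values("set-cookie"):
        name = cookie.split("=", 1)[0]
        flags = [p.strip().lower() for p in cookie.split(";")[1:]]
        if "httponly" not in flags:
            findings.append(f"Cookie {name} lacks HttpOnly")
        if "secure" not in flags:
            findings.append(f"Cookie {name} lacks Secure")
    if not values("x-frame-options"):
        findings.append("X-Frame-Options missing (clickjacking)")
    return sorted(findings)

if __name__ == "__main__":
    for label, resp in (("default", DEFAULT_RESPONSE), ("hardened", HARDENED_RESPONSE)):
        print(label, audit_headers(resp) or ["no findings"])
```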
If you have a shared environment or heavy-traffic web applications, you should consider disabling SSI by adding Includes in the Options directive. An SSI attack allows the exploitation of a web application by injecting scripts into HTML pages or executing code remotely. Implementation: Go to $Web. You can apply this protection for a web application even if it was disabled by the user. This is used by the majority of giant web companies like Facebook, Twitter, Google, etc. Implementation: Go to $Web.
So why allow older versions of the HTTP protocol? Let’s disable them as well. HTTP 1.0 has a security weakness related to session hijacking. We can disable it using the mod. To mitigate this you can lower the timeout value to maybe 6. Implementation: Go to $Web.
SSL
Having SSL is an additional layer of security you are adding to the web application. However, the default SSL configuration leads to certain vulnerabilities, and you should consider tweaking those settings.
We need a tool to verify SSL settings. There are many available; I would use the free SSLScan tool, which you can download from http://sourceforge. SSL Key. Breaching an SSL key is hard, but not impossible. It’s just a matter of computational power and time.
As you might know, using a 2. PC cracking away for around 7. So the higher the key length, the more complex it becomes to break the SSL key. The majority of giant web companies use 2. Examples: Outlook.com, Microsoft, Live.com, Skype.com, Apple, Yahoo.com, Bing.com, Hotmail, Twitter.com.
Implementation: You can use openssl to generate a CSR with 2.
# Generate self-signed certificate
openssl req -x.
# Generate new CSR and private key
openssl req -out localhost.
Add the personal cert, signer cert and key file in httpd-ssl.
SSLCertificateFile # Personal Certificate
SSLCertificateKeyFile # Key File
SSLCACertificateFile # Signer Cert file
Verification: Execute the sslscan utility with the following parameter. Change localhost to your actual domain name.
Data encryption is the process of converting plain text into secret ciphered codes. Which encryption is applied depends on your web server’s SSL cipher configuration.
So it’s important to configure SSL ciphers which are strong and not vulnerable. Let’s validate the ciphers accepted in the current SSL configuration. We will use the sslscan utility to validate with the command below. Change localhost to your actual domain name. As you can see above, in the current configuration the DHE, AES, EDH and RC4 ciphers are accepted.
Now if you are performing a penetration test or PCI compliance test, your report will say "RC4 cipher detected". It has been found that RC4 is a weak cipher, and to pass certain security tests you must not accept RC4 or any other weak cipher. You should also ensure you do not accept any cipher which is less than 1. Implementation: Go to $Web.
For example, to reject RC4: !RC4. Verification: Again, we will use the sslscan utility to validate with the command below.
Change localhost to your actual domain name. Now we no longer see RC4 among the accepted ciphers. It’s good practice to reject any low, medium, null or vulnerable cipher to reduce your exposure. You can also scan your domain with Qualys SSL Labs to check whether you have weak or vulnerable ciphers in your environment. Disable SSL v2 & v3. SSL v2 & v3 are deprecated; if you are working on PCI compliance then you are expected to close the security finding to disable SSL v.
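As an added example (not the guide’s own code), this Python script uses the standard ssl module to expand an OpenSSL cipher string of the kind given to SSLCipherSuite into the suites it actually enables, and flags any suite that is RC4, NULL, or weaker than 128 bits, which is what the sslscan run above is used to verify by hand. The two cipher strings are chosen for this illustration and the exact suites listed depend on the OpenSSL build Python links against.

```python
import ssl

def resolve_ciphers(spec):
    """Expand an OpenSSL cipher string (the value given to SSLCipherSuite)
    into the suites it enables, as sorted (name, protocol, strength_bits)."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    try:
        ctx.set_ciphers(spec)
    except ssl.SSLError:
        # Nothing in the spec is available in this OpenSSL build (e.g. RC4 on
        # a build that has dropped it), so no suite would ever be negotiated.
        return []
    return sorted((c["name"], c["protocol"], c["strength_bits"])
                  for c in ctx.get_ciphers())

def weak_ciphers(spec, min_bits=128):
    """Names of enabled suites a PCI or pen-test report would flag:
    RC4, NULL encryption, or a key shorter than min_bits."""
    return [name for name, _proto, bits in resolve_ciphers(spec)
            if "RC4" in name or "NULL" in name or bits < min_bits]

# Example cipher strings for this illustration (constructed, not from the guide).
PERMISSIVE = "ALL:RC4"              # everything OpenSSL offers, RC4 included where available
HARDENED = "HIGH:!aNULL:!MD5:!RC4"  # >=128-bit only; reject anonymous DH, MD5 and RC4

if __name__ == "__main__":
    for label, spec in (("permissive", PERMISSIVE), ("hardened", HARDENED)):
        suites = resolve_ciphers(spec)
        print(f"{label}: {len(suites)} suites, flagged: {weak_ciphers(spec) or 'none'}")
        for name, proto, bits in suites:
            print(f"  {proto:<8} {bits:>3}-bit {name}")
```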
Any SSL v2/v3 communication may be vulnerable to a Man-in-the-Middle attack that could allow data tampering or disclosure. Let’s configure the Apache web server to accept only the latest TLS and reject SSL v. Implementation: Go to $Web. Change localhost to your actual domain name. Alternatively, you may check your website with an online SSL/TLS certificate tool.

Mod Security
Mod Security is an open-source Web Application Firewall which you can use with Apache. It comes as a module which you have to compile and install.
If you can’t afford a commercial web application firewall, this is a good choice. Mod Security says: In order to provide generic web application protection, the Core Rules use the following techniques:
HTTP Protection – detecting violations of the HTTP protocol and a locally defined usage policy.
Real-time Blacklist Lookups – utilizes 3rd party IP reputation.
Web-based Malware Detection – identifies malicious web content by checking against the Google Safe Browsing API.
HTTP Denial of Service Protections – defense against HTTP flooding and slow HTTP DoS attacks.
Common Web Attacks Protection – detecting common web application security attacks.
Automation Detection – detecting bots, crawlers, scanners and other surface malicious activity.
Integration with AV Scanning for File Uploads – detects malicious files uploaded through the web application.
Tracking Sensitive Data – tracks credit card usage and blocks leakages.
Trojan Protection – detecting access to Trojan horses.
Identification of Application Defects – alerts on application misconfigurations.
Error Detection and Hiding – disguising error messages sent by the server.

Download & Installation.