Apache HTTP Server

HOWTO: Secure and Tighten Apache

 * 1) general
 * 2) mod_evasive
 * 3) mod_security
 * 4) testing

general

http://httpd.apache.org/docs/trunk/misc/security_tips.html

mod_evasive

http://systembash.com/content/how-to-stop-an-apache-ddos-attack-with-mod_evasive/

mod_security

http://www.root25.com/2012/11/how-to-install-modsecurity-on-apache-ubuntu12-stepbystep-tutorial.html

https://raw.github.com/SpiderLabs/ModSecurity/master/modsecurity.conf-recommended

http://www.thefanclub.co.za/how-to/how-install-apache2-modsecurity-and-modevasive-ubuntu-1204-lts-server

http://www.grosseosterhues.com/2011/07/enabling-mod-security-protection-in-apache2-on-ubuntu/

testing

http://cirt.net/nikto2

In order to prove the setup is working, a test file called test.php with the following content can be used:



It’s supposed to be placed in the root of your web server, so that it can be accessed by http://yourserver.tld/test.php. To run the actual test, the following address will do:

http://yourserver.tld/test.php?secret_file=/etc/passwd

If the content of /etc/passwd is displayed, ModSecurity is not working. A working installation will show a “403 Forbidden” error message.

A second test request that a working installation should also reject:

http://yourserver.tld/?abc=../../
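The two checks above can be run as a small script. This is an added example, not part of the original page; BASE_URL is a placeholder for your own server, and the rule it applies is the one stated above (a 403 means ModSecurity blocked the request, /etc/passwd contents in the body mean it did not).

```python
"""Run the ModSecurity verification requests described above and classify the results."""
import re
import urllib.error
import urllib.request

# Placeholder host; replace with the server under test.
BASE_URL = "http://yourserver.tld"
# The two request paths from the page.
TEST_PATHS = ["/test.php?secret_file=/etc/passwd", "/?abc=../../"]
# A root entry at the start of a line is a reliable sign that /etc/passwd was served.
PASSWD_RE = re.compile(r"^root:[^\n]*:0:0:", re.MULTILINE)


def classify(status, body):
    """Map one (status, body) pair to a verdict using the page's rule."""
    if status == 403:
        return "blocked"          # ModSecurity is working
    if PASSWD_RE.search(body):
        return "disclosed"        # /etc/passwd shown: ModSecurity is not working
    if status == 200:
        return "not-blocked"      # request went through unfiltered
    return "inconclusive"         # e.g. 404/500: the test file or PHP may be missing


def fetch(url, timeout=5):
    """GET a URL; HTTP error responses (like 403) are returned, not raised."""
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return resp.status, resp.read().decode(errors="replace")
    except urllib.error.HTTPError as err:
        return err.code, err.read().decode(errors="replace")


def run_checks(base_url=BASE_URL, fetch_fn=fetch):
    """Return {path: verdict}. fetch_fn is injectable so the logic can be exercised offline."""
    return {path: classify(*fetch_fn(base_url + path)) for path in TEST_PATHS}


if __name__ == "__main__":
    for path, verdict in run_checks().items():
        print(f"{path}: {verdict}")
```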

HOWTO: Check The Server CN (CommonName) Of Your SSL Certificate
openssl x509 -in server.crt -noout -subject

HOWTO: Redirect Whole Web Site To Secure
Edit your .htaccess file and add the following block of code...

    # mod_rewrite must be switched on in .htaccess context, otherwise the rule below is ignored
    RewriteEngine On
    # This checks to make sure the connection is not already HTTPS
    RewriteCond %{HTTPS} !=on
    # This rule will redirect users from their original location, to the same location but using HTTPS.
    # i.e.  http://www.example.com/foo/ to https://www.example.com/foo/
    # The leading slash is made optional so that this will work either in httpd.conf
    # or .htaccess context
    RewriteRule ^/?(.*) https://%{SERVER_NAME}/$1 [R,L]

keywords: apache, rewrite, redirect http, https

HOWTO: Hide Files In A Directory Listing
Add the following line to your .htaccess file...

IndexIgnore filename.ext *.ico

Thanks to http://www.ducea.com/2006/06/08/apache-tips-tricks/

WebDAV
/etc/apache2/modules.d/45_mod_dav.conf

    LimitXMLRequestBody 131072

    Alias /dav "/var/www/dav"
    <Directory "/var/www/dav">
        Dav On
        Options +Indexes
        IndexOptions FancyIndexing
        AddDefaultCharset UTF-8
        AllowOverride None
        Order allow,deny
        Allow from all
        AuthType Basic
        AuthName "WebDAV"
        AuthUserFile /etc/apache2/dav.passwd
        Require valid-user
    </Directory>

    DavLockDB "/var/lib/dav/lockdb"

    # The following directives disable redirects on non-GET requests for
    # a directory that does not include the trailing slash.  This fixes a
    # problem with several clients that do not appropriately handle
    # redirects for folders with DAV methods.
    BrowserMatch "Microsoft Data Access Internet Publishing Provider" redirect-carefully
    BrowserMatch "MS FrontPage" redirect-carefully
    BrowserMatch "^WebDrive" redirect-carefully
    BrowserMatch "^WebDAVFS/1.[012345678]" redirect-carefully
    BrowserMatch "^gnome-vfs/1.0" redirect-carefully
    BrowserMatch "^XML Spy" redirect-carefully
    BrowserMatch "^Dreamweaver-WebDAV-SCM1" redirect-carefully

Create the password file and restart Apache...

htpasswd -c /etc/apache2/dav.passwd test
/etc/init.d/apache2 restart

To test, install the cadaver command-line WebDAV client:

emerge net-misc/cadaver

Then...

    server.domain.com ~ $ cadaver http://10.0.0.1/dav
    Authentication required for WebDAV on server `10.0.0.1':
    Username: test
    Password:
    dav:/dav/> ls
    Listing collection `/dav/': succeeded.
            fish.txt                              5  Jan 24 15:22
    dav:/dav/> cat fish.txt
    Displaying `/dav/fish.txt':
    fish
    dav:/dav/> quit
    Connection to `10.0.0.1' closed.