Instructions follow on how to build and harden one of the most common web server configurations out there: Apache with PHP and mod_security, on a Debian-style system.
We are going for a DIY installation where everything is compiled from source, so some development tools are required. Let's get our hands dirty!
Download and uncompress
cd /usr/local/src/
wget http://mirror.public-internet.co.uk/apache/httpd/httpd-2.2.4.tar.gz
tar -xvvzf httpd-2.2.4.tar.gz
wget -O php-5.2.3.tar.gz http://uk2.php.net/get/php-5.2.3.tar.gz/from/this/mirror
tar -xvvzf php-5.2.3.tar.gz
The -O is needed because the php.net mirror URL ends in "mirror", which is the name wget would otherwise save the file under. Both downloads come over plain HTTP, so verify the tarballs against the checksums or PGP signatures published by the Apache and PHP projects before unpacking them.
Install software
Required by Apache:
apt-get install gcc make libc6-dev libc-dev \
    linux-kernel-headers libssl-dev zlib1g-dev
Required by PHP:
apt-get install g++ g++-4.1 libfreetype6 \
    libfreetype6-dev libgd2-noxpm libgd2-noxpm-dev \
    libjpeg62 libjpeg62-dev libmysqlclient15-dev \
    libpng12-0 libpng12-dev libstdc++6-4.1-dev \
    libxml2 libxml2-dev
Tweak Apache
To change the name the server reports in its banner, edit /usr/local/src/httpd-2.2.4/include/ap_release.h before compiling:
#define AP_SERVER_BASEVENDOR "nomejortu"
#define AP_SERVER_BASEPROJECT "nmt server"
#define AP_SERVER_BASEPRODUCT "server"
This only changes the product string (together with ServerTokens Prod, set below, the Server header becomes just "server"). It keeps the version away from casual banner grabbing, but it is no substitute for tracking Apache security releases.
Configure, compile and install
cd /usr/local/src/httpd-2.2.4/
./configure --disable-info --disable-autoindex \
    --disable-include --disable-userdir --disable-status \
    --disable-imagemap --disable-cgid --disable-cgi \
    --disable-proxy --enable-ssl=static \
    --enable-rewrite=static --enable-dir=static \
    --enable-unique_id=static --enable-so
make
make install
With the previous configure line we are removing modules that either disclose too much information (info, status, autoindex, userdir) or that we do not need (watch out! you may need some of them, e.g. cgi or proxy). All included modules are statically linked into the binary. The only dynamic (DSO) modules we will be using are mod_php and mod_security, which is why --enable-so stays.
Configure Apache
In Apache's configuration file (/usr/local/apache2/conf/httpd.conf) append:
# server banner
ServerSignature Off
ServerTokens Prod
# disable TRACE requests
TraceEnable off
If needed, add index.php as a default file to the DirectoryIndex directive (around line 165):
DirectoryIndex index.php index.html
In the same way, if you need virtual hosts, uncomment line 386 (or the equivalent in your version):
Include conf/extra/httpd-vhosts.conf
Add your virtual host definitions to that file. If you need SSL support, uncomment line 398 (or equivalent) of the same file:
Include conf/extra/httpd-ssl.conf
Change ownership of the htdocs directory and remove unnecessary files and folders:
chown -R daemon:daemon /usr/local/apache2/htdocs/
rm -rf /usr/local/apache2/htdocs/*
rm -rf /usr/local/apache2/cgi-bin/*
rm -rf /usr/local/apache2/icons
Note that daemon is the user Apache runs as (the User and Group directives), so this makes the document root writable by the web server itself. If your content does not need to be written by the server, leave it owned by root and only readable by daemon.
If you want the server to start at boot time, issue the following commands:
rm /etc/init.d/apache2
ln -s /usr/local/apache2/bin/apachectl /etc/init.d/apache2
update-rc.d apache2 defaults
Be careful: if you have configured SSL with a certificate whose private key requires a pass phrase, the system will prompt for it at boot and wait until it is entered.
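As a check on the httpd.conf edits above, here is an added example (not part of the original post) that audits a configuration file for the banner and TRACE directives and for extra/ includes that would bring back what the configure line removed. It assumes plain textual matching on uncommented lines is enough; Apache directive names and the On/Off keywords are case-insensitive, so the matching is too. The two sample configurations are constructed for the demo.

```shell
#!/bin/sh
# Added example, not from the original post: audit an httpd.conf for the
# hardening directives and for extra/ includes that re-enable removed features.
# Assumption: textual matching on uncommented lines; case-insensitive like Apache.

# active_lines FILE: the configuration without comment lines and blank lines
active_lines() {
    sed -e '/^[[:space:]]*#/d' -e '/^[[:space:]]*$/d' "$1"
}

# has_directive FILE NAME VALUE: true if some active line is exactly "NAME VALUE"
has_directive() {
    active_lines "$1" | grep -Eiq "^[[:space:]]*$2[[:space:]]+$3[[:space:]]*$"
}

# audit_httpd_conf FILE: print one line per finding; exit status = number of findings
audit_httpd_conf() {
    conf=$1
    findings=0
    for want in "ServerSignature Off" "ServerTokens Prod" "TraceEnable off"; do
        # $want is unquoted on purpose: NAME and VALUE are two arguments
        if ! has_directive "$conf" $want; then
            echo "missing: $want"
            findings=$((findings + 1))
        fi
    done
    # these includes bring back server-info/status, directory listings and ~user dirs
    for inc in httpd-info.conf httpd-autoindex.conf httpd-userdir.conf; do
        if active_lines "$conf" | grep -Eiq "^[[:space:]]*Include[[:space:]]+conf/extra/$inc"; then
            echo "enabled: Include conf/extra/$inc"
            findings=$((findings + 1))
        fi
    done
    return $findings
}

# write_samples DIR: a weak and a hardened configuration (constructed for this example)
write_samples() {
    cat >"$1/weak.conf" <<'EOF'
ServerRoot "/usr/local/apache2"
ServerTokens Full
#ServerSignature Off
Include conf/extra/httpd-info.conf
EOF
    cat >"$1/hardened.conf" <<'EOF'
ServerRoot "/usr/local/apache2"
# server banner
ServerSignature Off
ServerTokens Prod
# disable TRACE requests
TraceEnable off
#Include conf/extra/httpd-info.conf
EOF
}

# Usage: sh audit_httpd.sh --demo   (runs against the constructed samples)
#        . ./audit_httpd.sh; audit_httpd_conf /usr/local/apache2/conf/httpd.conf
if [ "${1:-}" = "--demo" ]; then
    tmp=$(mktemp -d)
    write_samples "$tmp"
    for c in weak hardened; do
        echo "== $c.conf"
        if audit_httpd_conf "$tmp/$c.conf"; then echo "ok"; else echo "$? finding(s)"; fi
    done
    rm -rf "$tmp"
fi
```

The exit status is the number of findings, so the function can gate a deployment script; run it again after every edit to httpd.conf and after each Apache upgrade, since a new default configuration may reintroduce the extra/ includes.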
PHP
Not much to do on the PHP side. Configure, compile and install:
cd /usr/local/src/php-5.2.3
./configure --with-apxs2=/usr/local/apache2/bin/apxs \
    --with-mysql=/usr/include/mysql \
    --with-config-file-path=/etc \
    --with-gd --with-zlib-dir=/usr/lib/
make
make install
The PHP installation adds the LoadModule line for you, but you still need to edit Apache's configuration file (httpd.conf) and add the following:
AddType application/x-httpd-php .php .phtml
Modify the DirectoryIndex directive if you want the server to default to index.php when a directory is requested.
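The configure line above points PHP at /etc/php.ini, but make install does not create that file. As an added example (not part of the original post), the following script copies the php.ini-recommended template shipped in the PHP 5.2 source tree into place and sets the directives that matter for a hardened install; it assumes "key = value" lines, where a directive may be active, commented out with ";" or absent. The sample php.ini used by the demo is constructed.

```shell
#!/bin/sh
# Added example, not from the original post: create /etc/php.ini from the
# shipped template and set the hardening directives. Assumptions: PHP reads
# /etc/php.ini (--with-config-file-path=/etc above); the template is
# php.ini-recommended in the PHP 5.2 source tree; "key = value" syntax.

PHP_SRC=${PHP_SRC:-/usr/local/src/php-5.2.3}
PHP_INI=${PHP_INI:-/etc/php.ini}

# install_php_ini: create PHP_INI from the shipped template if it does not exist yet
install_php_ini() {
    [ -f "$PHP_INI" ] || cp "$PHP_SRC/php.ini-recommended" "$PHP_INI"
}

# set_ini_directive FILE KEY VALUE: rewrite every active or ";"-commented KEY line
# as "KEY = VALUE"; append the directive if the file has no such line at all.
# A backup is left in FILE.bak. Section headers do not scope plain php.ini
# directives, so appending at the end is sufficient.
set_ini_directive() {
    file=$1; key=$2; value=$3
    if grep -Eq "^[[:space:]]*;?[[:space:]]*$key[[:space:]]*=" "$file"; then
        sed -i.bak -e "s|^[[:space:]]*;\{0,1\}[[:space:]]*$key[[:space:]]*=.*|$key = $value|" "$file"
    else
        cp "$file" "$file.bak"
        printf '%s = %s\n' "$key" "$value" >>"$file"
    fi
}

# harden_php_ini FILE: the settings, with the reason for each
harden_php_ini() {
    set_ini_directive "$1" expose_php Off         # no "X-Powered-By: PHP/5.2.3" header
    set_ini_directive "$1" display_errors Off     # no error text, paths or SQL sent to clients
    set_ini_directive "$1" log_errors On          # keep the errors in the server log instead
    set_ini_directive "$1" register_globals Off   # request parameters must not become variables
    set_ini_directive "$1" allow_url_include Off  # include/require cannot pull remote URLs
}

# write_sample_ini FILE: a constructed fragment with weak settings, for the demo and test
write_sample_ini() {
    cat >"$1" <<'EOF'
[PHP]
expose_php = On
display_errors = On
;log_errors = On
log_errors_max_len = 1024
EOF
}

# Usage: sh harden_php.sh --demo            (constructed sample in a temp dir)
#        . ./harden_php.sh; install_php_ini; harden_php_ini "$PHP_INI"
if [ "${1:-}" = "--demo" ]; then
    tmp=$(mktemp -d)
    write_sample_ini "$tmp/php.ini"
    harden_php_ini "$tmp/php.ini"
    cat "$tmp/php.ini"
    rm -rf "$tmp"
fi
```

After running it against the real /etc/php.ini, restart Apache and confirm with a request to a .php page that the X-Powered-By header is gone. The ServerTokens Prod setting in httpd.conf does not cover that header; expose_php does.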
mod_security
Download:
cd /usr/local/src/
wget http://www.modsecurity.org/download/modsecurity-apache_2.1.2.tar.gz
tar -xvvzf modsecurity-apache_2.1.2.tar.gz
cd modsecurity-apache_2.1.2/apache2/
Edit the Makefile and adjust the following lines, so that mod_security is compiled against the pcre library bundled with Apache's sources rather than the system one:
top_dir = /usr/local/apache2
INCLUDES = -I /usr/include/libxml2 -I /usr/local/src/httpd-2.2.4/srclib/pcre/
Compile and install:
make
make install
Copy the default rule set into the Apache configuration directory and include it from the main configuration file:
cp -r /usr/local/src/modsecurity-apache_2.1.2/rules/ \
    /usr/local/apache2/conf/modsecurity
In /usr/local/apache2/conf/httpd.conf add the following lines:
LoadModule security2_module modules/mod_security2.so
Include conf/modsecurity/*.conf
By default the rule set only logs requests that match (the shipped SecDefaultAction uses pass). To enforce the rules instead, change the SecDefaultAction in each and every rule file to:
SecDefaultAction "phase:2,log,deny,status:400"
Run the server in the logging-only mode against real traffic for a while first and review the audit log for false positives before switching to deny; check the edited files with apachectl configtest before restarting.
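Editing every rule file by hand is error-prone, so here is an added example (not part of the original post or of mod_security) that rewrites every SecDefaultAction in the rules directory to the blocking form, keeps a backup of each file, and reports anything still left in pass mode. It assumes a flat directory of *.conf files with SecDefaultAction written on one line. The SecRuleEngine check is included because the engine defaults to Off in ModSecurity 2.x, in which case a deny action never fires; the two sample rule files are constructed, not the real rule set.

```shell
#!/bin/sh
# Added example, not from the original post: flip every SecDefaultAction in a
# rules directory from log-only to blocking, keep a backup of each file, and
# report what is still in "pass" mode. Assumptions: flat directory of *.conf
# files, one-line SecDefaultAction; SecRuleEngine defaults to Off in 2.x.

ENFORCE_ACTION='phase:2,log,deny,status:400'

# enforce_default_action DIR: rewrite SecDefaultAction in DIR/*.conf (backup: *.conf.orig)
enforce_default_action() {
    for f in "$1"/*.conf; do
        [ -f "$f" ] || continue
        grep -Eq '^[[:space:]]*SecDefaultAction[[:space:]]' "$f" || continue
        cp -p "$f" "$f.orig"
        sed -e "s|^\([[:space:]]*SecDefaultAction[[:space:]][[:space:]]*\).*|\1\"$ENFORCE_ACTION\"|" \
            "$f.orig" >"$f"
    done
}

# passing_defaults DIR: names of files whose SecDefaultAction still contains "pass"
passing_defaults() {
    grep -El '^[[:space:]]*SecDefaultAction[[:space:]]+"[^"]*pass' "$1"/*.conf 2>/dev/null
}

# rule_engine_on DIR: true if some file in DIR sets SecRuleEngine On
rule_engine_on() {
    grep -Eiq '^[[:space:]]*SecRuleEngine[[:space:]]+On[[:space:]]*$' "$1"/*.conf 2>/dev/null
}

# write_sample_rules DIR: two constructed rule files in the shipped log-only form.
# The SecRule carries no disruptive action of its own, so it inherits SecDefaultAction.
write_sample_rules() {
    cat >"$1/modsecurity_crs_10_config.conf" <<'EOF'
SecRuleEngine On
SecDefaultAction "log,pass,phase:2"
EOF
    cat >"$1/modsecurity_crs_20_protocol_violations.conf" <<'EOF'
# constructed sample, not the real rule set
SecDefaultAction "log,pass,phase:2"
SecRule REQUEST_HEADERS:Content-Length "!^[0-9]+$" "t:none,msg:'Invalid Content-Length'"
EOF
}

# Usage: sh enforce_modsec.sh --demo
#        . ./enforce_modsec.sh; enforce_default_action /usr/local/apache2/conf/modsecurity
#        then: /usr/local/apache2/bin/apachectl configtest
if [ "${1:-}" = "--demo" ]; then
    tmp=$(mktemp -d)
    write_sample_rules "$tmp"
    echo "before:"; passing_defaults "$tmp"
    enforce_default_action "$tmp"
    echo "after:"; passing_defaults "$tmp" || echo "(none)"
    rule_engine_on "$tmp" || echo "warning: no file sets SecRuleEngine On"
    rm -rf "$tmp"
fi
```

The *.conf.orig backups are deliberately outside the conf/modsecurity/*.conf glob that httpd.conf includes, so they do not get loaded; to go back to logging-only mode, copy them over the edited files.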
The End: up and running
Last but not least, do not forget to remove software that you no longer need! No compilers or development libraries should remain on the server.
First software needed to compile Apache:
apt-get remove --purge binutils cpp cpp-4.1 gcc-4.1 \
    libssp0 make gcc libc6-dev libc-dev \
    linux-kernel-headers libssl-dev zlib1g-dev
And also the ones needed for PHP:
apt-get remove --purge libxml2-dev libfreetype6-dev \
    libgd2-noxpm-dev libjpeg62-dev libpng12-dev libgd2-dev \
    libmysqlclient15-dev g++ g++-4.1 libstdc++6-4.1-dev
Remove all the sources that we have used:
rm -rf /usr/local/src/*
And of course, start the server:
/usr/local/apache2/bin/apachectl start