# Thoughts on securing apache



## wmorri (May 29, 2008)

Hi,

I am looking for information on how to secure my apache server. It is just running with the standard security features. I did a little reading on how to secure it from the apache website but it didn't make a lot of sense to me. So I am looking for some ideas from the folks here at the forum.

I am running Fedora 10 and apache mod_ssl just so that you know.

Cheers!


----------



## Skie (Mar 15, 2003)

mod_ssl will only give you SSL capabilities to encrypt the actual transmission. It won't do anything for you in regards to securing the actual software. 

What things confused you? Perhaps someone can explain things better. 

One place you may wish to start if you're using any PHP scripts (any scripts or no scripts, doesn't matter, it helps) is to install and configure ModSecurity. It basically looks for specific URLs that are accessing your server and rejects them. Here's an example of my Mod Security log.


```
Date  	Time  	IP  	GET  	Host  	Message  	Action
2007-11-24 	10:36:40 	1.2.3.4 	/cgi-bin/phf?Qalias=x%0a/bin/cat%20/etc/passwd HTTP/1.1 	www.domain.com 	Access denied with code 406. Pattern match "/etc/passwd" at THE_REQUEST 	406
```
What's happening here is someone's trying to gain access to the /etc/passwd file and display it using cat. Normally, a properly configured Apache and PHP server won't allow something like this, but people do find security holes in the software and use it to take advantage of it. This time around, they're trying to use a perl script that may or may not be located in cgi-bin. What ModSecurity does is it stops these types of attacks from even reaching Apache/PHP/whatever.


----------
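
As an added illustration of the filtering described in the post above (not Skie's configuration and not ModSecurity's own code), this Python example models a rule that matches "/etc/passwd" against the request line and answers 406. The function names `normalise` and `inspect`, the decode-before-match step and all sample request lines except the first are assumptions made for the example.

```python
import re
from urllib.parse import unquote

# Pattern and status code taken from the log entry in the post above.
BLOCKED_PATTERNS = [re.compile(r"/etc/passwd")]
DENY_STATUS = 406


def normalise(request_line: str) -> str:
    """URL-decode (bounded number of passes) and collapse repeated slashes,
    so an encoded path is matched the same way as the plain one."""
    text = request_line
    for _ in range(3):
        decoded = unquote(text)
        if decoded == text:
            break
        text = decoded
    return re.sub(r"/{2,}", "/", text)


def inspect(request_line: str):
    """Return (status, message); status is None when the request is allowed."""
    text = normalise(request_line)
    for pattern in BLOCKED_PATTERNS:
        if pattern.search(text):
            message = (f"Access denied with code {DENY_STATUS}. "
                       f'Pattern match "{pattern.pattern}" at THE_REQUEST')
            return DENY_STATUS, message
    return None, "allowed"


# Constructed sample request lines; only the first comes from the log above.
SAMPLES = [
    "GET /cgi-bin/phf?Qalias=x%0a/bin/cat%20/etc/passwd HTTP/1.1",
    "GET /index.php?page=about HTTP/1.1",
    "GET /view.php?file=%2Fetc%2Fpasswd HTTP/1.1",
    "GET /wiki/etc/passwd_format HTTP/1.1",  # harmless page, still matches
]

if __name__ == "__main__":
    for line in SAMPLES:
        status, message = inspect(line)
        print(status or 200, "|", line, "|", message)
```

The last sample is denied even though it is a harmless documentation URL: a plain substring rule also produces false positives, so rules like this need reviewing against the site's real traffic before they are enforced.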



## wmorri (May 29, 2008)

Skie,

Here are a couple of things that I am looking for. One is how to set up .htaccess. I have heard that it is important. The other thing is this server will be hosting my home business site, and I will be sending personal information over it, i.e. names and emails, so I don't want people to be able to see the traffic going through it.

These are just a couple that I can think of for now. Right now my server is just for my home use. But, I might want to use it for something else later on. I am definitely going to look at ModSecurity; it looks really interesting.

Cheers!


----------



## Skie (Mar 15, 2003)

The .htaccess file can do a number of things (redirecting users to a different page/website, blocking users from seeing a page, handling HTTP Authentication, etc). I haven't learned everything there is to know about them as there are a lot of features that you can use and sometimes they can get quite complex. I've only used the features that I specifically needed. If you take a look at this .htaccess generator, you'll see what I'm talking about. http://cooletips.de/htaccess/ Mod Rewrite is probably the most commonly used feature.

For transmitting personal information, you'll definitely want SSL. You'll need to purchase an SSL certificate and you'll need a dedicated IP address (if any other websites share the same IP and you try to use https on them, you'll get the main site that's set up for SSL instead).

If you're using Apache 2.x, I can give you my ModSecurity config which should work for you without any issues. Unfortunately, if you're using Apache 1.x, then my config won't work as the syntax for ModSecurity changed between Apache versions. 

The biggest security risk is the scripts/software that you're using. Every time one of my customers has had their website hacked, it was because they failed to properly update their PHP or Perl scripts. However, you'll also want to make sure that you keep Apache, Perl and PHP itself updated. And I shouldn't have to say it, but keep the Kernel and the rest of the software on that system up to date as well. If you're not using the server for anything other than as a web server, disable any other software. Better yet, uninstall it. The more you have installed/running, the bigger the security risk. If you never use/login using a GUI, then remove Gnome/KDE/X. There's no reason to ever keep it.


----------



## wmorri (May 29, 2008)

Hi Skie,

I am having problems with the ./configure command. It is giving me this:

```
[[email protected] apache2]# ./configure
checking for g++... no
checking for c++... no
checking for gpp... no
checking for aCC... no
checking for CC... no
checking for cxx... no
checking for cc++... no
checking for cl.exe... no
checking for FCC... no
checking for KCC... no
checking for RCC... no
checking for xlC_r... no
checking for xlC... no
checking for C++ compiler default output file name...
configure: error: in `/home/will/Desktop/modsecurity-apache_2.5.7/apache2':
configure: error: C++ compiler cannot create executables
See `config.log' for more details.
[[email protected] apache2]#
```
I am wondering if you could give me some insight on this and how to install some of these and I can take it from there. I tried to install them from terminal and was only able to install gpp.

Cheers!


----------



## Skie (Mar 15, 2003)

It looks like gcc is not installed or not properly installed. Which distro are you using on that computer? If it's Ubuntu, please run the following:


```
sudo apt-get install build-essential
```
If Fedora, you need to run the following as root:


```
yum install gcc
yum install binutils
```
That should take care of everything. If not, let me know.


----------



## wmorri (May 29, 2008)

Here is what I get when I try that:

```
[[email protected] ~]# yum install gcc
Loaded plugins: refresh-packagekit
Setting up Install Process
Parsing package install arguments
Package gcc-4.3.2-7.i386 already installed and latest version
Nothing to do
[[email protected] ~]# yum install binutils
Loaded plugins: refresh-packagekit
Setting up Install Process
Parsing package install arguments
Package binutils-2.18.50.0.9-8.fc10.i386 already installed and latest version
Nothing to do
[[email protected] ~]#
```
Cheers!


----------



## Skie (Mar 15, 2003)

Strange. Try this:


```
yum install gcc-c++ 
yum install cpp
```
You could combine those as "yum install gcc-c++ cpp", but I wrote them separately. The first one should install fine, the second one should say it's already installed. Or they'll both install fine.


----------



## wmorri (May 29, 2008)

Ok,

Sorry for the delay, I was taking a couple days off from this project to clear my head. I got some of the configure to work but now I am getting this message.


> configure: looking for Apache module support via DSO through APXS
> configure: error: couldn't find APXS
> [[email protected] apache2]#


I will do a little looking but don't know what I will find.

Cheers!


----------



## Skie (Mar 15, 2003)

As root, run "updatedb". When it's done, type "locate apxs". If it's found, it should be at /usr/bin/apxs2.


----------



## wmorri (May 29, 2008)

Hi,

Ok here is what I found when I did that.


> [[email protected] apache2]# locate apxs
> /home/will/Desktop/modsecurity-apache_2.5.7/apache2/build/apxs-wrapper.in


Cheers!


----------

