Securing Apache configurations as per PCI standards
Prepared By:- Sarang Acharya
Date 19-july-2012
Hide the Apache version number and other sensitive information.
Add or edit the following three directives in your httpd.conf file:
ServerSignature Off
ServerTokens Prod
TraceEnable off
ServerSignature Off removes the version footer from server-generated pages (error pages, directory listings). ServerTokens Prod reduces the Server response header to just "Apache", hiding the version, operating system and loaded modules. TraceEnable off disables the HTTP TRACE method, which echoes the request back to the client and can be abused for cross-site tracing (XST) to read headers such as cookies. These settings only hide information from scanners; they do not remove any vulnerability, so they complement patching rather than replace it.
Ensure that files outside the web root are not served
Apache should not be able to serve any file outside its web root. Assuming all your web sites are placed under one directory (we will call it /web), deny everything from the filesystem root and then explicitly allow /web. The directives below use the Apache 2.2 syntax (Order/Deny/Allow); in Apache 2.4 they are only provided by mod_access_compat and have been replaced by Require all denied / Require all granted.
<Directory />
Order Deny,Allow
Deny from all
Options None
AllowOverride None
</Directory>
<Directory /web>
Order Allow,Deny
Allow from all
</Directory>
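The same restriction written for Apache 2.4, as an added example that is not part of the original document. It uses the mod_authz_core Require directives that replace Order/Allow/Deny; the /web root is the document's assumed layout, and /web/private is an assumed sub-tree that must never be served. Do not mix the two styles in one configuration, as the merge rules between them are confusing.

```apache
# Added example (not from the original document): web-root restriction in
# Apache 2.4 syntax. Paths /web and /web/private are assumed for illustration.

# Deny the whole filesystem; Options None and AllowOverride None are
# inherited by every directory below unless a more specific block changes them.
<Directory />
    Options None
    AllowOverride None
    Require all denied
</Directory>

# Allow only the web root (and, by inheritance, everything under it)
<Directory /web>
    Require all granted
</Directory>

# Deny a sub-tree of the web root again, e.g. application configuration
<Directory /web/private>
    Require all denied
</Directory>

# Block dot-files (.htaccess, .git, .env, ...) anywhere under the web root
<FilesMatch "^\.">
    Require all denied
</FilesMatch>
```

Require all denied on / is the safe starting point because Apache 2.4 also defaults AllowOverride to None, so no .htaccess file can loosen it; every exception must then be an explicit Directory block in the main configuration.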
Note: the following settings should only be changed after analysing the existing configuration, since each of them removes a feature that some applications depend on (directory listings, SSI, CGI, symbolic links, .htaccess overrides).
Turn off directory browsing
You can do this with an Options directive inside a Directory tag. Set Options to either None or -Indexes
Options -Indexes
Turn off server-side includes (SSI)
This is also done with the Options directive inside a Directory tag. Set Options to either None or -Includes
Options -Includes
Turn off CGI execution
If you're not using CGI, turn it off with the Options directive inside a Directory tag. Set Options to either None or -ExecCGI
Options -ExecCGI
Note that directories mapped with ScriptAlias run CGI scripts regardless of ExecCGI, so review those mappings as well.
Don't allow Apache to follow symbolic links
This can again be done using the Options directive inside a Directory tag. Set Options to either None or -FollowSymLinks
Options -FollowSymLinks
Without FollowSymLinks Apache must lstat() every component of the requested path on each request, which costs some performance. Where links are genuinely needed, SymLinksIfOwnerMatch follows a link only if the link and its target have the same owner, which stops one user pointing a link at files owned by root or by another site.
Turning off multiple Options
If you want to turn off all Options simply use:
Options None
If you only want to turn off some separate each option with a space in your Options directive:
Options -ExecCGI -FollowSymLinks -Indexes
Turn off support for .htaccess files
This is done in a Directory tag, but with the AllowOverride directive. Set it to None.
AllowOverride None
Apache then stops searching for .htaccess files in that tree, so nobody with write access to the web root can re-enable listings, CGI or symlink following, and the per-request filesystem lookups for .htaccess disappear as well.
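The Options and AllowOverride settings above applied together in one configuration, as an added example that is not part of the original document. It shows the exceptions a real site usually needs: a single ScriptAlias'd CGI directory, an SSI tree that uses IncludesNOEXEC instead of full Includes, and a shared tree that uses SymLinksIfOwnerMatch. The paths /web, /web/cgi-bin, /web/ssi and /web/shared are assumed for illustration; the syntax is Apache 2.2 to match the rest of the page.

```apache
# Added example (not from the original document): all Options turned off
# globally, then selectively re-enabled. Paths are assumed.

# Web root: no listings, no SSI, no CGI, no symlink following, no .htaccess
<Directory /web>
    Options None
    AllowOverride None
    Order Allow,Deny
    Allow from all
</Directory>

# CGI only from one ScriptAlias'd directory that web content cannot write to.
# ScriptAlias marks every file here as a CGI script, so ExecCGI is not needed
# and Options can stay None.
ScriptAlias /cgi-bin/ "/web/cgi-bin/"
<Directory "/web/cgi-bin">
    Options None
    AllowOverride None
</Directory>

# If one tree genuinely needs SSI, IncludesNOEXEC permits #include of static
# files but refuses #exec and the inclusion of CGI output.
<Directory "/web/ssi">
    Options IncludesNOEXEC
    AddType text/html .shtml
    AddOutputFilter INCLUDES .shtml
</Directory>

# Where symlinks are unavoidable, follow a link only when the link and its
# target have the same owner.
<Directory "/web/shared">
    Options SymLinksIfOwnerMatch
</Directory>
```

Because Options is given without + or - in the sub-directory blocks, each block replaces the inherited value rather than merging with it, which keeps the effective option set of every tree visible in one place. Confirm the result after editing with apachectl -t (syntax check) and a request for a directory that has no index file, which must return 403 rather than a listing.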
Note: the following modules are candidates for disabling when they are not needed. Which of them are compiled in, loaded by default or even available differs from version to version and between distributions, so check the actual build (httpd -M lists the loaded modules) before editing LoadModule lines.
- mod_userdir – Mapping of requests to user-specific directories, i.e. ~username in a URL is translated to a directory on the server; it can also be used to enumerate valid account names
- mod_autoindex – Displays a directory listing when no index file is present
- mod_status – Displays server statistics (/server-status), including client addresses and requested URLs
- mod_env – Clearing/setting of environment variables
- mod_setenvif – Setting environment variables based on request headers
- mod_cgi – CGI scripts
- mod_actions – Triggering a CGI script on a media type or request method
- mod_negotiation – Content negotiation (MultiViews), which can reveal alternative file names in 406 responses
- mod_alias – Mapping of requests to other parts of the filesystem
- mod_include – Server-side includes
- mod_filter – Context-sensitive configuration of output filters
- mod_version – Version-dependent configuration using <IfVersion>
- mod_asis – Files served as-is, including the HTTP headers they contain (.asis)
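How to act on that list, as an added example that is not part of the original document: unload the modules that are built as shared objects, and neutralise by configuration the ones that must stay loaded (or are compiled in statically and cannot be unloaded). The modules/mod_*.so paths, the account name alice and the localhost-only status page are assumptions; the syntax is Apache 2.2 to match the page.

```apache
# Added example (not from the original document): unloading unneeded modules
# and locking down the ones that remain. Module paths are assumed.
#LoadModule userdir_module   modules/mod_userdir.so
#LoadModule autoindex_module modules/mod_autoindex.so
#LoadModule status_module    modules/mod_status.so
#LoadModule cgi_module       modules/mod_cgi.so
#LoadModule include_module   modules/mod_include.so
#LoadModule asis_module      modules/mod_asis.so
#LoadModule actions_module   modules/mod_actions.so

# If mod_userdir must remain loaded, disable ~user mapping for everyone and
# re-enable it only for the named accounts that need it (alice is assumed).
<IfModule mod_userdir.c>
    UserDir disabled
    UserDir enabled alice
</IfModule>

# If mod_status must remain loaded, keep /server-status reachable only from
# localhost and do not expose per-request details.
<IfModule mod_status.c>
    ExtendedStatus Off
    <Location /server-status>
        SetHandler server-status
        Order Deny,Allow
        Deny from all
        Allow from 127.0.0.1 ::1
    </Location>
</IfModule>
```

Statically compiled modules do not appear as LoadModule lines at all; httpd -M shows them as "(static)" and they can only be restricted by configuration such as the blocks above. After the change, confirm with httpd -M that the commented modules are gone and that /server-status returns 403 from any address other than localhost.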
Limiting large requests
Apache has several directives that limit the size of a request; this also helps mitigate the effects of a denial-of-service attack and of oversized uploads.
A good place to start is the LimitRequestBody directive, which in the releases of this era defaults to 0 (unlimited) and can be set globally or per directory. If you allow file uploads of no more than 1 MB, you could set it to:
LimitRequestBody 1048576
If you're not allowing file uploads at all you can set it much smaller.
Some other directives to look at are LimitRequestFields (default 100 header fields), LimitRequestFieldSize (default 8190 bytes per header field) and LimitRequestLine (default 8190 bytes for the request line). These defaults are reasonable for most servers, but you may want to tighten them to what your application actually sends; they apply per server or virtual host, not per directory.
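The limits above applied in one place, as an added example that is not part of the original document: a small global body limit with a larger limit only on the one upload path, tightened header limits, and, going beyond the text, the mod_reqtimeout directive that addresses the slow-request (Slowloris-style) denial of service that size limits alone do not stop. The /upload path and the specific byte values are assumptions to be adapted to the application; mod_reqtimeout exists from Apache 2.2.15 onwards.

```apache
# Added example (not from the original document): request limits. Values and
# the /upload path are assumptions.

# Body: 64 KiB is enough for ordinary form posts
LimitRequestBody 65536

# Headers: tighten below the defaults (100 fields, 8190 bytes each,
# 8190-byte request line); these apply per server/virtual host only
LimitRequestFields 50
LimitRequestFieldSize 4096
LimitRequestLine 4096

# The upload endpoint alone may receive up to 1 MiB (1048576 bytes)
<Location /upload>
    LimitRequestBody 1048576
</Location>

# Slow-request protection (mod_reqtimeout, Apache 2.2.15+): the client must
# finish sending headers within 20 s, extended by 1 s per 500 bytes received
# up to 40 s, and must send the body at >= 500 bytes/s with a 20 s initial
# timeout.
<IfModule mod_reqtimeout.c>
    RequestReadTimeout header=20-40,MinRate=500 body=20,MinRate=500
</IfModule>
```

A request that exceeds LimitRequestBody is answered with 413 Request Entity Too Large, and one that exceeds the header limits with 431 (400 on older releases), so the application's own upload code never sees the oversized data. Remember that a language runtime in front of the files (for example PHP's upload_max_filesize) has separate limits that must agree with these.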
The settings below go in httpd-ssl.conf.
SSLv2 must be disabled. At the time of writing (2012) the accepted baseline was SSLv3 and TLSv1 or newer:
SSLProtocol -ALL +SSLv3 +TLSv1
Note that this baseline has since been overtaken: SSLv3 was broken by the POODLE attack in 2014, and PCI DSS required SSL and "early TLS" (TLS 1.0, and in practice 1.1) to be retired by 30 June 2018, so a current deployment should allow only TLSv1.2 and TLSv1.3.
SSLCipherSuite should be restricted to high-strength ciphers, excluding anonymous (ADH/aNULL) and NULL-encryption (eNULL) suites:
SSLCipherSuite HIGH:!SSLv2:!ADH:!aNULL:!eNULL:!NULL
Disable ephemeral Diffie-Hellman (kEDH) ciphers in Apache:
SSLCipherSuite HIGH:!SSLv2:!ADH:!aNULL:!eNULL:!kEDH:!NULL
Be aware that the kEDH suites are the ones that provide forward secrecy, so a recorded session cannot be decrypted later with the server's private key. A common reason for disabling them on Apache of this era was that releases before 2.4.7 used fixed 1024-bit DH parameters; on a current release the better fix is to keep ECDHE/DHE, configure 2048-bit DH parameters and enforce the server's cipher preference with SSLHonorCipherOrder on.
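The same httpd-ssl.conf settings as they would be written against current PCI DSS requirements, which forbid SSL and early TLS for cardholder data, as an added example that is not part of the original 2012 document. The hostname www.example.com and the certificate, key and DH parameter paths are assumptions. TLSv1.3 in SSLProtocol needs Apache 2.4.36 or later built against OpenSSL 1.1.1 or later; SSLCompression needs 2.4.3 / 2.2.24 or later; SSLOpenSSLConfCmd needs 2.4.8 or later.

```apache
# Added example (not from the original document): a TLS virtual host hardened
# to current requirements. Hostname and file paths are assumed.
<VirtualHost *:443>
    ServerName www.example.com
    SSLEngine on
    SSLCertificateFile    /etc/ssl/certs/www.example.com.crt
    SSLCertificateKeyFile /etc/ssl/private/www.example.com.key

    # Only TLS 1.2 and 1.3; SSLv2, SSLv3, TLS 1.0 and TLS 1.1 are all off
    SSLProtocol -all +TLSv1.2 +TLSv1.3

    # Forward-secret (ECDHE) AEAD suites only: no static RSA key exchange,
    # no CBC, no anonymous or NULL ciphers. The server's order wins.
    SSLCipherSuite ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305
    SSLHonorCipherOrder on

    # TLS-level compression enables the CRIME attack; keep it off
    SSLCompression off

    # If finite-field DHE suites are ever added back instead of being
    # excluded with !kEDH, give them 2048-bit parameters rather than the
    # 1024-bit default of releases before 2.4.7 (generate the file with
    # "openssl dhparam -out /etc/ssl/dhparam2048.pem 2048").
    SSLOpenSSLConfCmd DHParameters "/etc/ssl/dhparam2048.pem"

    # Tell browsers to stay on HTTPS for one year (needs mod_headers)
    <IfModule mod_headers.c>
        Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains"
    </IfModule>
</VirtualHost>
```

Verify the result from outside rather than trusting the file: openssl s_client -connect www.example.com:443 -tls1 (and -tls1_1, -ssl3 where the client library still supports them) must fail to handshake, while -tls1_2 and -tls1_3 must succeed and report one of the listed ECDHE suites. A PCI ASV scan checks exactly these points.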