<!doctype html>
<html lang="en" prefix="og: http://ogp.me/ns#">
<head>
<!-- Required meta tags -->
<meta charset="utf-8">
<meta name="description" content="Securing Apache - Debian/Ubuntu Step2c - Configuring Apache/PHP" />
<meta name="keywords" content="Apache, Security, SSL, TLS, Certificate, Debian, Ubuntu, Elliptical Curves, RSA, Encryption, PHP" />
<meta name="viewport" content="width=device-width, initial-scale=1.0, user-scalable=yes" />
<meta name="author" content="Kevin Dziekonski" />
<meta name="generator" content="The Dead's Script O' Rama" />
<meta name="application-name" content="Zombie Security" />
<meta http-equiv="Content-Type" content="text/html" />
<meta name="robots" content="index, follow" />
<meta name="googlebot" content="index, follow" />
<meta name="copyright" content="Zombie materials are subject to copyrights" />
<meta property="og:title" content="Free Best Practice Security Guides" />
<meta property="og:image" content="https://zombiesecured.com/images/ZTwitter.jpg" />
<meta property="og:image:secure_url" content="https://zombiesecured.com/images/ZTwitter.jpg" />
<meta property="og:image:type" content="image/jpg" />
<meta property="og:image:alt" content="Zombie Security – Free Best Practice Security Guides" />
<meta property="og:type" content="website" />
<meta property="og:url" content="https://zombiesecured.com" />
<meta property="og:description" content="Best Practices - Network Access Management (NAM), Privileged Access Management (PAM), Multi-Factor Authentication (MFA), Identity Access Management (IAM), Identity Governance (IG), Apache & Tomcat?" />
<meta property="og:site_name" content="Zombie Secured" />
<meta property="twitter:card" content="summary" />
<meta property="twitter:site" content="https://zombiesecured.com" />
<meta property="twitter:site.id" content="@zombiesecured" />
<meta property="twitter:creator" content="@kevindziekonski" />
<meta property="twitter:description" content="Best Practices - Network Access Management (NAM), Privileged Access Management (PAM), Multi-Factor Authentication (MFA), Identity Access Management (IAM), Identity Governance (IG), Apache & Tomcat?" />
<meta property="twitter:title" content="Zombiesecured Free Educational Best Practices Security Guides" />
<meta property="twitter:image" content="https://zombiesecured.com/images/ZTwitter.jpg" />
<meta property="twitter:image.alt" content="Free security education and best practices - Network Access Management (NAM), Privileged Access Management (PAM), Multi-Factor Authentication (MFA), Identity Access Management (IAM), Identity Governance (IG), Apache & Tomcat?" />
<meta http-equiv="X-UA-Compatible" content="IE=Edge,chrome=1" />
<meta name="msapplication-TileColor" content="#D83434" />
<meta name="msapplication-TileImage" content="https://zombiesecured.com/images/favicon.jpg" />
<meta name="apple-mobile-web-app-capable" content="yes">
<meta name="apple-touch-fullscreen" content="yes">
<link rel="apple-touch-icon" href="https://zombiesecured.com/images/favicon.png" />
<link rel="canonical" href="https://zombiesecured.com/" />
<title>Step2c - Configuring Apache/PHP (Debian/Ubuntu)</title>
</head>
<body>
<div class="container-fluid">
<!-- Add the common header to display the main menu. -->
<div id="header"></div>
<div class="row">
<!-- This section is the side menu section -->
<div class="col-md-2">
<div id="apacheDebianSideMenu"></div>
</div>
<!-- This section is the content section -->
<div class="col-md-10">
<div class="card border-dark mb-3 mt-3">
<div class="card-header d-flex align-items-center justify-content-center">
<!-- This is the content header start. Add text here for the content banner text. -->
<h4>Securing Apache - Debian/Ubuntu</h4>
</div>
<div class="card-body">
<!-- This section is the content section. Add the bulk HTML here -->
<h3>Step 2c - Configuring Apache/PHP</h3>
<p class="card-text">We need to minimize the information we are sharing with everyone. We also need to look over which <a href="https://httpd.apache.org/docs/trunk/new_features_2_4.html" title="Apache2.4 Modules" target="_blank">modules are running</a> and which applications they interact with. The bulk of the work is really in this procedure. It does not just involve turning modules on or off; heavily tweaking the modules' behavior and function is what really hardens a system beyond a hacker's reach. Over time I will release more documentation on how to modify and alter Apache2 for performance and for trapping rogue admins.</p>
<h4>How to enable or disable Apache modules</h4>
<p class="card-text">Enabling modules:</p>
<pre>a2enmod (module name)</pre>
<p class="card-text">Disabling modules:</p>
<pre>a2dismod (module name)</pre>
<h4>Disable unnecessary Apache modules </h4>
<p class="card-text">To list all of the Apache modules running:</p>
<pre>apachectl -M</pre>
<p class="card-text"><span class="orange">Disable ANY modules not needed for your configuration, or turn them all off and re-enable only what you need by following the steps below.</span></p>
<h4>Enabling needed Apache modules </h4>
<pre>a2enmod ssl headers rewrite expires proxy proxy_fcgi proxy_http http2 cache cache_socache socache_shmcb php5</pre>
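<p class="card-text">The following shell script is an added example and is not part of the original guide. It turns the "turn them all off and re-enable what you need" step into something you can review before touching the server: it reduces <code>apachectl -M</code> output to module names, compares them with the allowlist from the <code>a2enmod</code> line above (kept as the guide wrote it, <code>php5</code> included), and lists the extras. The sample <code>apachectl -M</code> output at the bottom is constructed so the functions can be tried offline.</p>

```shell
#!/bin/sh
# Added example, not part of the original guide: work out which loaded Apache
# modules fall outside the allowlist from the a2enmod line above, so the
# "turn them all off and re-enable what you need" step can be reviewed
# before anything is disabled. The allowlist is the guide's (php5 included).
ALLOWED="ssl headers rewrite expires proxy proxy_fcgi proxy_http http2 cache cache_socache socache_shmcb php5"

# Reduce "apachectl -M" output to bare names of dynamically loaded modules.
# Static modules (core, so, http, ...) are built in and cannot be disabled,
# and the one loaded MPM (mpm_*) must stay, so both are skipped.
loaded_modules() {
    sed -n 's/^ *\([a-z0-9_]*\)_module (shared)$/\1/p' | grep -v '^mpm_'
}

# Print each loaded module that is not on the allowlist, one per line.
extra_modules() {
    loaded_modules | while read -r mod; do
        case " $ALLOWED " in
            *" $mod "*) ;;      # on the allowlist, keep it
            *) echo "$mod" ;;   # not on it, report it
        esac
    done
}

# Live use (assumed to be run as root on the Debian/Ubuntu host):
#   apachectl -M | extra_modules                        # review first
#   apachectl -M | extra_modules | xargs -r a2dismod    # then disable
#   a2enmod $ALLOWED                                    # and enable the set above
# a2dismod names usually equal "<name>_module" minus the suffix, but not
# always (php7_module is enabled as php7.x), so review the list before acting.

# Constructed sample of "apachectl -M" output for trying the functions offline.
SAMPLE_MODULES='Loaded Modules:
 core_module (static)
 so_module (static)
 watchdog_module (static)
 http_module (static)
 mpm_event_module (shared)
 ssl_module (shared)
 headers_module (shared)
 status_module (shared)
 autoindex_module (shared)
 php5_module (shared)'

# Extras found in the sample, joined on one line for easy inspection.
sample_extras() {
    printf '%s\n' "$SAMPLE_MODULES" | extra_modules | tr '\n' ' '
}
```

<p class="card-text">Against the constructed sample, <code>sample_extras</code> reports <code>status</code> and <code>autoindex</code>: mod_status exposes server internals and mod_autoindex produces directory listings, which is exactly the kind of information leak this step is about.</p>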
<h4>Enabling the newly created sites under Apache</h4>
<pre>a2ensite /etc/apache2/sites-available/EXAMPLE_com_ssl.conf</pre>
<pre>a2ensite /etc/apache2/sites-available/EXAMPLE_com.conf</pre>
<h4>Disabling the default sites under Apache</h4>
<p class="card-text red">Do not forget to decide what is served when the server is reached by its IP address once you disable the default sites. Do not use the Apache2 default page!</p>
<pre>a2dissite /etc/apache2/sites-enabled/000-default.conf</pre>
<pre>a2dissite /etc/apache2/sites-enabled/default-ssl.conf</pre>
<h4>Change the Timeout &amp; KeepAlive</h4>
<pre>nano /etc/apache2/apache2.conf</pre>
<h5>Locate and change the lines shown in<span class="blue"> blue:</span></h5>
<p class="card-text">Timeout <span class="blue">30</span><br>
KeepAliveTimeout <span class="blue">5</span></p>
<p class="card-text"><span class="blue">&lt;Directory /&gt;</span><span class="orange"> &lt;--- Protect our system files - If you did not add this in the prior <a href="Step2b-Prep.html">Step2b</a>, you can add it globally here</span><br>
<span class="blue"> Require all denied<br>
AllowOverride None<br>
Options None</span><br>
<span class="blue">&lt;/Directory&gt;</span> </p>
<h4>Close and exit the file</h4>
<kbd>ctrl</kbd><strong> + </strong><kbd>o</kbd> (Save)<br />
<kbd>ctrl</kbd><strong> + </strong><kbd>x</kbd> (Exit)<br />
<h4 class="mt-3">Remove Apache Version, Operating System, Port, and Hostname from being advertised</h4>
<p class="card-text">We could put all of the security header settings in this file, but I strongly recommend against doing so on a server that hosts numerous sites!</p>
<pre>nano /etc/apache2/conf-enabled/security.conf</pre>
<h5>Locate and change the lines shown in<span class="blue"> blue:</span></h5>
<p> ServerTokens <span class="blue">Prod</span><br>
ServerSignature <span class="blue">Off</span><br>
TraceEnable <span class="blue">Off</span> </p>
<h4>Close and exit the file</h4>
<kbd>ctrl</kbd><strong> + </strong><kbd>o</kbd> (Save)<br />
<kbd>ctrl</kbd><strong> + </strong><kbd>x</kbd> (Exit)<br />
<h4 class="mt-3">Remove the PHP version from being advertised (just in case you have it installed)</h4>
<pre>nano /etc/php5/apache2/php.ini</pre>
<h5>Locate and change the lines shown in<span class="blue"> blue:</span></h5>
<p> expose_php = <span class="blue">Off</span></p>
<h4>Close and exit the file</h4>
<kbd>ctrl</kbd><strong> + </strong><kbd>o</kbd> (Save)<br />
<kbd>ctrl</kbd><strong> + </strong><kbd>x</kbd> (Exit)<br />
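<p class="card-text">The script below is an added example, not part of the original guide. It audits the settings from the two files just edited (<code>ServerTokens</code>, <code>ServerSignature</code> and <code>TraceEnable</code> in <code>security.conf</code>, <code>expose_php</code> in <code>php.ini</code>), honouring the fact that Apache and PHP use the last uncommented occurrence of a setting, and shows how to confirm from the client side what the <code>Server</code> header actually reveals. The sample files written by <code>make_samples</code> are constructed for trying the audit offline; the <code>curl</code> helper assumes the site is already reachable.</p>

```shell
#!/bin/sh
# Added example, not part of the original guide: audit the information-
# disclosure settings from security.conf and php.ini, and show what a client
# actually sees in the Server header.

# Last uncommented value of an Apache directive in FILE (Apache honours the
# last occurrence, so that is the one that matters).
apache_directive() {   # apache_directive FILE DIRECTIVE
    sed -n "s/^[[:space:]]*$2[[:space:]]\{1,\}\([^[:space:]#]\{1,\}\).*/\1/p" "$1" | tail -n 1
}

# Last uncommented value of a php.ini "key = value" setting (";" starts a comment).
ini_value() {          # ini_value FILE KEY
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*\([^[:space:];]\{1,\}\).*/\1/p" "$1" | tail -n 1
}

# Case-insensitive equality, since Apache and PHP accept "Off", "off" and "OFF".
same_ci() {
    [ "$(printf '%s' "$1" | tr 'A-Z' 'a-z')" = "$(printf '%s' "$2" | tr 'A-Z' 'a-z')" ]
}

# Returns 0 when every setting matches the guide, 1 otherwise, naming each miss.
audit_disclosure() {   # audit_disclosure SECURITY_CONF PHP_INI
    rc=0
    for pair in "ServerTokens=Prod" "ServerSignature=Off" "TraceEnable=Off"; do
        name=${pair%%=*}; want=${pair#*=}
        got=$(apache_directive "$1" "$name")
        same_ci "$got" "$want" || { echo "$1: $name is '${got:-unset}', want $want"; rc=1; }
    done
    got=$(ini_value "$2" expose_php)
    same_ci "$got" "Off" || { echo "$2: expose_php is '${got:-unset}', want Off"; rc=1; }
    return $rc
}

# Client-side confirmation: with ServerTokens Prod the reply is just "Server: Apache",
# and with expose_php Off there is no X-Powered-By header at all.
server_header() {      # server_header URL   (live use only)
    curl -sSI "$1" | grep -i -e '^Server:' -e '^X-Powered-By:'
}

# Constructed sample files for trying the audit without touching /etc.
# security.conf is fixed correctly; php.ini still has expose_php = On, because
# the "Off" line is commented out and therefore ignored.
make_samples() {       # prints the directory that holds the samples
    d=$(mktemp -d)
    printf '%s\n' '# hardened per Step 2c' 'ServerTokens OS' 'ServerTokens Prod' \
        'ServerSignature Off' 'TraceEnable Off' > "$d/security.conf"
    printf '%s\n' '[PHP]' 'expose_php = On' '; expose_php = Off' > "$d/php.ini"
    echo "$d"
}

# Live use on the host: audit_disclosure /etc/apache2/conf-enabled/security.conf /etc/php5/apache2/php.ini
```

<p class="card-text">On the constructed samples the audit passes <code>security.conf</code> but flags <code>php.ini</code>, which is the common mistake this catches: a commented-out <code>; expose_php = Off</code> looks right in the editor but changes nothing.</p>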
<h4 class="mt-3">Tweak our performance a bit with mpm_event</h4>
<p class="card-text">Under the event MPM each child process runs multiple threads, and each thread can handle more than one connection at a time. This gives Apache its lowest resource requirements when used with mpm_event.</p>
<p class="card-text">The configuration below is tuned for a higher-load, dedicated web application server.</p>
<pre>nano /etc/apache2/mods-enabled/mpm_event.conf</pre>
<h5>Locate and change the lines shown in<span class="blue"> blue.</span></h5>
<p class="card-text"><span class="orange">Config for a dedicated web application server. If this host is also a mail server, DNS server, and so forth, cut everything in half, set MaxMemFree to a minimum of 4096 (which is 4 megs), and alter as necessary.</span></p>
<p class="card-text">&lt;IfModule mpm_event_module&gt;<br>
<span class="blue"> #StartServers 5</span><br>
<span class="blue"> #MinSpareServers 5</span><br>
<span class="blue"> #MaxSpareServers 10</span><br>
<span class="blue"> #MaxRequestWorkers 150</span><br>
<span class="blue"> #MaxConnectionsPerChild 0</span><br>
<span class="blue"> MaxMemFree 0</span><br>
<span class="blue"> StartServers 5</span><br>
<span class="blue"> MinSpareServers 15</span><br>
<span class="blue"> MaxSpareServers 30</span><br>
<span class="blue"> ServerLimit 32</span><br>
<span class="blue"> MaxClients 256</span><br>
<span class="blue"> MaxRequestWorkers 50</span><br>
<span class="blue"> MaxConnectionsPerChild 1000</span><br>
&lt;/IfModule&gt;</p>
<h4>Close and exit the file</h4>
<kbd>ctrl</kbd><strong> + </strong><kbd>o</kbd> (Save)<br />
<kbd>ctrl</kbd><strong> + </strong><kbd>x</kbd> (Exit)<br />
<h4 class="mt-3">Restart Apache</h4>
<pre>systemctl restart apache2</pre>
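<p class="card-text">The script below is an added example and is not part of the original guide. A restart with a broken MPM block takes the site down, so it is worth checking the <code>&lt;IfModule mpm_event_module&gt;</code> block first. Two caveats a practitioner should know: <code>MinSpareServers</code> and <code>MaxSpareServers</code> are prefork directives (the event MPM's equivalents are <code>MinSpareThreads</code> and <code>MaxSpareThreads</code>), and <code>MaxClients</code> is the pre-2.4 name that httpd 2.4 still accepts as a deprecated alias of <code>MaxRequestWorkers</code>. The script flags both kinds, works out how many child processes the thread settings imply, and wraps the restart in <code>apachectl configtest</code>, which remains the authoritative check. The two sample blocks are constructed: one copies the guide's values, the other uses only event directives.</p>

```shell
#!/bin/sh
# Added example, not part of the original guide: sanity-check the
# <IfModule mpm_event_module> block before restarting Apache.

# Directives the event MPM defines in httpd 2.4, and the deprecated aliases
# it still accepts with a warning. Anything else in the block is an error.
EVENT_OK="StartServers ServerLimit ThreadLimit ThreadsPerChild MinSpareThreads MaxSpareThreads MaxRequestWorkers MaxConnectionsPerChild AsyncRequestWorkerFactor MaxMemFree"
EVENT_DEPRECATED="MaxClients MaxRequestsPerChild"

# Print "Name value" for every uncommented directive inside the event block.
event_directives() {   # event_directives FILE
    awk '/^[[:space:]]*<IfModule[[:space:]]+mpm_event_module>/ { inblk = 1; next }
         /^[[:space:]]*<\/IfModule>/                          { inblk = 0 }
         inblk && $1 !~ /^#/ && NF >= 2                        { print $1, $2 }' "$1"
}

# Report directives the event MPM will reject or warn about; returns 1 if any.
check_event_block() {  # check_event_block FILE
    problems=$(event_directives "$1" | while read -r name value; do
        case " $EVENT_OK " in
            *" $name "*) ;;
            *) case " $EVENT_DEPRECATED " in
                   *" $name "*) echo "deprecated alias: $name $value" ;;
                   *)           echo "not an event MPM directive: $name $value" ;;
               esac ;;
        esac
    done)
    [ -z "$problems" ] || { printf '%s\n' "$problems"; return 1; }
}

# Child processes Apache will run: MaxRequestWorkers / ThreadsPerChild, capped
# by ServerLimit (httpd 2.4 event defaults: 400, 25 and 16 respectively).
child_processes() {    # child_processes FILE
    dirs=$(event_directives "$1")
    threads=$(printf '%s\n' "$dirs" | awk '$1 == "ThreadsPerChild"   { v = $2 } END { print v ? v : 25 }')
    workers=$(printf '%s\n' "$dirs" | awk '$1 == "MaxRequestWorkers" { v = $2 } END { print v ? v : 400 }')
    limit=$(printf '%s\n' "$dirs"   | awk '$1 == "ServerLimit"       { v = $2 } END { print v ? v : 16 }')
    children=$((workers / threads))
    [ $((workers % threads)) -eq 0 ] ||
        echo "warning: MaxRequestWorkers $workers is not a multiple of ThreadsPerChild $threads; Apache lowers it to $((children * threads))" >&2
    [ "$children" -le "$limit" ] ||
        { echo "warning: $children children exceed ServerLimit $limit; Apache caps MaxRequestWorkers at $((limit * threads))" >&2; children=$limit; }
    echo "$children"
}

# Validate first; restart only if the syntax check passes (live use, as root).
configtest_then_restart() {
    apachectl configtest && systemctl restart apache2
}

# Constructed copy of the guide's block, for trying the checks offline.
make_sample_mpm() {    # prints the path of a temp file
    f=$(mktemp)
    printf '%s\n' '<IfModule mpm_event_module>' '    #StartServers 5' '    MaxMemFree 0' \
        '    StartServers 5' '    MinSpareServers 15' '    MaxSpareServers 30' '    ServerLimit 32' \
        '    MaxClients 256' '    MaxRequestWorkers 50' '    MaxConnectionsPerChild 1000' '</IfModule>' > "$f"
    echo "$f"
}

# Constructed block that uses only event directives, in the style of Debian's stock file.
make_clean_mpm() {     # prints the path of a temp file
    f=$(mktemp)
    printf '%s\n' '<IfModule mpm_event_module>' '    StartServers 2' '    MinSpareThreads 25' \
        '    MaxSpareThreads 75' '    ThreadLimit 64' '    ThreadsPerChild 25' \
        '    MaxRequestWorkers 150' '    MaxConnectionsPerChild 0' '</IfModule>' > "$f"
    echo "$f"
}

# Live use on the host:
#   check_event_block /etc/apache2/mods-enabled/mpm_event.conf && configtest_then_restart
```

<p class="card-text">On the constructed copy of the guide's block the checker reports <code>MinSpareServers</code>, <code>MaxSpareServers</code> and <code>MaxClients</code>, and the thread arithmetic shows that <code>MaxRequestWorkers 50</code> with the default <code>ThreadsPerChild 25</code> means only two child processes, well under <code>ServerLimit 32</code>. The clean block passes and yields six children.</p>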
</div>
<!-- This is the end of the bulk content section. -->
<div class="card-footer text-secondary">
<!-- This is the card footer where the next/previous links and arrows go. The links will need to be updated for every page. -->
<a class="text-secondary float-left" href="Step2b-Prep.html"><i class="fa fa-arrow-left fa-2x"></i> PREVIOUS </a> <a class="text-secondary float-right" href="Step3-Lock.html"> NEXT <i class="fa fa-arrow-right fa-2x"></i></a> </div>
</div>
</div>
</div>
</div>
<!-- Add the common footer. -->
<div id="footer"></div>
<!-- Optional JavaScript -->
<!-- jQuery first, then Popper.js, then Bootstrap JS -->
<script src="https://code.jquery.com/jquery-3.3.1.min.js" integrity="sha384-tsQFqpEReu7ZLhBV2VZlAu7zcOV+rXbYlF2cqB8txI/8aZajjp4Bqd+V6D5IgvKT" crossorigin="anonymous"></script>
<script src="https://cdnjs.cloudflare.com/ajax/libs/popper.js/1.14.7/umd/popper.min.js" integrity="sha384-UO2eT0CpHqdSJQ6hJty5KVphtPhzWj9WO1clHTMGa3JDZwrnQq4sF86dIHNDz0W1" crossorigin="anonymous"></script>
<script src="https://stackpath.bootstrapcdn.com/bootstrap/4.3.1/js/bootstrap.min.js" integrity="sha384-JjSmVgyd0p3pXB1rRibZUAYoIIy6OrQ6VrjIEaFf/nJGzIxFDsf4x0xIM+B07jRM" crossorigin="anonymous"></script>
<script src="/js/zombie.js"></script>
</body>
</html>