IIT Inc. - IT Consulting, Staffing and Multimedia Communication Solutions
7 Tips to Harden Your Apache Installation on Linux

6/27/2014

 
Hackers are constantly discovering ways to gain access to Web servers to send spam, launch synchronized attacks on other servers, steal personal information and deface websites. Because Apache is the most commonly used Web server software, hackers focus many of their efforts on trying to discover vulnerabilities they can leverage on an Apache server. After you install Apache from the default APT package on Debian or Ubuntu, or from the default Yum package on Red Hat, CentOS or Fedora, you can strengthen the security of your installation with these seven tips to harden your Apache Web server.

 

1. Keep Your OS Updated. The Apache community is very active and alert to security issues. Make sure that you frequently apply patches for your operating system, which will include security patches for Apache. Update your installation with either Apt or Yum:

    apt-get update && apt-get upgrade    (Debian/Ubuntu)

    yum update                           (RHEL/CentOS/Fedora)


2. Suppress OS Information When Errors Occur. When an error occurs, the default behavior in Apache is to display the Apache version and the operating system flavor and version, for example, "Apache2/2.22 (Debian) Server at 10.16.2.100 Port 80." This gives hackers valuable information they don't need to know. To suppress this information, edit your Apache configuration file:

    /etc/apache2/apache2.conf      (Debian/Ubuntu)

    /etc/httpd/conf/httpd.conf     (RHEL/CentOS/Fedora)

Add the following two settings (ServerSignature Off removes the footer line from server-generated error pages and directory listings; ServerTokens Prod reduces the Server response header to just "Apache"):

    ServerSignature Off

    ServerTokens Prod

And restart your server:

    /etc/init.d/apache2 restart    (Debian/Ubuntu)

    service httpd restart          (RHEL/CentOS/Fedora)


3. Turn Off Directory Listings. If a visitor navigates to a Web directory that doesn't have an index.html, index.php or other valid index file, Apache displays a list of all files in the directory to the visitor. The visitor can then click to open each file and use the listing to navigate the server's file system. Disable this option using an Options directive in your Apache configuration file:

    <Directory /var/www>
        Options -Indexes
    </Directory>

4. Disable the Trace HTTP Request. The HTTP TRACE method echoes the received request, headers included, back to the client. In a cross-site scripting attack, a hacker can use it to read the HTTP cookies and steal the session. Disable the method by editing your Apache configuration file:

    /etc/apache2/apache2.conf      (Debian/Ubuntu)

    /etc/httpd/conf/httpd.conf     (RHEL/CentOS/Fedora)

Add the following setting:

    TraceEnable Off

And restart your server:

    /etc/init.d/apache2 restart    (Debian/Ubuntu)

    service httpd restart          (RHEL/CentOS/Fedora)


5. Protect Your Root Directory. A website visitor should never have access to your server's root directory. If a hacker finds a way there, the directory is protected with the Order directive (this is the Apache 2.2 access-control syntax; on Apache 2.4 the same rule is written as Require all denied). AllowOverride None also stops .htaccess files from relaxing the rule:

    <Directory />
        AllowOverride None
        Order deny,allow
        Deny from all
    </Directory>


6. Disable unnecessary modules. More modules mean more ways for a hacker to exploit your system. Generate a list of modules that are enabled:

    ls /etc/apache2/mods-enabled                  (Debian/Ubuntu)

    grep LoadModule /etc/httpd/conf/httpd.conf    (RHEL/CentOS/Fedora)

Disable the modules you don't need:

    a2dismod <module>    (Debian/Ubuntu; this removes the module's .load and .conf symlinks from /etc/apache2/mods-enabled, the same effect as unlinking them by hand)

    vim /etc/httpd/conf/httpd.conf and prefix the module's LoadModule line with a "#"    (RHEL/CentOS/Fedora)

Then restart your server:

    /etc/init.d/apache2 restart    (Debian/Ubuntu)

    service httpd restart          (RHEL/CentOS/Fedora)

Some modules you might not need include autoindex, include, imap, info, suexec, and userdir.
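As an added check (example code written for this page, not part of the original article or of Apache itself), the shell script below audits a configuration file for the directives from tips 2 through 6. The function names and the two sample configs embedded in it are constructed for the demo; it inspects only the single file you pass it, so on Debian/Ubuntu, where settings are split across conf-enabled and mods-enabled, run it over each file.

```shell
# Added example: audit one Apache config file for the settings from tips 2-6.
# Function names and both sample configs are constructed for this demo.

# Prints one line per check; returns the number of findings (0 = all applied).
audit_apache_conf() {
    findings=0
    active=$(sed 's/#.*$//' "$1")   # drop comments: a commented-out directive is not set
    want() {  # $1 = label, $2 = regex the active (uncommented) config must match
        if printf '%s\n' "$active" | grep -Eiq "$2"; then echo "OK       $1"
        else echo "MISSING  $1"; findings=$((findings + 1)); fi
    }
    want "ServerSignature Off" '^[[:space:]]*ServerSignature[[:space:]]+Off'
    want "ServerTokens Prod"   '^[[:space:]]*ServerTokens[[:space:]]+Prod'
    want "TraceEnable Off"     '^[[:space:]]*TraceEnable[[:space:]]+Off'
    want "Options -Indexes"    '^[[:space:]]*Options[[:space:]].*-Indexes'
    for m in autoindex include imap info suexec userdir; do   # tip 6 candidates
        if printf '%s\n' "$active" | grep -Eiq "^[[:space:]]*LoadModule[[:space:]]+${m}_module"; then
            echo "LOADED   mod_$m (consider disabling)"; findings=$((findings + 1))
        fi
    done
    return "$findings"
}
# Constructed stand-in for a stock config: nothing hardened, autoindex loaded.
sample_default_conf() {
    cat <<'EOF'
ServerTokens OS
ServerSignature On
LoadModule autoindex_module modules/mod_autoindex.so
<Directory /var/www>
    Options Indexes FollowSymLinks
</Directory>
EOF
}
# Constructed stand-in for the same config after tips 2 through 6 were applied.
sample_hardened_conf() {
    cat <<'EOF'
ServerTokens Prod
ServerSignature Off
TraceEnable Off
# LoadModule autoindex_module modules/mod_autoindex.so
<Directory /var/www>
    Options -Indexes
</Directory>
EOF
}
for gen in sample_default_conf sample_hardened_conf; do   # demo run on both samples
    tmp=$(mktemp); "$gen" > "$tmp"; echo "== $gen"
    audit_apache_conf "$tmp" || echo "findings: $?"; rm -f "$tmp"
done
```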


7. Limit outgoing connections. An Apache server should have very few instances where it needs to initiate a connection. Use iptables to place the Apache user's outgoing connections in a specific chain, and only accept the connections on valid ports. For example, to reject all new outgoing connections except email connections to the local mail server on ports 25 and 143, use the following iptables configuration (the ESTABLISHED,RELATED rule must come first so that Apache's replies to its clients are not rejected):

    iptables --new-chain apache2_out
    iptables --append OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    iptables --append OUTPUT -m owner --uid-owner <user> -j apache2_out
    iptables --append apache2_out -p tcp --syn -d 127.0.0.1 --dport 25 -j RETURN
    iptables --append apache2_out -p tcp --syn -d 127.0.0.1 --dport 143 -j RETURN
    iptables --append apache2_out -j REJECT

Substitute www-data for <user> on Debian/Ubuntu or nobody for <user> on RHEL/CentOS/Fedora; check the User directive in your Apache configuration to confirm which account Apache actually runs as.

Then restart iptables (on RHEL/CentOS/Fedora the rules above live only in the running kernel, so run service iptables save first, or the restart will reload the previously saved rule set without them):

    /etc/init.d/iptables restart    (Debian/Ubuntu)

    service iptables restart        (RHEL/CentOS/Fedora)


Disclaimer: This article and other articles provided on this electronic medium are not intended to be advice of any kind; they are provided by IIT Inc. as a value to our readers in the form of information and discussion. We recommend verifying this information and performing your own analysis prior to using any information provided herein.

Let’s Discuss Net Neutrality

5/29/2014

 
Net Neutrality means that the ISP gives identical treatment to each packet of information (those little bits and bytes) travelling on the Internet backbone, regardless of the origin of the packet. That means the ISP does not interfere based on whether the information originated from Amazon, Facebook, Twitter, your corporate servers or Netflix.

Various Internet Service Providers (ISPs) are pushing to take control of Internet traffic and manipulate it as they see fit.

Since ISPs are the last of the many hops that information and data take from their origin before reaching the end customer (you), the ISPs want to control how fast they deliver the information to you, depending on the information's origin and type.

According to some reports, video and other streaming services, like the ones offered by Netflix, Amazon and YouTube, consume a third of the total available Internet bandwidth. This fluctuates depending on the time of day (more streaming traffic during evenings), slowing down other users who are not streaming videos. There have been reports that an ISP took efforts to slow down video streaming, causing 'buffering' errors when end users were trying to watch online videos. This manipulation by the ISP created a debate about whether ISPs have the right to create special fast lanes or slow lanes on the information highway.

 

While I have my opinions, I can see both sides of the argument. Let's use some analogies to discuss this argument.

  • One example that comes to mind is E-ZPass (those electronic devices installed in our cars that allow us to go through faster lanes on a highway). I recall when E-ZPass was first rolled out, drivers paid less to go through toll lanes with E-ZPass. Drivers saved money, as did the toll collectors, since they needed to deploy fewer personnel to collect those tolls. That seemed to be a win-win scenario, which also laid the groundwork for fast adoption of the E-ZPass technology. Then the toll collectors got smart. They started charging the same toll whether you paid cash or used E-ZPass. Drivers still continued using these devices, as they were hooked on the convenience factor. Is there some parallel between E-ZPass and Net Neutrality?

  • Another example I can think of is the equivalent of the "Fast Pass" used in amusement parks like Six Flags and Disney's attractions in Florida. These parks offer regular tickets, where customers have to stand in long lines before entering an attraction. They also offer, for an additional cost, a "Fast Pass". These are frequently more than the actual price of admission to the park. There are customers for both: customers who buy regular priced tickets and choose to stand in long lines, as well as "Fast Pass" customers who are willing to pay extra for the convenience of standing in much shorter lines, thereby improving their experience of the "day at the park". Is there some parallel between Fast Pass and Net Neutrality?

One difference I can see between the above examples and Net Neutrality is that the Internet was founded and promoted "initially" by the US Government, whereas the above examples involve "initial" services from the private sector. While the private sector has a certain amount of freedom in how it charges its customers and in the "menu" of services it chooses to offer them, the public sector domain is frequently bound by laws. However, while the Internet may have been a gift from the public sector, it would be an understatement to say that private sector commercial enterprises dictate the functioning of the Internet as it exists today.

 

A couple of related comments below, from Wikipedia:

  • “Neutrality proponents claim that telecom companies seek to impose a tiered service model in order to control the pipeline and thereby remove competition, create artificial scarcity, and oblige subscribers to buy their otherwise uncompetitive services”

  • “Opponents of net neutrality claim that broadband service providers have no plans to block content or degrade network performance. Despite this claim, there has been a single case where an Internet service provider, Comcast, intentionally slowed peer-to-peer (P2P) communications. Still, other companies have begun to use deep packet inspection to discriminate against P2P, FTP, and online games, instituting a cell-phone style billing system of overages, free-to-telecom "value added" services, and bundling”

 

While I will restrict my opinions on the issue itself, I feel confident to say that “Attorneys from commercial enterprises will keep fighting this issue until they win. There is too much money at stake. Net neutrality will be a thing of the past. I give it three years.”

 

What do you think?



    Author

    Dinesh Gulati, Managing Director, IIT Inc.

    About IIT: Since 1995, IIT has been a leading provider of technology 
    services. Our core services include IT Consulting, Outsourcing and 
    Staffing Services.


Copyright, IIT Inc. 1995 - 2024