Linux Security - Securing Apache2

Captions
[Music] Before we get started with today's video, I just want to take you through the structure of this particular series. We've actually partnered with Linode to bring you this series. This series will involve two parts. If you head over to linode.com, under Events you should find the HackerSploit Linode Live Linux Server Security Series, and you can just click on More Info here. So this series is going to be a 12-part series on how to set up, secure and audit Linux servers, and we'll begin on the first of October. The first series will be available on YouTube and will include SSH security essentials, configuring sudo access, securing Apache 2, securing Nginx and the Uncomplicated Firewall. The second part of the series will be hosted on Linode Live, and it's absolutely free; you don't have to pay anything, and again you can actually register for that there. This is going to be an advanced series that will build off the first series, and we'll cover things like brute-force protection, iptables, WordPress security and security auditing on Linux with the Lynis tool.

So to access that, just click on the registration link on the ON24 platform, and that will take you here. That will give you an idea of all the various webcasts and when they're going to be posted, and it'll give you a summary of what will be covered exactly. These are advanced webcasts that will be about 40 minutes, and you can register for them absolutely free of charge. We've also partnered with Linode to give you guys a free credit. So again, if you are interested in using Linode for your virtual private server or for your hosting, whether you're a developer or an administrator, you can get a hundred dollars of 90-day credit, and this is for new accounts. So that's fantastic; definitely do take advantage of this if you're getting started with Linux or you're following along with this series. However, make sure to actually redeem this offer or this code, which is under promo.linux.com, and the code is hackersploit100. This offer will only be limited till the 15th of December, so definitely check that out. That being said, let's get started with today's video.

Hey guys, HackerSploit here, back again with another video. Welcome back to the Linux security series. In this video we're going to be taking a look at how to secure Apache 2, or Apache, depending on whatever you want to call it, but again we're referring to the latest version of Apache, which is Apache 2. This video is primarily going to be based around working with the configuration file and fixing common security misconfigurations that are made, especially when setting up a LAMP stack or just using Apache in general. We of course will then have a second section, that will be in another video, that will actually cover how to set up web application firewalls like ModSecurity with Apache, and how to set that up so that you have some active filtering of traffic and your web server is able to actively mitigate threats. But in this video we'll be covering some very important security configurations that you need to make and how to set up your Apache configuration securely.

Now, as I said, we are going to be working with the WordPress development server, and by default the Linode, or the image that was used to create it, sets up a LAMP stack, so that means we have Apache already installed for us. We don't have to do anything; we're just configuring it for the development team. So what I'll do is I'll open up my terminal here, and if we take a look at the /var/www directory, if I list out the files within here, you can see that we have two directories that are being served: we have html and we have wordpress, which is where the WordPress installation is installed. And of course, if you take a look very closely at the owner and the owner group, we can see that it belongs to www-data and www-data, which is a great thing to begin with.

So what I'm going to start off with are going to be the security essentials, and we'll then move step by step. Firstly, whenever you're dealing with Apache or any web server technology, you want to ensure that it's updated to the latest version. Now the reason you want to do this is not because of new features, well, that is one option, but for pieces of software like Apache that over the years have had multiple vulnerabilities, almost a major vulnerability for every release, you want to ensure that you keep it up to date, or to the latest version, so that any issues or any vulnerabilities are fixed immediately. And because we're on Debian, this is a rolling release distribution, that means we're going to get the latest packages, so I can just say sudo apt install apache2 (sorry, that is apache3, we don't have that yet, so apache2), and it's going to tell me I'm running the latest version. So that's the first thing you want to do.

The second thing you want to do is ensure that Apache is using a user account or a service account with the lowest privileges possible, or it's using an unprivileged account. Now, with any web server configuration it is recommended that you segregate duties, as we already covered in the previous videos, and again you're segregating duties based on roles. Now we have already given the users their own accounts based on their roles, and as we have seen within the password file, all other service or system accounts that are dealing with services all get their own unprivileged accounts. For example, the MySQL database uses a mysql service account that does not have any privileges whatsoever; you cannot log into it, so on and so forth. That service account is just used for the MySQL database and that service.

Within the default configuration, with any LAMP stack it is recommended that you create www-data, and of course this is going to be responsible for the web server. As you can see, it's carrying the least amount of privileges and again has no particular shell that can be used to log in. Now the reason you want to do this is, in the event your web server is compromised through a vulnerability and someone gets access to the system through the web server, in this case Apache, the user account they'll be greeted with is going to be www-data. Firstly, this account does not have any privileges, so again they have limited access to what they can do on the system. Secondly, they're only limited to the directories that they're currently on; in this case the only directory that they own is going to be the wordpress directory, so they can do all the damage within there, however they can do anything within the system, which is a great thing. And of course we can also disable their ability to actually get a shell session, which is also great. So that's the second thing that you want to do: ensure that your web server, Apache, is using a user account with the least amount of privileges.

Right, now let's take a look at some of the common security misconfigurations that are made plenty of times, especially when we talk about setting up a LAMP stack for WordPress or any other CMS. One of the biggest issues that new users face when configuring their website is they are unaware of the security misconfigurations that I'm just about to show you. One of these misconfigurations is directory listing. So for example, this is the development website, a simple WordPress website. If I go over to the WordPress content directory and I look for the uploads directory and I hit enter, what's this? Well, you can clearly see that I have a directory listing for the uploads folder on this web server that's currently running. That means I can pretty much access all the files that have been uploaded to the WordPress installation, or to the WordPress server, even files that I'm not supposed to see.

Now what's wrong with this? Again, as I said, this is a vulnerability because anyone in the world who can access this website will have access to your uploads folder, and of course not every upload that you make onto your server or onto WordPress is going to be a public asset, which means you may have private files that are being stored there, you may have user files, your website may have authentication in place, and that authentication can all be bypassed by directory listing, or the directory listing vulnerability. Now if you look at this page closely, you can also see another vulnerability, and that is the signature listing vulnerability right over here. Well, it's not signature listing, it's not a vulnerability per se; all it does is it actually lists out the web server technology and the version number that you're using and the operating system that this web server is running on, which is a huge vulnerability because an attacker can now potentially get what version of Apache you're running, and that can further aid them in targeting attacks. They also know what operating system you're running, so that gives them an idea of how to structure the attacks. Now these two vulnerabilities are the most common ones that you'll find even on production websites today that are running on Apache, and again it's very, very simple to fix it.

Now all of these fixes can be applied, or all of the configurations can be made, to the Apache configuration file. The Apache configuration file is found within the /etc directory, and we'll use sudo and I'll use the vim editor, so /etc/apache2 and we're looking for the apache2.conf file. As I said, this is the global configuration file where you can make tons of changes to the web server and how it works; we however are only going to be targeting security.

So firstly, let's take a look at the directory configurations here, which are going to be the most important, and here we have them. So our directory specifications, as you can see here, it gives you a bit of documentation as to what's going on: this sets the default security model of the Apache2 HTTPD server. It does not allow access to the root file system outside of /usr/share and /var/www. The former is used by web applications packaged in Debian and the latter may be used for local directories served by the web server. If your system is serving content from a subdirectory in /srv, you must allow access here. So what this is saying is these are all the directories that are being served by Apache, and of course the one that is of interest to us is /var/www, and then of course we have the html directory and wordpress. Now in here is where you specify all the options for that particular web server configuration. So again, one of the things we need to fix is the fact that the website is indexing directories that should not be indexed, and number two, the signature of the web server is being displayed.

So the first thing we want to do, and I'll just open up my notes here so that I have everything on track, because there's a ton of configuration options that I need to set, the first thing we want to do is set our options. Now before we do that, we also have a file called the .htaccess file; some of you may have heard of it. You can see it tells us: the name of the file to look for in each directory for additional configuration directives. The .htaccess file is where you put any additional configuration options that you want the web server to run, so again we can enter it within the .htaccess file if we want, and the .htaccess file is found within the root of the web server. I'll get to all of this in a second.

And we already have a great security configuration that's added automatically to this configuration file, and you can see it right over here. This is the FilesMatch operator, which specifies that if any files within the web server begin with the string ht, then the user will not be able to access them, and that again is used as a security configuration that is set up to deny anyone access to this file, because as I said it's stored within the root of the web directory. So as of this point in time, all the options that we want to specify must be specified within the .htaccess file. So I'm just going to disable this temporarily, and we'll go back in here.

Now we can create our own directory specification for the wordpress directory, so I'll just do that right now. We will say Directory and we'll say /var/www/html, well, not html, we want wordpress, and we are then going to close that tag, so Directory. So now all the options that we want to configure for the WordPress installation can all be done within here. The first thing that we want to do is set AllowOverride to All, and that means we're going to overwrite any options that have been set. Then we're going to go right at the bottom here and set our options, so Options, and we want to get rid of the indexing, and to get rid of an option within the configuration we use the minus command, or the hyphen, and we say Indexes. Then we also want to get rid of the server signature being displayed, so to do that we say ServerSignature, and the signature is going to be off, so we just say Off here. In addition to this we can also, well, I'll stick with that first because I just want to explain this.

So now that we've saved the changes, we can restart the web server, so I'll just say sudo systemctl, and we'll say restart apache2. The reason we're restarting it is so the new configuration settings can be loaded. We hit enter; we can see we don't get any error, which means everything was successful. So you can see we are currently on this page; if I hit refresh one more time, we still have access here. So I'll just go back into this here, and we will say sudo vim /etc/apache2, and we will also enable it at the root of the web directory here. So we'll get rid of the AllowOverride line right over here, and of course we're granting access to that directory, which is perfectly fine. We'll also add the option here, so Options Indexes, and as I said you can work directly from this directory specification because it includes all files within it; I just showed you how to create the new one right over there. So I'll say restart, and if I restart that now, you can see that it's still listing this out, but the server signature has disappeared.

Now if this happens, then the easiest way of fixing this, if it's still displaying the indexing, is to go directly and create an .htaccess file right over here. So I'll just save that; we've enabled the .htaccess file. We're going to cd /var/www and we say wordpress and hit enter, and then we say vim htaccess, and this is a dot file, so .htaccess, and we hit enter. We can then within here add the options, so we say Options, get rid of the Indexes, and we save this file here. Looks like we do not have the permissions here, so I'll just say w quit and enter, and we'll just quit from here and create the file with sudo. So we say sudo and we hit enter, and of course we'll say Options, sorry, I'll just specify the syntax correctly here, so Options Indexes. Save that, and then we can restart the web server, so sudo systemctl restart apache2, and if we restart that you can now see it's going to tell us Forbidden: you don't have permission to access this resource.

So these are pretty much the most common vulnerabilities that you're going to be faced with. Now of course, the second thing we're going to talk about is, if we try and access html here, you can see it's going to tell us that it's not found; that's because it is configured to access the wordpress directory, which is exactly what we want for the development team. So within the wordpress directory, you can now see if I list all the files in here, we have the .htaccess file that we created, but there's a problem: the .htaccess file belongs to the root user, so we want to change that. So we're going to say chown, and we're going to say www-data and www-data, and we specify .htaccess, the file that we want to change ownership of. We'll just run it with sudo. If we list all the files now, you can see they all belong to the user www-data. And of course with our Apache configuration we saw we had the security configuration that prevents us from accessing the .htaccess file, so we go right over here and say, hey, I want to access .htaccess like this, and I hit enter, and you see it's going to tell us you don't have permission to access this resource, which is excellent. So now again we cannot access any of the directories like the WordPress content, and even if I go on up to the uploads directory you can see I don't have access completely. So these are, as I said, the most important options.

Now let's talk about securing a directory with authentication, or using passwords to secure directories. What I'm referring to exactly is: what if we wanted to password protect our WordPress installation? Let's say the developers are still working on the WordPress website and they want to password protect it from the public, and of course you need a username and password to actually get access.

The way we would do this is, the first thing we want to do is make sure we've updated our repository, so we can say sudo apt update and hit enter, and that's going to update our repository. Secondly, we want to make sure we have Apache utilities installed, so sudo apt install, we'll say apt-get install [Music] and we just say apache2-utils. There we are; we can see we have the utilities installed. Then of course we want to go into the Apache configuration directory, so we're going to say, sorry, /etc/apache2 and apache2 config, and so we will just go into the directory; we don't work with the configuration file yet. We now want to create an htpasswd file, so we're going to say sudo htpasswd, and you can see the command autocompletes there. We'll specify the configuration, so it's going to be /etc/apache2, and then we specify htpasswd, and this is where the password files or the password hashes will be stored, so htpasswd like so. Then we specify the name of the user we want to create for the authentication; in this case we'll just say dev, let's just keep it simple. It's going to ask us for a password; I'll just provide the password here, and there we are, provided the password for the user dev. So if we list the files within this directory, list all of the files, you can see we now have the htpasswd file. If I cat the contents of the htpasswd file here, you can see it gives us our password hash for the user dev, which is excellent.

Now the second thing we want to do is, we can automatically add or set our configuration by modifying the .htaccess file within the wordpress directory. So I'll just go into /var/www and go directly into the wordpress file, and we say sudo vim; we want to access the .htaccess file here, and we'll add some more configurations. This is where we add all the authentication options that we want. So we're going to say AuthType is going to be Basic, and we then want to specify the AuthName, so we'll just call it Development in progress; this is the notice or the authentication name. Then of course we're going to specify the AuthUserFile; this is the file that contains the password, so that's under /etc/apache2. Make sure you get the configuration or the spelling correctly, so the auth file is /etc/apache2 and htpasswd, sorry, that is incorrect, like so. So that's the file that contains the user password. Then of course we need to specify the option Require valid-user, so we need a valid user. After this we can just save that, and we then need to restart the web server, so I'm going to do that right now. Where is the restart command? I'll have to just type it in manually, so sudo apache2 and hit enter, and that's going to restart it for us.

All right, if we now try and access the web server, you can see it's going to tell us please enter username and password, and when we hit cancel it's going to tell us this right over here, so I'll just open that up. It's going to tell us: this server could not verify that you're authorized to access the document requested. Either you supplied the wrong credentials or bad password, or your browser doesn't understand how to supply the credentials. So again, if we try and log in using the credentials we created, so dev and enter the password, we now have access to the WordPress website. So that's a quick little trick that can help you if you want to secure your content using a username and password. It's great if you're storing, as I said, private files on a web server and you want to protect a particular directory; you can do all of that using the authentication options that I've just shown you right over here.

So that's pretty much all the options that I wanted to cover, and of course, as I said, we're going to be talking about preventing web-application-specific attacks using web application firewalls like ModSecurity, but in the next video we'll be taking a look at how to secure an Nginx configuration or an Nginx web server. So I'll be seeing you in the next video. I just want to take a moment to thank all our patrons at patreon.com/hackersploit for all the support. Your support and help is truly appreciated; you keep us making newer and fresher and better content, so I just want to say thank you to all the patrons. So thank you Murph the Surf Daniel Bork Jonathan Kyle Adam Mack Jamal Guillory Defean Barry Jeremy Nikolai Marie Harrah Max Ciao Dustin Empress Michael Hubbard and Jerry Speds. [Music]
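The hardening steps walked through in the captions above, collected into one Apache configuration as an added example (not taken from the video or written by HackerSploit). The paths /var/www/wordpress and /etc/apache2/.htpasswd, the narrowed AllowOverride value and the ServerTokens line are assumptions; ServerTokens is not covered in the video.

```apache
# Added example, not from the video. Paths assume the Debian LAMP layout
# the captions describe.

# --- Before: stock Debian apache2.conf block (directory listing enabled) ---
# <Directory /var/www/>
#     Options Indexes FollowSymLinks
#     AllowOverride None
#     Require all granted
# </Directory>

# --- After: server-wide settings ---
# Remove the version/OS footer from server-generated pages (listings, errors).
ServerSignature Off
# Assumption, not covered in the video: also trim the Server response header.
ServerTokens Prod

<Directory /var/www/>
    # No auto-generated listing when a directory has no index file;
    # the request gets 403 Forbidden instead.
    Options -Indexes +FollowSymLinks
    AllowOverride None
    Require all granted
</Directory>

<Directory /var/www/wordpress>
    # Allow .htaccess to change only what it needs, rather than All.
    # AuthConfig covers Auth*/Require lines; FileInfo covers the mod_rewrite
    # rules WordPress writes for permalinks.
    AllowOverride AuthConfig FileInfo

    # Password-protect the development site. Basic auth sends credentials
    # base64-encoded, not encrypted, so this belongs behind TLS.
    AuthType Basic
    AuthName "Development in progress"
    # Password file kept outside the web root (path is an assumption).
    AuthUserFile /etc/apache2/.htpasswd
    Require valid-user
</Directory>

# Keep the stock rule that blocks requests for .htaccess and .htpasswd files.
<FilesMatch "^\.ht">
    Require all denied
</FilesMatch>

# Create the password file once (prompts for the password of user "dev"):
#   sudo htpasswd -c /etc/apache2/.htpasswd dev
# Check the syntax before loading the new configuration:
#   sudo apache2ctl configtest && sudo systemctl reload apache2
```

With the settings in the main configuration, the listing is switched off for everything under /var/www without relying on a per-directory .htaccess file, and the FilesMatch rule stays enabled throughout.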
Info
Channel: HackerSploit
Views: 29,338
Keywords: hackersploit, hacker exploit, kali linux, hacking, linux, mastering linux security and hardening, security, linux security, linux security tutorial, linux security hardening, linux security course, linux server security, linux tutorial for beginners, ssh, ssh security, linux commands, linux tutorial, securing linux, securing linux server, how to secure linux, how to secure linux server, how to secure linux server from hackers, linode, linode tutorial, securing apache web server
Id: M1GpRWWRdC8
Length: 23min 42sec (1422 seconds)
Published: Sat Oct 03 2020