Securing Apache 2 | HackerSploit Linux Security

Video Statistics and Information

Captions
Hey guys, HackerSploit here, back again with another video. Welcome back to the Linux security series. In this video we're going to be taking a look at how to secure Apache 2, or Apache, depending on whatever you want to call it, but again we're referring to the latest version of Apache, which is Apache 2. And this video is primarily going to be based around working with the configuration file and fixing common, you know, security misconfigurations that are made, especially when setting up a LAMP stack or just using Apache in general. We of course will then have a second section, that will be in another video, that will actually cover how to set up web application firewalls like ModSecurity with Apache and how to set that up, you know, so that you have some active filtering of traffic and again your web server is able to actively, you know, mitigate threats. But in this video we'll be covering some very important security configurations that you need to make and how to set up your Apache configuration securely.

Now, as I said, we are going to be working with the WordPress development server, and by default the Linode, or the image that was used to create it, sets up a LAMP stack, so that means we have Apache already installed for us, so we don't have to do anything, we're just configuring it for the development team. So what I'll do is I'll open up my terminal here, and if we take a look at the /var/www directory, you can see that if I list out the files within here, we have two directories that are being served: we have html and we have wordpress, which is where the WordPress installation is installed. And of course, if you take a look very closely at the owner and the owner group, we can see that it belongs to www-data and www-data, which is a great thing to begin with. So what I'm going to start off with are going to be the security essentials, and then we'll move step by
step. So firstly, the first thing you want to ensure whenever you're dealing with Apache or any web server technology, you want to ensure that it's updated to the latest version. Now the reason you want to do this is not because of new features, or well, that is one option, but for pieces of software like Apache that, you know, over the years have had multiple vulnerabilities, almost a major vulnerability for every release, you want to ensure that you keep it up to date or to the latest version so that any issues or any vulnerabilities are fixed immediately, right? And because we're on Debian, this is a rolling release distribution, that means we're going to get the latest packages, so I can just say sudo apt install apache2, sorry, that is apache3, we don't have that yet, so apache2, and it's going to tell me I'm running the latest version. So that's the first thing you want to do.

The second thing you want to do is you want to ensure that Apache is using a user account or a service account with the lowest privileges possible, or it's using an unprivileged account. Now you can see that by default, with any web server configuration, it is recommended that you segregate duties, as we already covered in the previous videos, and again you're segregating duties based on roles. Now we have already given the users their own accounts based on their roles, and as we have seen within the passwd file, all other service or system accounts that again are dealing with services all get their own unprivileged accounts. For example, the MySQL database has or uses a mysql service account that again does not have any privileges whatsoever, you cannot log into it, so on and so forth, right? That service account is just used for the MySQL database and that service. Within the default configuration with any LAMP stack, it is recommended that you create www-data, and of course this is going to be responsible for the web server. As you can see, it's carrying the least amount of
privileges and again has no particular shell that can be used to log in. Now the reason you want to do this is again, in the event your web server is compromised through a vulnerability and someone gets access to the system through the web server, and in this case Apache, the user account they'll be greeted with is going to be www-data. And firstly, this account does not have any privileges, so again they have limited access to what they can do on the system. Secondly, they're only limited to the directories that they currently own; in this case the only directory that they own is going to be the wordpress directory, so they can do all the damage within there, however they can't do anything within the system, which is a great thing. And of course we can also disable their ability to actually get a shell session, which is also great. So that's the second thing that you want to do: ensure that your web server or Apache is using a user account with the least amount of privileges, right?

Now let's take a look at some of the common security misconfigurations that are made plenty of times, and especially when we talk about, you know, setting up a LAMP stack for WordPress or any other CMS. One of the biggest issues that new users face when configuring their website is they are unaware of the security misconfigurations that I'm just about to show you. One of these misconfigurations is directory listing. So for example, this is the development website, you know, it's a simple WordPress website. If I go over to the wp-content directory and I look for the uploads directory and I hit enter, what's this? Well, you can clearly see that I have a directory listing for the uploads folder on this web server that's currently running, so that means I can pretty much access all the files that have been uploaded to the WordPress installation or to the WordPress server, even files that I'm not supposed to see. Now, what's wrong with this? Again, as I said,
this is a vulnerability because anyone in the world who can access this website will have access to your uploads folder, and of course not every upload that you make onto your server or that you make onto WordPress is going to be a public asset, which means again you may have private files that are being stored there, you may have user files, your website may have authentication in place, and that authentication can all be bypassed by directory listing or the directory listing vulnerability.

Now if you look at this page closely, you can also see another vulnerability, and that is the signature listing, a vulnerability right away. Well, it's not signature listing, it's not a vulnerability per se; all it does is it actually lists out the web server technology and the version number that you're using and the operating system that this web server is running on, which is a huge vulnerability, because an attacker can now of course potentially get what version of Apache you're running, that can further aid them in targeting attacks. They also know what operating system you're running, so that gives them an idea of how to structure the attacks. Now these two vulnerabilities are the most common ones that again you'll find even on production websites today that are running on Apache, and again it's very, very simple to fix it.

Now all of these fixes can be applied, or all of the configurations can be made, to the Apache configuration file. Now the Apache configuration file is found within the /etc directory, and we'll use sudo and I'll use the vim editor, so /etc/apache2, and we're looking for the apache2.conf file. Now as I said, this is the global configuration file where you can make tons of changes to the web server, how it works; we however are only going to be targeting security, right? So firstly let's take a look at the directory configurations here, which are going to be the most important, right, and here we have them. So our directory
specifications, as you can see here, it gives you a bit of documentation as to what's going on. So this sets the default security model of the Apache2 HTTPD server. It does not allow access to the root file system outside of /usr/share and /var/www. The former is used by web applications packaged in Debian and the latter may be used for local directories served by the web server. If your system is serving content from a sub-directory in /srv you must allow access here. So what this is saying is these are all the directories that are being served by Apache, and of course the one that is of interest to us is /var/www, and then of course we have the html directory and wordpress. Now in here is where you specify all the options for that particular web server configuration. So again, one of the things we need to fix is the fact that the website is indexing directories that should not be indexed, and number two, the signature of the web server is being displayed.

So the first thing we want to do, and I'll just open up my notes here so that I have everything on track here, because there's a ton of configuration options that I need to set, the first thing we want to do is we want to set our options. Now before we do that, we also have a file called the .htaccess file; some of you may have heard of it. Now the .htaccess file, you can see it tells us the name of the file to look for in each directory for additional configuration directives. The .htaccess file is where you put any additional configuration options that you want the web server to run, so again we can enter it within the .htaccess file if we want, and the .htaccess file is found within the root of the web server. I'll get to all of this in a second. And we already have a great security configuration that's added automatically to this configuration file, and you can see it right over here. So this is the FilesMatch operator, which specifies that if all files or
any files within the web server match ht, right, or they begin with the string ht, then that means that the user will not be able to access them, and that again is used as a security configuration that is set up to deny anyone access to this file, because as I said it's stored within the root of the web directory. So as of this point in time, all the configurations, all the options that we want to specify, must be specified within the .htaccess directory or the .htaccess file. So I'm just going to disable this temporarily, right, and we'll just disable that and we'll go back in here.

Now we can create our own directory specification for the wordpress directory, so I'll just do that right now. So we will say Directory and we'll say /var/www/html, well not html, we want wordpress, right, and we are then going to close that tag, so Directory. So now all the options that we want to configure for the WordPress installation can all be done within here. So the first thing that we want to do is we want to set AllowOverride to All, so we'll set AllowOverride to All, and that means we're going to overwrite any options that have been set. And then we're going to go right at the bottom here and we're going to set our options, so Options, and we want to get rid of the indexing, and to get rid of an option within the configuration we use the minus command or the hyphen and we say Indexes, right? And then we also want to get rid of the server signature being displayed, so to do that we say ServerSignature, so the signature is going to be off, right, so we just say Off here. And in addition to this we can also, well, I'll stick with that first because I just want to explain this. So now that we've saved the changes, we can now restart the web server, so I'll just say sudo systemctl and we'll say restart apache2.
The reason we're restarting it is so the new configuration settings can be loaded. We hit enter, we can see we don't get any error, which means everything was successful. So you can see we are currently on this page; if I hit refresh one more time, we still have access here. So I'll just go back into this here and we will say sudo vim /etc/apache2, and we will also enable it at the root of the web directory here, so we'll get rid of the AllowOverride line right over here, and of course we are granting access to that directory, which is perfectly fine. So we'll also add the option here, so Options Indexes, and as I said you can work directly from this directory specification because it includes all files within it; I just showed you how to create the new one right over there. So I'll say restart, and if I restart that now, you can see that it's still listing this out but the server signature has disappeared.

Now if this happens, then the easiest way of fixing this, if it's still displaying the indexing, is to go directly and create an .htaccess file right over here. So I'll just save that, we've enabled the .htaccess file, and we're going to cd /var/www and we say wordpress and we hit enter, and then we say vim htaccess, this is a dot file, so .htaccess, and we hit enter, and we can then within here add the options, so we say Options, get rid of the Indexes, and we save this file here. And it looks like we do not have the permissions here, so I'll just say w quit and enter, and we'll just quit from here and we'll create the file with sudo, so we say sudo and we hit enter, and of course we'll say Options, sorry, I'll just specify the syntax correctly here, so Options Indexes, save that, and then we can restart the web server, so sudo systemctl restart apache2, and if we restart that you can now see it's going to tell us "Forbidden: You don't have permission to access this resource". So these are pretty much the most common vulnerabilities that you're going to be
you're going to be faced with. Now of course the second thing we're going to talk about is if we try and access, you know, html here, you can see it's going to tell us that it's not found; that's because it is configured to access the wordpress directory, which is exactly what we want for the development team. So within the wordpress directory you can now see, if I list all the files in here, we have the .htaccess file that we created, but there's a problem: the .htaccess file belongs to the root user, so we want to change that. So we're going to say chown, and we're going to say www-data and we say www-data, and we specify .htaccess, the file that we want to change ownership of. So we'll just run it with sudo. If we list all the files now, you can see now they all belong to the user www-data. And of course with our Apache configuration we saw we had the security configuration that prevents us from accessing the .htaccess file, so if we go right over here and say, hey, I want to access .htaccess like this, and I hit enter, you see it's going to tell us you don't have permission to access this resource, which is excellent. So now again we cannot access any of the directories like wp-content, and even if I go on up to the uploads directory you can see I don't have access completely. So these are, as I said, the most important options.

Now let's talk about securing a directory with authentication, or using passwords to secure directories. So to do this, and what I'm referring to exactly is, what if we wanted to password protect our WordPress installation? Let's say the developers are still working on the WordPress website and they want to password protect it from the public, and of course you need your username and password to actually get access. The way we would do this is, the first thing we want to do is we want to make sure we've updated our repository, so we can say sudo apt update and hit enter
and that's going to update our repository. Secondly, we want to make sure we have the Apache utilities installed, so sudo apt install, we'll say apt-get install apache2-utils, and we just say apache2-utils. There we are, we can see we have the utilities installed. And then of course we want to go into the Apache configuration directory, so we're going to say, sorry, /etc/apache2 and apache2.conf, and sorry, we'll just go into the directory, we don't work with the configuration file yet. We now want to create an .htpasswd file, so we're going to say sudo htpasswd, and you can see the command autocompletes there, we'll specify the configuration, so it's going to be /etc/apache2 and then we specify .htpasswd, and this is where the password files, all the password hashes, will be stored, so .htpasswd like so, and then we specify the name of the user we want to create for the authentication. In this case I'll just say dev, right, let's just keep it simple, so we'll say dev. It's going to ask us for a password, I'll just provide the password here, and there we are, provided the password for the user dev. So if we list the files within this directory, and I'll list all of the files, you can see we now have the .htpasswd file. So if I cat the contents of the .htpasswd file here, you can see it gives us our password hash for the user dev, right, which is excellent.

Now the second thing we want to do is we can automatically add or set our configuration by modifying the .htaccess file within the wordpress directory, so I'll just go into /var/www and we'll go directly into the wordpress directory and we say sudo vim, we want to access the .htaccess file here, and we'll add some more configurations. This is where we add all the authentication options that we want. So we're going to say AuthType is going to be Basic, and we then want to specify the AuthName, so we're going to say, we'll just call it "Development in progress"; this
is the notice or the authentication name, and then of course we're going to specify the AuthUserFile, right, so AuthUserFile, this is the file that contains the password, so that's under /etc/apache2, make sure you get the configuration, all the spelling, correctly, so AuthUserFile is /etc/apache2 and .htpasswd, sorry, that is incorrect, like so, so that's the file that contains the user password. And then of course we need to specify the option Require, Require valid-user, so we need a valid user, and after this we can just save that and we then need to restart the web server. So I'm going to do that right now, so where is the restart command, or I'll have to just type it in manually, so sudo apache 2, and that's going to restart it for us.

If we now try and access the web server, you can see it's going to tell us please enter username and password, and when we hit cancel it's going to tell us this right over here, so I'll just open that up, it's going to tell us this server could not verify that you're authorized to access the document requested, either you supplied the wrong credentials or bad password or your browser doesn't understand how to supply the credentials. So again, if we try and log in using the credentials we created, so dev and enter the password, we now have access to the WordPress website. So that's a quick little trick that can help you if you want to secure your content using a username and password. It's great if you're storing, again as I said, private files on a web server and you want to protect a particular directory; you can do all of that using the authentication options that I've just shown you right over here. So that's pretty much all the options that I wanted to cover, and of course as I said we're going to be talking about preventing web application specific attacks using, you know, web application firewalls like ModSecurity,
but in the next video we'll be taking a look at how to secure an Nginx configuration or Nginx web server.
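
An added example, not part of the video or its captions: a small Python audit that reads Apache configuration text and reports the three issues the video covers (directory listing through `Indexes`, `ServerSignature`, and access to `.ht*` files). The sample configurations and the function names `audit` and `indexes_state` are constructed for illustration; nested sections and included files are assumed not to be present.

```python
import re

# Constructed sample configurations (not copied from the server in the video).
WEAK = r"""
<Directory /var/www/>
    Options Indexes FollowSymLinks
    AllowOverride None
    Require all granted
</Directory>
ServerSignature On
"""
HARDENED = r"""
<Directory /var/www/>
    Options FollowSymLinks
    Require all granted
</Directory>
<Directory /var/www/wordpress>
    Options -Indexes
    AllowOverride All
</Directory>
<FilesMatch "^\.ht">
    Require all denied
</FilesMatch>
ServerSignature Off
"""

def indexes_state(tokens):
    """True/False if this Options line decides Indexes, None if it inherits."""
    names = [t.lower() for t in tokens]
    if not any(n[0] in "+-" for n in names):   # absolute form replaces inherited options
        return any(n in ("indexes", "all") for n in names)
    if "-indexes" in names:
        return False
    return True if "+indexes" in names else None

def audit(conf):
    """Return findings for directory listing, server signature and .ht* access."""
    dirs, section, signature, ht_denied = {}, None, None, False
    for raw in conf.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        opened = re.match(r'<(Directory|FilesMatch)\s+"?([^">]+)"?\s*>', line, re.I)
        if opened:                              # assumes sections are not nested
            section = (opened.group(1).lower(), opened.group(2))
        elif line.startswith("</"):
            section = None
        else:
            name, *args = line.split()
            kind, target = section or (None, "")
            if name.lower() == "options" and kind == "directory":
                dirs[target.rstrip("/") or "/"] = indexes_state(args)
            elif name.lower() == "serversignature" and args:
                signature = args[0].lower()
            elif name.lower() == "require" and kind == "filesmatch" and target.startswith(r"^\.ht"):
                ht_denied = [a.lower() for a in args] == ["all", "denied"]
    findings = []
    for path in sorted(dirs):
        # Nearest enclosing <Directory> that decides Indexes wins; default is off.
        chain = sorted((d for d in dirs if (path + "/").startswith(d.rstrip("/") + "/")),
                       key=len, reverse=True)
        if next((dirs[d] for d in chain if dirs[d] is not None), False):
            findings.append(f"directory listing (Indexes) enabled for {path}")
    if signature != "off":
        findings.append("ServerSignature is not set to Off in this file")
    if not ht_denied:
        findings.append("no FilesMatch block denying access to .ht* files")
    return findings

if __name__ == "__main__":
    for label, conf in (("weak", WEAK), ("hardened", HARDENED)):
        print(label, audit(conf))
```

A relative `Options` line such as `Options +FollowSymLinks` does not switch `Indexes` off, so a subdirectory below a directory with `Options Indexes` is still reported.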
Info
Channel: Linode
Views: 1,234
Keywords: linode, linux, cloud computing, alternative cloud, linux server, open source, sysadmin, apache, apache 2, securing apache 2, linux securing apache, secure apache server, apache server security, apache webserver, linux server security, securing linux server, linux security, linux security tutorial, linux tutorial, linux commands, linux web server, linux security hardening, how to secure linux, secure web server, apache web server, linode tutorial, hacker exploit, hackersploit
Id: tgxlkuQxkQY
Length: 21min 4sec (1264 seconds)
Published: Mon May 03 2021