Basic Apache Hardening in SLES 10

I set up a SuSE Enterprise Linux (SLES) 10 SP2 web server last week, and wanted to do some basic hardening of the default Apache configuration. Here’s what I did.

  1. edit /etc/apache2/httpd.conf
  2. Add RewriteEngine On
  3. Add RewriteLogLevel 2
  4. Add RewriteLog /var/log/apache2/rewrite.log
  5. Add ServerSignature Off
    The ServerSignature directive allows the configuration of a trailing footer line under server-generated documents
  6. Add ServerTokens Prod
    This directive controls whether the Server response header field sent back to clients includes a description of the generic OS type of the server as well as information about compiled-in modules
  7. Add ErrorDocument 500 "Internal server error" to return a generic error message when an HTTP 500 error occurs
  8. Add ErrorDocument 404 "An unknown error occurred, please try again later" (HTTP 404 = not found)
  9. Add ErrorDocument 403 "An unknown error occurred, please try again later" (HTTP 403 = forbidden)
  10. Save – exit httpd.conf
  11. touch /var/log/apache2/rewrite.log to create the rewrite.log file
  12. touch /srv/www/htdocs/.htaccess to create the .htaccess file
  13. Edit the /srv/www/htdocs/.htaccess file
  14. Add Options +FollowSymLinks -MultiViews
    Note: FollowSymLinks must be set to + for rewrite to work!
  15. Add rewrite rules appropriate for your environment.  I’m using some rules that can be found in the Pauldotcom Security Weekly episode #94 show notes, which were based on a post by nullbyte.
  16. Save – exit .htaccess
  17. YaST – Network Services – HTTP Server
  18. Server Modules tab – rewrite – toggle status to enabled – finish
  19. From a terminal run: SuSEconfig
  20. From a terminal run: /etc/init.d/apache2 restart
  21. With a web browser, try to access a page on the server that does not exist, i.e. http://server/nothere.html
  22. View /var/log/apache2/rewrite.log
    You should see the attempt logged
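A quick way to check that the httpd.conf changes from steps 5 to 9 actually took effect is to audit the file for the directives this post sets. The script below is an added example, not part of the original post; it writes two constructed sample configs (one default-style, one with the post's settings) to temp files and reports which hardening directives are missing or still at the information-leaking default.

```bash
#!/bin/sh
# Audit an httpd.conf for the directives set in this post (ServerTokens,
# ServerSignature, ErrorDocument 403/404/500). Sample configs are constructed
# inline so the check runs offline; point it at /etc/apache2/httpd.conf for real use.
set -eu

# Effective value of a directive, lowercased: last non-comment occurrence wins, as in Apache.
directive_value() {  # $1 = config file, $2 = directive name (case-insensitive)
    awk -v name="$2" '
        $1 !~ /^#/ && tolower($1) == tolower(name) { value = $2 }
        END { print tolower(value) }' "$1"
}

# Print one line per weak or missing setting, then the finding count as the last line.
audit_apache_conf() {  # $1 = config file
    count=0
    tokens=$(directive_value "$1" ServerTokens)
    if [ "$tokens" != "prod" ]; then
        echo "ServerTokens is '${tokens:-unset}' (leaks OS/module info); set ServerTokens Prod"
        count=$((count + 1))
    fi
    sig=$(directive_value "$1" ServerSignature)
    if [ "$sig" != "off" ]; then
        echo "ServerSignature is '${sig:-unset}' (adds a version footer); set ServerSignature Off"
        count=$((count + 1))
    fi
    for code in 403 404 500; do
        if ! awk -v c="$code" '$1 !~ /^#/ && tolower($1) == "errordocument" && $2 == c { found = 1 }
                               END { exit !found }' "$1"; then
            echo "no ErrorDocument for $code; Apache's default error page is served"
            count=$((count + 1))
        fi
    done
    echo "$count"
}

finding_count() { audit_apache_conf "$1" | tail -n 1; }  # just the number

DEFAULT_CONF=$(mktemp)   # constructed sample resembling an unhardened install
printf '%s\n' '# constructed sample' 'ServerTokens OS' 'ServerSignature On' \
    'ErrorDocument 404 "Not found"' > "$DEFAULT_CONF"
HARDENED_CONF=$(mktemp)  # constructed sample with the settings from this post
printf '%s\n' 'RewriteEngine On' 'RewriteLogLevel 2' 'RewriteLog /var/log/apache2/rewrite.log' \
    'ServerSignature Off' 'ServerTokens Prod' 'ErrorDocument 500 "Internal server error"' \
    'ErrorDocument 404 "An unknown error occurred, please try again later"' \
    'ErrorDocument 403 "An unknown error occurred, please try again later"' > "$HARDENED_CONF"

echo "== default-style config =="; audit_apache_conf "$DEFAULT_CONF"
echo "== hardened config =="; audit_apache_conf "$HARDENED_CONF"
```

The default-style sample yields four findings (ServerTokens, ServerSignature, and missing ErrorDocument 403 and 500); the hardened sample yields none.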
