I set up a SuSE Enterprise Linux (SLES) 10 SP2 web server last week, and wanted to do some basic hardening of the default Apache configuration. Here's what I did.
- Edit /etc/apache2/httpd.conf
- Add RewriteEngine On
- Add RewriteLogLevel 2
- Add RewriteLog /var/log/apache2/rewrite.log
- Add ServerSignature Off
The ServerSignature directive configures the trailing footer line shown under server-generated documents.
- Add ServerTokens Prod
The ServerTokens directive controls whether the Server response header sent back to clients includes a description of the generic OS type of the server and information about compiled-in modules.
- Add ErrorDocument 500 "Internal server error" to return a generic error message when an HTTP 500 error occurs
- Add ErrorDocument 404 "An unknown error occurred, please try again later" (HTTP 404 = not found)
- Add ErrorDocument 403 "An unknown error occurred, please try again later" (HTTP 403 = forbidden)
- Save – exit httpd.conf
- touch /var/log/apache2/rewrite.log to create the rewrite.log file
- touch /srv/www/htdocs/.htaccess to create the .htaccess file
- Edit the /srv/www/htdocs/.htaccess file
- Add Options +FollowSymLinks -MultiViews
Note: FollowSymLinks must be set to + for rewrite to work!
- Add rewrite rules appropriate for your environment. I'm using some rules that can be found in the Pauldotcom Security Weekly episode #94 show notes, which were based on a post by nullbyte.
- Save – exit .htaccess
- YaST – Network Services – HTTP Server
- Server Modules tab – rewrite – toggle status to enabled – finish
- From a terminal run: SuSEconfig
- From a terminal run: /etc/init.d/apache2 restart
- With a web browser, try to access a page on the server that does not exist, e.g. http://server/nothere.html
- View the /var/log/apache2/rewrite.log
You should see the attempt logged.
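
To confirm the httpd.conf settings from the steps above actually took effect, here is a small audit script (an added example, not part of the original post). The function names are hypothetical, the sample config is constructed, and the script reads only the one file it is given without following Include lines.

```shell
# Added example (helper names are hypothetical); audits one file, ignores Include.

# last_value FILE DIRECTIVE: first argument of the last uncommented occurrence,
# since a later line at the same scope overrides an earlier one.
last_value() {
    awk -v d="$2" 'tolower($1) == tolower(d) { v = $2 } END { print v }' "$1"
}

# has_errordoc FILE CODE: succeeds if a custom ErrorDocument exists for CODE.
has_errordoc() {
    awk -v c="$2" 'tolower($1) == "errordocument" && $2 == c { f = 1 } END { exit !f }' "$1"
}

# audit_conf FILE: prints one FAIL line per problem; exit status = problem count.
audit_conf() {
    conf=$1
    bad=0
    while read -r name want; do
        got=$(last_value "$conf" "$name" | tr '[:upper:]' '[:lower:]')
        case "$got" in
            $want) ;;
            *) echo "FAIL: $name is '${got:-unset}', want $want"
               bad=$((bad + 1)) ;;
        esac
    done <<'EOF'
ServerSignature off
ServerTokens prod*
RewriteEngine on
EOF
    for code in 500 404 403; do
        has_errordoc "$conf" "$code" && continue
        echo "FAIL: no ErrorDocument for $code"
        bad=$((bad + 1))
    done
    return "$bad"
}

# Constructed sample: a later "ServerTokens OS" overrides the hardened value,
# and the 403 ErrorDocument is commented out.
sample=$(mktemp)
cat > "$sample" <<'EOF'
ServerSignature Off
ServerTokens Prod
RewriteEngine On
ErrorDocument 500 "Internal server error"
ErrorDocument 404 "An unknown error occurred, please try again later"
# ErrorDocument 403 "An unknown error occurred, please try again later"
ServerTokens OS
EOF
audit_conf "$sample" || echo "$? setting(s) need attention"
```

Run `audit_conf /etc/apache2/httpd.conf` after editing; an exit status of 0 means every setting from the list is present and not overridden later in that file.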
August 4, 2008 at 9:28 am
Thanks.
November 8, 2008 at 3:53 am
Why the rewrite, what for?