Top Easy Steps to Implement Server Security

Published in

An Idea (by Ingenious Piece)

5 min readJul 7, 2019

Web server security is the protection of information assets that can be accessed from a Web server. Web server security is important for any organization that has a physical or virtual Web server connected to the Internet. Web site security logs should be audited on a continuous basis and stored in a secure location.

It is not so difficult to implement Server security. I will walk through some of the security Parameter which gives your web server a defense wall.

Remove Server Version Banner

As you don’t want to reveal your web server version. The reveling version helps hacker to recognize your server details. The default configuration allows below details to all.

Add these configurations in your apache

ServerTokens Prod
ServerSignature Off

Disable directory browser listing

Stop exposing your directory listing.

Showing all the directory listing from your application

Go to your virtual host and add the below config

<Directory /opt/apache/htdocs>
Options -Indexes
</Directory>
OR
<Directory /opt/apache/htdocs>
Options None
</Directory>

Hide Etag in your Response

An entity tag (ETag) is an HTTP header used for Web cache validation and conditional requests from browsers for the resource.

Add below line to your config to hide this.

FileETag None

configuration directory permission

You can disallow another user to get into conf and bin folder.
chmod –R 750 your bin and conf

Protect your server setting

In a default installation, users can override apache configuration using .htaccess. If you want to stop users from changing your apache server settings, you can add AllowOverride to None as shown below.
<Directory /> AllowOverride None </Directory>

Protect your HTTP Request Methods

HTTP 1.1 protocol support many request methods which may not be required and some of them are having potential risk.

Typically you may need GET, HEAD, POST request methods in a web application, which can be configured in the respective Directory directive.

Default configuration support OPTIONS, GET, HEAD, POST, PUT, DELETE, TRACE, CONNECT method in HTTP 1.1 protocol.
<LimitExcept GET POST HEAD> deny from all </LimitExcept>

Disable Trace HTTP Request

By default Trace method is enabled in Apache web server. Having this enabled can allow Cross Site Tracing attack and potentially giving an option to a hacker to steal cookie information. Let’s see how it looks like in the default configuration.

Add the following directive and save the httpd.conf to blocking Cross Site Tracing attack

TraceEnable off

As you could see in the above TRACE request, it has blocked my request with HTTP 405 Method Not Allowed.

Set cookie with HttpOnly and Secure flag

You can mitigate most of the common Cross Site Scripting attack using HttpOnly and Secure flag in a cookie. Without having HttpOnly and Secure, it is possible to steal or manipulate web application session and cookies, and it’s dangerous.

Ensure mod_headers.so is enabled in your httpd.conf
Header edit Set-Cookie ^(.*)$ $1;HttpOnly;Secure

Avoid Clickjacking Attack

Clickjacking is an attack that tricks a user into clicking a webpage element which is invisible or disguised as another element. This can cause users to unwittingly download malware, visit malicious web pages, provide credentials or sensitive information, transfer money, or purchase products online.

Mitigating clickjacking with X-Frame-Options response header

The X-Frame-Options response header is passed as part of the HTTP response of a web page, indicating whether or not a browser should be allowed to render a page inside a <FRAME> or <IFRAME> tag.

<IfModule headers_module>
<IfVersion >= 2.4.7 >
Header always setifempty X-Frame-Options DENY
</IfVersion>
<IfVersion < 2.4.7 >
Header always merge X-Frame-Options DENY
</IfVersion>
RequestHeader unset Proxy
</IfModule>

There are three values allowed for the X-Frame-Options header:

DENY — does not allow any domain to display this page within a frame
SAMEORIGIN — allows the current page to be displayed in a frame on another page, but only within the current domain
ALLOW-FROM URI — allows the current page to be displayed in a frame, but only in a specific URI — for example, www.example.com/frame-page

Server Side Include

Server Side Include (SSI) has a risk of increasing the load on the server. If you have shared the environment and heavy traffic web applications you should consider disabling SSI by adding Includes in Options directive.

SSI attack allows the exploitation of a web application by injecting scripts in HTML pages or executing codes remotely.

<Directory /opt/apache/htdocs> Options –Indexes -Includes Order allow,denyAllow from all </Directory>

Note: if you have multiple Directory directives in your environment, you should consider doing the same for all.

SSL

Having SSL is an additional layer of security you are adding into Web Application. However, the default SSL configuration leads to certain vulnerabilities, and you should consider tweaking those configurations.

X-XSS Protection

Cross Site Scripting (XSS) protection can be bypassed in many browsers. You could apply this protection for a web application if it was disabled by the user. This is used by a majority of giant web companies like Facebook, Twitter, Google, etc.

Header set X-XSS-Protection "1; mode=block"

As you can see, XSS-Protection is injected in the response header.

Add google reCAPTCHA v3

reCAPTCHA v3 is a new version that detects abusive traffic on your website without user friction. It returns a score for each request you send to reCAPTCHA and gives you more flexibility to fight against spam and abuse in your own way

Above are some top steps that you can add in your server to avoid hack event.i will share new stories around mod security, SSL Cipher.