Top Easy Steps to Implement Server Security
Web server security is the protection of the information assets that can be accessed through a web server. It matters for any organization that has a physical or virtual web server connected to the Internet. Web server security logs should be audited continuously and stored in a secure location.
Implementing server security is not difficult. I will walk through some of the security parameters that give your web server a defensive wall.
Remove Server Version Banner
You don't want to reveal your web server version: a revealed version string helps an attacker fingerprint your server and pick matching exploits. The default configuration exposes these details to everyone.
Add the ServerTokens and ServerSignature directives to your Apache httpd.conf so that only the product name, not the version, is sent.
Disable directory browser listing
Stop exposing your directory listings.
By default, a directory without an index file shows a listing of every file in it to anyone who requests the URL, which reveals the layout of your application.
Go to your virtual host configuration and turn off directory listings with -Indexes in the Options directive of the relevant Directory section.
Hide Etag in your Response
The default ETag header reveals file metadata (modification time and size, and on older versions the inode number). Add FileETag None to your configuration to hide it.
Configuration directory permission
You can prevent other users on the host from reading the conf and bin folders.
```shell
# Run from the Apache install root (bin and conf are its subdirectories).
# 750 = owner rwx, group r-x, no access for other users.
chmod -R 750 bin conf
```
Protect your server setting
In a default installation, users can override the Apache configuration using .htaccess files. If you want to stop users from changing your Apache server settings, add AllowOverride
None to the relevant Directory section, as shown below.
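The following httpd.conf fragment, added here as an example and not taken from the original post, collects the server-level steps above (version banner, directory listing, ETag, .htaccess override) in one place. The weak default is noted beside each corrected setting; the document root "/var/www/example" is a placeholder.

```apache
# Added example (not from the original post): server-level hardening fragment.

# Version banner. The default "ServerTokens Full" sends a header such as
# "Server: Apache/2.4.x (Unix) OpenSSL/..."; "Prod" reduces it to "Server: Apache".
ServerTokens Prod
# Stop appending the server version line to generated pages (error pages,
# directory listings).
ServerSignature Off

# ETag. The default "FileETag MTime Size" leaks file metadata and makes
# caching inconsistent across a pool of servers; "None" drops the header.
FileETag None

# Per-site settings belong in the <Directory> of the virtual host.
# "/var/www/example" is a placeholder document root.
<Directory "/var/www/example">
    # The stock "Options Indexes FollowSymLinks" lists any directory that has
    # no index file; "-Indexes" turns that off and returns 403 instead.
    Options -Indexes +FollowSymLinks
    # "None" means .htaccess files are ignored entirely, so a writable web
    # root cannot be used to re-enable listings, CGI or other settings.
    AllowOverride None
    Require all granted
</Directory>
```

After editing, run `apachectl configtest` before reloading, then confirm the banner with `curl -sI http://localhost/ | grep -i '^Server:'`, which should print only "Server: Apache". Note that ServerTokens is server-wide and cannot be set per virtual host.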
Protect your HTTP Request Methods
The HTTP 1.1 protocol supports many request methods that may not be required by your application, and some of them carry potential risk.
Typically a web application needs only the GET, HEAD and POST request methods; the allowed methods can be configured in the respective Directory directive.
The default configuration supports the OPTIONS, GET, HEAD, POST, PUT, DELETE, TRACE and CONNECT methods of HTTP 1.1.
```apache
# Refuse every method other than GET, POST and HEAD with 403.
# "deny from all" is Apache 2.2 syntax; on 2.4 it needs mod_access_compat
# (the 2.4 equivalent is "Require all denied").
<LimitExcept GET POST HEAD>
    deny from all
</LimitExcept>
```
Disable Trace HTTP Request
By default the TRACE method is enabled in the Apache web server. Leaving it enabled allows a Cross Site Tracing (XST) attack, which can give an attacker a way to steal cookie information. Let's see how it looks in the default configuration.
Add the TraceEnable off directive to httpd.conf and save it to block Cross Site Tracing attacks.
As you can see in the TRACE request above, Apache now blocks the request with HTTP 405 Method Not Allowed.
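As an added example (not code from the original post), here is the same method restriction and TRACE block written in Apache 2.4 syntax, which is what a current install expects; "/var/www/example" is a placeholder document root.

```apache
# Added example (not from the original post): request-method hardening, Apache 2.4 syntax.

# TraceEnable is a server/virtual-host level directive (not valid in <Directory>).
# The default is "on"; "off" makes Apache answer TRACE with 405 Method Not Allowed.
TraceEnable off

<Directory "/var/www/example">
    Require all granted
    # Everything except GET, POST and HEAD is refused with 403. Sections inside
    # <LimitExcept> are merged after the enclosing <Directory>, so the denial
    # overrides the "Require all granted" above for those methods only.
    # OPTIONS is blocked too, which breaks CORS preflight requests; add it to
    # the list if the site serves cross-origin XHR/fetch.
    <LimitExcept GET POST HEAD>
        Require all denied
    </LimitExcept>
</Directory>
```

To verify, `curl -i -X TRACE http://localhost/` should return 405 and `curl -i -X PUT http://localhost/test` should return 403, while a normal GET still succeeds.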
Set cookie with HttpOnly and Secure flag
You can mitigate most common Cross Site Scripting attacks that target cookies by setting the HttpOnly and Secure flags on the cookie. Without HttpOnly and Secure, it is possible to steal or manipulate web application sessions and cookies, which is dangerous.
- Ensure mod_headers.so is enabled in your httpd.conf
```apache
# Appends both flags to every Set-Cookie header. Note that a cookie which
# already carries them will get the flags twice.
Header edit Set-Cookie ^(.*)$ $1;HttpOnly;Secure
```
Avoid Clickjacking Attack
Clickjacking is an attack that tricks a user into clicking a webpage element which is invisible or disguised as another element. This can cause users to unwittingly download malware, visit malicious web pages, provide credentials or sensitive information, transfer money, or purchase products online.
Mitigating clickjacking with X-Frame-Options response header
The X-Frame-Options response header is passed as part of the HTTP response of a web page, indicating whether or not a browser should be allowed to render a page inside a <FRAME> or <IFRAME> tag.
```apache
# Requires mod_version for <IfVersion> and mod_headers for Header/RequestHeader.
<IfVersion >= 2.4.7>
    # setifempty keeps a value the application already set
    Header always setifempty X-Frame-Options DENY
</IfVersion>
<IfVersion < 2.4.7>
    Header always merge X-Frame-Options DENY
</IfVersion>
# Unrelated to clickjacking: drops a client-supplied "Proxy" request header so
# it cannot reach CGI/FastCGI applications as the HTTP_PROXY environment variable.
RequestHeader unset Proxy
```
There are three values allowed for the X-Frame-Options header:
- DENY — does not allow any domain to display this page within a frame
- SAMEORIGIN — allows the page to be displayed in a frame, but only on pages from the same origin
- ALLOW-FROM URI — allows the page to be displayed in a frame, but only from a specific URI — for example, www.example.com/frame-page (this value is obsolete and ignored by current browsers; use the Content-Security-Policy frame-ancestors directive instead)
Server Side Include
Server Side Include (SSI) carries the risk of increasing the load on the server. If you run a shared environment with heavy-traffic web applications, consider disabling SSI by adding -Includes to the Options directive.
An SSI injection attack exploits a web application by injecting SSI directives into HTML pages, which can lead to remote code execution on the server.
```apache
Options -Indexes -Includes
# Apache 2.2-style access control; on 2.4 this needs mod_access_compat
# (the 2.4 equivalent is "Require all granted").
Order allow,deny
Allow from all
```
Note: if you have multiple Directory directives in your environment, you should consider doing the same for all.
Having SSL is an additional layer of security that you add to a web application. However, the default SSL configuration leaves certain weaknesses in place, and you should consider tuning those settings.
The browser's built-in Cross Site Scripting (XSS) filter can be disabled or bypassed in many browsers. Sending this header re-enables the filter for your web application even if the user turned it off. It is used by a majority of giant web companies like Facebook, Twitter, Google, etc.
```apache
Header set X-XSS-Protection "1; mode=block"
```
After a restart, X-XSS-Protection is present in the response headers.
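The virtual-host fragment below is an added example, not code from the original post, and brings the three response-header steps above (cookie flags, clickjacking, XSS filter) together with the caveats a reviewer would raise. It assumes mod_headers is loaded and that `Header edit` accepts PCRE lookahead (it does on 2.4); the Content-Security-Policy line is the modern equivalent of X-Frame-Options and goes beyond what the post shows.

```apache
# Added example (not from the original post): response-header hardening for a vhost.
<IfModule mod_headers.c>
    # Cookies: add HttpOnly/Secure only when the flag is not already present, so an
    # application that sets them itself does not end up with duplicate attributes.
    # "always" also rewrites cookies on error responses; "(?i)" is case-insensitive.
    Header always edit Set-Cookie "(?i)^((?:(?!;\s?HttpOnly).)+)$" "$1; HttpOnly"
    Header always edit Set-Cookie "(?i)^((?:(?!;\s?Secure).)+)$"   "$1; Secure"

    # Clickjacking: refuse framing from any origin. setifempty (2.4.7+) keeps a
    # value the application chose. Current browsers consult the CSP
    # frame-ancestors directive first and fall back to X-Frame-Options.
    Header always setifempty X-Frame-Options "DENY"
    Header always setifempty Content-Security-Policy "frame-ancestors 'none'"

    # Legacy XSS filter switch. Chromium-based browsers removed their XSS filter
    # and Firefox never had one, so this only affects older browsers; a real
    # Content-Security-Policy is the effective XSS mitigation today.
    Header always set X-XSS-Protection "1; mode=block"
</IfModule>
```

The `Header always setifempty Content-Security-Policy` line will not add frame-ancestors if the application already sends its own CSP; in that case the directive belongs in the application's policy. Check the result with `curl -sI https://localhost/ | grep -iE '^(set-cookie|x-frame-options|content-security-policy|x-xss-protection):'`.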
Add google reCAPTCHA v3
reCAPTCHA v3 is a new version that detects abusive traffic on your website without user friction. It returns a score for each request you send to reCAPTCHA and gives you more flexibility to fight spam and abuse in your own way.
Above are some top steps you can apply on your server to avoid being hacked. I will share new posts about mod_security and SSL ciphers.