Apache Security and Hardening

Started by el-brujo, 11 February 2015, 13:03


el-brujo

Hardening Apache

HTTP Request Methods

The default Apache configuration supports the OPTIONS, GET, HEAD, POST, PUT, DELETE, TRACE and CONNECT methods of the HTTP 1.1 protocol.

Code (apache):

# Allow only GET, POST and HEAD; every other method is refused
# (2.2 access syntax; on Apache 2.4 the equivalent is "Require all denied")
<LimitExcept GET POST HEAD>
deny from all
</LimitExcept>



Web Application Security

Disable TRACE HTTP requests

Code (apache):

TraceEnable off



Set cookies with the HttpOnly and Secure flags

Requires mod_headers

Code (apache):

Header edit Set-Cookie ^(.*)$ $1;HttpOnly;Secure



Clickjacking Attack

https://developer.mozilla.org/en-US/docs/Web/HTTP/X-Frame-Options

<iframe> <object>

Options:

X-Frame-Options

DENY, SAMEORIGIN, ALLOW-URL url



Code (apache):

Header always append X-Frame-Options SAMEORIGIN


Cross Site Scripting (XSS)

Code (apache):

Header set X-XSS-Protection "1; mode=block"



HTTP Strict Transport Security

https://www.owasp.org/index.php/HTTP_Strict_Transport_Security

Code (apache):

Header set Strict-Transport-Security "max-age=31536000; includeSubDomains"


All together in the httpd.conf configuration file

Code (apache):

CoreDumpDirectory /tmp

# lower the timeout, default is 300
Timeout 80

# Maximum size of the request body.
#LimitRequestBody 10000
# Maximum number of request headers in a request.
LimitRequestFields 40
# Maximum size of request header lines.
LimitRequestFieldSize 4094
# Maximum size of the request line.
#request failed: URI too long (longer than 500)
#LimitRequestLine 500

# new anti-DoS limits
#RLimitCPU 10 20
#RLimitCPU 100 100
#RLimitMEM 10000000 10000000
#RLimitNPROC 25 25

# hide the Apache version, aka version banner
ServerTokens Prod

# security
# http://httpd.apache.org/docs/2.2/mod/core.html#traceenable
TraceEnable off

# security

<IfModule mod_headers.c>
Header edit Set-Cookie ^(.*)$ $1;HttpOnly;Secure
# https://developer.mozilla.org/en-US/docs/Web/HTTP/X-Frame-Options
Header always append X-Frame-Options SAMEORIGIN
Header set X-XSS-Protection "1; mode=block"
# header name without the trailing colon
Header set X-Content-Type-Options "nosniff"
</IfModule>

# https ssl

SSLRandomSeed startup file:/dev/urandom 1024

<IfDefine SSL>

# enable SSLv3 and TLSv1, but not SSLv2
#SSLProtocol all -SSLv2
#SSLProtocol -ALL +SSLv3 +TLSv1
# https://community.qualys.com/blogs/securitylabs/2013/08/05/configuring-apache-nginx-and-openssl-for-forward-secrecy
# new 2014
# https://www.ssllabs.com/ssltest/analyze.html?d=foro.elhacker.net
# Grade A, previously Grade F
# note: the three directives below are overridden by the November 2014 block further down (last directive wins)
SSLProtocol all -SSLv2 -SSLv3
SSLHonorCipherOrder on
SSLCipherSuite "EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384 \
EECDH+ECDSA+SHA256 EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 EECDH+aRSA+RC4 \
EECDH EDH+aRSA RC4 !aNULL !eNULL !LOW !3DES !MD5 !EXP !PSK !SRP !DSS"
#SSLCipherSuite ALL:!ADH:!NULL:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv3:+TLSv1 SLv2:+EXP:+eNULL

# mozilla
# https://wiki.mozilla.org/Security/Server_Side_TLS
# SSLCipherSuite AES256+EECDH:AES256+EDH:!aNULL:!eNULL

# November 2014 (effective settings: RC4 and MEDIUM removed)
SSLProtocol all -SSLv2 -SSLv3
SSLHonorCipherOrder on
SSLCipherSuite "EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384 EECDH+ECDSA+SHA256 EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 EECDH+AESGCM EECDH EDH+AESGCM EDH+aRSA HIGH !MEDIUM !LOW !aNULL !eNULL !RC4 !MD5 !EXP !PSK !SRP !DSS"

</IfDefine>
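An offline way to verify that the directives above actually take effect is to audit the response headers a server returns. The script below is an added example, not part of el-brujo's post and not an Apache project tool: it parses raw HTTP responses and reports which of the post's hardening points (HttpOnly/Secure cookies, X-Frame-Options, X-XSS-Protection, HSTS with the same max-age and includeSubDomains, X-Content-Type-Options nosniff, ServerTokens Prod, TraceEnable off) are missing. The sample responses WEAK, HARDENED, TRACE_ON and TRACE_OFF are constructed for the example; the function names and the 405 expectation for TRACE (which is what TraceEnable off produces) are the example's own.

```python
"""Audit raw HTTP responses against the Apache hardening settings in the post.

Sample responses are constructed for this example, not captured from a server.
"""
import re
from typing import Dict, List, Tuple

Headers = Dict[str, List[str]]


def parse_response(raw: str) -> Tuple[int, Headers, str]:
    """Split a raw HTTP/1.1 response into (status code, headers, body).

    Header names are lower-cased; repeated headers such as Set-Cookie are kept as a list.
    """
    head, _, body = raw.partition("\r\n\r\n")
    status_line, *header_lines = head.split("\r\n")
    status = int(status_line.split()[1])
    headers: Headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return status, headers, body


def cookie_attributes(cookie: str) -> set:
    """Lower-cased attribute names of a Set-Cookie value (path, httponly, secure, ...)."""
    return {part.strip().split("=", 1)[0].lower() for part in cookie.split(";")[1:]}


def audit_headers(raw: str, min_hsts_age: int = 31536000) -> List[str]:
    """Return one finding per failed check; an empty list means everything passed."""
    _, headers, _ = parse_response(raw)
    findings: List[str] = []

    # "Header edit Set-Cookie ^(.*)$ $1;HttpOnly;Secure" should leave both flags on every cookie.
    for cookie in headers.get("set-cookie", []):
        name = cookie.split("=", 1)[0]
        attrs = cookie_attributes(cookie)
        for flag in ("httponly", "secure"):
            if flag not in attrs:
                findings.append(f"cookie {name} lacks {flag}")

    # Clickjacking: X-Frame-Options must be DENY or SAMEORIGIN.
    xfo = headers.get("x-frame-options")
    if not xfo:
        findings.append("missing X-Frame-Options")
    elif xfo[0].upper() not in ("DENY", "SAMEORIGIN"):
        findings.append(f"weak X-Frame-Options: {xfo[0]}")

    xss = headers.get("x-xss-protection", [""])[0]
    if xss.replace(" ", "") != "1;mode=block":
        findings.append("X-XSS-Protection is not '1; mode=block'")

    # HSTS: same max-age as the post (one year) and includeSubDomains.
    hsts = headers.get("strict-transport-security")
    if not hsts:
        findings.append("missing Strict-Transport-Security")
    else:
        m = re.search(r"max-age=(\d+)", hsts[0])
        age = int(m.group(1)) if m else 0
        if age < min_hsts_age:
            findings.append(f"HSTS max-age {age} below {min_hsts_age}")
        if "includesubdomains" not in hsts[0].lower():
            findings.append("HSTS without includeSubDomains")

    if headers.get("x-content-type-options", [""])[0].lower() != "nosniff":
        findings.append("X-Content-Type-Options is not nosniff")

    # ServerTokens Prod yields "Server: Apache"; any digit in the banner means a version leaked.
    server = headers.get("server", [""])[0]
    if re.search(r"\d", server):
        findings.append(f"Server banner discloses version: {server}")

    return findings


def trace_enabled(raw_trace_response: str) -> bool:
    """TraceEnable off makes Apache answer TRACE with 405; a 200 echoing the request
    (Content-Type message/http) means TRACE is still enabled."""
    status, headers, _ = parse_response(raw_trace_response)
    ctype = headers.get("content-type", [""])[0].lower()
    return status == 200 and ctype.startswith("message/http")


# Constructed sample responses (not real captures).
WEAK = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Apache/2.2.22 (Debian)\r\n"
    "Set-Cookie: PHPSESSID=abc123; path=/\r\n"
    "Content-Type: text/html\r\n"
    "\r\n<html></html>"
)
HARDENED = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Apache\r\n"
    "Set-Cookie: PHPSESSID=abc123; path=/;HttpOnly;Secure\r\n"
    "X-Frame-Options: SAMEORIGIN\r\n"
    "X-XSS-Protection: 1; mode=block\r\n"
    "Strict-Transport-Security: max-age=31536000; includeSubDomains\r\n"
    "X-Content-Type-Options: nosniff\r\n"
    "Content-Type: text/html\r\n"
    "\r\n<html></html>"
)
TRACE_ON = "HTTP/1.1 200 OK\r\nServer: Apache\r\nContent-Type: message/http\r\n\r\nTRACE / HTTP/1.1\r\n"
TRACE_OFF = "HTTP/1.1 405 Method Not Allowed\r\nServer: Apache\r\nAllow: GET,HEAD,POST\r\n\r\n"

if __name__ == "__main__":
    for label, resp in (("weak", WEAK), ("hardened", HARDENED)):
        print(label, audit_headers(resp) or "all checks passed")
    print("TRACE enabled:", trace_enabled(TRACE_ON), trace_enabled(TRACE_OFF))
```

To use it against a live server you control, feed the script the raw text of a GET response and a TRACE response (for example the output of `curl -si`), and treat every returned finding as a directive from the config above that is not yet in effect.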

_Enko

Excellent tips.

Filed in my bookmarks in case I ever need to tinker with Apache for something serious :D

Regards and thanks.

Gh057

Thank you very much el-brujo, especially for the part about HSTS. Kind regards.
Where will the gh057 go? The net is so vast and infinite...