Securing Apache on Ubuntu – Part 2

My previous article focused on basic security tips and tricks to secure Apache web server in Ubuntu.

Here I am going to show you some advance security tips and tricks for securing an Apache web server.

Clickjacking is a well-known web vulnerability, also called a “UI redress attack.” It is a malicious technique an attacker uses to capture a victim’s clicks. The name is made up of two words, Click and Hijacking: Click means “mouse clicks” and Hijacking means “forcing a user to click.” Clickjacking therefore means tricking a user into clicking where the attacker wants on a web page, so that the click performs the attacker’s desired malicious action.

To secure your Apache web server from a Clickjacking attack, send the “X-Frame-Options” response header, which tells the browser whether the page may be placed in a frame.

You can do this by editing the “apache2.conf” file.

sudo nano /etc/apache2/apache2.conf

Add the following line inside the <Directory /var/www/html/> block:

# requires mod_headers (sudo a2enmod headers)
Header always append X-Frame-Options SAMEORIGIN

Save the file and restart Apache.

sudo /etc/init.d/apache2 restart

Now open your web server in a browser. Check the HTTP response headers in Firebug; you should see X-Frame-Options as shown in the image below.

[Image: apache-x-frame]

ETags, also known as “Entity Tags,” are a known information-disclosure issue in Apache. They can reveal sensitive information such as the inode number, child process IDs and the multipart MIME boundary to remote users through the ETag header. It is recommended to disable ETags.

You can do this by editing the “apache2.conf” file.

sudo nano /etc/apache2/apache2.conf

Add the following line inside the <Directory /var/www/html/> block:

FileETag None

Save the file and restart Apache.

Now open your web server in a browser. Check the HTTP response headers in Firebug; you should not see an ETag header at all.

[Image: apache-etag]

The old HTTP protocol (HTTP 1.0) has security vulnerabilities related to session hijacking and Clickjacking attacks. It is recommended to disable the old protocol.

You can disable it with a “mod_rewrite” rule that allows only the HTTP 1.1 protocol.

For this, edit the “apache2.conf” file.

sudo nano /etc/apache2/apache2.conf

Add the following lines inside the <Directory /var/www/html/> block:

# requires mod_rewrite (sudo a2enmod rewrite)
RewriteEngine On
# reject any request whose request line does not end in HTTP/1.1 with 403 Forbidden
RewriteCond %{THE_REQUEST} !HTTP/1\.1$
RewriteRule .* - [F]

Save the file and restart Apache.

In Ubuntu, the HTTP 1.1 protocol supports many request methods, such as OPTIONS, GET, HEAD, POST, PUT, DELETE, TRACE and CONNECT, most of which may not be required. It is recommended to allow only the HEAD, POST and GET request methods.

To fix this, edit the Apache configuration file.

sudo nano /etc/apache2/apache2.conf

Add the following lines inside the <Directory /var/www/html/> block:

# every method other than GET, POST and HEAD is refused with 403 Forbidden
<LimitExcept GET POST HEAD>
    # "deny from all" is Apache 2.2 syntax; on Apache 2.4 use "Require all denied"
    deny from all
</LimitExcept>

Save the file and restart Apache.

XSS (Cross-site Scripting) is one of the most common application-layer vulnerabilities. It allows an attacker to execute code against the target web server from a user’s web browser. Attackers exploit an XSS-vulnerable web server through browser-side scripting (JavaScript), so it is recommended to enable XSS protection on Apache.

You can do this by editing the Apache configuration file.

sudo nano /etc/apache2/apache2.conf

Add the following line inside the <Directory /var/www/html/> block:

# requires mod_headers (sudo a2enmod headers)
Header set X-XSS-Protection "1; mode=block"

Save the file and restart Apache.

Now open your web server in a browser. Check the HTTP response headers in Firebug; you should see the X-XSS-Protection header as shown in the image below.

[Image: apache-xss]

HttpOnly and Secure are flags set on a cookie: HttpOnly keeps the cookie out of reach of client-side script, and Secure allows it to be sent only over HTTPS. It is recommended to set both the “HttpOnly” and “Secure” flags on every cookie. This protects the applications on your Apache web server from common attacks such as cross-site scripting (XSS), cookie theft and cookie injection.

To fix this, edit the Apache configuration file.

sudo nano /etc/apache2/apache2.conf

Add the following line inside the <Directory /var/www/html/> block:

# requires mod_headers (sudo a2enmod headers)
# appends the HttpOnly and Secure flags to every Set-Cookie header the server sends
Header edit Set-Cookie ^(.*)$ $1;HttpOnly;Secure

Save the file and restart Apache.
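To confirm that all of the settings above took effect, here is an added check script (written for this article, not part of the original or of Apache itself) that audits a server with only the Python standard library. It assumes the server answers on port 80 and that rejected HTTP/1.0 requests and blocked methods return 403, as the rewrite rule and LimitExcept block above produce.

```python
import http.client
import socket

def audit_headers(headers):
    """headers: list of (name, value) pairs, e.g. from
    http.client.HTTPResponse.getheaders(). Returns a list of findings;
    an empty list means every header check from this article passed."""
    lower = [(n.lower(), v) for n, v in headers]
    first = lambda name: next((v for n, v in lower if n == name), "")
    findings = []
    if first("x-frame-options").strip().upper() not in ("SAMEORIGIN", "DENY"):
        findings.append("X-Frame-Options missing or not SAMEORIGIN/DENY")
    if first("etag"):
        findings.append("ETag still sent (FileETag None not applied)")
    if first("x-xss-protection").replace(" ", "") != "1;mode=block":
        findings.append("X-XSS-Protection not set to '1; mode=block'")
    for n, v in lower:  # every Set-Cookie must carry both flags
        if n != "set-cookie":
            continue
        name, *attrs = [p.strip() for p in v.split(";")]
        missing = {"httponly", "secure"} - {a.lower() for a in attrs}
        if missing:
            findings.append(f"cookie {name.split('=')[0]} lacks {sorted(missing)}")
    return findings

def http10_served(host, port=80):
    """Send a raw HTTP/1.0 request; True if it is answered with 200
    instead of the 403 the mod_rewrite rule should return."""
    with socket.create_connection((host, port), timeout=5) as s:
        s.sendall(f"GET / HTTP/1.0\r\nHost: {host}\r\n\r\n".encode())
        return s.recv(64).split(b" ")[1:2] == [b"200"]

def method_allowed(host, method, port=80):
    """True if the server answers `method` with a 2xx status."""
    conn = http.client.HTTPConnection(host, port, timeout=5)
    conn.request(method, "/")
    return 200 <= conn.getresponse().status < 300

def probe(host, port=80):
    """Fetch / over HTTP/1.1 and run every check; returns the findings."""
    conn = http.client.HTTPConnection(host, port, timeout=5)
    conn.request("GET", "/")
    findings = audit_headers(conn.getresponse().getheaders())
    if http10_served(host, port):
        findings.append("HTTP/1.0 requests are still served")
    for m in ("TRACE", "PUT", "DELETE"):
        if method_allowed(host, m, port):
            findings.append(f"{m} is still accepted (LimitExcept not applied)")
    return findings
```

Call probe("localhost") from a Python shell on the server; an empty list means every check passed, otherwise each entry names the setting that is still missing.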

I hope that you now have enough knowledge to secure your Apache web server from various kinds of attacks. If you have any questions, feel free to comment below.