[HOWTO] Beef up security on Apache with customized.conf

fribse
Experience counts
Posts: 2090
Joined: Mon Feb 11, 2008 2:50 am
Location: Greve, Denmark

[HOWTO] Beef up security on Apache with customized.conf

Post by fribse »

Hi There

As everybody probably wants to get as good security as possible, I'll just give a short example of the most commonly recommended methods.

Looking at Apache's homepage, there are a few good hints on what to do.

1) BASIC SECURITY

First of all, you need to make your own config, so that you can quickly disable / enable your own security if something all of a sudden fails.

Connect to the QNAP with SSH (use PuTTY.exe).

Issue the command:

# vi /etc/config/apache/apache.conf

Go to the last line of the apache.conf

Press 'I' (for insert)

Add the line

include /share/YOURPREFERREDSHARE/customized.conf

Press ESC to go back to command mode
Press :w [ENTER] to write the file
Press :q [ENTER] to exit vi

If you use Qweb as your document root (the standard config), you must not place the customized.conf on that share, but on another share of your choice, where you can easily modify it with your preferred editor.

Secondly, create your customized.conf file on the share just chosen (leave PuTTY open).
I would suggest you use PSPad, as it's a very good freeware editor. Do NOT use Notepad, Word, WordPad or any other M$ editor, as M$ does not understand the difference between a 'Carriage Return' and a 'Line Feed'.

The customized.conf should look like this:

ServerName www.site1.com
DocumentRoot "/share/Qweb"
<Directory />
  Order Deny,Allow
  Deny from all
</Directory>
<Directory "/share/Qweb">
    Options FollowSymLinks MultiViews
    AllowOverride All
    Order allow,deny
    Allow from All
</Directory>
ServerSignature Off
ServerTokens Prod
UseCanonicalName Off
HostnameLookups Off

This is your basic package.
The ServerName directive should of course reflect whatever your site is called. It will disable access to the entire server, then allow access to the Qweb dir, and then minimize the info the Apache server gives when users try to connect to it.

Now go back to your PuTTY and issue the commands

#/etc/init.d/Qthttpd.sh stop
#/etc/init.d/Qthttpd.sh start

This will activate your changes; watch out for warnings and errors.

2) Disabling request methods for Apache

As the later firmwares also include the 'rewrite' module, we can further enhance the security by eliminating some of the weird HTTP requests hackers will send at you (TRACE and TRACK). This method requires a newish firmware where the rewrite module is enabled, so get the latest firmware 3.x.

Add this line to your customized.conf

TraceEnable Off

Try to telnet to the webserver.

Issue the commands (from your PC's CMD, not PuTTY):

C:> telnet YOURNASIP 80 (enter)

OPTIONS * HTTP/1.0 (enter)(enter)

This will return:

HTTP/1.1 200 OK
Date: Wed, 11 Mar 2009 06:31:31 GMT
Server: Apache
Allow: GET,HEAD,POST,OPTIONS,TRACE
Content-Length: 0
Connection: close
Content-Type: text/plain; charset=UTF-8

Then go to your PuTTY and activate your latest changes:

#/etc/init.d/Qthttpd.sh stop
#/etc/init.d/Qthttpd.sh start

And send the HTTP request again:

C:> telnet YOURNASIP 80 (enter)

OPTIONS * HTTP/1.0 (enter)(enter)

Now you will see:

HTTP/1.1 200 OK
Date: Wed, 11 Mar 2009 06:35:08 GMT
Server: Apache
Allow: GET,HEAD,POST,OPTIONS
Content-Length: 0
Connection: close
Content-Type: text/plain; charset=UTF-8

Taadaa, the trace is gone.

These simple steps will give you a good, solid Apache.

3) Limiting access to specific folders

Now if you want to limit access to specific folders, please do NOT use .htaccess. Use apache.conf directives instead.
.htaccess is only meant for users that cannot modify the Apache config themselves, i.e. if the web server is hosted on a web hotel.

There are a few simple methods for limiting access, which can be made much more advanced, but for that, look at the Apache documentation.
You can for example limit per IP, or by a username.

<Directory "/share/Qweb/secretdir">
    Options FollowSymLinks MultiViews
    AllowOverride All
    Order allow,deny
    Allow from 192.168.0.0/24
</Directory>

This will limit access to the dir so that only users coming from the class C subnet 192.168.0.x are allowed in.
This can be useful if you add e.g. your own LAN subnet and maybe the public IP from your work (you can have more than one Allow directive).

The second method will ask for a username and password.

<Directory "/share/Qweb/SECRETFOLDER">
    AllowOverride All
    Allow from All
    AuthType Basic
    AuthName HEADLINE
    AuthUserFile /share/YOURSHARENAME/access
    Require user USERNAME
</Directory>

This will only allow the user USERNAME access to SECRETFOLDER, and only with the valid password. The password requester will have the header HEADLINE.
The username and password are stored in a file called 'access', placed on a share of your choice (again not directly on Qweb if your document root is placed there, as it is in a standard config).
The access file is made via SSH (PuTTY) using the command htpasswd.

# /usr/local/apache/bin/htpasswd -c /share/YOURSHARENAME/access USERNAME

EDIT: PATH FIXED

You will then be prompted for the password for the given user (if you omit the -c, you can add more usernames and passwords to the same file).

Again you should enable this by using PuTTY, and issuing the commands:

#/etc/init.d/Qthttpd.sh stop
#/etc/init.d/Qthttpd.sh start

I hope these steps will help out.
Look at httpd.apache.org under documentation for more on how to set up group access or more advanced methods.
Best regards
Fribse

NO, RAID is NOT backup - Use RAID-Certified 24x7 drives for raid
HOWTO's:
Make automatic backup of ALL MySQL databases http://forum.qnap.com/viewtopic.php?f=32&t=15628

NAS-659 Pro II (3 GB Ram), Raid1, Survailance station, local backup destination + NAS-853A (16 GB Ram), Virtualization Station, Plex, iDrive
Network: Fritz!Box 7560 + 24p SG200 + 2x8p SG200 + 8p POE EdgeCore + 300/300 mbit Internet
Marc J
Getting the hang of things
Posts: 62
Joined: Wed Oct 15, 2008 1:36 am

Re: [HOWTO] Beef up security on Apache with customized.conf

Post by Marc J »

Excuse the noob question, but after I press "i" and insert the line

include /share/YOURPREFERREDSHARE/customized.conf

how do I then get out of that and "save" the edited apache.conf file?

The next step in your instructions is to go into PuTTY and issue the commands

#/etc/init.d/Qthttpd.sh stop
#/etc/init.d/Qthttpd.sh start

But PuTTY is still on "insert" from the step before. I've tried hitting escape, which gets me out of viewing apache.conf, and I start / stop Apache, but then if I view apache.conf the last line (I just inserted) is not there.
fribse
Experience counts
Posts: 2090
Joined: Mon Feb 11, 2008 2:50 am
Location: Greve, Denmark

Re: [HOWTO] Beef up security on Apache with customized.conf

Post by fribse »

To exit 'insert mode' to command mode press ESC
To save in vi (in command mode) write :s [ENTER]
To quit vi (in command mode) write :q [ENTER]
Best regards
Fribse

Marc J
Getting the hang of things
Posts: 62
Joined: Wed Oct 15, 2008 1:36 am

Re: [HOWTO] Beef up security on Apache with customized.conf

Post by Marc J »

Using the method here I hope I've secured the web server on my TS-439 Pro so that it is only accessible over LAN (192.168...) - thank you very much!

I use this for development of sites, and I like the sites to be identical to the remote versions as far as possible. The problem is I have an .htaccess file in the root of some sites with the following:

## USER IP BANNING
<Limit GET POST>
 order allow,deny
 deny from 38.98.
 allow from all
</Limit>

This blocks traffic from an IP range which was using loads of bandwidth for no good reason. What I'm unsure of is the "allow from all" in that second bit of code. Is this undoing my block from the first one (in customized.conf), and actually opening that (local) site up to all but 38.98.xxx.xxx? Or is it safe to leave it in on the local site?

I'm not very sure of the "order" and "deny, allow" bits at all :confused:
fribse
Experience counts
Posts: 2090
Joined: Mon Feb 11, 2008 2:50 am
Location: Greve, Denmark

Re: [HOWTO] Beef up security on Apache with customized.conf

Post by fribse »

Yes, it can be very confusing, the order parameter is explained here: http://httpd.apache.org/docs/2.0/mod/mo ... html#order
But it doesn't explain the order the .htaccess contra config is evaluated. My thoughts are that the config is evaluated first, and then the .htaccess.
Best regards
Fribse

techman
Starting out
Posts: 19
Joined: Sun Aug 30, 2009 7:17 pm

Re: [HOWTO] Beef up security on Apache with customized.conf

Post by techman »

Just to say thank you very much for this well documented info.
Techman
My First Qn TS-239 Pro
Teaching is learning - Help others to help yourself
Don
Guru
Posts: 12289
Joined: Thu Jan 03, 2008 4:56 am
Location: Long Island, New York

Re: [HOWTO] Beef up security on Apache with customized.conf

Post by Don »

Hi Fribse,

Many thanks for this. I'm finally setting up virtual hosts. With your tutorial on virtualhosts and apache security I have it working. :D I do have one question on security. If I want to allow access to a web site from my intranet (LAN) only and not the internet (WAN) would I use the following in the virtual host settings?

<Directory />
    Order Allow,Deny
    Allow from 192.168.22.0/24
    Deny from all
</Directory>

Thanks
Don
Use the forum search feature before posting.

Use RAID and external backups. RAID will protect you from disk failure, keep your system running, and data accessible while the disk is replaced, and the RAID rebuilt. Backups will allow you to recover data that is lost or corrupted, or from system failure. One does not replace the other.

NAS: TVS-882BR | F/W: 5.0.1.2346 | 40GB | 2 x 1TB M.2 SATA RAID 1 (System/VMs) | 3 x 1TB M.2 NMVe QM2-4P-384A RAID 5 (cache) | 5 x 14TB Exos HDD RAID 6 (Data) | 1 x Blu-ray
NAS: TVS-h674 | F/W: 5.0.1.2376 | 16GB | 3 x 18TB RAID 5
Apps: DNSMasq, PLEX, iDrive, QVPN, QLMS, MP3fs, HBS3, Entware, DLstation, VS, +
fribse
Experience counts
Posts: 2090
Joined: Mon Feb 11, 2008 2:50 am
Location: Greve, Denmark

Re: [HOWTO] Beef up security on Apache with customized.conf

Post by fribse »

Don wrote:
Hi Fribse,

Many thanks for this. I'm finally setting up virtual hosts. With your tutorial on virtualhosts and apache security I have it working. :D I do have one question on security. If I want to allow access to a web site from my intranet (LAN) only and not the internet (WAN) would I use the following in the virtual host settings?

<Directory />
    Order Allow,Deny
    Allow from 192.168.22.0/24
    Deny from all
</Directory>

Thanks
Don

Well, the allow/deny is correct, but the directory statement is not, that will allow your intranet users access to all of the nas, not just document root.
Best regards
Fribse

Don
Guru
Posts: 12289
Joined: Thu Jan 03, 2008 4:56 am
Location: Long Island, New York

Re: [HOWTO] Beef up security on Apache with customized.conf

Post by Don »

fribse wrote: Well, the allow/deny is correct, but the directory statement is not, that will allow your intranet users access to all of the nas, not just document root.
OK, so what would be correct? I didn't mention that the above statements are in a virtual host statement. Will this work?

<VirtualHost *:80>
   ServerName http://crontab.xxxxxxxx.com
   ServerAlias crontab.xxxxxxxx.com
   ServerAdmin don@xxxxxxxx.com
   DocumentRoot "/share/Qweb/crontab"
   <Directory "/share/Qweb/crontab">
      Order Allow,Deny
      Allow from 192.168.22.0/24
      Deny from all
   </Directory>
</VirtualHost>

Thanks
Don
Don
Guru
Posts: 12289
Joined: Thu Jan 03, 2008 4:56 am
Location: Long Island, New York

Re: [HOWTO] Beef up security on Apache with customized.conf

Post by Don »

Hi,

I did some reading of the Apache manual and I think the Order statement should be Order Deny,Allow and not Allow,Deny. See the following table from the Apache manual.

Match                     Allow,Deny result                      Deny,Allow result
Match Allow only          Request allowed                        Request allowed
Match Deny only           Request denied                         Request denied
No match                  Default to second directive: Denied    Default to second directive: Allowed
Match both Allow & Deny   Final match controls: Denied           Final match controls: Allowed

Don
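Added example, not from the thread: a small Python model of how Apache 2.0/2.2 mod_access combines Order, Allow and Deny, run against the configurations posted above, i.e. the <Directory /> lockdown and the IP-limited folder from fribse's HOWTO, Marc J's .htaccess ban, and Don's virtual host under both Order settings. The client addresses are constructed, and hostname arguments to Allow/Deny are not modelled.

```python
import ipaddress


def matches(client_ip: str, spec: str) -> bool:
    """Does one 'Allow from' / 'Deny from' argument cover this client address?
    Handles 'all', CIDR or netmask networks, full addresses and partial dotted
    prefixes such as '38.98.'; hostname arguments are deliberately not modelled."""
    spec = spec.strip()
    if spec.lower() == "all":
        return True
    if "/" in spec:  # 192.168.0.0/24 or 192.168.0.0/255.255.255.0
        return ipaddress.ip_address(client_ip) in ipaddress.ip_network(spec, strict=False)
    octets = spec.rstrip(".").split(".")
    if not all(o.isdigit() for o in octets):
        raise ValueError(f"unsupported host spec: {spec!r}")
    # exact address (4 octets) or partial prefix (1-3 octets), compared octet-wise
    return client_ip.split(".")[: len(octets)] == octets


def evaluate(order: str, allow, deny, client_ip: str) -> bool:
    """Apache 2.0/2.2 mod_access decision: True means the request is allowed.
    The directive named second in Order is evaluated last, so it wins when the
    client matches both lists and supplies the default when it matches neither."""
    hit_allow = any(matches(client_ip, s) for s in allow)
    hit_deny = any(matches(client_ip, s) for s in deny)
    key = order.replace(" ", "").lower()
    if key == "allow,deny":
        return hit_allow and not hit_deny   # default denied, a Deny match wins
    if key == "deny,allow":
        return hit_allow or not hit_deny    # default allowed, an Allow match wins
    raise ValueError(f"bad Order: {order!r}")


# Configurations from this thread, as (order, allow list, deny list)
DON_AS_POSTED = ("Allow,Deny", ["192.168.22.0/24"], ["all"])   # Don's vhost, first version
DON_CORRECTED = ("Deny,Allow", ["192.168.22.0/24"], ["all"])   # Don's vhost after reading the manual
ROOT_LOCKDOWN = ("Deny,Allow", [], ["all"])                    # <Directory /> in customized.conf
SECRETDIR_LAN = ("allow,deny", ["192.168.0.0/24"], [])         # section 3, IP-limited folder
HTACCESS_BAN = ("allow,deny", ["all"], ["38.98."])             # Marc J's .htaccess <Limit>

# Constructed client addresses: a LAN host, a public (TEST-NET) host, a host in the banned range
LAN_CLIENT, WAN_CLIENT, BANNED_CLIENT = "192.168.22.10", "203.0.113.5", "38.98.7.7"

if __name__ == "__main__":
    for name, cfg in (("as posted", DON_AS_POSTED), ("Deny,Allow", DON_CORRECTED)):
        print(f"Don's vhost ({name}): LAN -> {evaluate(*cfg, LAN_CLIENT)}, "
              f"WAN -> {evaluate(*cfg, WAN_CLIENT)}")
```

Run stand-alone it prints Don's result under both orders: with Allow,Deny the LAN client matches both lists and the Deny, evaluated last, wins, so even the intranet is locked out; with Deny,Allow the LAN client gets in and the WAN client stays denied.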
fribse
Experience counts
Posts: 2090
Joined: Mon Feb 11, 2008 2:50 am
Location: Greve, Denmark

Re: [HOWTO] Beef up security on Apache with customized.conf

Post by fribse »

The directory statement is correct now.
The deny, allow all depends on what you want to be the default behaviour.
I haven't tested, but my guess is that they will both do the trick. Let me know, and I'll do an 'external' test for you.
Best regards
Fribse

sebus
Starting out
Posts: 49
Joined: Fri Nov 06, 2009 4:03 am

Re: [HOWTO] Beef up security on Apache with customized.conf

Post by sebus »

??????

Allow,Deny result = Final match controls: Denied

Deny,Allow result = Final match controls: Allowed

So which one do you think is safer? Hint: the one that by default DENIES UNLESS YOU EXPLICITLY ALLOW.
fribse
Experience counts
Posts: 2090
Joined: Mon Feb 11, 2008 2:50 am
Location: Greve, Denmark

Re: [HOWTO] Beef up security on Apache with customized.conf

Post by fribse »

Are you complaining about something, or trying to help?
Best regards
Fribse
