How can I make Apache safe on my Server?

I just got a VPS to host my client’s website, and I am totally new to web hosting and administration.

The host I am with offers a semi-managed VPS, and while they are helpful, I want to make sure I check everything out to keep my client’s site and customers safe.

Is there like a “Top-10 List” of things you should do to make Apache safe?

I believe I am running Apache 2.4, and I trust my web host has installed all relevant security patches, but I’m sure there are still lots of “gotchas” out there!

Thanks.

Hi mikey!

Aw, “semi-managed?” What does that mean? What do they manage and what do they leave to you?

As I’ve preached before, better to have the host manage the server (they don’t have to get in the way … and don’t unless you ask for help), better to have WHM/cPanel making regular updates (cPanel has been changing with new features as well as plugging security issues - which they tell you about as soon as they have a patch). YOUR job is to write good code recognizing that everything which visitors submit (intended or not - the last thread I answered questioned requests for /?q=node/add …) MUST be carefully matched to what the script expects to receive (including checking data types as well as values, e.g., look for [and replace] apostrophes in strings which will touch your database!).

Once you get into PHP coding, I would also recommend adding a script on the server OUTSIDE the web space which can be run on regular intervals (daily?) which can create a hash value for ALL files (I’ve said all executable files but HTML code can contain JavaScript code which is executable) and compare that with a timestamped hash of that file from the last scan. If you’ve updated (or added or deleted) files, you’ll know to expect seeing them in the list of changed files (as determined by non-matching hash values). Too tough? I wrote an article for SitePoint so you can either search for that or PM me for the code (and PDF which walks you through the code, too).

Again, it’s a matter of letting the experts do their job and paying attention to the things which are your responsibility (and within your capability).

One further note, WebHostingBuzz is posting a notice upon login (to WHM) that mod_security had been added as an option (because it does require some user management - configuration and review of the prolific logs it generates). As a “user,” mod_security would be a good thing for you to look into.

Additional suggestions:

  • password control (make them difficult and require changes);
  • manage FTP access to the server as well as individual accounts (I have clients who want to get into their website but will only allow that if I create a new account for them, i.e., jail them within their account so any bad code will not affect other client websites … or the server);
  • same with telnet access (although that is more dangerous because of the powerful things that can be done from the shell);
  • keep WHM/cPanel up to date (security updates are the most important);
  • REQUIRE daily checks of canned apps (like WordPress, as they are always under attack and do update their code frequently) AND ensure that updates are IMMEDIATELY made - best, IMHO, to only use canned apps in their own account because attacks on them are so often successful that the whole server could be compromised;
  • keep master copies of your files as backups for reinstallation (attacks do happen and they are occasionally successful);
  • throttle your mail server (successful attacks are often by spammers who use your server to send SPAM - choke that off in your mail queue so you can delete the thousands of e-mails which can only get your server blacklisted);
  • learn some mod_rewrite code (http://dk.co.nz/seo) to help protect your scripts from malicious code (as with the /?q=node/add query string the other member was getting frustrated with; it’s also a VERY useful tool for webmasters!);

That should be enough to keep you off the streets nights for a while!

Regards,

DK
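As an added example (not DK's SitePoint script, nor anything posted in this thread), here is a Python version of the daily hash check described above: it hashes every regular file under the web root (HTML included, since it can carry JavaScript), stores the result with a timestamp in a baseline file kept outside the web space, and on the next run reports which files were added, removed or changed. The web root and baseline paths are assumptions passed on the command line; the `demo()` function builds a constructed toy web root so the script can be exercised without a real server.

```python
"""Daily file-integrity check for a web root (added example; assumes the script
and its baseline JSON live OUTSIDE the web space, e.g. /home/user/integrity/)."""
import hashlib
import json
import sys
import tempfile
import time
from pathlib import Path


def hash_file(path: Path, chunk_size: int = 65536) -> str:
    """Return the SHA-256 hex digest of one file, read in chunks."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def scan(web_root: Path) -> dict:
    """Hash ALL regular files under web_root (not just executables, since HTML
    can contain JavaScript). Keys are paths relative to web_root."""
    result = {}
    for path in sorted(web_root.rglob("*")):
        if path.is_file() and not path.is_symlink():
            result[path.relative_to(web_root).as_posix()] = hash_file(path)
    return result


def compare(old: dict, new: dict) -> dict:
    """Report files that appeared, disappeared, or whose hash no longer matches."""
    old_keys, new_keys = set(old), set(new)
    return {
        "added": sorted(new_keys - old_keys),
        "removed": sorted(old_keys - new_keys),
        "changed": sorted(k for k in old_keys & new_keys if old[k] != new[k]),
    }


def load_baseline(baseline_path: Path) -> dict:
    """Previous timestamped scan, or an empty one on the very first run."""
    if not baseline_path.exists():
        return {"scanned_at": None, "files": {}}
    return json.loads(baseline_path.read_text())


def save_baseline(baseline_path: Path, files: dict) -> None:
    """Store this scan with a timestamp so the next run can compare against it."""
    record = {"scanned_at": time.strftime("%Y-%m-%d %H:%M:%S"), "files": files}
    baseline_path.write_text(json.dumps(record, indent=1))


def run_check(web_root: Path, baseline_path: Path) -> dict:
    """One scheduled run: diff against the last baseline, then replace it.
    Anything listed that you did not upload yourself deserves a close look."""
    previous = load_baseline(baseline_path)
    current = scan(web_root)
    diff = compare(previous["files"], current)
    diff["previous_scan"] = previous["scanned_at"]
    save_baseline(baseline_path, current)
    return diff


def demo() -> dict:
    """Constructed walkthrough: baseline a toy web root, then alter one file and
    drop in an extra one, and return what the first and second runs flagged."""
    with tempfile.TemporaryDirectory() as tmp:
        web_root = Path(tmp) / "public_html"          # constructed sample site
        (web_root / "js").mkdir(parents=True)
        (web_root / "index.php").write_text("<?php echo 'hello'; ?>\n")
        (web_root / "js" / "app.js").write_text("console.log('ok');\n")
        baseline = Path(tmp) / "baseline.json"        # would sit outside web space
        first = run_check(web_root, baseline)         # first run: all "added"
        (web_root / "index.php").write_text("<?php echo 'tampered'; ?>\n")
        (web_root / "dropped.txt").write_text("unexpected\n")
        second = run_check(web_root, baseline)        # flags the two surprises
        return {"first": first, "second": second}


if __name__ == "__main__":
    # Usage from cron: python3 integrity_check.py /home/user/public_html /home/user/integrity/baseline.json
    if len(sys.argv) != 3:
        print(json.dumps(demo(), indent=1))
    else:
        print(json.dumps(run_check(Path(sys.argv[1]), Path(sys.argv[2])), indent=1))
```

Run it from cron once a day and mail yourself the output; the files you uploaded that day should be the only ones listed. Because the baseline is rewritten on every run, an unexpected change is reported exactly once, so the report needs to be read each day rather than left to accumulate.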

Hey, DK!

They guarantee to manage the server, network and infrastructure for sure. They also take care of major patches and regularly do security patches.

They have been good about helping out answer questions about basic set up stuff, and have given me some free-bees as far as support that someone like GoDaddy would have charged me for.

Physical server should all be covered.

Not sure about WHM/cPanel, but I do know they sell you a VPS with the latest LAMP stack and they do security patches regularly.

If you want a newer/different version of, say, PHP, then they might charge if the request was purely feature driven.

Seems fair.

My PHP sanitizes everything, and I use Prepared Statements for the database part.

That is a great idea! :thumbsup:

I’m up to the code challenge!

I have to pay to have that installed, and I would need to learn how to configure and manage it, but it is on my To-Do list in the next month or so.

If you mean end-users, that is in my code already - although I don’t require people to change them after so long. Guess I need to do that.

Currently the only account is for me - the webmaster.

That was disabled.

How can I monitor when new updates are available?

My host says they do that, but I have no way of knowing…

All “home-grown” code here! :wink:

I have all original code on my laptop, and that has FDE along with a backup disk with FDE.

I had CSF (?) installed by advanced hosting…

Will check that out when I can!

Ha ha! Yeah, no sleep or partying for me for the next year while I try and get this site up, running, visited, and secure!!

Thanks for the advice!

P.S. I think I owe you a reply to one of your PM’s that I forgot about…

Hi mikey,

Sounds like they’re taking care of the server end of things … as they should.

I won’t use a host which does not provide WHM (Web Host Manager)/cPanel (the premier website control panel). That makes management of the websites and domains quite simple. While there are other control panels, the cPanel stack is clearly at the top of the heap.

Many hosts won’t include WHM/cPanel because it’s an additional license for them so “bare bones” hosts will often offer WHM/cPanel as an option but at an additional cost.

YOUR PHP sanitizes everything? (That statement scares me because I have a problem believing it.) Does that mean that your code examines all visitor input? That’s an extremely valuable skill so I hope you’ve learned all the ins and outs of that. IMHO, prepared statements should be an intermediary between the sanitized input and the database (as a further check).

Your host wants to be paid for a free Apache module? Horrors! Look it up - it’s an easy task for a webmaster to install mod_security. Keeping the rules up to date and reviewing the logs are where the effort comes in. Of course, there is a website dedicated to creating and testing mod_security rule sets so that’s neither difficult nor time consuming.

YOU should be able to access your account via Telnet but there should be NO public (or client) access.

Are you kidding? My WHM/cPanel is AUTOMATICALLY updated every day! I doubt your host needs to do anything to be sure it’s updated BUT, if you insist, you can visit cpanel.com every day (or week or hour or minute) to be sure.

Kudos to you for using ‘All “home-grown” code’! I do, too, but still worry about having overlooked something. At least “home-grown” code makes it difficult (hopefully) for hackers to get in and damage websites.

FDE?

CSF? IMHO, throttling is important (to limit possible SPAM and protect from being added to blacklists).

Keep mod_rewrite at the top of your ToDo list and get on it ASAP. It’s an incredibly powerful tool for webmasters (and one of the things I insist on having available with any host; mod_rewrite is NOT enabled by default).

There’s no rest for the wary - but BE WARY of all the attack vectors you can imagine (and understand that’ll be less than half of those the hackers are using).

Regards,

DK

I think so, but time will tell.

Yes, it is nice.

It means whether you send my website input through a $_POST or $_GET or Form or Upload or whatever, my code will carefully inspect it and smash it to pieces with a baseball bat if you so much as think of sending me bad or invalid code!! :wink:

Then I beat it up a second time with Prepared Statements and (some) constraints in MySQL.

I stand behind my code…

I think so, but I don’t know for sure. On my To-Do list.

> YOU should be able to access your account via Telnet but there should be NO public (or client) access.

Oh, okay.

I will have to research that.

I sleep well at night knowing I am running all original code. (Learning Linux and System Administration is what makes me sweat!!!)

Full Disk Encryption

CSF - ConfigServer Security & Firewall

CSF comes with Login Failure Daemon (LFD) and I think it addresses those types of things, but that is on my To-Do List as well!

I use it now minimally for preventing directory listings and for mod_rewrites. Will have to read up on its other capabilities.

My website is hacker safe, because it is offline! (I’m still trying to get my server safely configured.)

LOL

mikey,

Whew! I’m relieved to read that you are very conscious (suspicious) of all user input (including 404 requests?). That’s your first line of defense (after mod_rewrite’s limited capabilities in this realm). Your prepared statements (for database access) are a great second line. As far as I’m concerned, your clients appear to be in very good hands.

Mod-security can help your host defend against DOS attacks as well as many others (I’m just getting into the rule creation and then I’ll be examining the OSR (?) rule sets to see which I want to enable). As I said, it’s a GREAT tool but it does have a considerable learning curve and requires monitoring of its log files (and deleting old logs as I’m sure they’re a storage hog).

Thanks for your definitions. FDE must certainly come with its key stored within your website AND uploads to your website will certainly have to be processed by the key (like a door key to the entrance hallway). I have the feeling that your entrance hallway is well protected, though, so I wouldn’t lose too much sleep. Just be aware that FDE (and mod_security, for that matter) require considerable additional processing before serving files to your site visitors. Ditto CSF, I’m sure. There is a price to pay for security (in cost as well as convenience) but it beats having to rebuild servers and reputation!

Regards,

DK

OSR => OWASP

Sorry for that error.

Regards,

DK
