Chapter 4. Hardening Your System with Tools and Services
4.3. Securing Services
4.3.7. Securing the Apache HTTP Server
The Apache HTTP Server is one of the most stable and secure services that ships with Red Hat Enterprise Linux 7. A large number of options and techniques are available to secure the Apache HTTP Server, too numerous to delve into deeply here. The following section briefly explains good practices when running the Apache HTTP Server.
Always verify that any scripts running on the system work as intended before putting them into production. Also, ensure that only the root user has write permissions to any directory containing scripts or CGIs. To do this, run the following commands as the root user:
chown root <directory_name>
chmod 755 <directory_name>
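The ownership and permission rule above is easy to state and easy to drift from, so the following added example (not code from the Red Hat guide) lists every entry under a script or CGI directory that is not owned by the expected user or is group- or world-writable. It uses only POSIX find; the owner argument defaults to uid 0 (root), and the demonstration passes the current uid so it can run unprivileged on a constructed directory tree.

```shell
#!/bin/sh
# Added example, not part of the Red Hat guide: list every entry under a
# script or CGI directory that breaks the rule above, i.e. that is not owned
# by the expected user or is group- or world-writable. The owner argument
# defaults to uid 0 (root); the demonstration passes the current uid so it
# can run unprivileged on a constructed directory tree.

find_unsafe_script_entries() {
    dir="$1"
    owner="${2:-0}"
    # POSIX find: "-perm -020" and "-perm -002" match when the group-write or
    # other-write bit is set; "! -user" matches anything not owned by $owner.
    find "$dir" \( ! -user "$owner" -o -perm -020 -o -perm -002 \) -print
}

# Stand-alone demonstration on a constructed tree: one correct script (755)
# and one world-writable script (777) that the check must report.
demo_dir=$(mktemp -d)
mkdir "$demo_dir/cgi-bin"
printf '#!/bin/sh\necho ok\n' > "$demo_dir/cgi-bin/good.cgi"
printf '#!/bin/sh\necho ok\n' > "$demo_dir/cgi-bin/bad.cgi"
chmod 755 "$demo_dir" "$demo_dir/cgi-bin" "$demo_dir/cgi-bin/good.cgi"
chmod 777 "$demo_dir/cgi-bin/bad.cgi"
echo "Entries under $demo_dir needing chown root / chmod 755:"
find_unsafe_script_entries "$demo_dir" "$(id -u)"
rm -rf "$demo_dir"
```

Run it as root against the real CGI directory with no second argument (for example `find_unsafe_script_entries /var/www/cgi-bin`); every path it prints is one that chown root and chmod 755 have not yet been applied to.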
System administrators should be careful when using the following configuration options (configured in /etc/httpd/conf/httpd.conf):
FollowSymLinks
This directive is enabled by default, so be sure to use caution when creating symbolic links to the document root of the Web server. For instance, it is a bad idea to provide a symbolic link to /.
Indexes
This directive is enabled by default, but may not be desirable. To prevent visitors from browsing files on the server, remove this directive.
UserDir
The UserDir directive is disabled by default because it can confirm the presence of a user account on the system. To enable user directory browsing on the server, use the following directives:
UserDir enabled
UserDir disabled root
These directives activate user directory browsing for all user directories other than /root/. To add users to the list of disabled accounts, add a space-delimited list of users on the UserDir disabled line.
ServerTokens
The ServerTokens directive controls the server response header field which is sent back to clients. It includes various information which can be customized using the following parameters:
ServerTokens Full (default option): provides all available information (OS type and used modules), for example:
Apache/2.0.41 (Unix) PHP/4.2.2 MyMod/1.2
ServerTokens Prod or ServerTokens ProductOnly: provides the following information:
Apache
ServerTokens Major: provides the following information:
Apache/2
ServerTokens Minor: provides the following information:
Apache/2.0
ServerTokens Min or ServerTokens Minimal: provides the following information:
Apache/2.0.41
ServerTokens OS: provides the following information:
Apache/2.0.41 (Unix)
It is recommended to use the ServerTokens Prod option so that a possible attacker does not gain any valuable information about your system.
Important
Do not remove the IncludesNoExec directive. By default, the Server-Side Includes (SSI) module cannot execute commands. It is recommended that you do not change this setting unless absolutely necessary, as it could, potentially, enable an attacker to execute commands on the system.
Removing httpd Modules
In certain scenarios, it is beneficial to remove certain httpd modules to limit the functionality of the HTTP Server. To do so, simply comment out the entire line which loads the module you wish to remove in the /etc/httpd/conf/httpd.conf file. For example, to remove the proxy module, comment out the following line by prepending it with a hash sign:
#LoadModule proxy_module modules/mod_proxy.so
Note that the /etc/httpd/conf.d/ directory contains configuration files which are used to load modules as well.
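The directives above (ServerTokens, Indexes, FollowSymLinks, Includes versus IncludesNoExec, UserDir) and the LoadModule line for the proxy module are all plain text in httpd.conf, so they can be audited with a short script. The following is an added example, not code from the Red Hat guide or the Apache project; the sample configuration it writes is constructed for the demonstration and describes no real server.

```shell
#!/bin/sh
# Added example, not part of the Red Hat guide: a POSIX sh audit of an
# httpd.conf-style file for the settings discussed in this section
# (ServerTokens, Indexes, FollowSymLinks, Includes vs. IncludesNoExec,
# UserDir and the proxy LoadModule line). The sample configuration is
# constructed for the demonstration and describes no real server.

# Write the constructed sample configuration to the path given as $1.
write_sample_httpd_conf() {
    cat > "$1" <<'EOF'
# constructed sample httpd.conf, not from any real host
ServerTokens OS
LoadModule proxy_module modules/mod_proxy.so
#LoadModule userdir_module modules/mod_userdir.so
<Directory "/var/www/html">
    Options Indexes FollowSymLinks
    AllowOverride None
</Directory>
<Directory "/var/www/cgi-bin">
    Options -Indexes +ExecCGI
</Directory>
UserDir enabled
UserDir disabled root
EOF
}

# Audit the file given as $1; every finding is one line on stdout so the
# caller can count them. Comment lines and blank lines are ignored.
audit_httpd_conf() {
    # Drop leading blanks, comment lines and empty lines once, reuse below.
    active=$(sed -e 's/^[[:space:]]*//' -e '/^#/d' -e '/^$/d' "$1")

    # ServerTokens: the last occurrence wins; only Prod/ProductOnly withholds
    # the version, OS and module list from the Server response header.
    tokens=$(printf '%s\n' "$active" | awk 'tolower($1)=="servertokens" {v=$2} END {print v}')
    case "$tokens" in
        Prod|ProductOnly) ;;
        "") echo "ServerTokens: unset, the Full default reveals OS and modules" ;;
        *)  echo "ServerTokens: $tokens reveals version details, use Prod" ;;
    esac

    # Options lines: a bare name or "+Name" enables the option, "-Name"
    # disables it. Indexes, FollowSymLinks and exec-capable Includes are reported.
    printf '%s\n' "$active" | awk '
        tolower($1) == "options" {
            for (i = 2; i <= NF; i++) {
                if (substr($i, 1, 1) == "-") continue
                opt = $i; sub(/^[+]/, "", opt)
                if (opt == "Indexes")
                    print "Options: Indexes allows directory listings"
                if (opt == "FollowSymLinks")
                    print "Options: FollowSymLinks is set, review links under the document root"
                if (opt == "Includes")
                    print "Options: Includes lets SSI run commands, prefer IncludesNoExec"
            }
        }'

    # UserDir enabled confirms which accounts exist on the host.
    printf '%s\n' "$active" | awk 'tolower($1)=="userdir" && tolower($2)=="enabled" {
        print "UserDir: enabled, user directories confirm account names" }'

    # The proxy module is the removal example from the section above.
    printf '%s\n' "$active" | awk 'tolower($1)=="loadmodule" && $2=="proxy_module" {
        print "LoadModule: proxy_module is loaded, comment it out if unused" }'
}

# Stand-alone run against the constructed sample.
sample=$(mktemp)
write_sample_httpd_conf "$sample"
audit_httpd_conf "$sample"
rm -f "$sample"
```

On Red Hat Enterprise Linux 7 the httpd 2.4 packages keep their LoadModule lines in /etc/httpd/conf.modules.d/*.conf, and Options lines can also appear in /etc/httpd/conf.d/*.conf and in .htaccess files where AllowOverride permits them, so run the audit over every one of those files rather than over httpd.conf alone. The checks only read explicit directives; a file that sets nothing inherits the server defaults the section lists (ServerTokens Full, Indexes and FollowSymLinks on), which is why an unset ServerTokens is reported.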
httpd and SELinux
For information, see the chapter "The Apache HTTP Server and SELinux" in the Red Hat Enterprise Linux 7 SELinux User's and Administrator's Guide.
4.3.8. Securing FTP
The File Transfer Protocol (FTP) is an older TCP protocol designed to transfer files over a network. Because all transactions with the server, including user authentication, are unencrypted, it is considered an insecure protocol and should be carefully configured.
Red Hat Enterprise Linux 7 provides two FTP servers:
Red Hat Content Accelerator (tux): a kernel-space Web server with FTP capabilities.
vsftpd: a standalone, security oriented implementation of the FTP service.
The following security guidelines are for setting up the vsftpd FTP service.
4.3.8.1. FTP Greeting Banner
Before submitting a username and password, all users are presented with a greeting banner. By default, this banner includes version information useful to crackers trying to identify weaknesses in a system.
To change the greeting banner for vsftpd, add the following directive to the /etc/vsftpd/vsftpd.conf file:
ftpd_banner=<insert_greeting_here>
Replace <insert_greeting_here> in the above directive with the text of the greeting message.
For multi-line banners, it is best to use a banner file. To simplify management of multiple banners, place all banners in a new directory called /etc/banners/. The banner file for FTP connections in this example is /etc/banners/ftp.msg. Below is an example of what such a file may look like:
######### Hello, all activity on ftp.example.com is logged. #########
Note
It is not necessary to begin each line of the file with 220 as specified in Section 4.4.1, “Securing Services With TCP Wrappers and xinetd”.
To reference this greeting banner file for vsftpd, add the following directive to the /etc/vsftpd/vsftpd.conf file:
banner_file=/etc/banners/ftp.msg
It is also possible to send additional banners to incoming connections using TCP Wrappers as described in Section 4.4.1.1, “TCP Wrappers and Connection Banners”.
4.3.8.2. Anonymous Access
The presence of the /var/ftp/ directory activates the anonymous account.
The easiest way to create this directory is to install the vsftpd package. This package establishes a directory tree for anonymous users and configures the permissions on directories to read-only for anonymous users.
By default the anonymous user cannot write to any directories.
Warning
If enabling anonymous access to an FTP server, be aware of where sensitive data is stored.
4.3.8.2.1. Anonymous Upload
To allow anonymous users to upload files, it is recommended that a write-only directory be created within /var/ftp/pub/. To do this, run the following command as root:
~]# mkdir /var/ftp/pub/upload
Next, change the permissions so that anonymous users cannot view the contents of the directory:
~]# chmod 730 /var/ftp/pub/upload
A long format listing of the directory should look like this:
~]# ls -ld /var/ftp/pub/upload
drwx-wx---. 2 root ftp 4096 Nov 14 22:57 /var/ftp/pub/upload
Administrators who allow anonymous users to read and write in directories often find that their servers become a repository of stolen software.
Additionally, under vsftpd, add the following line to the /etc/vsftpd/vsftpd.conf file:
anon_upload_enable=YES
4.3.8.3. User Accounts
Because FTP transmits unencrypted usernames and passwords over insecure networks for authentication, it is a good idea to deny system users access to the server from their user accounts.
To disable all user accounts in vsftpd, add the following directive to /etc/vsftpd/vsftpd.conf:
local_enable=NO
4.3.8.3.1. Restricting User Accounts
To disable FTP access for specific accounts or specific groups of accounts, such as the root user and those with sudo privileges, the easiest way is to use a PAM list file as described in Section 4.2.1, “Disallowing Root Access”. The PAM configuration file for vsftpd is /etc/pam.d/vsftpd.
It is also possible to disable user accounts within each service directly.
To disable specific user accounts in vsftpd, add the username to /etc/vsftpd/ftpusers.
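Sections 4.3.8.1 to 4.3.8.3 all reduce to a handful of key=value lines in /etc/vsftpd/vsftpd.conf plus the 730 mode on the anonymous upload directory, so they can be verified together. The following is an added example, not code from the Red Hat guide or the vsftpd project; the sample configuration it writes and the directory it checks are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not part of the Red Hat guide: POSIX sh checks for the
# vsftpd.conf settings from Sections 4.3.8.1 to 4.3.8.3 (banner, anonymous
# access and upload, local accounts) plus the 730 mode of the anonymous
# upload directory. The sample configuration and the directory used in the
# demonstration are constructed; no real server is involved.

# Write the constructed sample vsftpd.conf to the path given as $1.
write_sample_vsftpd_conf() {
    cat > "$1" <<'EOF'
# constructed sample vsftpd.conf, not from any real host
anonymous_enable=YES
anon_upload_enable=YES
local_enable=YES
# the banner line is commented out, so the version banner is still shown
#ftpd_banner=Welcome to ftp.example.com
EOF
}

# Print the effective value of key $2 in file $1. vsftpd takes the last
# uncommented "key=value" line and allows no blanks around "="; prints
# nothing when the key is absent.
vsftpd_get() {
    awk -F= -v k="$2" '/^[ \t]*#/ {next}
        $1 == k { sub(/^[^=]*=/, ""); v = $0 }
        END { print v }' "$1"
}

# One finding per line on stdout. Only explicit values are judged: the
# compiled-in defaults differ from the packaged vsftpd.conf, so an absent key
# should be confirmed by hand rather than assumed.
audit_vsftpd_conf() {
    conf="$1"
    if [ -z "$(vsftpd_get "$conf" ftpd_banner)" ] && [ -z "$(vsftpd_get "$conf" banner_file)" ]; then
        echo "banner: neither ftpd_banner nor banner_file is set, the version banner is shown"
    fi
    if [ "$(vsftpd_get "$conf" anonymous_enable)" = "YES" ]; then
        echo "anonymous_enable=YES: check what is stored under /var/ftp/"
        if [ "$(vsftpd_get "$conf" anon_upload_enable)" = "YES" ]; then
            echo "anon_upload_enable=YES: the upload directory must be write-only (mode 730)"
        fi
    fi
    if [ "$(vsftpd_get "$conf" local_enable)" = "YES" ]; then
        echo "local_enable=YES: system accounts authenticate in cleartext, set NO or restrict them"
    fi
}

# Return 0 when directory $1 has exactly mode 730 (drwx-wx---), as the
# section requires for an anonymous upload directory, else 1.
upload_dir_is_write_only() {
    [ -n "$(find "$1" -prune -type d -perm 730)" ]
}

# Stand-alone demonstration on constructed input.
sample=$(mktemp)
write_sample_vsftpd_conf "$sample"
audit_vsftpd_conf "$sample"
rm -f "$sample"
demo_upload=$(mktemp -d)
chmod 730 "$demo_upload"
if upload_dir_is_write_only "$demo_upload"; then
    echo "$demo_upload: mode 730 as required for anonymous upload"
fi
rmdir "$demo_upload"
```

Against a real host, run `audit_vsftpd_conf /etc/vsftpd/vsftpd.conf` and `upload_dir_is_write_only /var/ftp/pub/upload`; the mode check covers only the permission bits, so the root:ftp ownership shown in the ls -ld listing above still has to be confirmed separately, and accounts listed in /etc/vsftpd/ftpusers or denied through /etc/pam.d/vsftpd are outside what the configuration file alone can tell you.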
4.3.8.4. Use TCP Wrappers To Control Access
Use TCP Wrappers to control access to either FTP daemon as outlined in Section 4.4.1, “Securing Services With TCP Wrappers and xinetd”.