Apache HTTP Server software was first launched 18 years ago and has been the most popular Web Server software for more than 10 years. Apache accounts for more than 50% of the Web Server market, this also makes it the most popular attack target.
Researchers from security companies ESET and Sucuri discovered the latest high-profile Apache attacks. Attackers tried to find a backdoor to access Apache and redirect network traffic to malicious websites. After visitors enter a malicious website, will be infected by the Blackhole vulnerability exploitation kit. This attack indicates that enterprises must develop Apache security best practices, and enterprises must be aware that insecure Apache Web servers may cause serious consequences.
In this article, we will provide best practices to help enterprises protect Apache servers against modern attacks.
Apache Security Basics
In many cases, Apache servers are infected with outdated modules, configurations, or even Web code hosted by Web servers. To solve these problems, enterprises should use the latest version of Apache HTTP and its attachments, and keep the HTTP server updated, which is crucial. However, the current trend of attackers is to focus on external component frameworks, modules, and attachments. These vulnerabilities make Apache HTTP vulnerable and hard to get rid. Enterprises should track these new components, which is equal to half of the success, and the other half is to ensure that these packets are installed with the latest patch and upgraded to the latest version. In addition, when updating, enterprises should remember to carefully check the download source. Smart attacks often try to disguise malware as software updates.
In addition to keeping updates, enterprises should also configure Apache HTTP Server to minimize the attack surface. Although this sounds simple, only the system administrator can handle dozens of considerations (usually need to work with Web developers ). For example, the latest trend of distributed denial-of-service attacks is to consume system resources with the minimum amount of traffic. The impact of such attacks can be minimized by configuring parameters, such as configuring RequestReadTimeout, TimeOut, KeepAliveTimeout, and MaxRequestWorkers to reduce the resource consumption value. In addition, the system administrator should consider the following factors:
• Use a privileged account to run HTTPd. If attackers attempt to attack the background program itself, this can minimize the impact on the entire system.
• You cannot use the. htaccess file by configuring the AllowOverride parameter to None. This ensures that the htaccess file is unavailable.
• The configuration mode (such as mod_python and mod_php) is used to use the security mode. This configuration can be performed wherever necessary, but this may not be necessary in the new version.
• Lock the file system so that only the root user can rewrite the Apache binary file. This will prevent the httpd binary file from being replaced by a malicious version.
Monitor Apache attacks
Even if protection measures are deployed to protect the Apache server, enterprises must be vigilant against attackers using other methods ". To prevent attackers from sneaking in, enterprises must closely monitor their logs to track signs of attacks. Enable a certain level of logging, and record the system-level HTTPd and internal web Background programs. You can simply create a bash or Python script to search for specific content in the log, or use the built-in syslogd command to remind the administrator of potential errors or attacks. Effective monitoring and alerting require enterprises to understand the content they provide. Some content (for example, using LDAP for Identity Authentication) may cause less dynamic web servers to generate alerts. If your server tries to use LDAP, and the web application is designed to use local authentication, this may cause an alarm. Disabling mod_php may allow enterprises to exclude this type of attack alert, so that real alerts can play a role. For web servers facing high-risk attacks, enable mod_log_forensic to obtain a deeper view of client requests.
If mod_security is enabled, all systems will benefit, but high-risk web servers will benefit the most. This module also allows enterprises to use various tools to detect and prevent attacks. You can also integrate it into the existing enterprise security mode through IPS, IDS, NIDS, and SIEM systems. Mod_security can also be used as a web application firewall. When used for a web application that may not have the best input filtering, it plays a very huge role.
Be vigilant
By developing these basic measures, enterprises can ensure the security of Apache HTTP servers and provide content at the lowest risk. One of the most important parts of an operating security system is to keep track of the latest security risks and software versions. In addition, active monitoring can effectively protect the security of your Apache instance.