Ubuntu 9.04: Increasing Apache Security – Part 1

by Mike on April 22, 2009 · 1 comment

in Ubuntu Servers

Apache security matters to everyone who runs a web server on the Internet.  This article uses Ubuntu, but the module choices apply to any distribution.

Installation Options
You have two options during installation: build from source or install a binary package from the repository.  One reason many people choose Ubuntu 9.04 Jaunty Jackalope for a server is the easy web server install.  No problem: this article shows which modules you may want to unload to save RAM and remove some attack surface, even if you install from the Ubuntu repository.

Install Binary from Repository
This makes it fast and easy to install and upgrade.  However, the version, the compile-time options and how quickly security patches are delivered are all up to the distro maintainers.  Keep in mind that Ubuntu backports security fixes without changing the upstream version number, so the version string alone does not tell you which fixes are in; the package changelog under /usr/share/doc/apache2.2-common does.

Ubuntu 9.04 ships Apache 2.2.11, the current stable release at the time of writing.
apache2 -v
Server version: Apache/2.2.11 (Ubuntu)
Server built:   Apr  1 2009 16:03:38


Install from Source
The biggest advantage is that you can make all of the decisions.  You decide upon the compile-time options and the modules.  This allows you to save resources by limiting modules and securing apache by choosing more secure options.

The major disadvantage is the time it takes to make these decisions and to carry them out.  You also need to plan for upgrades: a source build gets no automatic updates from the distro, so every security release means doing the whole build again.  Document the options you chose so the next build is easier, or so someone else can repeat it.

Download the source from apache.org.

Verify the file you downloaded.  The site publishes an MD5 sum for each release:
3e98bcb14a7122c274d62419566431bb  httpd-2.2.11.tar.bz2
Compute the sum of your copy and compare:
md5sum httpd-2.2.11.tar.bz2
3e98bcb14a7122c274d62419566431bb  httpd-2.2.11.tar.bz2

A matching sum only proves the download was not corrupted; a sum fetched from the same mirror as the tarball is no defence against a tampered mirror.  Apache also publishes a detached PGP signature (httpd-2.2.11.tar.bz2.asc) and the release signing keys (the KEYS file) on apache.org; verify the signature with gpg against those keys before you build.

Unpack the source in a directory you own, so the configure and make steps run unprivileged; only make install needs root.

tar xjf httpd-2.2.11.tar.bz2

Move into the directory created.
cd httpd-2.2.11

./configure --prefix=/usr/local/apache

make
sudo make install

sudo /usr/local/apache/bin/apachectl start

Now verify it is listening, using netstat.  Apache listens on TCP, so list the TCP listening sockets together with the process that owns them:
sudo netstat -tlnp

Which modules does a plain ./configure build in?  The configure output lists each module and whether it is enabled.  This basic default set will probably not be exactly what you need, but it is important to start small and add only what you use.

checking whether to enable mod_http… yes
checking whether to enable mod_mime… yes (default)
checking for extra modules… none
checking whether to enable mod_dav… no
adding "-I$(top_srcdir)/modules/dav/main" to INCLUDES
checking whether to enable mod_status… yes (default)
checking whether to enable mod_autoindex… yes (default)
checking whether to enable mod_asis… yes (default)
checking whether to enable mod_info… no
checking whether to enable mod_suexec… no
checking whether to enable mod_cgi… yes (default)
checking whether to enable mod_cgid… no
checking whether to enable mod_dav_fs… no
checking whether to enable mod_dav_lock… no
checking whether to enable mod_vhost_alias… no
checking whether to enable mod_negotiation… yes (default)
checking whether to enable mod_dir… yes (default)
checking whether to enable mod_imagemap… no
checking whether to enable mod_actions… yes (default)
checking whether to enable mod_speling… no
checking whether to enable mod_userdir… yes (default)
checking whether to enable mod_alias… yes (default)
checking whether to enable mod_rewrite… no

Choosing a Static Binary or Dynamic Modules
On the security side, a single static binary without DSO support gives an intruder no LoadModule hook to drop a pre-compiled backdoor module into the server; they would have to replace or recompile the whole Apache binary.  Keep the benefit in perspective: anyone with enough access to edit the configuration as root can also replace the binary, so the static build raises the bar only slightly and is no substitute for checking the integrity of the httpd binary and its modules.  The disadvantage of the static binary is that you need to reconfigure and recompile every time a module changes.  Finally, because a static build cannot share library code with other programs, it may use somewhat more RAM.

The modules can be compiled statically into the binary or compiled as Dynamic Shared Objects (DSO).  DSO modules can be built along with the server or added later using apxs.  To use DSO support you need to compile mod_so into the binary.

The advantages of compiling in mod_so are significant.  Once it is in the binary you add or drop modules with the LoadModule directive: in httpd.conf on CentOS, and on Ubuntu/Debian in the per-module .load files under /etc/apache2/mods-available, which apache2.conf pulls in through the mods-enabled links.  The flip side is that every LoadModule line is something to audit: only load modules you recognise and actually need.

Every build also contains exactly one Multi-Processing Module (MPM), which decides how Apache handles connections.  On Linux the two common choices in 2.2 are prefork and worker.  The standard is the prefork MPM, which creates child processes that each handle one connection at a time.  Prefork is the default because it works well with one or two CPUs and it is the safe choice for modules that are not thread-safe (many PHP extensions, for example): a misbehaving module takes down only the one child process serving that request.  The cost is memory, roughly 12-15 MB of RAM per child process.

The worker MPM is the other option.  Each child process runs multiple threads and each thread handles a single connection.  Worker is faster, scales better and has a smaller memory footprint, and it makes better use of multiple CPUs.  The disadvantage is that a faulty module can crash a thread, which takes the whole child process and every connection it was serving down with it, so stability with third-party modules may be an issue.

Choosing Modules
There are several reasons to reduce the number of modules.  First, fewer modules means less resource usage, especially RAM.  Second, you remove the attack surface of modules that may create security risks, and fewer modules means fewer patches to track.

Modules to Consider Removing Based on Security
mod_userdir
Maps http://host/~user/ to a directory in each user's home, so any local account can publish content, and the URL pattern confirms which usernames exist.
mod_asis
Serves designated file types "as is": the file supplies its own HTTP headers, which the server sends unchecked.
mod_autoindex
Generates a directory listing when a directory has no index file, exposing every file in it (backups, configs, uploads).
mod_include
Enables server-side includes (SSI); with the exec element an SSI page can run commands on the server.
mod_cgi
Runs CGI scripts.
mod_info
Serves the full running configuration at /server-info.
mod_status
Serves real-time server status at /server-status, including (with ExtendedStatus) the URLs and client addresses of requests in flight.

Modules to Consider Adding Based on Features
mod_setenvif
You will be able to set environmental variables based on requests.
mod_rewrite
This is an important module for rewriting incoming requests and is used often with programs like Joomla or WordPress.
mod_headers
This module will allow you to change request and response headers.
mod_ssl
This module allows you to use SSL for secure communication.

Make your decisions and then recompile with the modules you want to add or subtract.
(In 2.2 the image-map module is mod_imagemap, and it is off by default, as the configure output above shows; the old mod_imap name belongs to Apache 2.0.)
./configure \
    --prefix=/usr/local/apache \
    --enable-rewrite \
    --enable-so \
    --disable-imagemap \
    --disable-userdir \
    --disable-cgi

Once the build finishes, review which modules were compiled into the binary.  Note that this flag set still leaves mod_include, mod_status, mod_autoindex and mod_asis in the server, all of which are on the list of modules to consider removing; add --disable-include, --disable-status, --disable-autoindex and --disable-asis if you do not need them.

# /usr/local/apache/bin/httpd -l
Compiled in modules:
core.c
mod_authn_file.c
mod_authn_default.c
mod_authz_host.c
mod_authz_groupfile.c
mod_authz_user.c
mod_authz_default.c
mod_auth_basic.c
mod_include.c
mod_filter.c
mod_log_config.c
mod_env.c
mod_setenvif.c
prefork.c
http_core.c
mod_mime.c
mod_status.c
mod_autoindex.c
mod_asis.c
mod_negotiation.c
mod_dir.c
mod_actions.c
mod_alias.c
mod_rewrite.c
mod_so.c
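The download verification and the configure choices above, as an added example script (not from the original post or from the Apache project): it checks the MD5 sum, verifies the detached PGP signature against the KEYS file, unpacks and builds the source as an unprivileged user with the module choices from the lists above (mod_so, rewrite, headers and ssl kept; userdir, asis, autoindex, include, cgi, status and info left out), and uses sudo only for make install.  The file names httpd-2.2.11.tar.bz2.asc and KEYS sitting next to the tarball, and the function names, are assumptions; mod_ssl additionally needs the OpenSSL development headers (libssl-dev on Ubuntu).

```sh
#!/bin/sh
# Added example, not from the original post or the Apache project.
# Assumptions: httpd-X.Y.Z.tar.bz2.asc and the KEYS file from apache.org sit
# next to the tarball; the prefix defaults to /usr/local/apache as in the post.
set -u

# verify_tarball FILE EXPECTED_MD5 [SIGNATURE KEYS]
# Returns 0 only if the MD5 matches and, when SIGNATURE is given, gpg accepts
# it using the keys in KEYS.
verify_tarball() {
    file=$1; expected=$2; sig=${3:-}; keys=${4:-}
    actual=$(md5sum "$file" | awk '{ print $1 }')
    if [ "$actual" != "$expected" ]; then
        echo "MD5 mismatch for $file: got $actual, expected $expected" >&2
        return 1
    fi
    # An MD5 sum from the same mirror as the tarball only catches a corrupt
    # download; the PGP signature is what ties the file to a release key.
    if [ -n "$sig" ]; then
        if ! command -v gpg >/dev/null 2>&1; then
            echo "gpg is not installed; cannot verify $sig" >&2
            return 1
        fi
        # Throw-away keyring so KEYS does not pollute the user's own keyring.
        gnupghome=$(mktemp -d)
        if GNUPGHOME=$gnupghome gpg --quiet --import "$keys" 2>/dev/null &&
           GNUPGHOME=$gnupghome gpg --verify "$sig" "$file" 2>/dev/null; then
            rm -rf "$gnupghome"
        else
            rm -rf "$gnupghome"
            echo "PGP signature check failed for $file" >&2
            return 1
        fi
        # gpg exits 0 for a good signature by any imported key, so this only
        # proves the tarball matches KEYS; fetch KEYS over https from apache.org.
    fi
    return 0
}

# configure_flags PREFIX: the configure options matching the lists above.
# mod_so for DSO support; rewrite, headers and ssl added; the modules flagged
# as risks (userdir, asis, autoindex, include, cgi, status, info) left out.
# mod_setenvif is already on by default. --enable-ssl needs the OpenSSL headers.
configure_flags() {
    echo "--prefix=$1 --enable-so --enable-rewrite --enable-headers --enable-ssl" \
         "--disable-userdir --disable-asis --disable-autoindex --disable-include" \
         "--disable-cgi --disable-status --disable-info"
}

# build_httpd TARBALL EXPECTED_MD5 [PREFIX]
# Verifies, unpacks and builds as the current user; only make install uses sudo.
build_httpd() {
    tarball=$1; expected=$2; prefix=${3:-/usr/local/apache}
    verify_tarball "$tarball" "$expected" "$tarball.asc" KEYS || return 1
    srcdir=$(basename "$tarball" .tar.bz2)
    tar xjf "$tarball" || return 1
    (cd "$srcdir" && ./configure $(configure_flags "$prefix") && make) || return 1
    sudo make -C "$srcdir" install
}

if [ "${1:-}" = build ]; then
    build_httpd "${2:?tarball}" "${3:?expected md5}" "${4:-/usr/local/apache}"
fi
```

Run it from the directory holding the tarball, its .asc and KEYS as `sh build_httpd.sh build httpd-2.2.11.tar.bz2 3e98bcb14a7122c274d62419566431bb`; a wrong sum or a bad signature stops the script before anything is unpacked.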

Loading and Unloading Modules with the Default Ubuntu Apache

Under the official Apache way of doing business, there is only one configuration file.  You use it to set the global web server options, to determine which modules are loaded, and to configure each individual website the server hosts.

The Debian/Ubuntu developers have broken the typical httpd.conf file up into several files.  Global server settings are configured in the “/etc/apache2/apache2.conf” file.  Website configuration files are placed in the “/etc/apache2/sites-available” directory.  Port configuration is in the “/etc/apache2/ports.conf” file.  And module “load” files are in the “/etc/apache2/mods-available” directory.  For any website or module that is actually enabled, a link is placed in either the “/etc/apache2/sites-enabled” directory or the “/etc/apache2/mods-enabled” directory.  All of these configuration files are tied together by the core Include directive (not by mod_include, which handles server-side includes in HTML pages and can be disabled without affecting this layout).

To illustrate this take a look at selected portions of the apache2.conf file.

# Include module configuration:
Include /etc/apache2/mods-enabled/*.load
Include /etc/apache2/mods-enabled/*.conf

# Include all the user configurations:
Include /etc/apache2/httpd.conf

# Include ports listing
Include /etc/apache2/ports.conf

# Include generic snippets of statements
Include /etc/apache2/conf.d/

. . .
. . .

# Include the virtual host configurations:
Include /etc/apache2/sites-enabled/

Security Issues with mod_status
With the mod_status module, you can easily configure Apache so that you can check on the status of your webserver.  The mod_status module is already enabled, and the proper lines are already in the apache2.conf file.   (These lines are easy to find.  They’re all the way down toward the bottom of the file.)

#<IfModule mod_status.c>
#
# Allow server status reports generated by mod_status,
# with the URL of http://servername/server-status
# Change the “.example.com” to match your domain to enable.
#
#<Location /server-status>
#    SetHandler server-status
#    Order deny,allow
#    Deny from all
#    Allow from .example.com
#</Location>
#</IfModule>

All you have to do is uncomment these lines, change the “Allow from” line. . .

<IfModule mod_status.c>
#
# Allow server status reports generated by mod_status,
# with the URL of http://servername/server-status
# Change the “.example.com” to match your domain to enable.
#
<Location /server-status>
SetHandler server-status
Order deny,allow
Deny from all
Allow from 192.168.5.10
</Location>
</IfModule>

. . . and reload.

sudo /etc/init.d/apache2 force-reload
* Forcing reload of web server (apache2)…
[ OK ]

Assuming that the IP address on your desktop computer is 192.168.5.10, you can go to it and check on the status of your Apache webserver.  All you have to do is to append “server-status” at the end of the homepage URL.

If you add the “ExtendedStatus on” option, you'll see more information on your status page, including the client address and the URL of every request in flight, so keep the access list tight.  ExtendedStatus is only valid in the server-wide configuration, so it goes outside the <Location> stanza:

<IfModule mod_status.c>
ExtendedStatus on
#
# Allow server status reports generated by mod_status,
# with the URL of http://servername/server-status
# Change the “.example.com” to match your domain to enable.
#
<Location /server-status>
SetHandler server-status
Order deny,allow
Deny from all
Allow from 192.168.5.10
</Location>
</IfModule>

Security Issues with mod_info
You can use the mod_info module to obtain configuration information about your webserver.  Look for this stanza toward the bottom of your apache2.conf file:

#<IfModule mod_info.c>
#
# Allow remote server configuration reports, with the URL of
#  http://servername/server-info (requires that mod_info.c be loaded).
# Change the “.example.com” to match your domain to enable.
#
#<Location /server-info>
#    SetHandler server-info
#    Order deny,allow
#    Deny from all
#    Allow from .example.com
#</Location>
#</IfModule>

Uncomment the lines and change the “Allow from” line.

<IfModule mod_info.c>
#
# Allow remote server configuration reports, with the URL of
#  http://servername/server-info (requires that mod_info.c be loaded).
# Change the “.example.com” to match your domain to enable.
#
<Location /server-info>
SetHandler server-info
Order deny,allow
Deny from all
Allow from 192.168.0.6
</Location>
</IfModule>

Unlike the mod_status module, this module isn’t enabled with a default installation of Apache.  So, you’ll need to enable it.

sudo a2enmod info
Module info installed; run /etc/init.d/apache2 force-reload to enable.

. . .and reload.

sudo /etc/init.d/apache2 force-reload
* Forcing reload of web server (apache2)…
[ OK ]

From the workstation that you authorized in the “Allow from” directive, you can just append “server-info” to the end of the homepage URL.

Adding and Removing Modules

If you read the official Apache documentation, you’ll see that the official way to load modules is to place “load” statements into the main Apache configuration file.  However, the Ubuntu developers–well, actually, it was the Debian developers before them–came up with a way to configure what modules are to be loaded without having to muck around with configuration files.  The Debian/Ubuntu way also gives the webserver administrator a way to see at a glance what Apache modules are ready for use.  Here’s how it all works.

If you look in the “/etc/apache2” directory, you’ll see the directories “mods-available” and “mods-enabled”.  In the “mods-available” directory, you’ll see:

actions.load          autoindex.load     ext_filter.load      proxy.conf
alias.load            cache.load         file_cache.load      proxy_connect.load
asis.load             cern_meta.load     filter.load          proxy_ftp.load
auth_anon.load        cgid.conf          headers.load         proxy_http.load
auth_basic.load       cgid.load          ident.load           proxy.load
auth_dbm.load         cgi.load           imagemap.load        rewrite.load
auth_digest.load      charset_lite.load  imap.load            setenvif.load
auth_ldap.load        dav_fs.conf        include.load         sick-hack-to-update-modules
authn_alias.load      dav_fs.load        info.load            speling.load
authn_anon.load       dav.load           ldap.load            ssl.conf
authn_dbd.load        dav_lock.load      log_forensic.load    ssl.load
authn_dbm.load        dbd.load           mem_cache.conf       status.load
authn_default.load    deflate.conf       mem_cache.load       suexec.load
authn_file.load       deflate.load       mime.load            unique_id.load
authnz_ldap.load      dir.conf           mime_magic.conf      userdir.conf
authz_dbm.load        dir.load           mime_magic.load      userdir.load
authz_default.load    disk_cache.conf    negotiation.load     usertrack.load
authz_groupfile.load  disk_cache.load    php5.conf            version.load
authz_host.load       dump_io.load       php5.load            vhost_alias.load
authz_owner.load      env.load           proxy_ajp.load
authz_user.load       expires.load       proxy_balancer.load

Each “.load” file holds the LoadModule directive for one module, and the “.conf” files, where present, hold that module's default settings.  Not every module with a file here is loaded, though; it first has to be “enabled”.

cd to the “/etc/apache2/mods-enabled” directory.  There, you’ll see these files:

alias.load          authz_groupfile.load  cgi.load  mime.load         setenvif.load
auth_basic.load     authz_host.load       dir.conf  negotiation.load  status.load
authn_file.load     authz_user.load       dir.load  php5.conf         userdir.conf
authz_default.load  autoindex.load        env.load  php5.load         userdir.load

This listing represents the “enabled” modules, the ones that can be loaded into your running session of Apache.  Do an “ls -l” command, and you’ll see that these aren’t files, but rather links to the load-script files in the “mods-available” directory.

total 0
lrwxrwxrwx 1 root root 28 2007-04-29 14:04 alias.load -> ../mods-available/alias.load
lrwxrwxrwx 1 root root 33 2007-04-29 14:04 auth_basic.load -> ../mods-available/auth_basic.load
lrwxrwxrwx 1 root root 33 2007-04-29 14:04 authn_file.load -> ../mods-available/authn_file.load
lrwxrwxrwx 1 root root 31 2007-05-01 19:26 auth_pam.load -> ../mods-available/auth_pam.load
. . .

To enable a module, use the “a2enmod” utility; to disable one, use “a2dismod”.  So, let’s say that you need to load the “mod_log_forensic” module.  Instead of hand-editing Apache’s configuration files, enter (from any directory):

sudo a2enmod log_forensic
Password:
Module log_forensic installed; run /etc/init.d/apache2 force-reload to enable.

Note that you don’t have to enter the “.load” file extension with this command.  Now, when you look in the “mods-enabled” directory, you’ll see a link to this load-script file that wasn’t there before:

ls -l log*
lrwxrwxrwx 1 root root 35 2007-05-02 12:45 log_forensic.load -> ../mods-available/log_forensic.load

Also, note the message that a2enmod prints: enabling a module only creates the link, and Apache has to be reloaded before it loads the module.  Ubuntu does ship a control script, but it is named “apache2ctl” (/usr/sbin/apache2ctl) rather than the upstream “apachectl”, and the init script is the usual way to reload.  Run a syntax check first with “apache2ctl configtest” (or “apache2 -t”), because a reload with a broken configuration can leave you with a server that will not start.  Then, to reload Apache so that it picks up the newly-enabled module, enter:

sudo /etc/init.d/apache2 force-reload
Password:
* Forcing reload of web server (apache2)… apache2:
[ OK ]

Now, in order to use the module, you’ll need to add directives to one or more configuration files.  If it’s something that’s meant to affect operation of the entire server, you can add them to the main Apache configuration file.  If it’s something that’s only to affect a certain website, then add the directives to the configuration file for that site.  (Actually, you should do this before you perform the “force-reload” operation.)

Now, let’s say that you no longer need a certain module, and you no longer want to waste the memory to keep it loaded.  To get rid of it, enter:

sudo a2dismod log_forensic
Module log_forensic disabled; run /etc/init.d/apache2 force-reload to fully disable.

Again, perform a “force-reload” to complete the operation.
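An added audit script (not from the original post) that ties together the module list above and the server-status/server-info stanzas: it reports which of the modules flagged as risks have a .load link in mods-enabled, and flags any active <Location /server-status> or <Location /server-info> block whose Allow from is still the .example.com placeholder or is all (the Order/Deny/Allow syntax of Apache 2.2, as used on this page).  It assumes the Debian/Ubuntu layout described above and reads only the config file path it is given (it does not follow Include); the function names are assumptions.

```sh
#!/bin/sh
# Added example, not from the original post. Audits a Debian/Ubuntu-style
# Apache tree: which of the modules flagged above are enabled, and whether a
# server-status or server-info stanza is still open. Assumes the layout
# described above (CONFDIR/mods-enabled/NAME.load links, stanzas in
# CONFDIR/apache2.conf); it reads only that one file and does not follow
# Include directives.
set -u

# Modules the post lists as worth removing, in the order they are reported.
RISKY_MODULES="userdir asis autoindex include cgi cgid info status"

# enabled_risky_modules CONFDIR: prints one enabled risky module per line.
enabled_risky_modules() {
    for m in $RISKY_MODULES; do
        # a2enmod creates mods-enabled/NAME.load as a symlink; -e follows it.
        if [ -e "$1/mods-enabled/$m.load" ]; then
            echo "$m"
        fi
    done
}

# exposed_handlers CONFFILE: prints "LOCATION: Allow from VALUE" for every
# active (un-commented) <Location /server-status> or <Location /server-info>
# stanza whose Allow line is "all" or still carries the .example.com
# placeholder. Commented-out stanzas start with '#' and never match.
exposed_handlers() {
    awk '
        /^[ \t]*<Location[ \t]+\/server-(status|info)>/ {
            loc = $2; sub(/>.*$/, "", loc); inblk = 1; allow = ""; next
        }
        inblk && /^[ \t]*Allow[ \t]+from[ \t]+/ {
            allow = $0
            sub(/^[ \t]*Allow[ \t]+from[ \t]+/, "", allow)
            sub(/[ \t]+$/, "", allow)
        }
        inblk && /^[ \t]*<\/Location>/ {
            if (allow == "all" || allow ~ /example\.com/)
                print loc ": Allow from " allow
            inblk = 0
        }
    ' "$1"
}

# audit_apache CONFDIR: prints the findings; exit status 1 if there are any.
audit_apache() {
    findings=$( {
        enabled_risky_modules "$1" | sed 's/^/enabled module: /'
        exposed_handlers "$1/apache2.conf" | sed 's/^/exposed handler: /'
    } )
    if [ -z "$findings" ]; then
        echo "no findings in $1"
        return 0
    fi
    printf '%s\n' "$findings"
    return 1
}

if [ -n "${1:-}" ]; then
    audit_apache "$1"
fi
```

Run it as `sh audit_apache.sh /etc/apache2`; a non-zero exit means something was found, which makes it easy to drop into a cron job or a post-install check after a2enmod or a libapache2-mod-* package install.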

Let’s look at a snippet from the “/etc/apache2/apache2.conf” file:

# prefork MPM
# StartServers: number of server processes to start
# MinSpareServers: minimum number of server processes which are kept spare
# MaxSpareServers: maximum number of server processes which are kept spare
# MaxClients: maximum number of server processes allowed to start
# MaxRequestsPerChild: maximum number of requests a server process serves
<IfModule mpm_prefork_module>
StartServers          5
MinSpareServers       5
MaxSpareServers      10
MaxClients          150
MaxRequestsPerChild   0
</IfModule>

# worker MPM
# StartServers: initial number of server processes to start
# MaxClients: maximum number of simultaneous client connections
# MinSpareThreads: minimum number of worker threads which are kept spare
# MaxSpareThreads: maximum number of worker threads which are kept spare
# ThreadsPerChild: constant number of worker threads in each server process
# MaxRequestsPerChild: maximum number of requests a server process serves
<IfModule mpm_worker_module>
StartServers          2
MaxClients          150
MinSpareThreads      25
MaxSpareThreads      75
ThreadsPerChild      25
MaxRequestsPerChild   0
</IfModule>

Here, we see that module directives can be invoked on a conditional basis.  In this example, one set of directives will be in effect if the “mpm_prefork_module” is enabled, and the other set will be in effect if the “mpm_worker_module” is enabled.

You can also use an exclamation point to invoke directives if a module isn’t enabled.

<IfModule !mpm_netware.c>
LockFile /var/lock/apache2/accept.lock
</IfModule>

Here, we have a directive that’s in effect only if the “mpm_netware.c” module isn’t enabled.

When you install an Apache module from the Ubuntu repositories (the libapache2-mod-* packages), the package drops its “.load” file into the “/etc/apache2/mods-available” directory and normally enables it as well, so check “mods-enabled” after installing one rather than assuming it is off.

There are several enabled modules that don’t show up in the “mods-available” directory.  That’s because they’re compiled in with the Apache executable.  These modules provide basic webserver functionality that is needed on every installation of Apache.

You can use the “apache2 -l” command to see which modules are compiled into your installation of Apache.

apache2 -l
Compiled in modules:
core.c
mod_log_config.c
mod_logio.c
prefork.c
http_core.c
mod_so.c

The “core” module has its own section in the Apache documentation.  If you print it out, expect about 44 pages of output on standard letter-size paper.  There are “core” directives for both server and website configuration.

{ 1 comment }

sv October 23, 2009 at 11:25 am

Excellent doc for beginners. Adding the following will make this complete -

You can install Apache2 modules using the apt-get command. For example, to install the Apache2 module for MYSQL authentication, you can run the following command from a terminal prompt:

sudo apt-get install libapache2-mod-auth-mysql
