Apache Secure Web Server
Threats to a web server
Main hazards/threats to a web server are:
- Denial of service
- Unauthorized access
- Arbitrary code execution
- Elevation of privileges
- Trojan horses
- Profiling is an exploratory process used by the attacker to collect information about a web site.
- An attacker uses this information to find the weak points of the web site.
Common attacks used for profiling include:
1. Port scans
2. Ping sweeps
3. NetBIOS and server message block (SMB) enumeration
2. Denial of Service
- This attack occurs when your server is overloaded by service requests.
- The hazard is that your web server becomes too busy to respond to legitimate client requests.
Common Denial of Service attacks include:
1. Network-level SYN floods
2. Buffer overflows
3. Flooding the Web server with requests from distributed locations
3. Unauthorized access
- It occurs when a user without the right permissions gains access to restricted information.
4. Arbitrary code execution
- This attack occurs when an attacker runs malicious code on the server.
- Code execution attacks either compromise the server's resources or are used to mount additional attacks against the subsystems.
Common code execution attacks include:
1. Path traversal
2. Buffer overflow leading to code injection
- These programs are designed to perform malicious acts.
- They cause disruption to the operating system and applications.
7. Trojan horses
- These programs are self-replicating and self-sustaining.
- These programs appear to be useful but damage the applications.
Editing ssl.conf configuration file
The ssl.conf file or ssl-httpd.conf file holds security related directives.
Steps to edit and configure ssl.conf file
- Open ssl.conf file using a text editor.
Default location of this file:
a) Linux - /usr/local/apache/etc
b) Windows - C:\Program Files\Apache Software Foundation\Apache2.2\conf\extra
- Create a backup of the ssl.conf file by copying it and saving the copy as ssl.confold.
- Open the file and remove the '#' sign from the start of the following lines:
SSLCertificateFile /<path to>/<your_SSL_Certificate>.crt
SSLCertificateKeyFile /<path to>/<*.key file created with CSR>.key
SSLCertificateChainFile /<path to>/qvsslica.crt
SSLCACertificateFile /<path to>/qvrca2.crt
- Save ssl.conf file after making the changes.
- Locate the httpd.conf file and open it using a text editor such as Notepad or vi.
- Create a backup of the httpd.conf file by copying it and saving the copy as httpd.confold.
- In the httpd.conf file, insert the following line anywhere:
Include conf/extra/ssl.conf
- Save httpd.conf file.
- Restart Apache Service.
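The check below is an added example, not part of the original page or of the Apache project: a shell function that audits the two files after the steps above. It assumes the certificate directive is Apache's SSLCertificateFile and that ssl.conf is pulled into httpd.conf with an Include line; the private-key permission check goes beyond the steps listed.

```shell
#!/bin/sh
# Added example: audit ssl.conf and httpd.conf after the edits described above.
# The paths passed in are the reader's own files.

# Print the argument of an active (uncommented) directive, or nothing.
active_value() {   # $1 = directive name, $2 = config file
    awk -v d="$1" 'tolower($1) == tolower(d) { v = $2; gsub(/"/, "", v); print v; exit }' "$2"
}

# Return 0 when both files match the procedure, 1 otherwise.
check_ssl_setup() {   # $1 = ssl.conf, $2 = httpd.conf
    ssl_conf=$1 httpd_conf=$2 rc=0
    for d in SSLCertificateFile SSLCertificateKeyFile \
             SSLCertificateChainFile SSLCACertificateFile; do
        if [ -z "$(active_value "$d" "$ssl_conf")" ]; then
            echo "FAIL: $d is missing or still commented out in $ssl_conf"
            rc=1
        fi
    done
    # httpd.conf must pull ssl.conf in with an active Include line.
    if ! grep -Eiq '^[[:space:]]*Include[[:space:]]+.*ssl\.conf[[:space:]]*$' "$httpd_conf"; then
        echo "FAIL: no active Include of ssl.conf in $httpd_conf"
        rc=1
    fi
    # Extra check, not in the steps: the private key should be owner-only.
    key=$(active_value SSLCertificateKeyFile "$ssl_conf")
    if [ -n "$key" ] && [ -f "$key" ]; then
        perms=$(ls -l "$key" | cut -c5-10)   # group and other permission bits
        if [ "$perms" != "------" ]; then
            echo "FAIL: $key is accessible to group/other ($perms)"
            rc=1
        fi
    fi
    return $rc
}
```

Run check_ssl_setup with the paths to ssl.conf and httpd.conf after saving both files and before restarting Apache; a non-zero exit status means at least one step was missed.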