Apache

From TBP Wiki
Jump to: navigation, search

Apache The Apache HTTP Server, colloquially called Apache (/əˈpætʃi/ ə-PATCH-ee), is free and open-source cross-platform web server software, released under the terms of Apache License 2.0. Apache is developed and maintained by an open community of developers under the auspices of the Apache Software Foundation.

The vast majority of Apache HTTP Server instances run on a Linux distribution,[5] but current versions also run on Windows and OS/2, and a wide variety of Unix-like systems. Past versions also ran on OpenVMS, NetWare and other operating systems.

Originally based on the NCSA HTTPd server, development of Apache began in early 1995 after work on the NCSA code stalled. Apache played a key role in the initial growth of the World Wide Web, quickly overtaking NCSA HTTPd as the dominant HTTP server, and has remained most popular since April 1996. In 2009, it became the first web server software to serve more than 100 million websites. As of August 2018, it was estimated to serve 39% of all active websites and 35% of the top million websites.

Tools and Scripts

Apache error log location

  • /usr/local/apache/logs/error_log

Website under attack

This counts the number of ModSecurity hits in the Apache log

  • sudo cat /usr/local/apache/logs/error_log | grep -i "modsec" | awk '{print $10}' | sort | uniq -c | sort -n

See who is accessing what in Apache

  • sudo cat /usr/local/apache/logs/access_log |awk '{print $1" "$7}'|sort|uniq -c|sort -n -k1

Check for bot/cron/ajax traffic

  • for i in $(ls /usr/local/apache/domlogs/`whoami`/*{,-ssl_log});do for j in 'bot' 'cron' 'ajax';do printf '%s => %s => %s\n' "$(grep -E ${j} ${i}|wc -l)" "${j}" "${i}"|grep -E '^[1-9][^ ]{2}+';done;done

Headers Security

Here are some good mods for the .conf file within the headers for Apache:

Be aware that https has to be forced for HSTS to work.

   Header always edit Set-Cookie (.*) "$1;HttpOnly;Secure"
   <IfModule headers_module>
   RequestHeader set X-HTTPS 1
   Header set Referrer-Policy "no-referrer-when-downgrade"
   </IfModule>
   Header always set Feature-Policy "microphone 'none'; payment 'none'; sync-xhr 'self' https://mysiteURL.com"
   <IfModule mod_headers.c>
   	Header set X-XSS-Protection "1; mode=block"
   </IfModule>
   <IfModule mod_headers.c>
   	Header set X-Content-Type-Options nosniff
   </IfModule>
   <IfModule mod_headers.c>
   	Header set X-XSS-Protection "1; mode=block"
   	Header always append X-Frame-Options SAMEORIGIN
   	Header set X-Content-Type-Options nosniff
   </IfModule>
   <IfModule mod_headers.c>
   Header set Strict-Transport-Security "max-age=10886400; includeSubDomains; preload"
   </IfModule>
   <IfModule mod_headers.c>
       Header set Expect-CT enforce,max-age=2592000,report-uri="https://foo.example/report"
   </IfModule>
   Options -Indexes
   ServerSignature Off