ApacheSecurity r8 - 13 May 2007 - 16:57 - PeterLorenzen



Hardening the Apache HTTP Server

Apache comes with many pre-loaded modules that you probably won't need, for example mod_perl and mod_cgi. Remove these by deleting the corresponding LoadModule directives from the httpd.conf file. Pre-installed content and examples, such as the FastCGI examples, should also be removed.

It is an advantage to give away as little information as possible about the software you run. If you request a page that does not exist, Apache returns an HTTP 404 error page with information like this:

Oracle-Application-Server-10g/10.1.2.0.0 Oracle-HTTP-Server Server at apex.corp.net Port 7777

By default, this is also shown in the HTTP response header:

Server: Oracle-Application-Server-10g/10.1.2.0.0 Oracle-HTTP-Server.

To stop this information from being published, change these two directives in the httpd.conf file:

ServerSignature Off
ServerTokens Prod
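
A small audit script for the settings described above, added here as an example (it is not part of the original page or of Oracle's tooling). It assumes the module identifiers perl_module and cgi_module for mod_perl and mod_cgi, treats the file as flat (Include files and <VirtualHost> scoping are ignored), and runs against a constructed sample configuration.

```python
# Module identifiers assumed for the two modules the page names (mod_perl, mod_cgi).
UNWANTED_MODULES = {"perl_module", "cgi_module"}
# Values that satisfy the page's recommendation; compared case-insensitively.
REQUIRED = {"serversignature": {"off"}, "servertokens": {"prod", "productonly"}}

# Constructed sample input, not taken from a real server.
SAMPLE_CONF = """\
# constructed sample
LoadModule cgi_module libexec/mod_cgi.so
#LoadModule perl_module libexec/libperl.so
LoadModule rewrite_module libexec/mod_rewrite.so
ServerSignature On
ServerTokens Full
servertokens prod
"""


def audit_httpd_conf(text, unwanted=UNWANTED_MODULES):
    """Return a list of findings for the text of one httpd.conf file."""
    seen = {}       # directive name -> (last value, line number)
    findings = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # a commented-out LoadModule is inert, so skip it
        parts = line.split()
        name = parts[0].lower()  # directive names are case-insensitive
        if name == "loadmodule" and len(parts) >= 2 and parts[1] in unwanted:
            findings.append(f"line {lineno}: {parts[1]} is still loaded")
        elif name in REQUIRED and len(parts) >= 2:
            seen[name] = (parts[1], lineno)  # a later line overrides an earlier one
    for name, accepted in REQUIRED.items():
        if name not in seen:
            # Absent directive: the effective value depends on the build's default.
            findings.append(f"{name}: not set, build default applies")
        elif seen[name][0].lower() not in accepted:
            value, lineno = seen[name]
            findings.append(f"line {lineno}: {name} is {value}")
    return findings


if __name__ == "__main__":
    for finding in audit_httpd_conf(SAMPLE_CONF):
        print(finding)
```
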

For a comprehensive checklist of things to harden, read these:

They both cover the Oracle Application Server, so they contain information that is not relevant if you use the OHS from the database Companion CD, but they are still very informative.


Author: PeterLorenzen - 27 Apr 2007
