Information Technology Grimoire

Version .0.0.1

IT Notes from various projects because I forget, and hopefully they help you too.

Apache Security

Security + Headers

These notes are for Apache 2.4 on Debian (the apache2 package). Directive syntax changed between 2.2 and 2.4, and the file paths below are Debian's, so adjust both on other distributions.

sudo vim /etc/apache2/apache2.conf

Cache Control

Only static assets belong in this match. Do not add HTML or anything served behind a login, because "public" tells shared caches they may store and serve it to other clients. The dot before the extension group must be escaped; an unescaped . matches any character. Any Header directive needs mod_headers (sudo a2enmod headers).

<FilesMatch "\.(ico|pdf|flv|jpg|jpeg|png|gif|js|css|swf)$">
    Header set Cache-Control "max-age=3600, public"
</FilesMatch>

Headers

These apply to every request (the <Directory /> scope covers the whole filesystem), with one host excluded from HSTS. Points worth knowing before copying this:

  • X-XSS-Protection is a legacy header; current browsers have dropped the XSS auditor it controlled, so it does nothing useful and the Content-Security-Policy is what actually limits script injection.
  • script-src * in the CSP lets a page load scripts from any origin, so an injected <script src=...> pointing at an attacker's host still runs. What this policy does block is inline script and data: script URLs. Narrow script-src to 'self' plus the exact hosts you load from once the site's dependencies are known.
  • The HSTS exclusion only stops that one host from sending the header. If the parent domain has already sent includeSubDomains to a browser, that browser forces HTTPS on the excluded host anyway.
  • The SetEnvIf regex is anchored so only that exact host (with or without a port) matches.

<IfModule mod_headers.c>
    <Directory />
        # These headers will be set for all domains
        Header always set X-XSS-Protection "1; mode=block"
        Header always set X-Frame-Options "SAMEORIGIN"
        Header always set X-Content-Type-Options "nosniff"
        # script-src * is permissive, see the note above
        Header always set Content-Security-Policy "default-src 'self'; font-src *; img-src * data:; script-src *; style-src *;"
        Header always set Referrer-Policy "strict-origin"

        # This will exclude grimoire.jamesfraze.com from the HSTS header
        SetEnvIf Host "^grimoire\.jamesfraze\.com(:[0-9]+)?$" exclude_hsts
        Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains" env=!exclude_hsts
    </Directory>
</IfModule>

Prevent File Access

Debian's default apache2.conf already denies .ht* so .htaccess and .htpasswd are never served. The second block widens that to every dotfile (.git, .env, .DS_Store and the like) and uses 2.4 syntax; Order/Deny only load in 2.4 when mod_access_compat is present. FilesMatch tests only the last path component, so it does not cover files inside a dot directory such as .git/config; a DirectoryMatch rule on "/\." is needed for that.

<FilesMatch "^\.ht">
 Require all denied
</FilesMatch>

# block direct access to any file starting with . (this also covers the .ht* rule above)
<FilesMatch "^\.">
  Require all denied
</FilesMatch>

Deny Directories by Default

Deny everything under the filesystem root and turn off auto-indexing, then open only the web root in the next block. AllowOverride None here means no .htaccess is honoured anywhere you have not explicitly allowed it. Debian's apache2.conf already ships a <Directory /> block with AllowOverride None and Require all denied; repeating it is harmless because directory sections merge, but check that nothing later re-opens /.

<Directory />
  Options -Indexes
  AllowOverride None
  Require all denied
</Directory>

Allow Specific Directories

The wildcard matches each site directory one level below /var/www/html. AllowOverride All is what WordPress and similar expect for their .htaccess rewrites, but it also means anyone who can write a file into the web root can change the server configuration for that directory, so keep the permissions section below tight. Options -Indexes is inherited from the / block. The 2.2 Order/Allow lines are dropped; Require all granted is the 2.4 equivalent.

<Directory /var/www/html/*>
  AllowOverride All
  Require all granted
</Directory>

ACL + Htdigest

Create the htdigest file first, outside the web root (/var/www is above DocumentRoot /var/www/html, so Apache never serves it). The realm given here, RESTRICTED, has to match the AuthName in the config or the entry will not verify. -c creates the file and truncates it if it already exists, so leave it off when adding more users.

sudo htdigest -c /var/www/.htdigest RESTRICTED james

The file stores MD5(user:realm:password) for each entry, and that value is all a client needs to answer a Digest challenge, so anyone who can read the file can log in without ever knowing a password. Make it readable by the web server only, and owned by root so a compromised web process cannot add users to it:

sudo chown root:www-data /var/www/.htdigest
sudo chmod 640 /var/www/.htdigest

The IP ACL and the digest login are separate protections; I use them together so a request has to come from an allowed address and carry valid credentials.

Enable the modules before they can be used. On a default Debian install most of these are already enabled and a2enmod just says so; auth_digest is the one that is normally missing. authz_host provides Require ip and authn_file provides AuthUserFile.

sudo a2enmod auth_digest
sudo a2enmod authz_core
sudo a2enmod authz_host
sudo a2enmod authn_core
sudo a2enmod authn_file
sudo systemctl restart apache2

Then combine the file with the ACL in /etc/apache2/apache2.conf or /etc/apache2/sites-available/somesite.conf. One 2.4 detail that is easy to get wrong: several Require lines in the same section are OR'ed together (an implicit <RequireAny>), so listing Require ip and Require valid-user side by side lets anyone from a listed address in with no password, and any valid user in from anywhere. To demand both, nest them in <RequireAll>. The addresses below are placeholders from the documentation range; replace them with your own, and note that behind a reverse proxy or CDN Require ip sees the proxy's address unless mod_remoteip is configured.

 <Location /wp-login.php>
  <RequireAll>
   # from one of the allowed addresses ...
   <RequireAny>
    Require ip 192.0.2.2
    Require ip 192.0.2.3
   </RequireAny>
   # ... AND with a valid digest login
   Require valid-user
  </RequireAll>

  # Here is the auth
  AuthType Digest
  AuthName "RESTRICTED"
  AuthUserFile /var/www/.htdigest
 </Location>

The 2.2 way was Order/Deny/Allow plus Require valid-user, which with 2.2's default Satisfy All meant both checks had to pass. Apache 2.4 only understands Order, Allow and Deny through mod_access_compat (enabled by default on Debian, which is why this still loads), and mixing them with Require in one section is documented as discouraged. Keep it only as a reference for translating old configs; Require ip inside a RequireAll block is the supported replacement.

 <Location /phpmyadmin>
  Order Deny,Allow
  Deny from all
  Allow from 192.0.2.2 192.0.2.3
  AuthType Digest
  AuthName "RESTRICTED"
  Require valid-user
  AuthUserFile /var/www/.htdigest
 </Location>

Silence Headers

Stop the Server header and error pages from advertising the version and OS. On Debian these two directives live in /etc/apache2/conf-available/security.conf, which is included near the end of apache2.conf, so a value set earlier in apache2.conf is overridden by the one there. Change them in security.conf.

ServerTokens Prod
ServerSignature Off

Test and Restart

Always syntax-check first; a restart with a broken config takes the site down, whereas the check costs nothing.

sudo apache2ctl -t
sudo systemctl restart apache2

Security Header Baseline

The scanner fetches the site over HTTPS from the internet, so port 443 has to be reachable by it. With UFW that looks like:

sudo ufw allow from any to any port 443 proto tcp
sudo ufw status numbered

Then run the scan:

https://securityheaders.com/?q=yoursite.com
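An offline companion to the scanner, added here as an example and not part of the original notes: it audits a saved response-header block against the baseline from the Headers section (missing headers, a wildcard or 'unsafe-inline' in script-src, a Server header still carrying a version). The sample headers inside the script are constructed to mirror the apache2.conf block above, with Referrer-Policy left out so the audit has something to report; pass a file captured with curl -sI to check a real site.

```shell
#!/bin/sh
# Added example, not part of the original notes. Offline audit of a saved
# response-header block against the header baseline on this page. Capture real
# headers with:  curl -sI https://yoursite.com/ > headers.txt   and pass the
# file as $1. With no argument it audits the constructed sample below, which
# mirrors the apache2.conf block above but omits Referrer-Policy on purpose.

# Headers the baseline expects on every HTTPS response (names lowercased).
REQUIRED="strict-transport-security x-frame-options x-content-type-options content-security-policy referrer-policy"

# Write the constructed sample headers (not a real capture) to the file in $1.
write_sample() {
  cat > "$1" <<'EOF'
HTTP/1.1 200 OK
Server: Apache
Strict-Transport-Security: max-age=31536000; includeSubDomains
X-Frame-Options: SAMEORIGIN
X-Content-Type-Options: nosniff
Content-Security-Policy: default-src 'self'; font-src *;img-src * data:; script-src *; style-src *;
Content-Type: text/html; charset=UTF-8
EOF
}

# Value of header $2 in file $1: first match, name and CR stripped.
header_value() {
  grep -i "^$2:" "$1" | head -n 1 | cut -d: -f2- | tr -d '\r' | sed 's/^ *//'
}

# One line per required header missing from the file.
missing_headers() {
  for h in $REQUIRED; do
    grep -qi "^$h:" "$1" || echo "$h"
  done
}

# Source list of CSP directive $2 (e.g. script-src); empty if the directive is unset.
csp_directive() {
  header_value "$1" content-security-policy | tr ';' '\n' | sed 's/^ *//' |
    awk -v d="$2" 'tolower($1) == d { $1 = ""; sub(/^ +/, ""); print; exit }'
}

# CSP weaknesses that matter for script injection: a bare * or 'unsafe-inline'
# in script-src, or in default-src (which script-src falls back to).
csp_findings() {
  csp=$(header_value "$1" content-security-policy)
  if [ -z "$csp" ]; then
    echo "no-csp"
    return 0
  fi
  for d in script-src default-src; do
    v=$(csp_directive "$1" "$d")
    case " $v " in *" * "*) echo "$d wildcard" ;; esac
    case " $v " in *" 'unsafe-inline' "*) echo "$d unsafe-inline" ;; esac
  done
}

# A Server header still carrying a version means ServerTokens is not Prod.
server_findings() {
  case "$(header_value "$1" server)" in
    *[0-9]*) echo "server-version-leak" ;;
  esac
}

# Full report: one finding per line, nothing when the file passes.
audit_headers() {
  missing_headers "$1" | sed 's/^/missing /'
  csp_findings "$1" | sed 's/^/csp /'
  server_findings "$1"
}

# Run on $1 if given, else on the constructed sample.
target=${1:-}
if [ -z "$target" ]; then
  target=$(mktemp)
  write_sample "$target"
fi
audit_headers "$target"
```

On the sample this prints "missing referrer-policy" and "csp script-src wildcard", which is the same verdict the online scanner gives for the CSP on this page. The CSP parser is deliberately simple (split on semicolons, first token is the directive name); it is enough for the two directives that decide whether injected script runs.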

Permissions

Over time, and even during setup, permissions tend to get relaxed. This reset is the baseline: directories 755, files 644, everything owned by www-data. Owner www-data means the Apache process can write anywhere in the site, which is what makes uploads and self-updates work, but also what lets an exploited plugin drop files next to your code. If you host several users or want the tighter layout, make your deploy user the owner and www-data the group (chown -R youruser:www-data), so you can upload directly and Apache only needs read access. I have the same user, do my work as root, reset permissions as I go, and after I'm done I run this:

sudo chown -R www-data:www-data /var/www/html/somesite.com/
sudo find /var/www/html/somesite.com/ -type d -exec chmod 755 {} \;
sudo find /var/www/html/somesite.com/ -type f -exec chmod 644 {} \;
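The three commands above reset permissions but never tell you what was wrong. This added example (mine, not from the original notes) wraps the same reset in a function and pairs it with an audit that lists world-writable paths, executable files, setuid/setgid bits and sensitive names such as .git or .sql dumps inside the web root. Owner and group default to www-data as on this page; the demo at the bottom builds a throwaway site tree under mktemp with constructed file names and deliberately bad modes, so it runs as an unprivileged user.

```shell
#!/bin/sh
# Added example, not part of the original notes: apply the ownership/mode
# baseline from the find commands above, then audit the result so the reset is
# verified rather than assumed. Owner and group default to www-data; pass a
# deploy user as owner (reset_web_perms /path youruser www-data) for the
# tighter layout. The demo tree below is constructed, not real site content.

# Reset: owner:group recursively, 755 on directories, 644 on files.
reset_web_perms() {  # webroot [owner] [group]
  chown -R "${2:-www-data}:${3:-www-data}" "$1"
  find "$1" -type d -exec chmod 755 {} +
  find "$1" -type f -exec chmod 644 {} +
}

# Audit: one line per problem, nothing when the tree is clean.
#  - anything world-writable (any local foothold can plant files there)
#  - files with an execute bit (PHP under mod_php/php-fpm needs none; CGI is the exception)
#  - setuid/setgid files, which never belong in a web root
#  - names that should not be under DocumentRoot at all; the FilesMatch rules
#    above hide dotfiles but not a .git directory's contents or a stray dump
audit_web_perms() {  # webroot
  find "$1" -perm -0002 | sed 's/^/world-writable /'
  find "$1" -type f \( -perm -0100 -o -perm -0010 -o -perm -0001 \) | sed 's/^/executable /'
  find "$1" -type f \( -perm -4000 -o -perm -2000 \) | sed 's/^/setuid-or-setgid /'
  find "$1" \( -name .git -o -name .env -o -name '*.sql' -o -name '*.bak' \) | sed 's/^/sensitive-name /'
}

# Number of findings, for scripting (0 means clean).
audit_count() {  # webroot
  audit_web_perms "$1" | grep -c . || true
}

# Build a constructed site tree with typical mistakes under parent dir $1 and
# print the web root path. umask is fixed so the demo is reproducible.
build_demo_tree() {  # parent
  umask 022
  site="$1/somesite.com"
  mkdir -p "$site/wp-content/uploads" "$site/.git"
  : > "$site/index.php"
  : > "$site/wp-config.php"
  : > "$site/wp-content/uploads/shell.php"
  : > "$site/.git/config"
  : > "$site/backup.sql"
  chmod 777 "$site/wp-content/uploads"           # the usual "make uploads work" fix
  chmod 755 "$site/wp-content/uploads/shell.php" # executable file in uploads
  chmod 666 "$site/wp-config.php"                # secrets world-writable
  echo "$site"
}

# Demo. Against a real site, as root:
#   reset_web_perms /var/www/html/somesite.com && audit_web_perms /var/www/html/somesite.com
tmp=$(mktemp -d)
site=$(build_demo_tree "$tmp")
echo "before reset: $(audit_count "$site") findings"
reset_web_perms "$site" "$(id -un)" "$(id -gn)"
echo "after reset:  $(audit_count "$site") findings"
audit_web_perms "$site"
rm -rf "$tmp"
```

On the demo tree the count drops from 5 to 2 after the reset: the mode problems are gone, but the .git directory and backup.sql are still inside the web root, and no chmod fixes that. Those two findings are the point of auditing after a reset instead of trusting it.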

What is Htdigest?

htdigest is the Apache tool that creates and manages the password file used by HTTP Digest authentication (mod_auth_digest). Best practices:

Use a strong, unique password per user. The stored value is a fast MD5 hash with no per-user salt (the realm is the only extra input, and it is the same for every entry), so a weak password is recoverable offline from a leaked file.

Keep the file outside the web root and readable by the web server only (the chown/chmod above).

Restrict access per path in the server config, or in a .htaccess file where AllowOverride permits it.

Use AuthType Digest and AuthDigestProvider file (the default) with AuthUserFile pointing at the file.

AuthName is the realm. It must match the realm the entry was created with, or the hash will not verify.

Things to avoid:

  • Weak or guessable passwords for any user.
  • Storing the file inside the web root, where one misconfiguration serves it as a download.
  • Relying on htdigest alone; combine it with the IP ACL above, TLS and, where it fits, a web application firewall.
  • Basic authentication over plain HTTP: the password crosses the wire in the clear on every request. Over TLS the wire is protected either way, and Basic with a bcrypt htpasswd file has one advantage Digest cannot offer: the stored hash is not itself a usable credential.
  • Two-factor authentication is not something htdigest supports. One route is to move authentication to a SAML identity provider with mod_auth_mellon and enforce 2FA there. Another is mod_authn_otp, a third-party module that validates HOTP/TOTP codes from an app such as Google Authenticator or Authy.

What type of Hash?

htdigest does not encrypt anything. It stores MD5(user:realm:password), the HA1 value from RFC 2617, in the third field of each line. Two problems follow. MD5 is fast and the only salt is the shared realm, so offline guessing against a leaked file is cheap, which is why MD5 is not recommended where SHA-256 or bcrypt could be used. Worse, HA1 is exactly the value the client feeds into its response, so the file contents are a password equivalent for that realm: protect the file as you would the passwords themselves.

Is TLS Required?

Yes. Basic auth sends the password base64-encoded, which is plaintext, in every request, so over HTTP anyone on the path can read it and reuse it. Digest sends a nonce-bound hash instead, which is why it could be used on unencrypted links at all, but MD5 is all it offers and the stored HA1 is still a credential. Over TLS both schemes are protected on the wire; the remaining difference is what the server stores. TLS only helps if HTTP is redirected to HTTPS and HSTS (above) is set, otherwise the first plain request still leaks.
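The three claims above (the file holds MD5(user:realm:password), that value alone logs you in, and the nonce is what stops replay) can be checked in a few lines of sh with md5sum. This is an added example of mine, not from the original notes or from Apache's code: it reproduces the Digest qop=auth computation from RFC 2617 that mod_auth_digest performs, on a constructed user, realm, password and nonce, and never touches a real .htdigest.

```shell
#!/bin/sh
# Added example, not part of the original notes: what htdigest writes and why a
# readable .htdigest is a credential leak. User, realm, password, nonce and URI
# below are constructed for the demo. The response formula is RFC 2617 Digest
# with qop=auth (what mod_auth_digest uses with browsers); md5sum is coreutils.

md5hex() { printf '%s' "$1" | md5sum | cut -d' ' -f1; }

# HA1 = MD5(user:realm:password): exactly the third field htdigest stores.
# No per-user salt, only the realm shared by every entry, and MD5 is fast.
ha1_from_password() {  # user realm password
  md5hex "$1:$2:$3"
}

# One line in htdigest's file format: user:realm:HA1
htdigest_line() {  # user realm password
  printf '%s:%s:%s\n' "$1" "$2" "$(ha1_from_password "$1" "$2" "$3")"
}

# Client response for qop=auth: MD5(HA1:nonce:nc:cnonce:auth:HA2), HA2 = MD5(method:uri).
# The input is HA1, not the password: whoever holds HA1 can answer the challenge.
digest_response() {  # ha1 method uri nonce nc cnonce
  ha2=$(md5hex "$2:$3")
  md5hex "$1:$4:$5:$6:auth:$ha2"
}

# Server side: look up the stored HA1 by user and realm, recompute, compare.
verify_response() {  # htdigest_file user realm method uri nonce nc cnonce client_response
  stored=$(awk -F: -v u="$2" -v r="$3" '$1 == u && $2 == r { print $3; exit }' "$1")
  [ -n "$stored" ] || return 1
  [ "$(digest_response "$stored" "$4" "$5" "$6" "$7" "$8")" = "$9" ]
}

# Readable by "other"? The chmod 640 above is meant to make this false.
world_readable() {  # path
  case "$(ls -ld "$1" | cut -c8-10)" in *r*) return 0 ;; *) return 1 ;; esac
}

# Demo on a throwaway file standing in for /var/www/.htdigest.
f=$(mktemp)
htdigest_line james RESTRICTED 'correct horse battery' > "$f"   # what htdigest -c would write
chmod 640 "$f"
nonce=dcd98b7102dd2f0e8b11d0f600bfb0c093; cnonce=0a4f113b; nc=00000001

# 1. a real client derives HA1 from the password and answers the challenge
good=$(digest_response "$(ha1_from_password james RESTRICTED 'correct horse battery')" GET /wp-login.php "$nonce" "$nc" "$cnonce")
verify_response "$f" james RESTRICTED GET /wp-login.php "$nonce" "$nc" "$cnonce" "$good" && echo "password login: accepted"

# 2. someone who only read the file uses the stored HA1 directly: same result
stolen=$(cut -d: -f3 "$f")
forged=$(digest_response "$stolen" GET /wp-login.php "$nonce" "$nc" "$cnonce")
verify_response "$f" james RESTRICTED GET /wp-login.php "$nonce" "$nc" "$cnonce" "$forged" && echo "stolen-hash login: accepted"

# 3. the same response against a fresh nonce fails: this is the replay
#    protection Digest adds on plain HTTP that Basic lacks
verify_response "$f" james RESTRICTED GET /wp-login.php 0123456789abcdef "$nc" "$cnonce" "$good" || echo "replay with new nonce: rejected"
world_readable "$f" || echo "file mode 640: not world readable"
rm -f "$f"
```

Step 2 is the reason the chown root:www-data and chmod 640 matter more for .htdigest than for an htpasswd file: with bcrypt htpasswd a leaked file still has to be cracked, with htdigest it can be used as-is. Step 3 also shows the limit of that replay protection: it is per nonce, so it helps on plain HTTP only against a passive capture, not against someone who can sit in the middle and relay.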

Best Practice

Serve the login only over TLS, require the IP ACL and the digest login together, keep .htdigest outside the web root as root:www-data 640, and choose long passwords, because the stored hash is both cheap to attack and a usable credential on its own.