Thursday, September 26, 2013

Some tips on setting up for Apache 2.2

Here are some of the things I used to set up and harden my Apache 2.2, with both performance and security in mind.
This serves as a brain dump, and hopefully it helps you.

ServerTokens: change from the default "Full" to "Prod" so that the Server header reveals only "Apache" rather than the version, OS and loaded modules.

ServerSignature: leave at the default "Off" so that server-generated pages (error pages, directory listings) do not display the version and patch level.

KeepAlive: leave at the default "On" so that long-lived HTTP sessions are allowed and multiple requests can be sent over the same TCP connection.

AllowOverride: change from the default "All" to "None" to prevent users from creating .htaccess files, which can override the security settings in the main configuration.

ScriptAlias: comment it out to disable cgi-bin. If CGI is genuinely required, enable it for one specific directory only, using "Directory", "SetHandler cgi-script" and "Options +ExecCGI" instead.

Add "%D" (time taken to serve the request, in microseconds) to the LogFormat. It is helpful when troubleshooting slow requests.

Only recommend compiling mod_ssl statically into the Apache core. This is mainly for performance, since nowadays we rely more and more on HTTPS services.

For at least minimum control over Apache, enable the following modules: "mod_authz_host" for host-based access control (Order/Allow/Deny), "mod_dir" for directory index handling and trailing-slash redirects, and "mod_rewrite" for rewriting or rejecting unwanted request patterns.

Restrict what Apache listens on to provide its services, using the Listen directive with an explicit address:port rather than a bare port number (a bare port binds every interface on the host).

Use a group or distribution email address for "ServerAdmin" rather than an individual's.

Set a timeout limit ("Timeout") so the server fails a request after waiting the given number of seconds for I/O. Default is 300; lowering it limits how long a slow or idle client can tie up a worker.

Limit the number of requests allowed per connection ("MaxKeepAliveRequests") when KeepAlive is on. Default is 100.

Limit the time the server will wait for a subsequent request ("KeepAliveTimeout") before terminating the connection. Default is 15 seconds. This one affects how many resources Apache holds open for idle clients.

Enable "mod_deflate" for better throughput, especially in high-volume web services. The settings below belong in the main server configuration (DeflateCompressionLevel is not allowed inside a Location container), and the "Header" directive requires mod_headers to be loaded as well.

    # Range is 1 (least compression) to 9 (most compression)
    DeflateCompressionLevel 6

    # Netscape 4.x has some problems...
    BrowserMatch ^Mozilla/4 gzip-only-text/html

    # Netscape 4.06-4.08 have some more problems
    BrowserMatch ^Mozilla/4\.0[678] no-gzip

    # IE identifies itself as "Mozilla/4.0 (compatible; MSIE 7.0; ...)", so the
    # rules above catch it too. Re-enable compression only for IE 7, 8 and 9,
    # as there are bugs compressing for IE 6 and older. Note the \s after MSIE:
    # the real User-Agent has a space there, so "MSIE(7|8|9)" never matches.
    BrowserMatch \bMSIE\s[789] !no-gzip !gzip-only-text/html

    # Don't compress images and pdf (they are already compressed)
    SetEnvIfNoCase Request_URI \.(?:gif|jpe?g|png|pdf)$ no-gzip dont-vary

    # Make sure proxies don't deliver the wrong content (needs mod_headers)
    Header append Vary User-Agent env=!dont-vary

To enable compression of outgoing traffic, add the following inside the relevant "vhost", "location" or "directory" container:

    SetOutputFilter DEFLATE

Set TraceEnable to "off" (the TRACE method is enabled by default).

Configure SSLCipherSuite so that only strong ciphers are offered. A string like ALL:!ADh:!SSLv2:!EXPORT56:!EXPORT40:!RC4:!DES:+HIGH has two problems: OpenSSL cipher keywords are case-sensitive, so "!ADh" silently excludes nothing (it must be "!ADH"), and "+HIGH" moves the strong ciphers to the end of the list rather than preferring them. A corrected form is:

    SSLCipherSuite HIGH:!aNULL:!ADH:!eNULL:!EXPORT:!RC4:!DES:!MD5
    SSLHonorCipherOrder on

Always check what a string actually expands to before deploying it, with "openssl ciphers -v" followed by the quoted string.

Also set SSLProtocol all -SSLv2 to disable SSL version 2. SSLv3 should be disabled the same way (SSLProtocol all -SSLv2 -SSLv3), leaving only TLS.

Remove the contents of cgi-bin, htdocs and icons, and the conf/extra and conf/original directories, if they are not required.

If you want to hide and mask the Apache identity further, update include/ap_release.h in the source tree to the following before building:

    #define AP_SERVER_BASEVENDOR "Restricted Server"
    #define AP_SERVER_BASEPRODUCT "Secure Web Server"

AP_SERVER_BASEPRODUCT is the string that ServerTokens Prod emits in the Server header, so this only takes effect after httpd is recompiled; verify with curl -I against the server afterwards.

Remove the default welcome page (index.html in htdocs) if it exists.
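As an added example (not code from the original post), the Python script below reads an httpd.conf and reports every setting that still differs from the recommendations in this list, treating absent directives as Apache 2.2's compiled-in defaults. The two embedded configurations are constructed samples, not from any real host: the first reproduces the weak settings (including a mis-cased cipher keyword, "!ADh" instead of "!ADH", which OpenSSL silently ignores), the second the hardened ones. The paths and the 192.0.2.10 address in them are illustrative only.

```python
"""Audit an Apache 2.2 httpd.conf against the hardening settings above.

Added example, not from the original post. It reads configuration text only;
absent directives are treated as Apache 2.2 compiled-in defaults.
"""
import sys

# Constructed sample configs for the demo; neither comes from a real host.
WEAK_CONF = """\
ServerTokens Full
ServerSignature On
TraceEnable on
Listen 80
ScriptAlias /cgi-bin/ "/usr/local/apache2/cgi-bin/"
<Directory "/usr/local/apache2/htdocs">
    AllowOverride All
</Directory>
SSLProtocol all
SSLCipherSuite ALL:!ADh:!SSLv2:!EXPORT56:!EXPORT40:!RC4:!DES:+HIGH
"""

HARDENED_CONF = """\
ServerTokens Prod
ServerSignature Off
TraceEnable off
KeepAlive On
MaxKeepAliveRequests 100
KeepAliveTimeout 15
Timeout 60
Listen 192.0.2.10:443
<Directory "/usr/local/apache2/htdocs">
    AllowOverride None
</Directory>
SSLProtocol all -SSLv2 -SSLv3
SSLHonorCipherOrder on
SSLCipherSuite HIGH:!aNULL:!ADH:!eNULL:!EXPORT:!RC4:!DES:!MD5
"""

# OpenSSL cipher-string keywords are case-sensitive: a mis-cased one such as
# "ADh" matches nothing, so the ciphers it was meant to exclude stay enabled.
CIPHER_KEYWORDS = {"ALL", "DEFAULT", "HIGH", "MEDIUM", "LOW", "ADH", "aNULL",
                   "eNULL", "EXPORT", "EXPORT40", "EXPORT56", "RC4", "DES",
                   "3DES", "MD5", "SHA1", "SSLv2", "SSLv3", "TLSv1"}
_BY_UPPER = {k.upper(): k for k in CIPHER_KEYWORDS}


def directives(conf):
    """Yield (name, value) per directive; comments and <Container> tags are skipped."""
    for raw in conf.splitlines():
        line = raw.strip()
        if not line or line[0] in "#<":
            continue
        parts = line.split(None, 1)
        yield parts[0].lower(), (parts[1].strip() if len(parts) > 1 else "")


def audit(conf):
    """Return a list of findings; empty means every checked setting is as recommended."""
    seen = {}
    for name, value in directives(conf):
        seen.setdefault(name, []).append(value)

    def first(name, default):  # first occurrence, or the 2.2 default if absent
        return seen.get(name, [default])[0]

    f = []
    if first("servertokens", "Full").lower() != "prod":
        f.append("ServerTokens: set to Prod (Full advertises OS and module versions)")
    if first("serversignature", "Off").lower() != "off":
        f.append("ServerSignature: set to Off so error pages omit version and patch level")
    if first("traceenable", "On").lower() != "off":
        f.append("TraceEnable: set to off (TRACE is enabled by default)")
    for value in seen.get("allowoverride", []):
        if value.lower() != "none":
            f.append("AllowOverride %s: set to None so .htaccess cannot relax policy" % value)
    if "scriptalias" in seen:
        f.append("ScriptAlias: comment out to disable cgi-bin unless CGI is required")
    for value in seen.get("listen", []):
        addr = value.split()[0]
        if ":" not in addr or addr.startswith(("0.0.0.0:", "[::]:")):
            f.append("Listen %s: bind to an explicit address:port, not every interface" % value)

    if any(name.startswith("ssl") for name in seen):  # mod_ssl in use
        proto = first("sslprotocol", "all").lower().split()
        for old in ("SSLv2", "SSLv3"):
            low = old.lower()
            if ("all" in proto or low in proto or "+" + low in proto) and "-" + low not in proto:
                f.append("SSLProtocol: add -%s" % old)
        suite = first("sslciphersuite", "DEFAULT").split(":")
        for token in suite:
            core = token.lstrip("!+-")
            if core not in CIPHER_KEYWORDS and core.upper() in _BY_UPPER:
                f.append("SSLCipherSuite: %s is mis-cased, OpenSSL expects %s"
                         % (token, _BY_UPPER[core.upper()]))
        if "+HIGH" in suite:
            f.append("SSLCipherSuite: +HIGH moves strong ciphers to the END; lead with HIGH instead")
        if not {"!aNULL", "!ADH"} & set(suite):
            f.append("SSLCipherSuite: anonymous DH not excluded (add !aNULL)")
    return f


if __name__ == "__main__":
    # Pass a path to audit a real httpd.conf; with no argument the weak sample is audited.
    target = open(sys.argv[1]).read() if len(sys.argv) > 1 else WEAK_CONF
    for line in audit(target) or ["no findings"]:
        print(line)
```

The checker only looks at top-level directive lines, so a Listen or AllowOverride inside a container is still seen, but an `<IfModule>` guard around mod_ssl directives is not evaluated; run it against the configuration as Apache actually loads it (for example the output of "httpd -t -D DUMP_MODULES" tells you which modules are really present).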

Tuesday, September 17, 2013

How to capture network traffic using tcpdump on Sourcefire IDS box

On a usual Linux box, we capture network traffic using tcpdump like this:

# tcpdump -i eth0

However, on the Sourcefire IDS box, the network interfaces appear not to be configured: no IP address is assigned and the TX counters stay at zero. See below.


eth0      Link encap:Ethernet  HWaddr 01:0A:0B:FB:CD:39
          BROADCAST MULTICAST  MTU:1518  Metric:1
          RX packets:83477 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:614 (16.5 Mb)  TX bytes:0 (0.0 b)
          Memory:f2e20000-f2e40000


After checking on Google, it turns out you can't dump on ethX. What you need to do is dump from fpX instead, where eth0 has the corresponding fp0, eth1 has fp1, and so on.

That's it.