Securing websites with hardened Apache configurations and Mod Security

Linh Vu 2006

Web servers are always among the most vulnerable due to their nature of being open to access from everyone. As companies and organisations take advantage of the considerable benefits that Internet technologies offer, the task of securing a web server to protect web services and sensitive data can become overwhelming for, in most cases, a lone web administrator. There are countless rogue bots and script kiddies wandering about ready to pounce on web servers hosting insecure and unpatched web applications.

The aim of this presentation is to provide a comprehensive view of security enhancements made to the deployment and maintenance processes of websites through Apache configurations and modules, particularly mod- security. The scope is limited to the popular LAMP ( Linux/Apache/MySQL/PHP), but the techniques introduced here can also be applied to other platforms. While there are more layers of security needed to provide complete protection for a web server, the one for discourse here will be the web server (Apache) layer with a touch on web applications written in PHP.

I will provide a walk-through for securely deploying websites with hardened Apache virtual host configurations. I will present mod-security, the open source web application firewall, with its basic and enhanced rule sets, real examples of it in action against web exploits and how to manage a mod- security enabled web server. Lastly, I will discuss the awareness of Apache modules and their security implications when deploying or developing websites.

Presentation Slides

About Linh Vu

Linh Vu works as the system and web administrator at the Physics Department of the University of Melbourne. He is at the cowboy stage of the SDLC - Sysadmin Development Life Cycle - meaning he loves to explore new cool technologies with catchy names, and sneakily apply them in production before they pass rigorous enterprise quality testing for mission-critical spaceship launchers.