Ubuntu Intrepid - Apache configuration #2

Continuing from the first Ubuntu Intrepid Apache configuration article, we'll now look at some of the other settings in the main apache2.conf file and what they can do.

Concentrating on efficiency and security, this will end our apache2.conf journey (for now).


ServerName

Default: Not Set

The ServerName is usually a hostname or a FQDN (Fully Qualified Domain Name).

If you followed the Ubuntu Intrepid installing Apache and PHP5 article, you will have already set the ServerName configuration.

If you fail to set the ServerName, then on an Apache restart you will see the following warning:

apache2: Could not reliably determine the server's fully qualified domain name, using 127.0.0.1 for ServerName

To stop the warning and set the ServerName, add the following to the apache2.conf:

ServerName demo

Remember the test slice has a hostname of 'demo' - set this to your hostname or FQDN.

HostnameLookups

Default:

HostnameLookups Off

If you want happy users and to save traffic, keep this at Off.

Setting this to 'On' enables DNS lookups so that hostnames can be logged (a reverse DNS check on each client IP address); setting it to 'Double' performs the reverse DNS check and then a forward lookup on the resulting hostname to confirm that it maps back to the original address.

All a bit much. If you desperately need hostname information about your visitors, it is advised to use logresolve (located at /usr/sbin/logresolve) to resolve the addresses in the log files afterwards instead of at request time. A small explanation can be found here.

Security Settings

It's a good idea to review a couple of security-related settings for Apache — ServerTokens and ServerSignature — which in the Ubuntu Intrepid Apache layout are stored by default in the 'security' config file:

/etc/apache2/conf.d/security

ServerTokens

Default:

ServerTokens Full

The ServerTokens setting dictates how much information is sent in the Server response header with regard to the Apache version and the modules in use.

The default (Full) would send something like this:

Apache/2.2.9 (Ubuntu) PHP/5.2.6-2ubuntu4 with Suhosin-Patch Server

Does this make a difference? Well, yes. Suppressing that information makes it harder for someone to match the server to a known exploit.

It does not make the actual install any more secure, but right now all someone has to do is look for a known exploit for Apache 2.2.9 on Ubuntu, PHP 5.2.6 and so on. Why make it easy for them?

The options are (with example outputs):

Full

Apache/2.2.9 (Ubuntu) PHP/5.2.6-2ubuntu4 with Suhosin-Patch

OS

Apache/2.2.9 (Ubuntu) Server

Minimal

Apache/2.2.9 Server

Minor

Apache/2.2 Server

Major

Apache/2 Server

Prod

Apache Server

It's up to you what level of info you want to give out. I prefer setting ServerTokens to Prod.

ServerSignature

Default:

ServerSignature On

Server-generated pages, such as 404 pages or directory listings, can contain a footer line which includes server information and can also include the ServerAdmin email address.

If you navigate to your Slice IP address and a non-existent page, you will see a '404 Not Found' page with the footer information:

[Screenshot: Apache 404 page showing the ServerSignature footer]

The options are:

Off: Produces no footer

On: Produces footer information (at a level defined by the ServerTokens setting)

Email: Adds an email link to the information (email address is defined in the vhosts file with the ServerAdmin setting)

Keep in mind that many settings can be overridden by a virtual host file.

If you disable the ServerSignature in the 'security' config file, but a virtual host file has:

ServerSignature On

then the global setting is overridden and a footer will still be displayed on 404 pages and other server-generated pages for any site served by that virtual host.
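To verify what the server actually sends once these directives are set (and that no virtual host has overridden them), here is an added Python checker; it is not part of the original article. It requests a page that should not exist, classifies the Server header against the ServerTokens levels listed above, and looks for the address footer that ServerSignature On produces; the footer markup and the URL path are assumptions.

```python
import re
import sys
import urllib.request
from urllib.error import HTTPError

# Server header shapes for each ServerTokens level, derived from the example
# outputs in the article (the trailing " Server" appears in footers, not headers).
PATTERNS = [
    ("Prod",    re.compile(r"^Apache(\s+Server)?$")),
    ("Major",   re.compile(r"^Apache/\d+(\s+Server)?$")),
    ("Minor",   re.compile(r"^Apache/\d+\.\d+(\s+Server)?$")),
    ("Minimal", re.compile(r"^Apache/\d+\.\d+\.\d+(\s+Server)?$")),
    ("OS",      re.compile(r"^Apache/\d+\.\d+\.\d+\s+\([^)]+\)(\s+Server)?$")),
]

def classify_server_tokens(header):
    """Return the ServerTokens level that would produce this Server header.
    Anything with module details after the OS (PHP/..., Suhosin-Patch) is Full."""
    value = header.strip()
    for level, pattern in PATTERNS:
        if pattern.match(value):
            return level
    return "Full" if value.startswith("Apache/") else "unknown"

def signature_present(body):
    """ServerSignature On renders an <address>...</address> footer on error pages
    (assumed markup: '<address>Apache/2.2.9 (Ubuntu) Server at demo Port 80</address>')."""
    return re.search(r"<address>.*?</address>", body, re.S | re.I) is not None

def audit(base_url):
    """Fetch a page that should not exist and report what the 404 leaks."""
    url = base_url.rstrip("/") + "/this-page-does-not-exist"  # assumed path
    try:
        resp = urllib.request.urlopen(url, timeout=10)
    except HTTPError as err:
        resp = err  # the 404 we expect still carries headers and a body
    server = resp.headers.get("Server", "")
    body = resp.read().decode("utf-8", "replace")
    return {"server_header": server,
            "server_tokens": classify_server_tokens(server),
            "server_signature": signature_present(body)}

if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "http://127.0.0.1/"
    for key, value in audit(target).items():
        print(f"{key}: {value}")
```

Run it against each virtual host, not just the Slice IP address, since a per-vhost ServerSignature On is exactly what the check is meant to catch.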

Summary

The steps in this article are simple ones, but I believe they are quite useful: they improve the efficiency of your Slice and contribute to its overall security.

Mike

Article Comments:

Ryan commented Sat Jan 17 04:37:56 UTC 2009:

Very helpful! I wouldn't have known about these settings otherwise. I know people change them but couldn't have told you where to go to do it. Thanks for all these helpful articles! : )

Behrang Javaherian commented Mon Feb 09 23:52:21 UTC 2009:

Dear Mike, thanks for your article. Everyone is enabling the gzip option on their website, so I think it is worth showing how to enable the mod_deflate module for Apache. Cheers

Ian Viemeister commented Sun Mar 01 21:53:57 UTC 2009:

You don't need to set ServerName to avoid the "Could not reliably determine the server's fully qualified domain name..." error from Apache, as long as you have /etc/hosts configured properly.

Assuming your hostname is "host1", your domain is "example.com", and your IP is 1.2.3.4, make sure your /etc/hosts has exactly these two lines, IN THIS ORDER:

1.2.3.4 host1.example.com host1 127.0.0.1 localhost

This will make sure that the gethostname() that Apache calls at start will get "host1.example.com" returned, and set ServerName properly.

Ian Viemeister commented Sun Mar 01 21:57:34 UTC 2009:

Ack. Formatting failure. Those two lines should read:

1.2.3.4 host1.example.com host1

127.0.0.1 localhost

Chris Martin commented Sat Mar 07 22:16:56 UTC 2009:

To help guard against Cross-site Tracing, experts suggest having "TraceEnable" set to Off on production servers.

http://www.kb.cert.org/vuls/id/867593

Also...

"Although the particular attack highlighted made use of the TRACE functionality to grab authentication details, this isn't a vulnerability in TRACE, or in the Apache web server. The same browser functionality that permits the published attack can be used for different attacks even if TRACE is disabled on the remote web server. For example an attacker could create a carefully crafted page that when visited submits a hidden request to some arbitrary site through your browser, grabs the result and passes it to the attacker."

http://www.apacheweek.com/issues/03-01-24

Julian Rhind commented Mon Jun 29 02:28:40 UTC 2009:

Hi

Great tutorials thanks - while on the subject of leaking info - I found the autoindex mod was enabled by default - by following your previous tutorial I was able to

sudo a2dismod autoindex
sudo /etc/init.d/apache2 restart

Thanks

Justin Louie commented Thu Aug 13 00:17:50 UTC 2009:

More continued thanks to you Mike!! These articles are great.

Russi commented Fri Apr 23 21:09:45 UTC 2010:

Mike, I admire your posts, which have already become real guides for me and my friends whom I've shared your blog link with! Thanks for your work!
