Securing A Linux Web Server: Preventing Information Leakage

Information leakage is a serious threat to the security of a Linux server, and can result in a host of severe consequences including significant downtime and the compromise of sensitive data. Luckily, server administrators can mitigate the risk of information leakage through a series of configuration changes.

This article will provide some background on information leakage and the types of attacks it can lead to. We will then explain how you can configure your Linux web server to protect against information leakage. Much of this information that can be applied to improve the security of any Linux server; however, we will focus predominantly on securing an Apache web server in this article.

 

What Is Information Leakage and Why Is It A Security Threat?

Information leakage describes the actions of revealing information to an unauthorized party, and can be the result of either intentional actions such as those taken by malicious insiders, or unintentional actions such as employee negligence.

Information leakage can have severe consequences for the parties affected, including data compromise, lost productivity and reputation damage. Leaving your web server vulnerable to information leakage can result in an array of serious attacks, including Cross-Site Tracing attacks (XST) attacks and Man-in-the-Middle (MITM) attacks. XST involves the use of Cross-site Scripting (XSS) and the TRACE or TRACK HTTP methods. XST attacks can be used to steal cookie information or sensitive credentials and can be mitigated by disabling the TRACE HTTP request on an Apache web server (covered in more detail below). In a MITM attack, a malicious hacker secretly relays - and potentially alters - the communications between two parties without their knowledge. MITM attacks are commonly used to gain access to sensitive data, and can be mitigated by configuring an Apache web server to reject all SSL v2/v3 connection requests (also covered in more detail below).

 

How To Configure an Apache Web Server to Prevent Information Leakage

When securing a Linux server, the first configuration changes that should be made are to disable any potential sources of information leakage such as broadcast of the server version banner, failure to disable the directory browsing list, the ETag header, the Trace HTTP request or SSL v2/v3 and failure to review and disable optional running services that could potentially be exploited by a malicious actor. All Linux distributions have poor default configurations in regards to preventing information leakage - making it essential that the correct manual configurations are made to protect sensitive data. Let’s take a closer look at these configuration changes  and how they can be made.

 

Remove Server Version Banner 

Apache web server administrators should begin by ensuring that the server version banner has been removed. It is critical not to expose the version of the web server you are using, as this information can be exploited by malicious hackers. 

By default, Apache web servers are configured to show Apache Version and OS type. ServerSignature permits the addition of a footer line revealing the server name and version number under server-generated documents such as error messages, mod_proxy ftp directory listings and mod_info output plus, among others. ServerTokens determines if the server response header field that is sent back to clients contains a description of the server OS-type and information pertaining to enabled Apache modules. To avoid broadcasting this private information, edit your httpd.conf config file to add or modify the following directives if they don’t already exist:

ServerTokens Prod

ServerSignature Off

Save and exit, then restart Apache.

If you are running PHP, you will also want to hide your PHP version number. Learn how this can be done in this brief yet informative TecMint tutorial.

 

Disable Directory Browsing List

It is critical that Apache server administrators disable directory browser listing, which is enabled by default in Apache, to prevent visitors from being able to see the files and folders listed under root or subdirectory. When directory browser listing is disabled on a server, a forbidden error message will be displayed when a user attempts to access this information. To disable directory browser listing, add -Indexes to the Options directive for the required directory. Edit the config file corresponding with the virtual domain you’re configuring and add “Options -Indexes” to the Directory section corresponding with the directory for which you wish to disable indexes.

<Directory /var/www/mysite>

    Options -Indexes

</Directory>

Be sure to restart Apache after you’ve saved the file. If you don't have administrator access to the system or would like to easily manage directory listing on a per-directory basis, you can use the above Options -Indexes directive in the htaccess file corresponding with the directory as well.

 

Disable the ETag Header

It is critical that the ETag header - which is enabled by default in Apache - is disabled, as this header allows remote attackers to obtain sensitive information such as inode number, multipart MIME boundary and child processes. While this is not among the most serious information disclosure vulnerabilities in Apache, it is worth disabling the ETag header regardless - especially given how simple it is to do! To mitigate the risk of potential exploits of this vulnerability, edit your Apache config to add the following:

Header unset ETag

FileETag None

Restart Apache for the change to take effect.

 

Disable TRACE HTTP Request

Failure to disable the TRACE HTTP request, which is enabled by default in an Apache web server, can result in a Cross-Site Tracing attack and provide malicious hackers with access to cookie information. To disable the TRACE request so all such requests are blocked with 405 Method Not Allowed, edit your Apache config to add the following:

TraceEnable off

Restart Apache for the change to take effect.

 

Disable SSL v2 & v3

SSL v2 and v3 are obsolete versions of the SSL protocol that are ridden with security flaws and have since been superseded with the more secure Transport Layer Security (TLS) protocol. SSL v2 and v3 should be disabled to prevent Man-in-the-Middle attacks or the decryption of data between the affected service and clients. Disabling SSL v2 and v3 is also essential to PCI compliance and penetration testing. To configure an Apache web server to accept only the latest versions of TLS and reject all SSL v2/v3 connection requests, edit the ssl.conf file in your Apache config directory to add the following:

SSLProtocol all -SSLv2 -SSLv3

Once you have saved your config and restarted Apache, you should verify your SSL configuration to ensure that your certificate parameters are as expected, and identify any potential issues before they are exploited. Learn about ten online tools that you can use to test your SSL configuration in this GeekFlare article.

 

Review Additional Running Services

It is critical to review and disable any optional services running on the host that could result in potential security issues, such as CGI execution and symbolic links. Many administrators run a 'web server' and unknowingly are running a host of other services simultaneously, which all need to be carefully reviewed and secured.

If other services are running on the same web server, the banner for these services should be edited to remove any broadcast of the version number or other non-required information that could potentially be leaked, leading to compromise. 

The CGI execution and symbolic links services can be disabled using the Options directive in the httpd.conf configuration file. To disable CGI script execution, symbolic links, and server-side includes for your web server root directory and its subdirectories, include the following in your httpd.conf file:

<Directory /your/website/directory>

Options -ExecCGI -FollowSymLinks -Includes

</Directory>

Be sure to restart Apache after you’ve saved the file.

 

The Bottom Line

With a growing number of attacks targeting Linux servers - the majority of which can be attributed to misconfigurations and poor administration, server security and responsible administration are more crucial than ever. In general, Linux is a very secure OS due to the transparency of its source code and the constant scrutiny that it undergoes by the “many eyes” of the vibrant, global open-source community. However, all Linux distros have poor default configurations when it comes to preventing information leakage - making it imperative that the proper manual configuration changes are made to protect against this serious threat, which can result in data tampering or theft.

Preventing information leakage is of utmost importance and, when securing a Linux web server, the first configuration changes that should be made are to disable any potential sources of data leakage including the server version banner, the directory browsing list, the ETag header, the TRACE HTTP request, SSL v2/v3 and any unnecessary running services that could potentially lead to compromise. 

Have additional questions about how to secure your Linux servers against information leakage? Leave a comment below and one of our security experts would be happy to help! 

Stay tuned for future articles in this series which will cover topics including firewall considerations, permissions, PHP security, monitoring logs and ways to verify the security of a Linux web server. Have another topic you would like us to cover? Don’t be shy - let us know!