Making Vulnerability Scanners Happy with Your Apache Server
Published November 28th, 2008

Problem Statement
If you run e-commerce sites that accept credit cards, you are bound to run into Payment Card Industry Data Security Standard (PCI DSS) issues if you run Apache with its default configuration settings. Third-party PCI compliance scanners will report a number of problems against most such sites; here we discuss those findings and show you how to eliminate them.
Trim down Apache signature
Most commercial scanners will report that they can detect your Apache software version and other information from your default Apache configuration. For example, if you telnet to a Web server’s HTTP port (80), enter HEAD / HTTP/1.0 and follow it with two newline characters, you will see the Web server’s signature information. Here is a sample of this request:
$ telnet www.example.com 80
Trying 100.101.102.103...
Connected to www.example.com (100.101.102.103).
Escape character is '^]'.
HEAD / HTTP/1.0

HTTP/1.1 200 OK
Date: Fri, 28 Nov 2008 20:02:48 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.1.6
Connection: close
Content-Type: text/html
As you can see, this Web server is running Apache 2.2.3 on the CentOS platform and even advertises PHP/5.1.6. PCI compliance scanners do not like to see such info: the more of it you hand out to potential hackers, the bigger your chance of getting hacked through a known vulnerability in that exact version. So you can tell Apache to show a minimal signature using the following directives in your Apache configuration (httpd.conf):
ServerTokens Prod
ServerSignature Off
Disable TRACK/TRACE support
By default, Apache has the TRACE and TRACK request methods enabled. The TRACE method makes the server echo the request it received, headers included, back to the client. For example:
$ telnet localhost 80
Trying 127.0.0.1...
Connected to k2.evoknow.com (127.0.0.1).
Escape character is '^]'.
TRACE / HTTP/1.0
X: 100
Y: 101

HTTP/1.1 200 OK
Date: Fri, 28 Nov 2008 22:09:28 GMT
Server: Apache/2.2.3 (CentOS)
Connection: close
Content-Type: message/http

TRACE / HTTP/1.0
X: 100
Y: 101
Here you can see that we sent a TRACE request with two custom headers (X and Y) and the server returned them back verbatim in a message/http type response.
PCI compliance scanners also complain about the TRACK/TRACE support that is available in Apache. You can turn it off either with a mod_rewrite rule, as shown below:
<IfModule rewrite_module>
    # Block TRACE/TRACK XSS vector (cross-site tracing): refuse any request
    # whose method starts with TRAC, i.e. TRACE or TRACK, with 403 Forbidden.
    RewriteEngine On
    RewriteCond %{REQUEST_METHOD} ^TRAC(E|K)
    RewriteRule .* - [F]
</IfModule>
Or you can use the TraceEnable Off directive in your httpd.conf file to disable TRACE. Once disabled, you need to verify that it is truly off, so test your site in a manual telnet session, as shown below:
[root@cassini conf]# telnet localhost 80
Trying 127.0.0.1...
Connected to k2.evoknow.com (127.0.0.1).
Escape character is '^]'.
TRACE / HTTP/1.0
X: 100
Y: 101

HTTP/1.1 405 Method Not Allowed
Date: Fri, 28 Nov 2008 22:19:26 GMT
Server: Apache
Allow:
Content-Length: 223
Connection: close
Content-Type: text/html; charset=iso-8859-1

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>405 Method Not Allowed</title>
</head><body>
<h1>Method Not Allowed</h1>
<p>The requested method TRACE is not allowed for the URL /.</p>
</body></html>
Connection closed by foreign host.
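The two manual telnet checks above (the HEAD request that reveals the server signature, and the TRACE request that should come back 405 once disabled) can be automated so you can re-run them after every configuration change. The script below is an added example written for this post, not code from the original article; it parses raw HTTP responses modelled on the captured sessions above and flags a Server or X-Powered-By header that carries a version number and a TRACE that is still echoed. The check_live function and the sample responses are constructed for illustration; the host name passed to it is yours.

```python
"""Verify the two scanner findings discussed in this post against an Apache host:
a version-revealing signature (HEAD /) and an enabled TRACE method (TRACE /)."""
import http.client
import re
import sys

# "Product/1.2.3" style tokens, e.g. Apache/2.2.3 or PHP/5.1.6; a bare
# "Apache" (ServerTokens Prod) does not match.
VERSION_PATTERN = re.compile(r"\b[\w.-]+/\d+(\.\d+)*")

# Constructed sample responses, taken from the telnet sessions above.
BEFORE_HEAD = (b"HTTP/1.1 200 OK\r\nDate: Fri, 28 Nov 2008 20:02:48 GMT\r\n"
               b"Server: Apache/2.2.3 (CentOS)\r\nX-Powered-By: PHP/5.1.6\r\n"
               b"Connection: close\r\nContent-Type: text/html\r\n\r\n")
AFTER_HEAD = (b"HTTP/1.1 200 OK\r\nDate: Fri, 28 Nov 2008 22:19:26 GMT\r\n"
              b"Server: Apache\r\nConnection: close\r\nContent-Type: text/html\r\n\r\n")
BEFORE_TRACE = (b"HTTP/1.1 200 OK\r\nServer: Apache/2.2.3 (CentOS)\r\n"
                b"Connection: close\r\nContent-Type: message/http\r\n\r\n"
                b"TRACE / HTTP/1.0\r\nX: 100\r\nY: 101\r\n\r\n")
AFTER_TRACE = (b"HTTP/1.1 405 Method Not Allowed\r\nServer: Apache\r\nAllow:\r\n"
               b"Content-Length: 223\r\nConnection: close\r\n"
               b"Content-Type: text/html; charset=iso-8859-1\r\n\r\n<html>...</html>")


def parse_response(raw):
    """Split a raw HTTP/1.x response into (status_code, {header: value}, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    status = int(lines[0].split(" ", 2)[1])
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()  # "Allow:" yields ""
    return status, headers, body


def signature_findings(headers):
    """Return the names of signature headers that disclose a product version."""
    return [name for name in ("server", "x-powered-by")
            if VERSION_PATTERN.search(headers.get(name, ""))]


def trace_enabled(status, headers):
    """A 200 with a message/http body means the request was echoed: TRACE is on."""
    return status == 200 and headers.get("content-type", "").startswith("message/http")


def audit(head_raw, trace_raw):
    """Apply both checks to captured responses; returns (leaking_headers, trace_on)."""
    _, head_headers, _ = parse_response(head_raw)
    status, trace_headers, _ = parse_response(trace_raw)
    return signature_findings(head_headers), trace_enabled(status, trace_headers)


def check_live(host, port=80, timeout=5):
    """Send HEAD / and TRACE / to a real host (hypothetical helper, needs network)."""
    results = []
    for method, extra in (("HEAD", {}), ("TRACE", {"X": "100", "Y": "101"})):
        conn = http.client.HTTPConnection(host, port, timeout=timeout)
        conn.request(method, "/", headers=extra)
        resp = conn.getresponse()
        resp.read()
        results.append((resp.status, {k.lower(): v for k, v in resp.getheaders()}))
        conn.close()  # the captured sessions use Connection: close, so reconnect
    (_, head_headers), (trace_status, trace_headers) = results
    return signature_findings(head_headers), trace_enabled(trace_status, trace_headers)


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "localhost"
    leaks, trace_on = check_live(target)
    print("version-revealing headers:", leaks or "none")
    print("TRACE enabled:", trace_on)
```

Run it as python check_apache.py www.example.com (the file name is yours) before and after applying ServerTokens Prod, ServerSignature Off and TraceEnable Off; the first run should list server and x-powered-by and report TRACE enabled, the second should list none and report False. Removing the X-Powered-By header itself is a PHP setting (expose_php), not an Apache one, which is why the script reports it separately.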
liz on December 3, 2008
Please check this. I have found the words ‘Request’ and ‘Server’ misspelled.
Trim down Apache signature
Most commercial scanners will report that they can detect your Apache software version and other information from your default Apache configuration. For example, if you telnet to a Web server’s HTTP port (80) and enter HEAD / HTTP/1.0 and two newline characters following it, you will see the Web server signature information. Here is a sample of this reqest(Request):
As you can see this Web serer(Server) is running Apache 2.2.3 on CentOS platform and even has PHP/5.1.6. PCI compliance scanners do not like to see such info as the more info you hand out to the potential hackers, the bigger your chance of getting hacked against a known vulnerability is. So you can tell Apache to show minimal signature using the following directives in your Apache configuration (httpd.conf):
Thanks.