10g R2 Application Server Apache Hardening Steps

  Documents Created by             : Bharat Gali

  Email                                      : bharat@bharatgali.com

  Created date                            : 17-Nov-2005

  Application Server Version        :

  Last Revised                             :22-Apr-2010


Apache Harding Steps.


1. oracle_apache.conf Hardening
    /midtier/Apache/Apache/conf> cat oracle_apache.conf

-- Comment out the following Conf sections
    # Advanced Queuing - AQ XML
    #include " /midtier/Apache/Apache/conf/aqxml.conf"
    #include " /midtier/Apache/jsp/conf/ojsp.conf"
    #Directives needed for OraDAV module
    #include " /midtier/Apache/oradav/conf/moddav.conf"
    #OiD DAS module
    #include " /midtier/ldap/das/oiddas.conf"
    #include " /midtier/Apache/modplsql/conf/plsql.conf"
    # Oracle uix
    #include " /midtier/uix/uix.conf"

2. plsql.conf Hardening
    *****IMPORTANT ******

    This step(plsql.conf hardening) should not be performed @ the box where Portal instance is installed.

    /midtier/Apache/modplsql/conf> cat plsql.conf

-- Comment out the following Conf sections
    # Configure Oracle HTTP Server to load mod_plsql
    #LoadModule plsql_module /midtier/Apache/modplsql/bin/modplsql.so
    # Load in mod_plsql directives only if mod_plsql is loaded
    #<IfModule mod_plsql.c>
    #PlsqlLogEnable Off
    #PlsqlLogDirectory /midtier/Apache/modplsql/logs
    # PlsqlIdleSessionCleanupInterval 15 (default)
    # PlsqlDMSEnable On (default)
    #include " /midtier/Apache/modplsql/conf/dads.conf"
    # include " /midtier/Apache/modplsql/conf/cache.conf"

* Note : There is no need to make any changes for Jserv 10G AS Rel 2 onwards as Jserv is de supported and there will be no Jserv directories/files with the start of this release

3. Utilize RedirectMatch and Rewrite Rules: RedirectMatch and Rewrite Rules were applied when possible to prevent individuals from     accessing restricted areas.

    #RedirectMatch Hardening:
    # Redirect allows you to tell clients about documents which used to exist in
    # your server's namespace, but do not anymore. This allows you to tell the
    # clients where to look for the relocated document.
    # Format: Redirect old-URI new-URL
    #Below lines to be added added
    RedirectMatch ^/dms0 /forbidden.html
    RedirectMatch ^/dms0.*$ /forbidden.html
    RedirectMatch ^/servlet/DMSDUMP /forbidden.html
    RedirectMatch ^/servlet/DMSDUMP.*$ /forbidden.html
    RedirectMatch ^/servlet/Spy.*$ /forbidden.html
    RedirectMatch ^/fcgi-bin/echo /forbidden.html
    RedirectMatch ^/fcgi-bin/echo.*$ /forbidden.html
    RedirectMatch ^/fcgi-bin/echo2 /forbidden.html
    RedirectMatch ^/fcgi-bin/echo2.*$ /forbidden.html

4. When utilizing Allow/Deny rules, use IP addresses: ďDeny from allĒ option is applied to all location and directory directive configurations.
When configuring Location and Directory directives, it is possible to allow or deny access based on hostname, ip address or subnet. To prevent a DNS spoof, use IP addresses when possible for the Allow/Deny rule.

    Step 1
    # Added "Deny from all".
    Order allow,deny
    Deny from all
    # End iAs hardening Part
    Step 2
    <Location /server-status>
    SetHandler server-status
    Order deny,allow
    Deny from all
    #Allow from localhost
    Allow from required I.Pís
    Allow from localhost

5. Reduce the Timeout setting: Timeout setting is set to 300(5minutes) in httpd.conf file.
One common method of executing a Denial of Service attack is to continually send packets to a webserver. What happens is that the server will create a client to service the request, and will remain available for a period of time (Timeout). Denials of Service attacks rely on this feature and will send a mass of packets to a site, locking all of the clients into a service state. Now, there are no more clients available to service any new requests. This makes a server appear to be unavailable. These services will not become available again until the timeout is reached. Once the timeout is reached, the connection is closed and new requests can be processed.
    This value can be set in the

    step 1:
    # Timeout: The number of seconds before receives and sends time out.
    Timeout 300

6. Configure appropriate logging to identify attacks:
Oracle9iAS server provides a variety of logging services to help identify who has accessed your system, when and
what was their request. These logging features utilize the normal Apache logging parameters and should be
configured to log, at the minimum, server access.
Along with logging, there are many tools available to analyze those logs. These should be considered to assist in
your log file analysis.
We will be using Oracle 10g iAS provided logging services to address this issue.

7. Protect Administrative URIís:Protected administrative URIís by using all rewrite rules.
Within Oracle9iAS, there is a number of URIs that provides administrative or testing functionalities. These URIs will often provide information about various services and will provide information on the server and its configuration. While useful in debugging, this information would assist someone who is trying to determineyour webserver configuration. These tools can often be secured by either using rewrite rules or allow/deny rules. There are definite benefits to each. Rewrite rules will send all requestors, including administrators, to a site/location of your choosing. Unfortunately, some URIs cannot be protected via allow/deny rules. For those URIs, rewrite rules are the only available choice for protecting access.
Below is a list of URIs that should be protected via rewrite rules:

    RewriteEngine On
    RedirectMatch ^/dms0 http://my.server.com/errors/forbidden.html
    RedirectMatch ^/dms0.*$ http://my.server.com/errors/forbidden.html
    RedirectMatch ^/servlet/DMSDUMP http://my.server.com/errors/forbidden.html
    RedirectMatch ^/servlet/DMSDUMP.*$ http://my.server.com/errors/forbidden.html
    RedirectMatch ^/servlet/Spy.*$ http://my.server.com/errors/forbidden.html
    RedirectMatch ^/fcgi-bin/echo http://my.server.com/errors/forbidden.html
    RedirectMatch ^/fcgi-bin/echo.*$ http://my.server.com/errors/forbidden.html
    RedirectMatch ^/fcgi-bin/echo2 http://my.server.com/errors/forbidden.html
    RedirectMatch ^/fcgi-bin/echo2.*$ http://my.server.com/errors/forbidden.html
As the security measures for individual services are discussed, this list will change. Security implementation is application and     customer specific, and the degree of protection implemented will vary based on the application, the customerís security budget, and their tolerance for risk.

This was accomplished in step 4
Example :
    RedirectMatch ^/dms0 /forbidden.html
    RedirectMatch ^/dms0.*$ /forbidden.html
    RedirectMatch ^/servlet/DMSDUMP /forbidden.html
    RedirectMatch ^/servlet/DMSDUMP.*$ /forbidden.html
    RedirectMatch ^/servlet/Spy.*$ /forbidden.html
    RedirectMatch ^/fcgi-bin/echo /forbidden.html
    RedirectMatch ^/fcgi-bin/echo.*$ /forbidden.html
    RedirectMatch ^/fcgi-bin/echo2 /forbidden.html
    RedirectMatch ^/fcgi-bin/echo2.*$ /forbidden.html

8. Remove samples and examples from 10g iAS code tree:Removed all examples and samples from the server.
Oracle9iAS provides a number of samples and examples to assist application developers in designing and
developing new applications. On production servers, these samples/examples should be removed. This will
reduce the number of potential access points to your webserver environment.
The following is a list of samples/examples that should be removed. Note that, depending on the applications you have installed on your system, other samples/examples may exist; these should also be considered for removal.

9. Protect DocumentRoot:
In the ${ORACLE_HOME}/Apache/Apache/conf/httpd.conf file the DocumentRoot directory is set by default to ${ORACLE_HOME}/Apache/Apache/htdocs. This should either be set to the applications DocumentRoot or should be protected in the following manner:
DocumentRoot "${ORACLE_HOME}/Apache/Apache/
    <Directory />
    AllowOverride None
    Order deny,allow
    Deny from all
    <Directory "${ORACLE_HOME}/Apache/Apache/htdocs">
    Options Indexes FollowSymLinks
    AllowOverride None
    Order deny,allow
    Deny from all
Protected DocumentRoot by adding the following line to httpd.conf
    <Directory " /midtier/Apache/Apache/htdocs">
    Options Indexes FollowSymLinks MultiViews
    AllowOverride None
    Order allow,deny
    Deny from all

10. Delete all user and codes which are not used: The only user that is hosted by Oracle Application Server is ias_admin. Password for this user is hosted on the server and is encrypted.

11. Port Management: Port management will be done as part of load balancer configuration.

12. Run the httpd daemon as nobody/nobody: It is possible to start HTTP server as nobody/nobody. However, the script that is used to accomplish this task is not approved by oracle development team. Therefore, this rule was not applied. Please see attached document for more details (TAR 4310861.999)

13. Replace standard error pages with custom error pages: Standard Oracle error pages are being used. However, all information, a potential intruder can use such as Oracle banner, references to server name, references to server version, references to port numbers were removed from these pages.

14. Remove any unnecessary directory references from httpd.conf: Unnecessary directory references removed from httpd.conf.

15. Remove actual server name from the ServerName directive: This will be done as part of load balancer configuration.
One key bit of information that a potential intruder will need to start probing a system is the name of a system.
This is especially true if you are using an external load balancer such as F5 BigIP or Cisco Local Director that
would provide IP masquerading. To avoid giving the system name to a potential intruder, you can use your
application name instead of the actual server name in the
    ${ORACLE_HOME}/Apache/Apache/conf/httpd.conf file:
    ServerName my.app.com
    instead of
    ServerName my.server.com

16. Remove the actual banner from Oracle10giAS: Removed ORACLE banner.
    # Optionally add a line containing the server version and virtual host
    # name to server-generated pages (error documents, FTP directory listings,
    # mod_status and mod_info output etc., but not CGI generated documents).
    # Set to "EMail" to also include a mailto: link to the ServerAdmin.
    # Set to one of: On | Off | EMail
    #Below line should be commented out
    #ServerSignature On
    ServerSignature Off
    ServerTokens Prod
    # End

17. Place all files in a location inaccessible by the DocumentRoot: DocumentRoot is protected.
Place all files in a location in access ible by the Document Root, Alias Match,
Location Match directive sun less explicitly needed

It is critical to remove access to any file unless it is explicitly needed for the external presentation of the application. This
would especially include password files to protect directories, configuration files, log files or any other file that is not
necessarily needed for the external presentation of the application. By removing access to all files except for the ones
explicitly needed, the administrator is controlling the view of the user. The most secure directory is one that doesnít exist.
By making the directories inaccessible, they will not exist to the external user.

18. Remove any unnecessary Directives: Removed /docs, /icons, and /soap directives.
    #Below lines should be commented out
    #Alias /icons/ " /midtier/Apache/Apache/icons/"
    #Alias /javacachedocs/ " /midtier/javacache/javadoc/"

19. Turn off Indexing of Directories: Directory indexing is turned off.
Turn off Indexing of Directories .
There are two goals when protecting your webserver:
._ Reduce the amount of information available
._ Reduce the amount of access to non application related areas
Directory indexes will display the contents of a directory if there is not an index.htm or similar file available. By
commenting this out, you will prevent an intruder from viewing the files in a directory, potentially finding a file
that may be of use in their quest to access your system. The quickest way to disable this feature is to modify
and comment out the following line:
IndexOptions FancyIndexing
If directory indexing is required, then it is recommended that this be set only at the Directory level using:
<Directory /u01/app/something>
IndexOptions FancyIndexing
In this case, only files in the above location can be browsed.
#IndexOptions FancyIndexing

20. Enterprise manager website (http://<server_name>:1810) is used to manage application servers through the web. This administrative URI is password protected and will be turned off when not in use by administrators.

21. SSL implementation: SSL implementation for securing confidential data will be handled by load balancer SSL off load module.

22. Load Balancing: A CISCO load balancer will be directing user requests to servers.
XSQL/SOAP Security
If application is not utilizing SOAP. All references to SOAP have been removed from httpd.conf, XSQLConfig.xml files.