10g R2 Application Server Apache Hardening Steps
Documents Created by : Bharat Gali
Email : bharat@bharatgali.com
Created date : 17-Nov-2005
Application Server Version : 10.1.2.0.2
Last Revised :22-Apr-2010
*********************************************************************************
Apache Hardening Steps.
1. oracle_apache.conf Hardening
Location:
/midtier/Apache/Apache/conf> cat oracle_apache.conf
-- Comment out the following include directives. Each one loads a module or
   service the application does not use, and every unused handler is reachable
   attack surface:
# Advanced Queuing - AQ XML
#include "/midtier/Apache/Apache/conf/aqxml.conf"
#include "/midtier/Apache/jsp/conf/ojsp.conf"
# Directives needed for OraDAV module
#include "/midtier/Apache/oradav/conf/moddav.conf"
# OiD DAS module
#include "/midtier/ldap/das/oiddas.conf"
#include "/midtier/Apache/modplsql/conf/plsql.conf"
# Oracle uix
#include "/midtier/uix/uix.conf"
2. plsql.conf Hardening
*****IMPORTANT******
Do not perform this step (plsql.conf hardening) on a box where a Portal
instance is installed: Portal is served through mod_plsql and stops working
without it.
Location:
/midtier/Apache/modplsql/conf> cat plsql.conf
-- Comment out the following sections so that mod_plsql is neither loaded nor
   configured:
# Configure Oracle HTTP Server to load mod_plsql
#LoadModule plsql_module /midtier/Apache/modplsql/bin/modplsql.so
# Load in mod_plsql directives only if mod_plsql is loaded
#<IfModule mod_plsql.c>
#PlsqlLogEnable Off
#PlsqlLogDirectory /midtier/Apache/modplsql/logs
# PlsqlIdleSessionCleanupInterval 15 (default)
# PlsqlDMSEnable On (default)
#include "/midtier/Apache/modplsql/conf/dads.conf"
#include "/midtier/Apache/modplsql/conf/cache.conf"
#</IfModule>
* Note: No Jserv changes are needed from 10g AS Release 2 onwards. Jserv is
desupported, and this release ships no Jserv directories or files.
3. Utilize RedirectMatch and Rewrite Rules: RedirectMatch and Rewrite rules
were applied where possible to keep individuals out of restricted areas.
#RedirectMatch Hardening:
# Redirect allows you to tell clients about documents which used to exist in
# your server's namespace, but do not anymore. This allows you to tell the
# clients where to look for the relocated document.
# Format: Redirect old-URI new-URL
# Here it is used to send every request for the diagnostic and test URIs
# (the DMS metric dumps, the Spy servlet and the FastCGI echo programs) to a
# static forbidden page. RedirectMatch takes a regular expression that is
# searched against the URL-path, so "^/dms0" already covers "/dms0",
# "/dms0/" and everything below it; the ".*$" variants and the echo2 rules
# are harmless but redundant. The client receives a 302 to /forbidden.html,
# which still tells a prober that the path is special, but discloses nothing
# of what it serves.
#Below lines to be added
RedirectMatch ^/dms0 /forbidden.html
RedirectMatch ^/dms0.*$ /forbidden.html
RedirectMatch ^/servlet/DMSDUMP /forbidden.html
RedirectMatch ^/servlet/DMSDUMP.*$ /forbidden.html
RedirectMatch ^/servlet/Spy.*$ /forbidden.html
RedirectMatch ^/fcgi-bin/echo /forbidden.html
RedirectMatch ^/fcgi-bin/echo.*$ /forbidden.html
RedirectMatch ^/fcgi-bin/echo2 /forbidden.html
RedirectMatch ^/fcgi-bin/echo2.*$ /forbidden.html
4. When utilizing Allow/Deny rules, use IP addresses: "Deny from all" is applied
to every Location and Directory configuration.
Location and Directory directives can allow or deny access by hostname, IP
address or subnet. A hostname entry is checked with a reverse DNS lookup of the
client address, which an attacker who controls the reverse zone can spoof; use
IP addresses wherever possible in Allow/Deny rules.
Step 1
# Added "Deny from all" (tail of a <Directory> block; with Order allow,deny and
# no Allow directive every request is refused with 403).
Order allow,deny
Deny from all
</Directory>
# End iAs hardening Part
Step 2
# Order deny,allow evaluates Deny first and lets a matching Allow override it,
# so only the listed addresses reach server-status.
<Location /server-status>
SetHandler server-status
Order deny,allow
Deny from all
#Allow from localhost
Allow from <required IP addresses>
Allow from localhost
</Location>
Note that "Allow from localhost" is itself a hostname entry; the IP form,
"Allow from 127.0.0.1", is consistent with the advice above.
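Added example (Python, not part of the original hardening document or of Oracle's configuration): a small evaluator of Apache mod_access semantics for the Order/Allow/Deny combinations used in step 4 and step 9, to make the difference between "Order deny,allow" and "Order allow,deny" visible before a block goes into httpd.conf. The administrator address 10.1.2.3 and the other client addresses are constructed values; hostname entries are deliberately rejected for the DNS-spoofing reason given above.

```python
import ipaddress


def entry_matches(entry, client_ip):
    """Does one 'Allow from' / 'Deny from' argument match the client address?

    Supported forms are the ones the page recommends: 'all', a full IPv4
    address, a CIDR block and a partial dotted prefix such as '10.1.'.
    Hostnames are refused on purpose: Apache checks them with a reverse DNS
    lookup of the client address, which is the spoofable path step 4 says
    to avoid.
    """
    if entry == "all":
        return True
    if "/" in entry:
        return client_ip in ipaddress.ip_network(entry, strict=False)
    if entry.endswith("."):
        return str(client_ip).startswith(entry)
    try:
        return client_ip == ipaddress.ip_address(entry)
    except ValueError:
        raise ValueError("hostname entry %r not evaluated; use an IP address" % entry)


def access_decision(order, allow, deny, client):
    """mod_access semantics for one <Location>/<Directory> block.

    order  -- 'allow,deny' or 'deny,allow' (the Order directive)
    allow  -- arguments of the Allow from directives
    deny   -- arguments of the Deny from directives
    Returns True when the request is served, False when it gets a 403.
    """
    client_ip = ipaddress.ip_address(client)
    allowed = any(entry_matches(e, client_ip) for e in allow)
    denied = any(entry_matches(e, client_ip) for e in deny)
    if order == "allow,deny":
        # Default is deny; a matching Deny overrides a matching Allow.
        return allowed and not denied
    if order == "deny,allow":
        # Default is allow; a matching Allow overrides a matching Deny.
        return allowed or not denied
    raise ValueError("unsupported Order %r" % order)


# Assumed administrator address for the demo (constructed, not from the page).
ADMIN_IP = "10.1.2.3"
SERVER_STATUS_BLOCK = {"allow": ["127.0.0.1", ADMIN_IP], "deny": ["all"]}


def demo():
    """The step 4 <Location /server-status> block, once with the Order the
    page uses and once with the two keywords swapped."""
    return {
        # Order deny,allow: Deny from all is overridden for the listed hosts.
        "deny,allow admin": access_decision("deny,allow", client=ADMIN_IP, **SERVER_STATUS_BLOCK),
        "deny,allow other": access_decision("deny,allow", client="10.9.9.9", **SERVER_STATUS_BLOCK),
        # Order allow,deny: Deny from all wins, so even the admin is refused.
        "allow,deny admin": access_decision("allow,deny", client=ADMIN_IP, **SERVER_STATUS_BLOCK),
        # Step 9: Order allow,deny + Deny from all with no Allow refuses everyone.
        "docroot anyone": access_decision("allow,deny", [], ["all"], "192.0.2.10"),
        # A subnet Allow with no Deny: only addresses inside the block get in.
        "subnet inside": access_decision("allow,deny", ["10.1.0.0/16"], [], ADMIN_IP),
        "subnet outside": access_decision("allow,deny", ["10.1.0.0/16"], [], "192.0.2.10"),
    }


if __name__ == "__main__":
    for name, served in demo().items():
        print("%-18s %s" % (name, "served" if served else "403 Forbidden"))
```

The swapped-keyword case is the one that bites in practice: "Order allow,deny" with "Deny from all" denies everybody no matter how many Allow lines follow, which is exactly right for the DocumentRoot block in step 9 and exactly wrong for server-status.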
5. Reduce the Timeout setting: Timeout is set to 300 (5 minutes) in httpd.conf.
A common denial-of-service technique is to open many connections to the web
server and then send nothing, or send very slowly. Each connection occupies a
server child process until the Timeout expires, so a flood of such connections
exhausts the pool and no process is left to serve legitimate requests; the
server appears to be down. The processes are released only when the Timeout is
reached, the connection is closed and new requests can be processed. A lower
Timeout shrinks the window in which an idle connection can hold a process; 300
is the Apache default, so set it to the smallest value the application's
slowest legitimate request tolerates.
This value can be set in the
${ORACLE_HOME}/Apache/Apache/conf/httpd.conf
step 1:
# Timeout: The number of seconds before receives and sends time out.
Timeout 300
6. Configure appropriate logging to identify attacks:
Oracle Application Server provides a variety of logging services to help
identify who accessed the system, when, and what they requested. These logging
features use the normal Apache logging parameters and should be configured to
log, at a minimum, server access.
Many tools are available to analyze those logs and should be considered to
assist in log file analysis.
The Oracle 10g iAS logging services are used to address this issue.
7. Protect Administrative URIs: Administrative URIs were protected with
redirect rules.
Oracle Application Server exposes a number of URIs that provide administrative
or testing functionality. They report on the various services and on the server
and its configuration. While useful in debugging, this information also helps
someone who is trying to map your web server configuration. These URIs can be
secured either with redirect/rewrite rules or with allow/deny rules, and each
has its benefits. Redirect rules send every requestor, administrators included,
to a site/location of your choosing. Some URIs, however, cannot be protected
with allow/deny rules, and for those a redirect or rewrite rule is the only
available choice.
Below is the list of URIs that should be protected. The rules are mod_alias
RedirectMatch directives, so RewriteEngine On is not required for them; it only
matters if RewriteRule directives are added alongside.
RewriteEngine On
RedirectMatch ^/dms0 http://my.server.com/errors/forbidden.html
RedirectMatch ^/dms0.*$ http://my.server.com/errors/forbidden.html
RedirectMatch ^/servlet/DMSDUMP http://my.server.com/errors/forbidden.html
RedirectMatch ^/servlet/DMSDUMP.*$ http://my.server.com/errors/forbidden.html
RedirectMatch ^/servlet/Spy.*$ http://my.server.com/errors/forbidden.html
RedirectMatch ^/fcgi-bin/echo http://my.server.com/errors/forbidden.html
RedirectMatch ^/fcgi-bin/echo.*$ http://my.server.com/errors/forbidden.html
RedirectMatch ^/fcgi-bin/echo2 http://my.server.com/errors/forbidden.html
RedirectMatch ^/fcgi-bin/echo2.*$ http://my.server.com/errors/forbidden.html
As the security measures for individual services are discussed, this list will
change. Security implementation is application and customer specific, and the
degree of protection implemented will vary with the application, the customer's
security budget and their tolerance for risk.
This was accomplished in step 3, using the relative target /forbidden.html in
place of the absolute http://my.server.com/errors/forbidden.html URLs shown
above (the rule list is otherwise identical).
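Added example (Python, not part of the original hardening document or of Oracle's configuration) for the rule lists in steps 3 and 7: it replays the nine RedirectMatch rules in configuration order over a constructed set of probe request paths, shows which rule catches each request, and identifies the rules that can never fire because an earlier rule already matches everything they would. The probe paths are constructed for the demo; the rule list is the one above.

```python
import re
from urllib.parse import urlsplit

# The nine RedirectMatch rules from steps 3 and 7, in configuration order.
REDIRECT_RULES = [
    r"^/dms0",
    r"^/dms0.*$",
    r"^/servlet/DMSDUMP",
    r"^/servlet/DMSDUMP.*$",
    r"^/servlet/Spy.*$",
    r"^/fcgi-bin/echo",
    r"^/fcgi-bin/echo.*$",
    r"^/fcgi-bin/echo2",
    r"^/fcgi-bin/echo2.*$",
]

# Constructed probe requests for the demo (not taken from the document).
PROBES = [
    "/dms0",
    "/dms0/Spy",
    "/servlet/DMSDUMP",
    "/servlet/DMSDUMP?format=xml",
    "/servlet/Spy",
    "/fcgi-bin/echo",
    "/fcgi-bin/echo2",
    "/fcgi-bin/echo2/extra",
    "/forbidden.html",
    "/index.html",
]


def first_matching_rule(request_uri, rules=REDIRECT_RULES):
    """Index of the first rule whose regex matches the URL-path, else None.

    mod_alias walks RedirectMatch rules in configuration order and applies
    the regex with search semantics, so the leading '^' in each pattern is
    what anchors it to the start of the path.  The query string is not part
    of the URL-path and never takes part in the match.
    """
    path = urlsplit(request_uri).path
    for index, pattern in enumerate(rules):
        if re.search(pattern, path):
            return index
    return None


def shadowed_rules(probes=PROBES, rules=REDIRECT_RULES):
    """Rules that match at least one probe but never get to fire, because
    an earlier rule already matched every such probe."""
    shadowed = []
    for j, pattern in enumerate(rules):
        hits = [p for p in probes if re.search(pattern, urlsplit(p).path)]
        if hits and all(first_matching_rule(p, rules) < j for p in hits):
            shadowed.append(j)
    return shadowed


def report(probes=PROBES, rules=REDIRECT_RULES):
    """Human-readable outcome per probe plus the list of redundant rules."""
    lines = []
    for probe in probes:
        hit = first_matching_rule(probe, rules)
        if hit is None:
            outcome = "served normally (no rule matched)"
        else:
            outcome = "302 -> /forbidden.html via rule %d: %s" % (hit, rules[hit])
        lines.append("%-30s %s" % (probe, outcome))
    for j in shadowed_rules(probes, rules):
        lines.append("rule %d (%s) is shadowed by an earlier rule" % (j, rules[j]))
    return lines


if __name__ == "__main__":
    print("\n".join(report()))
```

Run against the list above, the ".*$" variants and both echo2 rules come out shadowed (rules 1, 3, 6, 7 and 8, counting from 0), so the same coverage comes from four rules. The check also confirms that /forbidden.html itself is not matched, which would otherwise produce a redirect loop.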
8. Remove samples and examples from the 10g iAS code tree: All examples and
samples were removed from the server.
Oracle Application Server ships a number of samples and examples to help
developers design and develop new applications. On production servers these
samples/examples should be removed; each one is a potential access point into
the web server environment. The following is a list of samples/examples that
should be removed. Note that, depending on the applications installed on your
system, other samples/examples may exist; these should also be considered for
removal.
9. Protect DocumentRoot:
In ${ORACLE_HOME}/Apache/Apache/conf/httpd.conf the DocumentRoot is set by
default to ${ORACLE_HOME}/Apache/Apache/htdocs. Either point it at the
application's own DocumentRoot or protect it in one of the following ways:
DocumentRoot "${ORACLE_HOME}/Apache/Apache/
<Directory />
AllowOverride None
Order deny,allow
Deny from all
</Directory>
Or
<Directory "${ORACLE_HOME}/Apache/Apache/htdocs">
Options Indexes FollowSymLinks
AllowOverride None
Order deny,allow
Deny from all
</Directory>
The first form (deny everything under <Directory />, then open only the
application directories with explicit Allow rules) is the sounder default.
DocumentRoot was protected by adding the following block to httpd.conf:
<Directory "/midtier/Apache/Apache/htdocs">
Options Indexes FollowSymLinks MultiViews
AllowOverride None
Order allow,deny
Deny from all
</Directory>
Note that this Options line still carries Indexes. Deny from all refuses every
request to htdocs regardless, but any subdirectory that is later opened with an
Allow rule inherits directory listings unless Indexes is removed (see step 19).
10. Delete all users and code that are not used: The only user hosted by Oracle
Application Server is ias_admin. Its password is stored on the server in
encrypted form.
11. Port Management: Port management will be done as part of the load balancer
configuration.
12. Run the httpd daemon as nobody/nobody: It is possible to start the HTTP
server as nobody/nobody. However, the script used to accomplish this is not
approved by the Oracle development team, so this rule was not applied. See the
attached document for details (TAR 4310861.999).
13. Replace standard error pages with custom error pages: The standard Oracle
error pages are still used, but everything a potential intruder could use (the
Oracle banner and references to the server name, server version and port
numbers) was removed from them.
14. Remove any unnecessary directory references from httpd.conf: Unnecessary
directory references were removed from httpd.conf.
15. Remove the actual server name from the ServerName directive: This will be
done as part of the load balancer configuration.
One key piece of information a potential intruder needs to start probing a
system is its name. This matters especially when an external load balancer such
as an F5 BIG-IP or Cisco LocalDirector provides IP masquerading in front of the
server. To avoid handing the system name to an intruder, use the application
name instead of the actual server name in
${ORACLE_HOME}/Apache/Apache/conf/httpd.conf:
ServerName my.app.com
instead of
ServerName my.server.com
ServerName is also what Apache uses to build the absolute Location URL for the
redirects in step 3, so until it is changed every forbidden-page redirect
echoes the real host name back to the client.
16. Remove the actual banner from Oracle 10g iAS: The ORACLE banner was removed.
Example
# Optionally add a line containing the server version and virtual host
# name to server-generated pages (error documents, FTP directory listings,
# mod_status and mod_info output etc., but not CGI generated documents).
# Set to "EMail" to also include a mailto: link to the ServerAdmin.
# Set to one of: On | Off | EMail
# Below line should be commented out
#ServerSignature On
ServerSignature Off
ServerTokens Prod
# End
ServerSignature Off removes the footer from server-generated pages;
ServerTokens Prod trims the Server response header to the product name alone,
dropping the version and module details.
17. Place all files in a location inaccessible from the DocumentRoot:
DocumentRoot is protected.
Place all files in a location that is not reachable through the DocumentRoot,
an AliasMatch or a LocationMatch directive unless explicitly needed.
It is critical to remove access to any file unless it is explicitly needed for
the external presentation of the application. This especially includes the
password files that protect directories, configuration files, log files and any
other file not needed for the external presentation of the application. By
removing access to all files except the ones explicitly needed, the
administrator controls what the user can see. The most secure directory is one
that does not exist: directories that are inaccessible do not exist as far as
the external user is concerned.
18. Remove any unnecessary Directives: The /docs, /icons and /soap directives
were removed.
#Below lines should be commented out
#Alias /icons/ "/midtier/Apache/Apache/icons/"
#Alias /javacachedocs/ "/midtier/javacache/javadoc/"
19. Turn off Indexing of Directories: Directory indexing is turned off.
There are two goals when protecting your web server:
- Reduce the amount of information available
- Reduce the amount of access to non-application areas
Directory indexes display the contents of a directory when there is no
index.html or similar file. Disabling them prevents an intruder from listing
the files in a directory and finding one that helps them get into the system.
Listings are generated by mod_autoindex for every directory whose Options
include Indexes; IndexOptions FancyIndexing only controls the format of the
listing, so commenting it out changes how the listing looks but does not turn
it off. To disable indexing, remove Indexes from every Options line in
${ORACLE_HOME}/Apache/Apache/conf/httpd.conf (or add Options -Indexes) and, in
addition, comment out the following line:
IndexOptions FancyIndexing
If directory indexing is required somewhere, enable it only at the Directory
level, with Options Indexes limited to that same block:
<Directory /u01/app/something>
IndexOptions FancyIndexing
</Directory>
In this case only files in that location can be browsed.
Step:
#IndexOptions FancyIndexing
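Added example (Python, not part of the original hardening document or of Oracle's tooling): a configuration audit that reads an httpd.conf text, ignores commented-out lines and reports the settings that steps 1, 2, 5, 16 and 19 require, namely no unneeded include or plsql LoadModule still active, Timeout within a limit, ServerSignature Off, ServerTokens Prod, and no Options line that still carries Indexes. The configuration excerpt it runs on and the 60-second Timeout threshold are constructed assumptions for the demo.

```python
# Constructed httpd.conf excerpt for the demo (not a real server's file). It
# contains the mistakes the audit is meant to catch.
SAMPLE_HTTPD_CONF = """\
Timeout 300
ServerSignature On
ServerTokens Full
# IndexOptions commented out as in step 19, but Indexes is still switched on:
#IndexOptions FancyIndexing
<Directory "/midtier/Apache/Apache/htdocs">
    Options Indexes FollowSymLinks MultiViews
    AllowOverride None
    Order allow,deny
    Deny from all
</Directory>
<Directory "/midtier/Apache/Apache/cgi-bin">
    Options -Indexes
</Directory>
#include "/midtier/Apache/modplsql/conf/plsql.conf"
include "/midtier/Apache/oradav/conf/moddav.conf"
"""

# Assumption for the demo: the slowest legitimate request finishes well within
# 60 seconds.  300 is the Apache default that step 5 starts from.
MAX_TIMEOUT = 60

# Include files that steps 1 and 2 comment out.
UNWANTED_INCLUDES = ("aqxml.conf", "ojsp.conf", "moddav.conf", "oiddas.conf",
                     "plsql.conf", "uix.conf")


def active_directives(conf_text):
    """Yield (lower-cased directive name, argument string) for every line that
    is neither blank nor commented out."""
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        name, _, args = line.partition(" ")
        yield name.lower(), args.strip()


def audit(conf_text, max_timeout=MAX_TIMEOUT):
    """Return a list of findings; an empty list means every check passed."""
    findings = []
    seen = {}
    for name, args in active_directives(conf_text):
        if name in ("timeout", "serversignature", "servertokens"):
            seen[name] = args
        elif name == "options":
            flags = args.split()
            if "Indexes" in flags or "+Indexes" in flags:
                findings.append("directory indexing enabled: Options %s" % args)
        elif name == "include":
            target = args.strip('"')
            if target.endswith(UNWANTED_INCLUDES):
                findings.append("unneeded module still included: %s" % target)
        elif name == "loadmodule" and args.startswith("plsql_module"):
            findings.append("mod_plsql still loaded: LoadModule %s" % args)
    timeout = int(seen.get("timeout", "300"))        # Apache default is 300
    if timeout > max_timeout:
        findings.append("Timeout %d exceeds %d seconds" % (timeout, max_timeout))
    if seen.get("serversignature", "Off").lower() != "off":   # default Off
        findings.append("ServerSignature is %s, expected Off" % seen["serversignature"])
    if seen.get("servertokens", "Full").lower() != "prod":     # default Full
        findings.append("ServerTokens is %s, expected Prod" % seen.get("servertokens", "Full"))
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_HTTPD_CONF) or ["no findings"]:
        print(finding)
```

The sample deliberately reproduces the step 19 trap: IndexOptions FancyIndexing is commented out, yet the htdocs block still has Indexes in its Options, and the audit flags it. Point the script at the real ${ORACLE_HOME}/Apache/Apache/conf/httpd.conf (and at oracle_apache.conf for the include checks) after the hardening steps are applied.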
20. Enterprise Manager website (http://<server_name>:1810) is used to manage
application servers through the web. This administrative URI is password
protected and will be turned off when not in use by administrators.
21. SSL implementation: SSL for securing confidential data will be handled by
the load balancer's SSL offload module. With offload, traffic between the load
balancer and the HTTP server travels in the clear, so that segment must be a
trusted network.
22. Load Balancing: A Cisco load balancer will direct user requests to the
servers.
XSQL/SOAP Security
Where the application does not use SOAP, all references to SOAP have been
removed from httpd.conf and the XSQLConfig.xml files.