Tagged: Security

AWS Shared Security Model

This is AWS shared responsibility Model-

  • AWS take care for the managed services like RDS. It ask you configure the time for patch update. But it does not for the service for the ec2  Operating system, because client install the OS in ec2. So if you have installed the centos 6 in any ec2, AWS will not perform any update in any package installed OS.
  • Basically, If you have installed the software, then it is your responsibility to secure and update that.

This part is very important to understand in aspect of responsibility.

“If you are on cloud , it doesn’t mean that you are secure and up-to-date. This is actually customer responsibility.”

Apache Web Server Basic Security fixes and Optimisation

If you are utilising the apache web server HTTP for your website hosting and you maintain that server, then you must consider the following points,

  • Turn on LOGS and installing mod_log_config. You can check the list of modules by this command : apache2ctl -M
  • Implement Firewall MOD_SECURITY module
https://modsecurity.org/ is an open source, cross-platform web application firewall (WAF) module. Known as the "Swiss Army Knife" of WAFs, it enables web application defenders to gain visibility into HTTP(S) traffic and provides a power rules language and API to implement advanced protections.
  • Implement mod_evasive module
  • Disable Extra  module which are not utilized to improve performance
  • Cross check  Directory Indexing. apache2.conf | httpd.conf | <vhost>.conf | .htaccess
    Options -Indexes
  • Setup following variables in apache2.conf or httpd.conf
    SET HTTP Limits
    • KeepAlive=on
    • KeepAliveTimeout
    • LimitRequestBody
    • LimitRequestFields
    • LimitRequestFieldSize
    • LimitRequestLine
    • LimitXMLRequestBody
    • MaxClients
    • MaxKeepAliveRequests
    • MaxRequestWorkers
    • RequestReadTimeout
    • TimeOut
  • Disable server signature . Add these lines in apache2.conf |  <vhost>.conf | .htaccess
    ServerSignature Off
    ServerTokens Prod
server signature
  • If web-server language is PHP,  By Default PHP version is available in response header, Remove PHP version from header from php.ini
    • expose_php = Off
  • Add these headers  to prevent XSS

X-Frame-Options: SAMEORIGIN 
X-XSS-Protection: 1; mode=block
X-Content-Type-Options: nosniff
Content-Type: text/html; charset=utf-8

Learn More about Apache Opitmization

Monitor and optimize Webserver [apache/nginx]