Apache hardening

Discussion in 'ISPConfig 3 Priority Support' started by ganewbie, Oct 9, 2016.

  1. ganewbie

    ganewbie Member HowtoForge Supporter

    Hello,
    I was trying to follow some instructions to improve the server security yet I am not sure why it is not working.
    I have "Apache/2.2.22 (Debian)"
    Debian 7.11
    What I was trying to insert into apache2.conf is as follows:

    Code:
    # START - Disable server signature #
    # ServerSignature Off
    # END - Disable server signature #
    
    # START - Security Headers - X-Content-Type: nosniff
    # X-Content-Type-Options: nosniff
    # END - Security Headers - X-Content-Type: nosniff
    
    # START - Security Headers - X-Frame-Options
    # X-Frame-Options: SAMEORIGIN
    # END - Security Headers - X-Frame-Options
    
    # START - Security Headers - X-XSS-Protection
    # Header always set X-XSS-Protection: 1; mode=block
    # X-Xss-Protection "1; mode=block"
    # END - Security Headers - X-XSS-Protection
    Whenever I add those lines, I cannot reload Apache.
    [FAIL] Reloading web server config: apache2 failed!
    What am I doing wrong?

    Here is the only error I find in logs:
    [Sun Oct 09 11:39:02 2016] [error] python_init: Python version mismatch, expected '2.7.2+', found '2.7.3'.

    [Sun Oct 09 11:39:02 2016] [error] python_init: Python executable found '/usr/bin/python'.

    [Sun Oct 09 11:39:02 2016] [error] python_init: Python path being used '/usr/lib/python2.7/:/usr/lib/python2.7/plat-linux2:/usr/lib/python2.7/lib-tk:/usr/lib/python2.7/lib-old:/usr/lib/python2.7/lib-dynload'.
    Thanks in advance,
     
  2. till

    till Super Moderator Staff Member ISPConfig Developer

    All lines in the above config are commented out, so it should not have any influence on the apache config. My guess is that you changed something else as well (might be days before) without restarting apache at that time which now causes apache to fail.
     
  3. ganewbie

    ganewbie Member HowtoForge Supporter

    Hi Till,
    Thanks for the quick response. My apologies, I posted what is there now to get Apache working. Here is what I want to do that breaks, and that is the reason I commented them out.
    Code:
    # START - Disable server signature #
    ServerSignature Off
    # END - Disable server signature #
    
    # START - Security Headers - X-Content-Type: nosniff
    X-Content-Type-Options: nosniff
    # END - Security Headers - X-Content-Type: nosniff
    
    # START - Security Headers - X-Frame-Options
    X-Frame-Options: SAMEORIGIN
    # END - Security Headers - X-Frame-Options
    
    # START - Security Headers - X-XSS-Protection
    Header always set X-XSS-Protection: 1; mode=block
    # X-Xss-Protection "1; mode=block"
    # END - Security Headers - X-XSS-Protection
    Concerning the X-XSS-Protection, I am alternating between two rules
    Code:
    Header always set X-XSS-Protection: 1; mode=block
    or
    Code:
    X-Xss-Protection "1; mode=block"
    but no luck with either.
    Thanks,
     
  4. till

    till Super Moderator Staff Member ISPConfig Developer

    Did you enable mod_header in apache? It might also be that there are other modules necessary or that the config options are not available in your apache version. You should check in the apache manual which modules and apache versions are required for these commands and if your setup has these modules and the right apache version installed.
     
    ganewbie likes this.
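
A corrected form of the directives from post 3, as an added example that is not part of the thread. It assumes the reload failure comes from the directive syntax and from mod_headers (enabled on Debian with `a2enmod headers`) not being loaded, which the thread does not confirm.

```apache
# Added example, not from the thread. Assumes Debian's Apache 2.2 packaging and
# that these lines go into apache2.conf or a file it includes.
#
# Enable the module first, as root:
#   a2enmod headers
# After editing, validate before reloading so a typo cannot take the site down:
#   apache2ctl configtest && service apache2 reload

# Core directive, valid exactly as posted.
ServerSignature Off

# Posted:   X-Content-Type-Options: nosniff
# A raw response header is not an Apache directive. The Header directive from
# mod_headers is what adds it to responses.
Header always set X-Content-Type-Options "nosniff"

# Posted:   X-Frame-Options: SAMEORIGIN
Header always set X-Frame-Options "SAMEORIGIN"

# Posted:   Header always set X-XSS-Protection: 1; mode=block
# The value contains a space, so it must be quoted to stay a single argument.
Header always set X-XSS-Protection "1; mode=block"

# The Header lines are deliberately not wrapped in <IfModule mod_headers.c>:
# without the module, configtest then rejects them instead of Apache starting
# silently without the security headers.
#
# Check the result (host is a placeholder):
#   curl -sI http://localhost/ | grep -i '^x-'
```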
