Questions tagged [apache]

Questions about the security of Apache open source software, especially Apache HTTP Server

The Apache Software Foundation maintains a number of open source software projects, notably including the Apache HTTP Server:

Apache has been the most popular web server on the Internet since April of 1996.

http://www.apache.org/

519 questions
124 votes, 7 answers

Is using Git for deploying a bad practice?

I tend to use Git for deploying production code to the web server. That usually means that a master Git repository is hosted somewhere accessible over ssh, and the production server serves that cloned repository, while restricting access…
asked by Septagram (1,343 reputation)
105 votes, 11 answers

Best practices for Apache Server hardening?

What are some best practices, recommendations, required reading for securing an Apache Server?
asked by Eric Warriner (3,251 reputation)
71 votes, 3 answers

What was the aim of this invalid HTTP request that tells a story about goats in the request URI?

I currently run an Apache HTTP server, and have set up monitoring to receive emails whenever an error appears in the error logs. I get the usual trying to find if I'm using HTTP 1.0 and trying to see if I'm using off the shelf software like…
asked by Crazy Dino (1,517 reputation)
61 votes, 3 answers

What kind of attack is prevented by Apache2's error code AH02032 ("Hostname provided via SNI and hostname provided via HTTP are different")?

I saw in my Apache2 server logs messages like [ssl:error] [pid 28482] AH02032: Hostname xxx.yyy.zzz.www:443 provided via SNI and hostname xxx.yyy.zzz.www provided via HTTP are different. One of these error messages was triggered by a request from…
asked by jk - Reinstate Monica (1,658 reputation)
60 votes, 7 answers

Testing for HTTP TRACE method

How can I test for HTTP TRACE on my web-server? I need to train a Tester how to verify that the HTTP TRACE method is disabled. Ideally I need a script to paste into Firebug to initiate a https connection to return the web server response to a HTTP…
asked by Andrew Russell (3,633 reputation)
48 votes, 5 answers

Should I close port 80 forever and ever since the 2018 Google-indicated web-security initiatives?

I often establish Ubuntu-LAMP environments on which I host a few Drupal web applications that I myself own (I don't provide any hosting services and have never done so in the past). Whenever I establish such an environment, the most fundamental security…
asked by user123574
47 votes, 3 answers

Security implications of stolen .git/objects/ files

As a security in-charge, I just noticed that one of our production web apps was attacked by some hackers. The attacker accessed the .git/objects/ files. I already modified .htaccess to make .git and its content inaccessible. The attacker may get…
43 votes, 4 answers

How do I secure Apache against the Bash Shellshock vulnerability?

I have an Apache webserver running, and with the recent news of the Shellshock exploit against bash I was wondering if my webserver is vulnerable. I don't think it is, but I want to make sure I'm not mistaken. I don't use any bash CGI intentionally…
asked by user56147 (431 reputation)
37 votes, 9 answers

Use additional "password" in Referer to hide private site?

I have a private (= I'm the only user) site at example.com/private/. Nothing else is published at this host (it's my domain). I don't want anyone to know that there is anything at example.com, especially not my private site. Now let's say Alice…
asked by unor (1,769 reputation)
32 votes, 2 answers

HSTS extra security over HTTPS

Is HSTS good to use even if my servers are configured to use HTTPS (when HTTP is used, the rewrite rules in Apache turn it into HTTPS)? Also, should HSTS be used even on resources like CSS and images, or just when the content type is text/html?
asked by Novice User (2,088 reputation)
28 votes, 3 answers

Is it practical to pre-blacklist certain GeoIP regions?

In recent events, a server I've been managing has been under a few attacks, a risk you take when hosting a web-server. The firewall has been set up properly to only allow connections through the ports used. The thing is, there was brief…
asked by Lighty (2,368 reputation)
27 votes, 3 answers

Is there a way to mitigate BEAST without disabling AES completely?

It seems that the easiest way to protect users against the BEAST attack on TLS <= 1.0 is to prefer RC4 or even disable all other (CBC) cipher suites altogether, e.g. by specifying something like SSLCipherSuite RC4-SHA:HIGH:!ADH in the Apache…
asked by lxgr (4,094 reputation)
26 votes, 6 answers

Is HTTPS required for local network server to server communication?

I am building web applications for my customer's company. At the server side, there will be 2 kinds of server to server network communication: separated REST API servers making requests among each other, and communication from application load…
asked by asinkxcoswt (375 reputation)
25 votes, 8 answers

Can I detect web app attacks by viewing my Apache log file?

I occasionally get clients requesting I look at their access_log file to determine if any web attacks were successful. What tools are helpful to discern attacks?
asked by Tate Hansen (13,714 reputation)
25 votes, 1 answer

Why am I receiving HTTP GETs for a domain I don't own?

I am running a Centos7 web server. I noticed a few strange HTTP GET requests like these: 94.185.83.100 - - [29/Feb/2016:23:29:00 +0530] "GET http://testp1.piwo.pila.pl/testproxy.php HTTP/1.1" 404 390 "-" "Mozilla/5.0 (Windows NT 5.1; rv:32.0)…
asked by Sriram (373 reputation)