
Introduction: Over the Years, the Internet and Internet-Based Applications Have Revolutionized Our Lives

This document discusses securing an Apache web server. It provides instructions on installing an SSL certificate to enable HTTPS and recommendations for security configurations such as running Apache as a non-root user, disabling server-side includes, restricting file permissions, and monitoring logs. Implementing these measures helps protect the server from attacks and grants access only to authorized users and resources.

Uploaded by

nandoooo86

Introduction: Over the years, the Internet and Internet-based applications have revolutionized our lives.

They have created many new global business opportunities for enterprises conducting online business. However, the security risks associated with conducting e-business have made security a major factor in online success or failure. Any high-profile hacking attack proves that web security still remains a serious issue for any business that runs its operations online. Web servers are one of the most targeted public faces of an organization, because of the sensitive data they usually host. Hence, securing the web server is as important as securing the website or web application itself. If we have a secure web application and an insecure web server, or vice versa, the business is still at huge risk. Therefore, it is important for us to have a secured web server.

What is a Web Server? A Web Server can be defined as an HTTP-protocol-dependent server used to redirect client requests to the appropriate application servers. Following is the pictorial representation of the purpose of a web server:

*Security Implementation in Apache Web Server: Below is the schematic representation of the communication with a secured web server.

The security implementation inside the web server is carried out in two different steps:
1) Installation of an SSL certificate
2) Following the security guidelines

Installation of certificate: The installation of SSL certificates for Apache servers involves the following stages:
1. Create a Certificate Signing Request (CSR)
2. Apply online
3. Install your certificate
4. Display your Secure Site Seal

1. For a web server, generate a CSR and a private key with the following command:

    openssl req -config openssl.cnf -new -out my-server.csr

2. Remove the pass phrase from the private key, because it contains the entropy information for creating the key and could be used for cryptographic attacks against your private key, using the command below (the resulting unencrypted key must then be protected by file permissions, as in guideline 5 below):

    openssl rsa -in privkey.pem -out my-server.key

3. Use the command below to generate the self-signed certificate (later replace this with the certificate from the Certifying Authority):

    openssl x509 -in my-server.csr -out my-server.cert -req -signkey my-server.key -days 365

4. Create an Apache/conf/ssl directory and move my-server.key and my-server.cert into it.

5. Open the httpd.conf file and add the following line:

    LoadModule ssl_module modules/mod_ssl.so

6. Add the following to the end of httpd.conf:

    SSLMutex sem
    SSLRandomSeed startup builtin
    SSLSessionCache none
    SSLLog logs/SSL.log
    SSLLogLevel info
    <VirtualHost>
    SSLEngine On
    SSLCertificateFile conf/ssl/my-server.cert
    SSLCertificateKeyFile conf/ssl/my-server.key
    </VirtualHost>

Note: Apache requires an address argument on the opening VirtualHost tag (the mod_ssl reference uses <VirtualHost _default_:443>). SSLMutex, SSLLog and SSLLogLevel are Apache 2.0-era mod_ssl directives: Apache 2.2 dropped SSLLog and SSLLogLevel in favour of ErrorLog and LogLevel, and Apache 2.4 replaced SSLMutex with Mutex.

Restart the Apache server and access the applications in SSL mode.

Following are some tips and guidelines which, when implemented, will help make our Apache servers more secure:

1) Update the Apache server with the latest security patches and fix packs (stable version of Apache).

2) Hide the Apache version number and other sensitive information as below inside httpd.conf:

    ServerSignature Off
    ServerTokens Prod

Note: ServerSignature Off tells Apache not to display the server version on error pages or other pages it generates. ServerTokens Prod tells Apache to return only "Apache" in the Server header that is returned on every page request.

3) Many times the Apache installation runs as anonymous or root; make sure that Apache is running under its own user account and group. You can check this information in httpd.conf:

    User apache
    Group apache

4) Make sure that Apache does not use or access any files outside its web root directory (this is the location where we have all of the Apache files):

    <Directory />
    Order Deny,Allow
    Deny from all
    Options None
    AllowOverride None
    </Directory>
    <Directory /web>
    Order Allow,Deny
    Allow from all
    </Directory>

Note: Order/Deny/Allow is the Apache 2.0 and 2.2 access-control syntax; Apache 2.4 expresses the same policy with Require all denied and Require all granted.

5) In typical operation, Apache is started by the root user. Set the right permissions on the ServerRoot directories as follows:

    mkdir /usr/local/apache
    cd /usr/local/apache
    mkdir bin conf logs
    chown 0 . bin conf logs
    chgrp 0 . bin conf logs
    chmod 755 . bin conf logs

6) **Server Side Includes (SSI) present an administrator with several potential security risks, such as increased load on the server. Hence, turn off server side includes with the Options directive inside a Directory tag in the httpd.conf file. Set Options to either None or -Includes.

7) Allowing users to execute ***CGI scripts in any directory should only be considered if:

- You trust your users not to write scripts which will deliberately or accidentally expose your system to an attack.
- You consider security at your site to be so feeble in other areas as to make one more potential hole irrelevant.
- You have no users, and nobody ever visits your server.

8) Watch the logs. To keep up to date about what is actually going on against your server you have to check the log files. They will give you some understanding of what attacks are thrown against the server and allow you to check whether the necessary level of security is present.

The installation directory itself should also be owned by root and closed to other users:

    chown -R root:root /usr/local/apache
    chmod -R o-rwx /usr/local/apache

Note: /usr/local/apache is the Apache installation directory.

9) Lower the timeout and restrict the request body size as follows:

    Timeout 45
    LimitRequestBody 1048576


10) Restrict access to a resource by using IP restriction:

    Order Deny,Allow
    Deny from all
    Allow from 127.0.0.1

Note: **A Server Side Include page is typically an HTML page with embedded command(s) that are executed by the Web server.

***A CGI program is any program designed to accept and return data that conforms to the CGI specification. The program could be written in any programming language, including C, Perl, Java, or Visual Basic. CGI programs are the most common way for Web servers to interact dynamically with users.
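As an added example (not part of the original document), the following Python script audits an httpd.conf fragment against the guidelines above and against the mod_ssl lines from the certificate installation steps: it checks ServerTokens and ServerSignature, User and Group, Options containing Includes, Timeout, LimitRequestBody, SSLEngine, and that the certificate paths sit under conf/ssl. The sample configuration embedded in it is constructed for this demonstration, and the parser is a deliberately simple line-based one that ignores section nesting.

```python
# Constructed sample httpd.conf fragment (not from any real server): weak settings
# mixed with the mod_ssl lines from the installation steps, so the audit has findings.
SAMPLE_CONF = """\
ServerTokens Full
ServerSignature On
User root
Timeout 300
SSLEngine On
SSLCertificateFile conf/ssl/my-server.cert
SSLCertificateKeyFile conf/ssl/my-server.key
<Directory />
    Options Indexes Includes
</Directory>
"""

def parse_directives(conf):
    """Lower-cased directive name -> values in file order; comments and <Section> tags skipped."""
    found = {}
    for raw in conf.splitlines():
        line = raw.strip()
        if not line or line[0] in "#<":
            continue
        parts = line.split(None, 1)
        found.setdefault(parts[0].lower(), []).append(parts[1] if len(parts) > 1 else "")
    return found

def audit(conf):
    """Return one finding per guideline from the text that the config fails to meet."""
    d = parse_directives(conf)
    first = lambda k: d.get(k, [""])[0].lower()  # first value of a directive, or ""
    findings = []
    if first("servertokens") not in ("prod", "productonly"):
        findings.append("ServerTokens should be Prod (Server header shows only 'Apache')")
    if first("serversignature") != "off":
        findings.append("ServerSignature should be Off (no version on generated pages)")
    for who in ("user", "group"):
        if first(who) in ("", "root"):
            findings.append(f"{who.capitalize()} must be a dedicated apache account, not root")
    for opts in d.get("options", []):
        if {"includes", "all"} & set(opts.lower().split()):
            findings.append(f"Options '{opts}' enables SSI; use None or -Includes")
    if not first("timeout").isdigit() or int(first("timeout")) > 45:
        findings.append("Timeout missing (default 300) or above 45 seconds")
    if "limitrequestbody" not in d:
        findings.append("LimitRequestBody not set (text uses 1048576)")
    if first("sslengine") != "on":
        findings.append("SSLEngine is not On, so HTTPS is disabled")
    for key in ("sslcertificatefile", "sslcertificatekeyfile"):
        if not first(key).startswith("conf/ssl/"):
            findings.append(f"{key} should point into the conf/ssl directory")
    return findings
```

Running audit(SAMPLE_CONF) reports seven findings for the constructed fragment; a configuration that applies every guideline returns an empty list.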

