Kwok with a Blog

The official blog belonging to Anthony Kwok

Webserver Hardening for 2020

Here's another post for web developers. This is a list of some configurations that deter attackers from enumerating data from your webserver.

These configurations are not plug and play. Please understand what they are doing before you blindly copy and paste code. These configurations cover Apache, Nginx, PHP, and Wordpress.

Apache Configurations

# Instead of exposing what version of Apache you're running, this block fixes the issue by stating that you are running some version of Apache

# HTTP TRACE Security Fix TraceEnable off # HTTP TRACE/TRACK Security Fix - This is also required in each VirtualHost <IfModule mod_rewrite.c> RewriteEngine on RewriteCond %{REQUEST_METHOD} ^(TRACE|TRACK) RewriteRule .* - [F] </IfModule> # Disable Reporting Apache version via HTTP headers # These are set to On and OS respectively in httpd.conf by default # and should be set correctly or commented out there ServerSignature Off ServerTokens Prod

Adding an HSTS Header, which forces HTTPS when connecting
In Apache, typically you will add the HSTS header by editing this file
"000-default-le-ssl.conf" usually found by going to
"cd /etc/apache2/sites-enabled/"

<IfModule mod_ssl.c>
<VirtualHost *:443>
* SSL settings that aren't shown * 
Header always set Strict-Transport-Security "max-age=31536000"
</VirtualHost>
</IfModule>

Add the 'Header always set Strict-Transport-Security "max-age=31536000"' towards the bottom of the file, right before </Virtualhost>

Nginx Configurations

Modify default.conf or nginx.conf

#Disable unwanted HTTP Requests
if ($request_method !~ ^(GET|HEAD|POST)$ )
{
       return 405;
}

server_tokens off;

Adding an HSTS Header, which forces HTTPS

add_header Strict-Transport-Security "max-age=31536000; preload";

Put that in between the server code block that handles traffic with HTTPS (should see port 443)

PHP Configurations

Disable the expose_php directive

By default, the expose_php directive is enabled. However, you may not want to broadcast the specific PHP version your site is using.
Similarly, some third-party applications require the expose_php directive to be disabled. To disable the expose_php directive, use a text editor to modify your php.ini file as follows:

expose_php = off

With the expose_php directive disabled, PHP will not send the X-Powered-By header. To re-enable the expose_php directive and send the X-Powered-By header, modify your php.ini file as follows:

expose_php = on

Wordpress Configurations

Disable XML-RPC (Put this in your .htaccess file of the root of your Wordpress install)

The reason why one should disable xmlrpc is because XMLRPC is used for pingbacks, trackbacks, remote access via mobile devices and many other features. The pingback feature of WordPress allows DDOS attacks either against the server hosting WordPress or against a third one.

# Block WordPress xmlrpc.php requests                                          
<Files xmlrpc.php>                                                             
order deny,allow                                                               
deny from all                                                                  
allow from 127.0.0.1                                                           
</Files>

DISABLE REST API User Enumeration Vulnerability (Put this in your .htaccess file of the root of your Wordpress install)

WordPress is an open source blogging tool and content management system based on PHP and MySQL. It has many features including a plug-in architecture and a template system. The vulnerability exists because the REST API exposes user data for all users who have authored at least one post of a public post type. This was fixed by showing users that have authored a post of a post type that has `show_in_rest` set to true. To verify this vulnerability, go to http(s)://(yoururlhere)/wp-json/wp/v2/users.

# Block User ID Phishing Requests
<IfModule mod_rewrite.c>
    RewriteCond %{QUERY_STRING} ^author=([0-9]*)
    RewriteRule .* http://yoururlhere.com/? [L,R=302]
</IfModule>

I hope you will find these settings to be helpful. I do my best to provide accurate information but if anything is incorrect, please let me know. Verify that your SSL settings are good enough by going to SSL_Labs
Make sure to add an HSTS header to get that A+ rating.