Apache Security Notes

Fixing Problems Reported by the Security Scan

There are two (2) separate, independent "vulnerabilites" that the security scan looks for in apache servers. Either or both may be reported for your server. Here are some notes on how to fix them.

1. ApacheServerTokenNotSet

This one is relatively easy to fix.

Open your apache config file (normally httpd.conf).
Look for a line that says something like:
ServerTokens Full

If you find one (or more), change it/them to:
ServerTokens ProductOnly
("ProductOnly" can be abbreviated "Prod")
If you don't find one, add that line (ServerTokens Prod). It can go anywhere in section 1 (Global Environment) or section 2 (Main Server Configuration); typically, it is near the end of section 1 or the beginning of section 2.

It is also recommended that you add a second line: ServerSignature Off although our scans don't check for that.
Make sure there isn't a second ServerToken (or ServerSignature) line further down your config file: a later directive will override the earlier one.
After editing and saving your config file, you need to stop and restart apache to have the change take effect.

2. HTTPTraceEnabled

Fixing this one is often straightforward, but can be more complicated. If your webserver is running the tomcat "java servlet container" (as, for example, some elog installations do), be sure to see the final section. If you think you have fixed apache, but still have "trace enabled" on port 8080, again, check the tomcat notes below.

Update: For apache version 1.3.34 (or later 1.3.x versions), or apache 2.0.55 (or later), this has been made easy. In section 1, just add the line
TraceEnable off
For older versions of apache, see below.

First, you have to make sure you have the apache module 'mod_rewrite' available.

Look for a line like:
LoadModule rewrite_module libexec/mod_rewrite.so
and/or
AddModule mod_rewrite.c
If there is no such line, you will need to add one. But first, you will need to determine if either the static module is built in to your apache, or if the dynamic module is available for loading. If neither is available, you will have to add one or the other. This can mean recompiling apache. This is outside the scope of these notes; consult with whomever installed apache for you.

Once you know that mod_rewrite is available, you need to add this block of lines:
# Block access: SLAC addition RewriteEngine On RewriteCond %{REQUEST_METHOD} ^(TRACE|TRACK) RewriteRule .* - [F] # End block access rule
to the Main Server Config (section 3) AND to each and every virtual host defined in your config. Or, if you have the block in the main host config, you can just add the following to the virtual host(s) config(s):
RewriteOptions inherit
If you don't have any virtual hosts, then you only need it in the main server config. If you are using SSL, you most likely have a virtual host defined for that, and will need it there. NOTE: if you are running Apache 2, there is often an SSL virtual host defined by default in a separate file: conf.d/ssl.conf . You'll need to add the lines there, too (or get rid of the virtual host, if you don't need it). Security will normally tell you which port(s) the problem is on; port 443 will indicate it is an SSL host.
For the curious: The first and last lines are just comments; the second line insures that the rewrite module is 'on'; the next line says that any 'trace' (or 'track') request should be rewritten; the fourth line says that what the request should get instead of a trace/track is the 'forbidden' error page.
Again, after saving your modified config file(s), you need to stop and start apache.

Disabling Trace in Tomcat

If you are running tomcat as part of your installation, you may also get a report about "trace enabled" on port 8080 (or similar port). Here is one example of how to fix this (for tomcat 4.0).

Look in your server.xml file for a entry with the matching port number; for example:

    <Connector className="org.apache.catalina.connector.http.HttpConnector"
         port="8080" minProcessors="5" maxProcessors="75"
         enableLookups="true" redirectPort="8443"
         acceptCount="10" debug="0" connectionTimeout="60000"/>

Add one more directive to this statement: allowTrace="false". E.g.,:

    <Connector className="org.apache.catalina.connector.http.HttpConnector"
         port="8080" minProcessors="5" maxProcessors="75" allowTrace="false"
         enableLookups="true" redirectPort="8443"
         acceptCount="10" debug="0" connectionTimeout="60000"/>

Author: John Bartelt