Tweaking IBM HTTP Server (IHS) for Production Environment
HTTP Server by IBM is often used in combination with IBM WebSphere Application Server. Some of the popular sites using IBM HTTP Server are:
IHS is based on Apache HTTP Server, but IBM has tweaked it to support enterprise applications and to provide maintenance support. It holds a very small share of the web server market, but it is still widely used alongside WebSphere Application Server.
The default IHS configuration exposes a good deal of sensitive information, which can help attackers prepare an attack and disrupt business operations. As an administrator, you should know how to harden the IHS configuration to secure the web applications behind it.
In this article, I will explain how to make an IHS environment production-ready and keep it safe and secure.
A few things before we start:
- You have IHS installed in a Linux environment; if not, you can refer to the installation guide here.
- You are advised to take a backup of the configuration file before making changes.
- You have an HTTP header extension in your browser, or you can use the Header Checker online tool.
- Due to the length of this article, I will cover SSL configuration in the next post.
Hide Server Banner and Product Info from HTTP Header
Probably one of the first tasks when setting up a production environment is to mask the IHS version and server banner in the response headers. This is not critical, but it is considered a low-risk information leakage vulnerability and is a must for PCI DSS compliant applications.
Let's take a look at the response to a request for a non-existent resource (404) in the default configuration.
Oh no, it reveals that I am using IBM HTTP Server, along with the server IP and port number, which is ugly. Let's hide them.
- Add the following three directives to the httpd.conf file of your IHS:

```apache
AddServerHeader Off
ServerTokens Prod
ServerSignature Off
```

- Save the file and restart IHS.
Let's verify by accessing a non-existent file. You may also use an HTTP header tool to verify the response.
Much better! Now it doesn't give away product, server or port information.
The ETag header may reveal inode information, which can help an attacker mount NFS attacks. By default IHS reveals the ETag; here is how you can remediate this.
- Add the following directive in the root directory block:

```apache
<Directory />
    Options FollowSymLinks
    AllowOverride None
    FileETag None
</Directory>
```

- Restart the IHS server for the change to take effect.
Run IHS with non-root Account
The default configuration runs the web server as the root and nobody users, which is not advisable: running under a privileged account may compromise the whole server if a security hole is exploited. To limit the risk, create a dedicated user to run the IHS instances.
- Create a user and group called ihsadmin:

```bash
groupadd ihsadmin
useradd -g ihsadmin ihsadmin
```

Now change the ownership of the IHS folder to ihsadmin so the newly created user has full permission on it. This assumes you installed in the default location, /opt/IBM/HTTPServer:

```bash
chown -R ihsadmin:ihsadmin /opt/IBM/HTTPServer
```

Let's change the User and Group values in httpd.conf:

```apache
User ihsadmin
Group ihsadmin
```

Save httpd.conf and restart the IHS server. IHS will now start as the ihsadmin user.
Implement HttpOnly and Secure flag in Cookie
Setting the Secure and HttpOnly flags on cookies helps reduce the risk from XSS attacks.
To implement this, you must ensure mod_headers.so is enabled in httpd.conf.
If not, uncomment the line below in httpd.conf:

```apache
LoadModule headers_module modules/mod_headers.so
```

Then add the following Header directive:

```apache
Header edit Set-Cookie ^(.*)$ $1;HttpOnly;Secure
```
Save the configuration file and restart the web server.
Mitigate Clickjacking attack
Clickjacking is a well-known technique in which an attacker tricks users into clicking on a link and executing embedded code without their knowledge.
- Ensure mod_headers.so is enabled and add the following header directive to the httpd.conf file:

```apache
Header always append X-Frame-Options SAMEORIGIN
```

- Save the file and restart the server.
Let's verify by accessing the URL; the response should include X-Frame-Options as shown below.
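To check these headers without a browser extension, here is a small Python script (an added example, not from the original post and not IBM's tooling) that parses a raw HTTP response and reports the items covered so far: a Server header that carries a version, an ETag in Apache's default inode-size-mtime shape, Set-Cookie values missing HttpOnly or Secure, and a missing or unexpected X-Frame-Options. The two responses embedded in it are constructed for illustration, not captured from a real IHS.

```python
import re

# Constructed sample responses (not captured from a real server).
# DEFAULT_404 mimics an untouched IHS; HARDENED_404 mimics one with the
# directives from this article applied.
DEFAULT_404 = (
    "HTTP/1.1 404 Not Found\r\n"
    "Server: IBM_HTTP_Server/9.0 (Unix)\r\n"
    "ETag: \"1a2b3c-4d5-5e6f7a8b9c0d1\"\r\n"
    "Set-Cookie: JSESSIONID=0000abc123; Path=/\r\n"
    "Content-Type: text/html\r\n"
    "\r\n"
    "<html><body>Not Found</body></html>"
)

HARDENED_404 = (
    "HTTP/1.1 404 Not Found\r\n"
    "Set-Cookie: JSESSIONID=0000abc123; Path=/;HttpOnly;Secure\r\n"
    "X-Frame-Options: SAMEORIGIN\r\n"
    "Content-Type: text/html\r\n"
    "\r\n"
    "<html><body>Not Found</body></html>"
)

# Apache's default FileETag is INode MTime Size, rendered as three hex
# fields separated by "-", optionally with a W/ weak-validator prefix.
INODE_ETAG = re.compile(r'^(W/)?"[0-9a-f]+-[0-9a-f]+-[0-9a-f]+"$', re.I)
# A Server header that carries a version number or an OS token.
SERVER_DETAIL = re.compile(r"/\d|\(")


def parse_headers(raw):
    """Split a raw HTTP response into (status_line, [(name_lower, value), ...])."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    headers = []
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.append((name.strip().lower(), value.strip()))
    return lines[0], headers


def audit_response(raw):
    """Return a list of hardening findings for one response; empty means clean."""
    _, headers = parse_headers(raw)
    findings = []
    for name, value in headers:
        if name == "server" and SERVER_DETAIL.search(value):
            findings.append(f"Server header reveals version/OS: {value}")
        elif name == "etag" and INODE_ETAG.match(value):
            findings.append(f"ETag looks like inode-size-mtime: {value}")
        elif name == "set-cookie":
            cookie = value.split(";")[0]
            attrs = [a.strip().lower() for a in value.split(";")[1:]]
            if "httponly" not in attrs:
                findings.append(f"Set-Cookie without HttpOnly: {cookie}")
            if "secure" not in attrs:
                findings.append(f"Set-Cookie without Secure: {cookie}")
    xfo = [v for n, v in headers if n == "x-frame-options"]
    if not xfo:
        findings.append("X-Frame-Options missing")
    elif any(v.strip().upper() not in ("DENY", "SAMEORIGIN") for v in xfo):
        # "Header append" merges with an existing value using a comma, which
        # browsers do not accept as a valid X-Frame-Options value.
        findings.append(f"X-Frame-Options has unexpected value: {xfo}")
    return findings


if __name__ == "__main__":
    for label, raw in (("default", DEFAULT_404), ("hardened", HARDENED_404)):
        print(f"{label}: {audit_response(raw) or 'no findings'}")
```

Two caveats worth knowing when you read the results: the `Header edit Set-Cookie ^(.*)$ ...` directive appends the flags unconditionally, so a cookie the application already marks HttpOnly ends up with the attribute twice (harmless, but the checker treats it as set); and `Header always append` merges with any X-Frame-Options the application already sends using a comma, which the check above flags as an unexpected value.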
Configure Listen Directive
This applies if you have multiple Ethernet interfaces/IPs on the server. It's advisable to configure an explicit IP address and port in the Listen directive to avoid requests for other DNS names on the host being forwarded to IHS. This is often seen in shared environments.
- Add the intended IP and port to the Listen directive in httpd.conf. Ex:
You may also apply Cross Site Scripting (XSS) protection by adding the following header, which enables the browser's XSS filter even if the user has disabled it.

```apache
<IfModule mod_headers.c>
    Header set X-XSS-Protection "1; mode=block"
</IfModule>
```
Disable Trace HTTP Request
Having the TRACE method enabled in the web server may allow a Cross Site Tracing attack, which can be used to steal cookie information. By default this is enabled; you can disable it with the parameter below.
- Modify the httpd.conf file and add the line below
- Save the file and restart the IHS instance for the change to take effect.
I hope the tips above help you harden IBM HTTP Server for a production environment.
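To catch regressions in the configuration itself, here is a Python linter (an added example, not part of the original post and not IBM's tooling) that reads an httpd.conf and checks the directives from this article: AddServerHeader, ServerTokens, ServerSignature, FileETag, User/Group, mod_headers with the Set-Cookie and X-Frame-Options Header directives, a Listen with an explicit address, and TraceEnable Off, which is the standard Apache directive I assume the TRACE section refers to. The two configuration excerpts inside it are constructed samples, and the parser ignores section nesting, so a directive inside a <Directory> block counts as global.

```python
import re

# Constructed httpd.conf excerpts (not copied from a real installation).
DEFAULT_CONF = """
ServerRoot "/opt/IBM/HTTPServer"
Listen 80
User nobody
Group nobody
#LoadModule headers_module modules/mod_headers.so
ServerTokens Full
ServerSignature On
"""

HARDENED_CONF = """
ServerRoot "/opt/IBM/HTTPServer"
Listen 192.0.2.10:80
User ihsadmin
Group ihsadmin
LoadModule headers_module modules/mod_headers.so
AddServerHeader Off
ServerTokens Prod
ServerSignature Off
TraceEnable Off
<Directory />
    Options FollowSymLinks
    AllowOverride None
    FileETag None
</Directory>
Header edit Set-Cookie ^(.*)$ $1;HttpOnly;Secure
Header always append X-Frame-Options SAMEORIGIN
"""

# Directive -> value this article expects. TraceEnable is my assumption for
# the TRACE section; it is the standard Apache directive for that purpose.
EXPECTED = {
    "addserverheader": "off",
    "servertokens": "prod",
    "serversignature": "off",
    "fileetag": "none",
    "traceenable": "off",
}


def parse_directives(text):
    """Return [(directive_lower, args)], skipping blanks, comments and section tags.

    Section tags (<Directory>, </Directory>, ...) are dropped, so directives
    inside them are treated as if they were global. Good enough for a lint.
    """
    out = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or line.startswith("<"):
            continue
        name, _, args = line.partition(" ")
        out.append((name.lower(), args.strip()))
    return out


def audit_conf(text):
    """Return a list of findings for an httpd.conf; empty means every check passed."""
    values = {}
    for name, args in parse_directives(text):
        values.setdefault(name, []).append(args)
    findings = []
    for name, want in EXPECTED.items():
        got = values.get(name)
        if got is None:
            findings.append(f"{name}: not set")
        elif got[-1].lower() != want:  # last occurrence wins, as in Apache
            findings.append(f"{name}: {got[-1]} (want {want})")
    for who in ("user", "group"):
        v = values.get(who, ["(unset)"])[-1]
        if v in ("(unset)", "root", "nobody"):
            findings.append(f"{who}: {v}")
    if not any("headers_module" in a for a in values.get("loadmodule", [])):
        findings.append("mod_headers not loaded")
    else:
        hdrs = [a.lower() for a in values.get("header", [])]
        if not any("set-cookie" in a and "httponly" in a for a in hdrs):
            findings.append("no Header directive adding HttpOnly to Set-Cookie")
        if not any("x-frame-options" in a for a in hdrs):
            findings.append("no X-Frame-Options header")
    for addr in values.get("listen", []):
        if re.fullmatch(r"\d+", addr):  # bare port binds every interface
            findings.append(f"listen: {addr} has no explicit address")
    return findings


if __name__ == "__main__":
    for label, conf in (("default", DEFAULT_CONF), ("hardened", HARDENED_CONF)):
        print(f"{label}: {audit_conf(conf) or 'no findings'}")
```

Run it against /opt/IBM/HTTPServer/conf/httpd.conf after every change (read the file and pass its contents to audit_conf) and keep the output empty; any line it prints is a directive from this article that has been dropped or overridden.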