In Security and WebSphere Last updated: September 6, 2022

Tweaking IBM HTTP Server (IHS) for Production Environment

HTTP Server by IBM is often used in combination with IBM WebSphere Application Server. Some of the popular sites using IBM HTTP Server are:

  • Airtel.in
  • Marriott.com
  • Hsbc.co.uk
  • Mercedes-benz.com.eg
  • Argos.co.uk

IHS is based on Apache HTTP Server, tweaked by IBM to support enterprise applications and backed by IBM maintenance support. It holds a very small share of the web server market but is still widely used with WebSphere Application Server.

(Figure: IHS market share)

The default IHS configuration exposes a lot of sensitive information, which can help attackers prepare an attack and interrupt business operations. As an administrator, you should know how to harden the IHS configuration to secure your web applications.

In this article, I will explain how to make an IHS environment production-ready and keep it safe and secure.

A few things before we start:

  • You have IHS installed on a Linux environment; if not, you can refer to the installation guide here.
  • You are advised to take a backup of the configuration file.
  • You have an HTTP header extension in your browser, or you can use an online Header Checker tool.
  • Due to the length of the article, I will cover SSL configuration in the next post.

Hide Server Banner and Product Info from HTTP Header

Probably one of the first tasks when setting up a production environment is to mask the IHS version and server banner in the response header. This is not critical, but it is considered a low-risk information leakage vulnerability and is a must for PCI DSS compliant applications.

Let’s take a look at how a request for a non-existent file (404) is answered in the default configuration.

(Figure: 404 response with the default configuration)

Oh no, it reveals that I am using IBM HTTP Server along with the server IP and port number, which is ugly. Let’s hide them.

Solution: –

  • Add the following three directives to the httpd.conf file of your IHS:
AddServerHeader Off
ServerTokens Prod
ServerSignature Off
  • Save the file and restart IHS.

Let’s verify by accessing a non-existent file. You may also use an HTTP header tool to verify the response.

(Figure: 404 response after the fix)

Much better! Now it doesn’t give product, server and port information.

Disable ETag

The ETag header may reveal inode information, which can help an attacker carry out NFS attacks. By default IHS sends the ETag, and here is how you can remediate this vulnerability.

(Figure: ETag header in the default configuration)

Solution: –

  • Add the following directive in the root directory context.
FileETag none

For example:

<Directory />
   Options FollowSymLinks
   AllowOverride None
   FileETag none
</Directory>
  • Restart the IHS server for the change to take effect.

(Figure: response headers after the fix, without ETag)

Run IHS with non-root Account

The default configuration runs the web server as the root and nobody users, which is not advisable: running under a privileged account may impact the whole server if a security hole is exploited. To limit the risk, you may create a dedicated user to run IHS instances.

Solution: –

  • Create a user and group called ihsadmin
groupadd ihsadmin
useradd -g ihsadmin ihsadmin

Now, change the ownership of the IHS folder to ihsadmin so the newly created user has full permission on it. This assumes you have installed to the default location, /opt/IBM/HTTPServer.

chown -R ihsadmin:ihsadmin /opt/IBM/HTTPServer

Let’s change the User and Group values in httpd.conf:

User ihsadmin
Group ihsadmin

Save httpd.conf and restart the IHS server. IHS will now run as the ihsadmin user.

Implement HttpOnly and Secure flag in Cookie

Setting the Secure and HttpOnly flags on cookies helps reduce the risk of XSS attacks.

Solution: –

To implement this, you must ensure mod_headers.so is enabled in httpd.conf.

If not, uncomment the line below in httpd.conf:

LoadModule headers_module modules/mod_headers.so

Then add the Header directive below:

Header edit Set-Cookie ^(.*)$ $1;HttpOnly;Secure

Save the configuration file and restart the web server.

Mitigate Clickjacking attack

Clickjacking is a well-known technique in which an attacker tricks users into clicking on a link and executing embedded code without the user’s knowledge.

Solution: –

  • Ensure mod_headers.so is enabled and add the header directive below to the httpd.conf file
Header always append X-Frame-Options SAMEORIGIN
  • Save the file and restart the server.

Let’s verify by accessing the URL; the response should include X-Frame-Options as shown below.

(Figure: response headers showing X-Frame-Options)

Configure Listen Directive

This applies if the server has multiple Ethernet interfaces/IP addresses. It’s advisable to configure an explicit IP address and port in the Listen directive to avoid DNS requests being forwarded, which is often seen in shared environments.

Solution: –

  • Add the intended IP address and port to the Listen directive in httpd.conf. Ex:-
Listen 10.0.0.9:80

Add X-XSS-Protection

You may apply Cross-Site Scripting (XSS) protection by implementing the following header, which turns the browser’s XSS filter on even if the user has disabled it in the browser.

<IfModule mod_headers.c>
Header set X-XSS-Protection "1; mode=block"
</IfModule>

Disable TRACE HTTP Request

Having the TRACE method enabled on the web server may allow a Cross-Site Tracing attack, which makes it possible to steal cookie information. By default, TRACE is enabled, and you can disable it with the parameter below.

Solution: –

  • Modify the httpd.conf file and add the line below
TraceEnable off
  • Save the file and restart the IHS instance to take effect.
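As an added example (not from this article), the following Python script audits an httpd.conf against every directive covered above and reports which are missing, still at their weak values, or set while mod_headers is commented out. The two sample configurations are constructed, and the script assumes directives sit one per line as in the snippets above (it does not follow Include files).

```python
import re

# Constructed samples: a stock-looking httpd.conf and the same file after this article's changes.
DEFAULT_CONF = "Listen 80\n#LoadModule headers_module modules/mod_headers.so\nUser nobody\nGroup nobody\n"
HARDENED_CONF = """Listen 10.0.0.9:80
LoadModule headers_module modules/mod_headers.so
User ihsadmin
Group ihsadmin
AddServerHeader Off
ServerTokens Prod
ServerSignature Off
TraceEnable off
<Directory />
    FileETag none
</Directory>
Header edit Set-Cookie ^(.*)$ $1;HttpOnly;Secure
Header always append X-Frame-Options SAMEORIGIN
Header set X-XSS-Protection "1; mode=block"
"""
# Directive -> predicate that accepts its hardened value (directive names are matched case-insensitively).
eq = lambda want: (lambda v: v.lower() == want)
EXPECTED = {"addserverheader": eq("off"), "servertokens": eq("prod"), "serversignature": eq("off"),
            "fileetag": eq("none"), "traceenable": eq("off"), "listen": lambda v: ":" in v,  # IP:port
            "user": lambda v: v not in ("root", "nobody"), "group": lambda v: v not in ("root", "nobody")}
# Regexes a "Header ..." value must match for the cookie-flag, clickjacking and XSS headers.
HEADER_CHECKS = (r"set-cookie.*httponly.*secure", r"x-frame-options", r"x-xss-protection")

def parse_directives(conf_text):
    """Map lower-cased directive name -> list of values; comments and <container> tags are skipped."""
    found = {}
    for line in (ln.strip() for ln in conf_text.splitlines()):
        if line and line[0] not in "#<":
            parts = line.split(None, 1)
            found.setdefault(parts[0].lower(), []).append(parts[1] if len(parts) > 1 else "")
    return found

def audit_httpd_conf(conf_text):
    """Return sorted findings; an empty list means every check from the article passes."""
    d, findings = parse_directives(conf_text), []
    for name, ok in EXPECTED.items():
        for v in d.get(name) or [None]:  # a missing directive is reported once as "not set"
            if v is None or not ok(v):
                findings.append(f"{name}: {'not set' if v is None else 'weak value ' + repr(v)}")
    headers = d.get("header", [])
    for pattern in HEADER_CHECKS:
        if not any(re.search(pattern, h, re.I) for h in headers):
            findings.append(f"header: no Header directive matching /{pattern}/")
    if headers and not any(v.startswith("headers_module") for v in d.get("loadmodule", [])):
        findings.append("loadmodule: Header directives used but mod_headers is not loaded")
    return sorted(findings)
```

Running audit_httpd_conf on your own file (for example `audit_httpd_conf(open("/opt/IBM/HTTPServer/conf/httpd.conf").read())`) prints nothing to fix only when all of the settings above are in place.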

I hope the tips above help you harden IBM HTTP Server for a production environment.

  • Chandan Kumar
    Author