Tweaking IBM HTTP Server (IHS) for Production Environment

IBM HTTP Server is normally deployed in front of IBM WebSphere Application Server. Some of the well-known sites running IBM HTTP Server are:

  • Airtel.in
  • Marriott.com
  • Hsbc.co.uk
  • Mercedes-benz.com.eg
  • Argos.co.uk

IHS is based on Apache HTTP Server, tweaked by IBM to support enterprise applications and backed by IBM maintenance support. It holds a very small share of the web server market but is still widely used with WebSphere Application Server.

ihs-market-share

The default IHS configuration discloses information that helps an attacker fingerprint the server, prepare an attack and disrupt business operations. As an administrator you should know how to harden the IHS configuration that fronts your web applications.

In this article I will explain how to make an IHS installation production ready and keep it safe and secure.

A few things before you start:

  • You have IHS installed on a Linux environment; if not, you can refer to the installation guide here.
  • Take a backup of the configuration file (httpd.conf) before changing it.
  • Have an HTTP header extension in your browser, or use an online header checker tool, to verify the responses.
  • Because of the length of this article, SSL configuration will be covered in the next post.

Hide Server Banner and Product Info from HTTP Header

Probably one of the first tasks when setting up a production environment is to mask the IHS version and server banner in the response headers. Version disclosure is not critical on its own; it is rated a low-risk information-leakage finding, but removing it is a must for a PCI DSS compliant application.

Let’s look at the response to a request for a non-existent file (404) in the default configuration.

ihs-nonexist-response

Oh no, it reveals that I am using IBM HTTP Server, along with the server IP address and port number, which is ugly. Let’s hide them.

Solution: –

  • Add the following three directives to the httpd.conf file of your IHS. AddServerHeader is IHS-specific and stops the Server header from being sent at all; ServerTokens Prod limits the banner to the product name wherever it is still emitted; ServerSignature Off removes the product, host and port footer from error pages.
AddServerHeader Off
ServerTokens Prod
ServerSignature Off
  • Save the file and restart IHS.

Let’s verify by requesting a non-existent file again. You can also use the HTTP header tool to inspect the response.

ihs-nonexist-response-fixed

Much better! It no longer gives away the product, server address or port number.

Disable Etag

In the default configuration the ETag header is built from the file’s inode number, size and modification time. The inode number is internal filesystem information an attacker has no business seeing; it has historically been used in NFS file-handle guessing attacks against hosts that export the document root. By default IHS sends this ETag, and here is how to remediate it.

ihs-etag

Solution: –

  • Add the following directive to the root <Directory /> block (or at server level so it applies everywhere).
FileETag none

For ex:

<Directory />
   Options FollowSymLinks
   AllowOverride None
   FileETag none
</Directory>
  • Restart the IHS server for the change to take effect.

With FileETag None the header disappears entirely and browsers fall back to Last-Modified for conditional requests. If you need ETags for caching, FileETag MTime Size builds them from size and modification time only, without the inode.

ihs-etag
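To see what the default ETag actually hands out, the decoder below takes an ETag in the Apache/IHS inode-size-mtime form and recovers the three fields. This is an added example, not code from the page or from IBM; the sample header values are constructed, not captured from a real server, and the assumption is the standard Apache layout of three lowercase hex fields with the modification time in microseconds since the Unix epoch.

```python
import re
from datetime import datetime, timezone

# Default Apache/IHS strong ETag for a static file: "<inode>-<size>-<mtime>",
# each field in lowercase hex, mtime in microseconds since the Unix epoch
# (FileETag INode MTime Size). A weak ETag carries a W/ prefix.
ETAG_RE = re.compile(r'^(?:W/)?"([0-9a-f]+)-([0-9a-f]+)-([0-9a-f]+)"$')


def decode_etag(etag):
    """Return the inode, size and mtime an inode-based ETag leaks, or None."""
    m = ETAG_RE.match(etag.strip())
    if not m:
        return None  # not the three-field form: nothing to learn from it
    inode, size, mtime_us = (int(x, 16) for x in m.groups())
    mtime = datetime.fromtimestamp(mtime_us // 1_000_000, tz=timezone.utc)
    return {"inode": inode, "size": size, "mtime_us": mtime_us,
            "mtime": mtime.isoformat()}


def etag_leaks_inode(etag):
    """True when the ETag is in the default inode-size-mtime form."""
    return decode_etag(etag) is not None


# Constructed sample header values (not captured from a real IHS).
SAMPLES = {
    "default":  '"1e4d0-2f-5102ec862a000"',  # FileETag INode MTime Size
    "no_inode": '"2f-5102ec862a000"',        # FileETag MTime Size
    "disabled": None,                         # FileETag None: header absent
}

if __name__ == "__main__":
    for label, value in SAMPLES.items():
        print(label, value, decode_etag(value) if value else "no ETag header")
```

Run it and the "default" sample gives back inode 124112, a 47-byte file and a modification time of 2015-03-01 00:00:00 UTC; the two-field and absent forms yield nothing, which is what you want a scanner to report after the fix.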

Run IHS with non-root Account

The default configuration starts the parent process as root and runs the worker processes as the generic nobody account. Running the workers as a shared account is not advisable: a security hole in the web server then gives the attacker everything that account can reach on the whole server. To limit the risk, create a dedicated user for the IHS workers.

Solution: –

  • Create a user and group called ihsadmin (the account only runs worker processes, so it gets no login shell)
groupadd ihsadmin
useradd -g ihsadmin -s /sbin/nologin ihsadmin

Now give ihsadmin write access to the log directory, which is the only part of the installation the workers need to write to (plus any other directory your setup writes to, such as the WebSphere plug-in log directory). Do not hand the whole install tree to ihsadmin: a compromised worker could then rewrite httpd.conf and the binaries. Assuming the default location, /opt/IBM/HTTPServer:

chown -R ihsadmin:ihsadmin /opt/IBM/HTTPServer/logs

Let’s change the User and Group values in httpd.conf

User ihsadmin
Group ihsadmin

Save httpd.conf and restart the IHS server. The parent process is still started by root so it can bind to port 80; the worker processes drop privileges to ihsadmin, which you can confirm in the process list after the restart.
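Handing the whole install tree to the runtime account would let a compromised worker rewrite httpd.conf and the binaries. The shell function below, an added example that is not from the page or from IBM, applies a tighter layout: the tree is owned by an administrative account (normally root), the run group can read and traverse it, only the log directory is group-writable, and nothing is accessible to "others". The install root, admin account and run group are parameters because the page’s values (/opt/IBM/HTTPServer, root, ihsadmin) are assumptions about your host; the two helper functions are there to check the result.

```sh
#!/bin/sh
# Added example: tighten ownership and modes on an IHS install so the worker
# account can read the configuration and write only its logs.
#   $1  install root (the page assumes /opt/IBM/HTTPServer)
#   $2  owning account for binaries and configuration (normally root)
#   $3  group the workers run as (the page's ihsadmin; "Group ihsadmin")
# The parent httpd still starts as root so it can bind port 80; User/Group in
# httpd.conf only affect the worker processes.
harden_ihs_perms() {
    ihs_root=$1 admin=$2 rungroup=$3
    # Whole tree: owner has full access, the run group can read and traverse,
    # everyone else gets nothing. Capital X keeps execute bits on binaries and
    # directories without adding them to plain files.
    chown -R "$admin:$rungroup" "$ihs_root"
    chmod -R u=rwX,g=rX,o= "$ihs_root"
    # Configuration must never be writable by the account that serves requests.
    chmod 750 "$ihs_root/conf"
    chmod 640 "$ihs_root/conf/httpd.conf"
    # Logs are the one place the workers need write access.
    chmod 770 "$ihs_root/logs"
}

# Succeeds when nothing under $1 is writable by "others".
no_world_writable() {
    [ -z "$(find "$1" -perm -002 -print | head -n 1)" ]
}

# Mode string of a path as shown by ls -ld, e.g. -rw-r-----
mode_of() {
    ls -ld "$1" | awk '{print $1}'
}

# Typical call on a real host (as root, after creating the ihsadmin group):
#   harden_ihs_perms /opt/IBM/HTTPServer root ihsadmin
# Then restart IHS and confirm the workers dropped privileges:
#   ps -eo user,pid,args | grep '[h]ttpd'   # one root parent, workers as ihsadmin
```

If your plug-in configuration logs somewhere else, give that directory the same 770 treatment as logs; everything else stays read-only for the run group.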

Implement HttpOnly and Secure flag in Cookie

Flagging cookies HttpOnly and Secure reduces the impact of XSS: HttpOnly stops script on the page from reading the cookie, so an injected payload cannot simply exfiltrate the session, and Secure keeps the browser from sending it over plain HTTP.

Solution: –

To implement this you must make sure the headers module (mod_headers.so) is loaded in httpd.conf.

If not, uncomment the below line in httpd.conf

LoadModule headers_module modules/mod_headers.so

Then add the following Header directive

Header edit Set-Cookie ^(.*)$ $1;HttpOnly;Secure

Save the configuration file and restart the web server. Two caveats: the edit rewrites every Set-Cookie that passes through IHS, including cookies the application already flags, so those end up with duplicated attributes (harmless, but untidy); and adding Secure to a cookie set over plain HTTP makes the browser discard it, so only use it for sites served over HTTPS.
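The snippet below shows what the Header edit above does to a cookie the application has already flagged, and a guarded pattern that only edits when the attribute is absent. This is an added example, not from the page or from IBM: Apache’s Header edit uses PCRE and Python’s re module evaluates these particular patterns (case-insensitive flag, negative lookahead) the same way, which is the assumption the simulation rests on; the httpd.conf lines in the comments are the equivalent directives, with Apache’s $1 in place of Python’s \1, and the cookie values are constructed.

```python
import re

# Pattern from the page's Header edit line (Apache writes $1 where Python uses \1).
NAIVE = (r"^(.*)$", r"\1;HttpOnly;Secure")

# Guarded variant: the whole value only matches when the attribute is absent,
# so the edit is a no-op on cookies the application already flagged.
# Equivalent httpd.conf lines (assumed equivalent, not from the page):
#   Header always edit Set-Cookie (?i)^((?:(?!;\s*HttpOnly).)+)$ "$1; HttpOnly"
#   Header always edit Set-Cookie (?i)^((?:(?!;\s*Secure).)+)$ "$1; Secure"
GUARDED = [
    (r"(?i)^((?:(?!;\s*HttpOnly).)+)$", r"\1; HttpOnly"),
    (r"(?i)^((?:(?!;\s*Secure).)+)$", r"\1; Secure"),
]


def header_edit(value, pattern, replacement):
    """Mimic mod_headers 'Header edit': rewrite the first match in one value."""
    return re.sub(pattern, replacement, value, count=1)


def naive_edit(value):
    """The page's directive: append both flags unconditionally."""
    return header_edit(value, *NAIVE)


def guarded_edit(value, secure=True):
    """Add HttpOnly, and Secure when the site is served over TLS, exactly once."""
    rules = GUARDED if secure else GUARDED[:1]
    for pattern, replacement in rules:
        value = header_edit(value, pattern, replacement)
    return value


def cookie_flags(value):
    """Which of the two flags are present after the name=value pair."""
    attrs = {a.strip().split("=", 1)[0].lower() for a in value.split(";")[1:]}
    return {"httponly": "httponly" in attrs, "secure": "secure" in attrs}


if __name__ == "__main__":
    # Constructed Set-Cookie values; the second was already hardened upstream.
    for cookie in ("JSESSIONID=0000abc; Path=/",
                   "JSESSIONID=0000abc; Path=/; HttpOnly"):
        print("naive  :", naive_edit(cookie))
        print("guarded:", guarded_edit(cookie))
```

The secure=False path is for a plain-HTTP test server; in production keep the default so both flags are added.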

Mitigate Clickjacking attack

Clickjacking is a well-known technique in which an attacker loads your page in an invisible frame on a site they control and tricks users into clicking on it, so the clicks land on your application without the user’s knowledge. The X-Frame-Options response header tells the browser not to render the page inside frames from other origins.

Solution: –

  • Ensure the headers module is loaded and add the following directive to httpd.conf. Use set rather than append: with append, a page whose application already sends X-Frame-Options ends up with "SAMEORIGIN, SAMEORIGIN", which browsers treat as invalid and ignore. Use DENY instead of SAMEORIGIN if the site never frames its own pages.
Header always set X-Frame-Options SAMEORIGIN
  • Save the file and restart the server.

Let’s verify by requesting a URL; the response should carry X-Frame-Options as shown below.

clickjacking-attack-ihs

Configure Listen Directive

This applies when the server has more than one Ethernet interface or IP address. Without an address, Listen binds to every interface, including internal or management ones, and the server may fall back to DNS lookups at startup. It is advisable to give the exact IP address and port in the Listen directive; this matters most in shared environments.

Solution: –

  • Put the intended IP address and port in the Listen directive in httpd.conf, for example:
Listen 10.0.0.9:80

Add X-XSS-Protection

You can ask the browser to enable its built-in Cross-Site Scripting (XSS) filter, even where the user has disabled it, by sending the following header. Treat it as a legacy, defence-in-depth measure only: current Chrome and Edge no longer implement the filter and Firefox never did, so a Content-Security-Policy is the real protection.

<IfModule mod_headers.c>
Header set X-XSS-Protection "1; mode=block"
</IfModule>
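A small audit for the response-side changes on this page (the server banner and error-page signature, the cookie flags, X-Frame-Options and X-XSS-Protection) is below, so the result can be checked with one script rather than by eye in a header tool. This is an added example, not code from the page or from IBM; the two responses are constructed to imitate the default and hardened 404 the page describes (the exact Server string on your IHS will differ), and a real check would feed it the bytes returned by an actual request.

```python
import re

# Values a browser honours for X-Frame-Options (ALLOW-FROM is obsolete).
VALID_XFO = {"deny", "sameorigin"}


def parse_response(raw):
    """Split a raw HTTP/1.1 response into (status line, [(name, value)], body)."""
    head, _, body = raw.partition("\r\n\r\n")
    status, *lines = head.split("\r\n")
    headers = []
    for line in lines:
        name, _, value = line.partition(":")
        headers.append((name.strip().lower(), value.strip()))
    return status, headers, body


def audit_response(raw, https=True):
    """Return the hardening findings for one response; an empty list is clean."""
    _status, headers, body = parse_response(raw)

    def values(name):
        return [v for n, v in headers if n == name]

    findings = []
    # Banner: AddServerHeader Off / ServerTokens Prod / ServerSignature Off
    for v in values("server"):
        findings.append("Server header present: %r" % v)
    if re.search(r"<address>.*?</address>", body, re.S):
        findings.append("ServerSignature footer in error body")
    # Cookie flags: Header edit Set-Cookie ... HttpOnly;Secure
    for cookie in values("set-cookie"):
        name = cookie.split("=", 1)[0]
        attrs = {a.strip().split("=", 1)[0].lower() for a in cookie.split(";")[1:]}
        if "httponly" not in attrs:
            findings.append("cookie %s lacks HttpOnly" % name)
        if https and "secure" not in attrs:
            findings.append("cookie %s lacks Secure" % name)
    # Clickjacking: X-Frame-Options must be present, single and a valid token
    xfo = values("x-frame-options")
    if not xfo:
        findings.append("X-Frame-Options missing")
    elif len(xfo) > 1 or xfo[0].lower() not in VALID_XFO:
        findings.append("X-Frame-Options unusable: %r" % xfo)
    # Legacy browser XSS filter
    if not values("x-xss-protection"):
        findings.append("X-XSS-Protection missing")
    return findings


# Constructed responses (not captured from a real IHS): the default 404 the
# page describes, and the same request after the hardening on this page.
DEFAULT_404 = (
    "HTTP/1.1 404 Not Found\r\n"
    "Date: Sun, 01 Mar 2015 00:00:00 GMT\r\n"
    "Server: IBM_HTTP_Server\r\n"
    "Set-Cookie: JSESSIONID=0000abc; Path=/\r\n"
    "Content-Type: text/html\r\n"
    "\r\n"
    "<html><body><h1>Not Found</h1>"
    "<address>IBM_HTTP_Server Server at 10.0.0.9 Port 80</address></body></html>"
)
HARDENED_404 = (
    "HTTP/1.1 404 Not Found\r\n"
    "Date: Sun, 01 Mar 2015 00:00:00 GMT\r\n"
    "Set-Cookie: JSESSIONID=0000abc; Path=/; HttpOnly; Secure\r\n"
    "X-Frame-Options: SAMEORIGIN\r\n"
    "X-XSS-Protection: 1; mode=block\r\n"
    "Content-Type: text/html\r\n"
    "\r\n"
    "<html><body><h1>Not Found</h1></body></html>"
)

if __name__ == "__main__":
    for label, raw in (("default", DEFAULT_404), ("hardened", HARDENED_404)):
        print(label, audit_response(raw) or ["clean"])
```

The X-Frame-Options check deliberately rejects a doubled value such as "SAMEORIGIN, SAMEORIGIN", which is what you get when the header is appended to one the application already sends; that is the case the audit should catch before a browser silently ignores it.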

Disable Trace HTTP Request

With the TRACE method enabled, the web server echoes the request back to the client, which allows Cross-Site Tracing and can expose cookie data to an attacker. It is enabled by default; disable it with the parameter below, then confirm that a TRACE request is answered with 405 Method Not Allowed.

Solution: –

  • Modify httpd.conf and add the following line
TraceEnable off
  • Save the file and restart the IHS instance to take effect.

I hope the tips above help you harden IBM HTTP Server for a production environment.