The Apache web server must restrict inbound connections from nonsecure zones.

From Apache Server 2.4 UNIX Site Security Technical Implementation Guide

Part of SRG-APP-000315-WSR-000004

Associated with: CCI-002314

AS24-U2-000680_rule The Apache web server must restrict inbound connections from nonsecure zones.

Vulnerability discussion

Remote access to the Apache web server is any access that communicates through an external, non-organization-controlled network. Remote access can be used to access hosted applications or to perform management functions. A web server can be accessed remotely and must be capable of restricting access from what the DoD defines as nonsecure zones. Nonsecure zones are defined as any IP, subnet, or region that is defined as a threat to the organization. The nonsecure zones must be defined for public web servers logically located in a DMZ, as well as private web servers with perimeter protection devices. By restricting access from nonsecure zones, through the internal web server access list, the Apache web server can stop or slow denial-of-service (DoS) attacks on the web server.

Check content

Determine the location of the "HTTPD_ROOT" directory and the "httpd.conf" file: # httpd -V | egrep -i 'httpd_root|server_config_file' -D HTTPD_ROOT="/etc/httpd" -D SERVER_CONFIG_FILE="conf/httpd.conf" If "IP Address Restrictions" are not configured or IP ranges configured to "Allow" are not restrictive enough to prevent connections from nonsecure zones, this is a finding.

Fix text

Determine the location of the "HTTPD_ROOT" directory and the "httpd.conf" file: # httpd -V | egrep -i 'httpd_root|server_config_file' -D HTTPD_ROOT="/etc/httpd" -D SERVER_CONFIG_FILE="conf/httpd.conf" Configure the "httpd.conf" file to include restrictions. Example: Require not host phishers.example.com moreidiots.example

Pro Tips

Powered by sagemincer