LinuxQuestions.org
Old 05-13-2012, 07:42 AM   #1
Noway2
Senior Member
 
Registered: Jul 2007
Distribution: Gentoo
Posts: 2,125

Rep: Reputation: 781
Disabling unused Apache Modules


Earlier today, I was reviewing my daily logwatch email and I noticed something unexpected:
Code:
Connection attempts using mod_proxy:
109.73.175.3 -> www.pr0.net:80: 1 Time(s)
This in turn prompted me to look in the Apache logs which showed:
Code:
access_log-20120513:109.73.175.3 - - [12/May/2012:10:38:25 -0400] "CONNECT www.pr0.net:80 HTTP/1.1" 200 125 "-" "-"
access_log-20120513:109.73.175.3 - - [12/May/2012:10:38:25 -0400] "GET http://www.donniepinkston.net/pr0x/azenv.php HTTP/1.1" 404 300 "-" "-"
error_log-20120513:[Sat May 12 10:38:25 2012] [error] [client 109.73.175.3] File does not exist: /var/www/html/pr0x
I hate to admit it, but I am uncertain based upon these logs, especially the first one which had a 200 response code, if they were able to use my Apache as an unintended proxy. This then led me to look at the list of Apache modules installed by default (list below). It looks like several modules are loaded, but not configured in the default configuration. For example, mod_proxy and its relatives are loaded by default, but unless you configure a proxy in httpd.conf, theoretically don't do anything. I spent some time reviewing this list of modules on Apache's website and many of them look like they have a valid function, e.g. logging, authorization, etc, and it left me not being entirely sure which of these should be disabled. Similarly, Google searching retrieves lots of suggestions to disable unused modules, but doesn't provide a clear answer on which are important to a secure and functioning system.

Any suggestions for which modules should stay and which should go?
Code:
LoadModule auth_basic_module modules/mod_auth_basic.so
LoadModule auth_digest_module modules/mod_auth_digest.so
LoadModule authn_file_module modules/mod_authn_file.so
LoadModule authn_alias_module modules/mod_authn_alias.so
LoadModule authn_anon_module modules/mod_authn_anon.so
LoadModule authn_dbm_module modules/mod_authn_dbm.so
LoadModule authn_default_module modules/mod_authn_default.so
LoadModule authz_host_module modules/mod_authz_host.so
LoadModule authz_user_module modules/mod_authz_user.so
LoadModule authz_owner_module modules/mod_authz_owner.so
LoadModule authz_groupfile_module modules/mod_authz_groupfile.so
LoadModule authz_dbm_module modules/mod_authz_dbm.so
LoadModule authz_default_module modules/mod_authz_default.so
#LoadModule ldap_module modules/mod_ldap.so
#LoadModule authnz_ldap_module modules/mod_authnz_ldap.so
LoadModule include_module modules/mod_include.so
LoadModule log_config_module modules/mod_log_config.so
LoadModule logio_module modules/mod_logio.so
LoadModule env_module modules/mod_env.so
LoadModule ext_filter_module modules/mod_ext_filter.so
LoadModule mime_magic_module modules/mod_mime_magic.so
LoadModule expires_module modules/mod_expires.so
LoadModule deflate_module modules/mod_deflate.so
LoadModule headers_module modules/mod_headers.so
LoadModule usertrack_module modules/mod_usertrack.so
LoadModule setenvif_module modules/mod_setenvif.so
LoadModule mime_module modules/mod_mime.so
LoadModule dav_module modules/mod_dav.so
LoadModule status_module modules/mod_status.so
LoadModule autoindex_module modules/mod_autoindex.so
LoadModule info_module modules/mod_info.so
LoadModule dav_fs_module modules/mod_dav_fs.so
LoadModule vhost_alias_module modules/mod_vhost_alias.so
LoadModule negotiation_module modules/mod_negotiation.so
LoadModule dir_module modules/mod_dir.so
LoadModule actions_module modules/mod_actions.so
LoadModule speling_module modules/mod_speling.so
#LoadModule userdir_module modules/mod_userdir.so
LoadModule alias_module modules/mod_alias.so
LoadModule substitute_module modules/mod_substitute.so
LoadModule rewrite_module modules/mod_rewrite.so
#LoadModule proxy_module modules/mod_proxy.so
#LoadModule proxy_balancer_module modules/mod_proxy_balancer.so
#LoadModule proxy_ftp_module modules/mod_proxy_ftp.so
#LoadModule proxy_http_module modules/mod_proxy_http.so
#LoadModule proxy_ajp_module modules/mod_proxy_ajp.so
#LoadModule proxy_connect_module modules/mod_proxy_connect.so
LoadModule cache_module modules/mod_cache.so
LoadModule suexec_module modules/mod_suexec.so
LoadModule disk_cache_module modules/mod_disk_cache.so
#LoadModule cgi_module modules/mod_cgi.so
LoadModule version_module modules/mod_version.so
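
One way to triage access-log entries like the ones quoted in the post above, as an added example that is not part of the thread: it lists every request that uses CONNECT or an absolute-URI target and marks the ones answered with a 2xx status. The function names `proxy_probes` and `sample_access_log` and the sample log lines are constructed for illustration.

```shell
#!/bin/sh
# Added example, not code from the thread. Names and sample data are made up.

# Constructed sample in Apache combined log format.
sample_access_log() {
    cat <<'EOF'
192.0.2.10 - - [12/May/2012:10:38:25 -0400] "CONNECT proxy-check.example:80 HTTP/1.1" 200 125 "-" "-"
192.0.2.10 - - [12/May/2012:10:38:25 -0400] "GET http://judge.example/azenv.php HTTP/1.1" 404 300 "-" "-"
198.51.100.7 - - [12/May/2012:10:40:02 -0400] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.7 - - [12/May/2012:10:40:03 -0400] "GET /search?u=http://a.example/ HTTP/1.1" 200 812 "-" "Mozilla/5.0"
EOF
}

# proxy_probes LOGFILE
# Prints "client method target status bytes verdict" for each request whose
# method is CONNECT or whose target is an absolute URI (scheme://host/...).
# A URL that only appears inside a query string is not flagged.
proxy_probes() {
    awk -F'"' '
    {
        split($1, pre, " ")            # pre[1] = client address
        n = split($2, req, " ")        # req = method, target, protocol
        if (n < 2) next                # malformed or empty request line
        split($3, post, " ")           # post = status, bytes
        absolute = (req[2] ~ /^[A-Za-z][A-Za-z0-9+.-]*:\/\//)
        if (req[1] != "CONNECT" && !absolute) next
        verdict = (post[1] ~ /^2/) ? "review-2xx" : "non-2xx"
        print pre[1], req[1], req[2], post[1], post[2], verdict
    }' "$1"
}

# Demo run on the constructed sample.
log=$(mktemp)
sample_access_log > "$log"
proxy_probes "$log"
rm -f "$log"
```

A `review-2xx` line only shows that the server answered with a success status; it does not by itself show whether the request was relayed, so those entries are the ones to follow up by hand.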
 
Old 05-13-2012, 08:05 AM   #2
lithos
Senior Member
 
Registered: Jan 2010
Location: SI : 45.9531, 15.4894
Distribution: CentOS, OpenNA/Trustix, testing desktop openSuse 12.1 /Cinnamon/KDE4.8
Posts: 1,144

Rep: Reputation: 217
Hi,

maybe a quick explanation of Apache modules will help you out.
Or you can do a search on modules.

Last edited by lithos; 05-13-2012 at 08:07 AM.
 
Old 05-13-2012, 09:26 AM   #3
Noway2
Senior Member
 
Registered: Jul 2007
Distribution: Gentoo
Posts: 2,125

Original Poster
Rep: Reputation: 781
Thank you for the reply. I looked up a few of the modules and I found myself becoming more concerned about deleting a module that is beneficial to the security rather than disabling a service that could be exploited. In essence, I am wondering if say for example I don't use LDAP authentication or database authentication, does it open up a security hole to remove authz_dbm_module and authnz_ldap_module? My suspicion is that it does not.
 
Old 05-13-2012, 10:00 AM   #4
lithos
Senior Member
 
Registered: Jan 2010
Location: SI : 45.9531, 15.4894
Distribution: CentOS, OpenNA/Trustix, testing desktop openSuse 12.1 /Cinnamon/KDE4.8
Posts: 1,144

Rep: Reputation: 217
Removing or disabling will not open a security hole. Quite the opposite in my opinion.
 
Old 05-14-2012, 10:02 PM   #5
sundialsvcs
LQ Guru
 
Registered: Feb 2004
Location: SE Tennessee, USA
Distribution: Gentoo, LFS
Posts: 10,659
Blog Entries: 4

Rep: Reputation: 3939
This is another manifestation of the "kitchen sink problem" that is very frequently found with otherwise sensible and well-intentioned Linux distros: they install everything but the aforesaid sink, just in case somebody out there could possibly need it. (For instance, the default configuration for an early Red Hat system contained a driver for a DECSystem token-ring network card. And if you have never heard of a token-ring network, you didn't miss much.)

You should "strip" the Apache installation to only those modules which you actually use in some web-site that you know (and intend...) is being run on this computer.
 
Old 05-20-2012, 02:35 PM   #6
GoodNewsAnybody
LQ Newbie
 
Registered: May 2012
Posts: 4

Rep: Reputation: Disabled
The list looks good on the first look.

A lot of the used modules must be activated or used later in the config (dav, rewrite, alias, basic_auth, digest_auth, status). You could deactivate them, but since they are unconfigured they are not a security risk.

Some modules are fairly essential (like mod_deflate).

My guess would be that the mime modules and the cache modules might be a security risk, but I would be careful when deactivating them.
 
Old 05-20-2012, 11:29 PM   #7
anomie
Senior Member
 
Registered: Nov 2004
Location: Texas
Distribution: RHEL, Scientific Linux, Debian, Fedora
Posts: 3,935
Blog Entries: 5

Rep: Reputation: Disabled
Quote:
Originally Posted by Noway2
Any suggestions for which modules should stay and which should go?
Following an Apache HTTP server 2.0 / 2.2 install, I have a checklist of modules that I always disable (unless I have a very good reason to keep them around).
  • mod_userdir
  • mod_info
  • mod_status
  • mod_include
  • mod_proxy* (unless acting as a proxy service)
  • mod_dav* (unless acting as a webdav service)

That's not a comprehensive list, but it is a solid starting point to knock out some commonly enabled-by-default (and potentially worrisome) modules.
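
The checklist in the post above, turned into a check over `LoadModule` lines, as an added example that is not part of the thread: it reports which checklist modules are still active and prints a copy of the config with those lines commented out. The names `CHECKLIST`, `sample_conf`, `flagged_modules` and `disable_flagged` are made up here, and the sample is an excerpt of the module list from the first post.

```shell
#!/bin/sh
# Added example, not code from the thread. Function names are hypothetical.

# Checklist from the post: userdir, info, status, include, proxy*, dav*.
CHECKLIST='^mod_(userdir|info|status|include|proxy(_.*)?|dav(_.*)?)$'

# Excerpt of the LoadModule list from the first post, used as sample input.
sample_conf() {
    cat <<'EOF'
LoadModule auth_basic_module modules/mod_auth_basic.so
LoadModule include_module modules/mod_include.so
LoadModule deflate_module modules/mod_deflate.so
LoadModule dav_module modules/mod_dav.so
LoadModule status_module modules/mod_status.so
LoadModule info_module modules/mod_info.so
LoadModule dav_fs_module modules/mod_dav_fs.so
#LoadModule userdir_module modules/mod_userdir.so
#LoadModule proxy_module modules/mod_proxy.so
#LoadModule proxy_connect_module modules/mod_proxy_connect.so
EOF
}

# flagged_modules CONF: print the module file name (without .so) of every
# active LoadModule line that matches the checklist. Commented lines are
# skipped because their first field is not exactly "LoadModule".
flagged_modules() {
    awk -v re="$CHECKLIST" '
    $1 == "LoadModule" && NF >= 3 {
        n = split($3, p, "/"); f = p[n]; sub(/\.so$/, "", f)
        if (f ~ re) print f
    }' "$1"
}

# disable_flagged CONF: print CONF with the flagged lines commented out and
# every other line unchanged. Write the result to a new file, then validate
# the config with "apachectl -t" before restarting.
disable_flagged() {
    awk -v re="$CHECKLIST" '
    $1 == "LoadModule" && NF >= 3 {
        n = split($3, p, "/"); f = p[n]; sub(/\.so$/, "", f)
        if (f ~ re) { print "#" $0; next }
    }
    { print }' "$1"
}

# Demo run on the sample excerpt.
conf=$(mktemp)
sample_conf > "$conf"
flagged_modules "$conf"
rm -f "$conf"
```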
 
Old 05-21-2012, 04:44 AM   #8
Noway2
Senior Member
 
Registered: Jul 2007
Distribution: Gentoo
Posts: 2,125

Original Poster
Rep: Reputation: 781
I would like to thank everyone for the replies. I have been disabling modules and finding that the process is not without risk as Apache will not restart more often than it will after making changes.
So far I have the list pared down to the list below. I think that there are more auth modules than I need, but otherwise most of the extras have been removed.
Code:
LoadModule auth_basic_module modules/mod_auth_basic.so
LoadModule auth_digest_module modules/mod_auth_digest.so
LoadModule authn_file_module modules/mod_authn_file.so
LoadModule authn_alias_module modules/mod_authn_alias.so
LoadModule authn_anon_module modules/mod_authn_anon.so
LoadModule authn_dbm_module modules/mod_authn_dbm.so
LoadModule authn_default_module modules/mod_authn_default.so
LoadModule authz_host_module modules/mod_authz_host.so
LoadModule authz_user_module modules/mod_authz_user.so
LoadModule authz_owner_module modules/mod_authz_owner.so
LoadModule authz_groupfile_module modules/mod_authz_groupfile.so
LoadModule authz_dbm_module modules/mod_authz_dbm.so
LoadModule authz_default_module modules/mod_authz_default.so
LoadModule log_config_module modules/mod_log_config.so
LoadModule logio_module modules/mod_logio.so
LoadModule env_module modules/mod_env.so
LoadModule ext_filter_module modules/mod_ext_filter.so
LoadModule mime_magic_module modules/mod_mime_magic.so
LoadModule expires_module modules/mod_expires.so
LoadModule deflate_module modules/mod_deflate.so
LoadModule headers_module modules/mod_headers.so
LoadModule usertrack_module modules/mod_usertrack.so
LoadModule setenvif_module modules/mod_setenvif.so
Edit: correction, I appear to have done something to completely hose Apache. Now it appears to be running, but won't even find the root index file. ARGH! I may just reconfigure the package and start again.

Last edited by Noway2; 05-21-2012 at 04:46 AM. Reason: more information.
 
Old 05-21-2012, 04:34 PM   #9
anomie
Senior Member
 
Registered: Nov 2004
Location: Texas
Distribution: RHEL, Scientific Linux, Debian, Fedora
Posts: 3,935
Blog Entries: 5

Rep: Reputation: Disabled
Quote:
Originally Posted by Noway2
I have been disabling modules and finding that the process is not without risk as Apache will not restart more often than it will after making changes.
After making configuration changes, always do a sanity check before restarting Apache.

Code:
# apachectl -t
That can help prevent unexpected outages by parsing your config (without messing with the running daemon) and reporting problems.
 
1 members found this post helpful.
Old 05-21-2012, 07:30 PM   #10
Noway2
Senior Member
 
Registered: Jul 2007
Distribution: Gentoo
Posts: 2,125

Original Poster
Rep: Reputation: 781
Thank you for the suggestion!
 
  

