HTTP Server by IBM is often used in combination with IBM WebSphere Application Server. Some of the popular sites using IBM HTTP Server are:

Airtel.in Marriott.com Hsbc.co.uk Mercedes-benz.com.eg Argos.co.uk

IHS is based on Apache HTTP Server, however, tweaked by IBM to support enterprise applications and maintenance support. It holds very less market share in web server world but still widely used with WebSphere Application Server.

Default IHS configuration supply much sensitive information, which can help hackers to prepare for an attack and interrupt business operations. As an administrator, you should be aware of hardening the IHS configuration to secure the web applications. In this article, I will explain how to make IHS production-ready environment to keep safe & secure. Few things: –

You have IHS installed on Linux environment if not, you can refer installation guide here. You are advised to take a backup of a configuration file. You have HTTP Header extensions in a browser or you can use Header Checker online tool. Due to a length of the article, I will talk about SSL configuration in next post.

Hide Server Banner and Product Info from HTTP Header

Probably one of the first tasks to do while setting up production environment is to mask IHS version and Server Banner in a header. This is not critical but considered low risk as information leakage vulnerability and must do for PCI DSS compliant application. Let’s take a look at how non-exist (404) request response in the default configuration.

Oh no, it reveals I am using IBM HTTP Server along with server IP and port number, which is ugly. Let’s hide them.

Solution: –

Add following three directives in httpd.conf file of your IHS.

Save the file and restart the IHS

Let’s verify by accessing a non-exist file. You may also use HTTP Header tool to verify the response.

Much better! Now it doesn’t give product, server and port information.

Disable Etag

Etag header may reveal inode information and can help hacker to execute NFS attacks. By default IHS reveal the etag and here is how you can remediate this vulnerability.

Solution: –

Add the following directive in a root directory.

For ex:

Restart the IHS server to take effect.

Run IHS with non-root Account

Default configuration run a web server with root & nobody user which is not advisable as running through privileged account may impact the whole server in case of a security hole. To limit the risk, you may create a dedicated user to run IHS instances.

Solution: –

Create user and group called ihsadmin

Now, change the IHS folder ownership to ihsadmin so newly created user has full permission on it. Assuming you have installed on default location – /opt/IBM/HTTPServer Let’s change User & Group value in httpd.conf Save the httpd.conf and restart the IHS server. This will help IHS to start as ihsadmin user.

Having cookie secured and httponly will help you in reducing the risk of XSS attacks.

Solution: –

In order to implement this you must ensure mod_headers.so is enabled in httpd.conf. If not, uncomment the below line in httpd.conf And add below Header parameter Save the configuration file and restart the web server.

Mitigate Clickjacking attack

The clickjacking technique is well known where an attacker can trick users to click on a link and execute embedded code without the user’s knowledge.

Solution: –

Ensure mod_headers.so is enabled and add below header parameter in httpd.conf file

Save the file and restart the server.

Let’s verify by accessing the URL, it should have X-Frame-Options as shown below.

Configure Listen Directive

This is applicable if you are having multiple Ethernet interface/IP on the server. It’s advisable to configure absolute IP and Port in Listen directive to avoid DNS requests getting forwarded. This is often seen in shared environment.

Solution: –

Add intended IP and Port in httpd.conf under Listen directive. Ex:-

Add X-XSS-Protection

You may apply Cross for Site Scripting (XSS) protection by implementing the following header if it’s disabled in the browser by the user.

Disable Trace HTTP Request

Having Trace method enabled in web server may allow Cross Site Tracing Attack and possible to steal cookie information. By default, this is enabled and you can disable them with below parameter.

Solution: –

Modify httpd.con file and add below line

Save the file and restart the IHS instance to take effect.

I hope above tips helps you harden the IBM HTTP Server for a production environment.

IBM HTTP Server Security   Hardening Guide - 77IBM HTTP Server Security   Hardening Guide - 21IBM HTTP Server Security   Hardening Guide - 59IBM HTTP Server Security   Hardening Guide - 80IBM HTTP Server Security   Hardening Guide - 44IBM HTTP Server Security   Hardening Guide - 68