Title
Hardening Oracle HTTP Server (OHS)

Date
2006-04-10

Summary
This document describes some basic Apache/OHS hardening that can be done. Only implement what is needed.

Details
1. Disable perl, if not needed, by commenting out the following in httpd.conf:
#LoadModule perl_module libexec/libperl.so

#<IfModule mod_perl.c>
#    Alias /perl/ "/u01/app/oracle/product/10.1.2/ias_1/Apache/Apache/cgi-bin/"
#</IfModule>

#SetEnv PERL5LIB "/u01/app/oracle/product/10.1.2/ias_1/perl/lib/5.6.1:/u01/app/oracle/product/10.1.2/ias_1/perl/lib/site_perl/5.6.1"

2. Add the following to the bottom of httpd.conf to refuse the HTTP TRACE method:
RewriteEngine On
RewriteLog /u01/app/oracle/product/10.1.2/ias_1/Apache/Apache/logs/rewrite.log
RewriteCond %{REQUEST_METHOD} ^TRACE
RewriteRule .* - [F]

3. Change permissions of the htpasswd from 700 to 500 to restrict access to the executable:
chmod 500 $ORACLE_HOME/Apache/Apache/bin/htpasswd

4. Remove core demo and sample files/directories:
rm -f $ORACLE_HOME/Apache/Apache/fcgi-bin/echo*
rm -rf $ORACLE_HOME/Apache/Apache/fastcgi/examples
rm -rf $ORACLE_HOME/j2ee/home/default-web-app/examples
rm -rf $ORACLE_HOME/webcache/examples

5. Change permissions of files within htdocs:
chmod -R a-w $ORACLE_HOME/Apache/Apache/htdocs

6. Change permissions of various directories to limit access:
chmod 500 $ORACLE_HOME/Apache/Apache/cgi-bin
chmod 500 $ORACLE_HOME/Apache/Apache/fastcgi
chmod 500 $ORACLE_HOME/Apache/Apache/fcgi-bin
chmod 550 $ORACLE_HOME/Apache/Apache/htdocs

7. Remove the JDK demo directory:
rm -rf $ORACLE_HOME/jdk/demo

8. Create an index.html file in each default, readable web document directory (a given installation may have more; those listed here are the defaults):
touch $ORACLE_HOME/Apache/Apache/htdocs/index.html
touch $ORACLE_HOME/Apache/Apache/htdocs/dav_public/index.html
touch $ORACLE_HOME/Apache/Apache/htdocs/error_docs/index.html
touch $ORACLE_HOME/Apache/Apache/htdocs/ohs_images/index.html
touch $ORACLE_HOME/Apache/Apache/htdocs/_pages/index.html
touch $ORACLE_HOME/Apache/Apache/htdocs/Tab_files/index.html
touch $ORACLE_HOME/Apache/Apache/htdocs/unix/index.html
touch $ORACLE_HOME/Apache/Apache/htdocs/win/index.html

9. Limit the web client account access to the content and scripts directories to read and execute:
chmod 500 $ORACLE_HOME/Apache/Apache/cgi-bin
chmod 500 $ORACLE_HOME/Apache/Apache/fastcgi
chmod 500 $ORACLE_HOME/Apache/Apache/fcgi-bin
chmod 550 $ORACLE_HOME/Apache/Apache/htdocs

10. Add a robots.txt to limit requests from public search engines:
echo "User-agent: *" > $ORACLE_HOME/Apache/Apache/htdocs/robots.txt
echo "Disallow: /" >> $ORACLE_HOME/Apache/Apache/htdocs/robots.txt
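
Added example, not part of the original document: a POSIX shell audit that checks an ORACLE_HOME tree against steps 3 through 10 above (htpasswd and directory modes, removed sample content, no write bits under htdocs, index.html and robots.txt present) and prints one FAIL line per finding. It builds two small constructed trees under a temporary directory, one as installed and one with the steps applied, so it runs without a real installation; the function names and the sample layout are this example's own.

```shell
#!/bin/sh
# Added example (not from the original document): audits an ORACLE_HOME tree
# against steps 3 through 10. The sample trees built at the bottom are
# constructed for the demo; nothing here touches a real installation.

# perm_string PATH -> the 10-character type+mode field from ls -ld (e.g. dr-x------)
perm_string() { ls -ld "$1" | cut -c1-10; }

# check_mode PATH EXPECTED -> FAIL line when PATH's mode differs from EXPECTED
check_mode() {
    [ -e "$1" ] || { echo "SKIP $1 does not exist"; return 0; }
    m=$(perm_string "$1")
    [ "$m" = "$2" ] || { echo "FAIL $1 is $m, want $2"; return 1; }
}

# check_absent PATH -> FAIL line when a demo/sample path is still present
check_absent() {
    [ -e "$1" ] || return 0
    echo "FAIL $1 still present"; return 1
}

# audit_home ORACLE_HOME -> one FAIL line per finding; returns 1 if anything failed
audit_home() {
    oh="$1"; ap="$oh/Apache/Apache"; rc=0
    check_mode "$ap/bin/htpasswd" "-r-x------" || rc=1          # step 3: 500
    for d in cgi-bin fastcgi fcgi-bin; do                      # steps 6 and 9: 500
        check_mode "$ap/$d" "dr-x------" || rc=1
    done
    check_mode "$ap/htdocs" "dr-xr-x---" || rc=1               # steps 6 and 9: 550
    for p in "$ap/fastcgi/examples" "$oh/j2ee/home/default-web-app/examples" \
             "$oh/webcache/examples" "$oh/jdk/demo"; do        # steps 4 and 7
        check_absent "$p" || rc=1
    done
    for f in "$ap"/fcgi-bin/echo*; do                          # step 4: echo samples
        [ -e "$f" ] && { echo "FAIL $f still present"; rc=1; }
    done
    # step 5: nothing under htdocs may carry a write bit for anyone
    n=$(find "$ap/htdocs" \( -perm -u+w -o -perm -g+w -o -perm -o+w \) -print 2>/dev/null | wc -l | tr -d ' ')
    [ "$n" -eq 0 ] || { echo "FAIL $n writable path(s) under htdocs"; rc=1; }
    for f in index.html robots.txt; do                         # steps 8 and 10
        [ -f "$ap/htdocs/$f" ] || { echo "FAIL $ap/htdocs/$f missing"; rc=1; }
    done
    return $rc
}

# audit_fail_count ORACLE_HOME -> number of FAIL lines
audit_fail_count() { audit_home "$1" | grep -c '^FAIL'; }

# --- constructed sample trees for the demo (not a real ORACLE_HOME) ---
WORK=$(mktemp -d)
trap 'chmod -R u+rwx "$WORK" 2>/dev/null; rm -rf "$WORK"' EXIT
WEAK_OH="$WORK/weak"; HARD_OH="$WORK/hard"

# build_tree ROOT -> minimal as-installed layout with the default sample content
build_tree() {
    ap="$1/Apache/Apache"
    mkdir -p "$ap/bin" "$ap/cgi-bin" "$ap/fastcgi/examples" "$ap/fcgi-bin" "$ap/htdocs" \
             "$1/j2ee/home/default-web-app/examples" "$1/webcache/examples" "$1/jdk/demo"
    : > "$ap/bin/htpasswd"; : > "$ap/fcgi-bin/echo"; : > "$ap/htdocs/welcome.html"
    chmod 700 "$ap/bin/htpasswd"; chmod 644 "$ap/htdocs/welcome.html"
    chmod 755 "$ap/cgi-bin" "$ap/fastcgi" "$ap/fcgi-bin" "$ap/htdocs"
}

# harden_tree ROOT -> applies the commands from steps 3 through 10 to ROOT
harden_tree() {
    oh="$1"; ap="$oh/Apache/Apache"
    chmod 500 "$ap/bin/htpasswd"
    rm -f "$ap"/fcgi-bin/echo*
    rm -rf "$ap/fastcgi/examples" "$oh/j2ee/home/default-web-app/examples" \
           "$oh/webcache/examples" "$oh/jdk/demo"
    touch "$ap/htdocs/index.html"
    printf 'User-agent: *\nDisallow: /\n' > "$ap/htdocs/robots.txt"
    chmod -R a-w "$ap/htdocs"
    chmod 500 "$ap/cgi-bin" "$ap/fastcgi" "$ap/fcgi-bin"
    chmod 550 "$ap/htdocs"
}

build_tree "$WEAK_OH"; build_tree "$HARD_OH"; harden_tree "$HARD_OH"
echo "== as installed =="; audit_home "$WEAK_OH"
echo "== hardened =="; audit_home "$HARD_OH" && echo "PASS"
```

Point audit_home at a real $ORACLE_HOME to check a server; it only reads modes and tests for paths, so it is safe to run on a live system. The mode strings are compared as ls -ld prints them, which keeps the check portable between Linux and other Unix systems that lack stat -c.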

11. Disable shells as viewers for documents of type application/x-csh, etc., by commenting out the following in httpd.conf:
#AddIcon /icons/script.gif .conf .sh .shar .csh .ksh .tcl
(actually, this is not correct, 2008-07-03)

12. Make the following changes to httpd.conf:
OLD: StartServers 5
NEW: StartServers 10

OLD: MaxSpareServers 20
NEW: MaxSpareServers 10

OLD: MinSpareServers 5
NEW: MinSpareServers 10

OLD: MaxClients 150
NEW: MaxClients 256

OLD: Options +ExecCGI
NEW: Options -ExecCGI

13. Add the following values to httpd.conf if they are not set, and ensure that they are equal to or greater than the values listed here:
LimitRequestBody 1
LimitRequestBody 2147483647
(which one is correct? 2008-07-03)
LimitRequestFields 1
LimitRequestFieldSize 8190
LimitRequestLine 8190
Timeout 300

14. The following Options keywords in httpd.conf should be prefixed with a minus sign (i.e. disabled):
ExecCGI
FollowSymLinks
IncludesNOEXEC
MultiViews
Indexes

15. Update the KeepAlive settings in httpd.conf; KeepAliveTimeout must be no higher than 15:
KeepAlive On
KeepAliveTimeout 15

16. Update ServerTokens in httpd.conf to limit the version displayed:
ServerTokens Prod

17. Update the LogFormat in httpd.conf:
OLD: LogFormat "%h %l %u %t \"%r\" %>s %b" common
NEW: LogFormat "%e %h %l %u %m %t \"%r\" %>s %b" common
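
Added example, not part of the original document: a POSIX shell audit of an httpd.conf against steps 2 and 12 through 16 above (TRACE refused via mod_rewrite, the step 13 minimums, the step 14 Options keywords disabled, KeepAliveTimeout at most 15, ServerTokens Prod). It reports one FAIL line per gap. The two configuration files it checks are constructed for the demo, the function names are this example's own, and LimitRequestBody is left out of the check because the document leaves its intended value open.

```shell
#!/bin/sh
# Added example (not from the original document): checks an httpd.conf for the
# settings in steps 2 and 12 through 16. The sample configurations at the
# bottom are constructed for the demo.

# conf_value FILE DIRECTIVE -> value of the last uncommented occurrence
# (Apache directive names are case-insensitive, so the match is too)
conf_value() {
    awk -v d="$2" 'BEGIN { d = tolower(d) }
        /^[ \t]*#/ { next }
        tolower($1) == d { v = $2 }
        END { print v }' "$1"
}

# active_lines FILE -> the file without comment lines
active_lines() { grep -v '^[[:space:]]*#' "$1"; }

# audit_conf FILE -> one FAIL line per finding; returns 1 if anything failed
audit_conf() {
    f="$1"; rc=0
    v=$(conf_value "$f" ServerTokens)                             # step 16
    [ "$v" = "Prod" ] || { echo "FAIL ServerTokens is '$v', want Prod"; rc=1; }
    v=$(conf_value "$f" KeepAliveTimeout)                         # step 15
    if [ -z "$v" ] || [ "$v" -gt 15 ]; then
        echo "FAIL KeepAliveTimeout is '$v', want 15 or less"; rc=1
    fi
    for pair in LimitRequestFields:1 LimitRequestFieldSize:8190 \
                LimitRequestLine:8190 Timeout:300; do             # step 13 minimums
        d=${pair%%:*}; min=${pair##*:}
        v=$(conf_value "$f" "$d")
        if [ -z "$v" ] || [ "$v" -lt "$min" ]; then
            echo "FAIL $d is '$v', want >= $min"; rc=1
        fi
    done
    # steps 12 and 14: these Options keywords must be disabled ('-'), never bare or '+'
    for opt in ExecCGI FollowSymLinks IncludesNOEXEC MultiViews Indexes; do
        if active_lines "$f" | grep -i '^[[:space:]]*Options' \
           | grep -Eiq '(^|[[:space:]]|\+)'"$opt"'([[:space:]]|$)'; then
            echo "FAIL Options enables $opt, want -$opt"; rc=1
        fi
    done
    # step 2: TRACE must be refused through mod_rewrite
    if ! active_lines "$f" | grep -Eiq '^[[:space:]]*RewriteCond[[:space:]]+%.REQUEST_METHOD.[[:space:]]+.TRACE'; then
        echo "FAIL no RewriteCond refusing TRACE"; rc=1
    fi
    return $rc
}

# audit_fail_count FILE -> number of FAIL lines
audit_fail_count() { audit_conf "$1" | grep -c '^FAIL'; }

# --- constructed sample configurations for the demo ---
WORK=$(mktemp -d); trap 'rm -rf "$WORK"' EXIT
WEAK_CONF="$WORK/httpd.weak.conf"; HARD_CONF="$WORK/httpd.hard.conf"
cat > "$WEAK_CONF" <<'EOF'
ServerTokens Full
KeepAlive On
KeepAliveTimeout 60
Timeout 300
LimitRequestLine 4000
<Directory "/u01/app/oracle/product/10.1.2/ias_1/Apache/Apache/htdocs">
    Options Indexes FollowSymLinks MultiViews +ExecCGI
</Directory>
EOF
cat > "$HARD_CONF" <<'EOF'
ServerTokens Prod
KeepAlive On
KeepAliveTimeout 15
Timeout 300
LimitRequestFields 100
LimitRequestFieldSize 8190
LimitRequestLine 8190
<Directory "/u01/app/oracle/product/10.1.2/ias_1/Apache/Apache/htdocs">
    Options -Indexes -FollowSymLinks -IncludesNOEXEC -MultiViews -ExecCGI
</Directory>
RewriteEngine On
RewriteCond %{REQUEST_METHOD} ^TRACE
RewriteRule .* - [F]
EOF

echo "== weak =="; audit_conf "$WEAK_CONF"
echo "== hardened =="; audit_conf "$HARD_CONF" && echo "PASS"
```

Run audit_conf against $ORACLE_HOME/Apache/Apache/conf/httpd.conf to check a server. The Options check flags a keyword when it appears bare or with a plus sign on any uncommented Options line, which is the form step 12 rewrites; included files are not followed, so any Include'd configuration has to be audited separately.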

18. Remove the sample Java source files from $ORACLE_HOME (listed file by file on purpose rather than deleted recursively; these are the defaults included in every installation):
rm -f $ORACLE_HOME/datadirect/Examples/connector/src/connectorsample/ConnectorSample.java
rm -f $ORACLE_HOME/datadirect/Examples/connector/src/connectorsample/ConnectorSampleBean.java
rm -f $ORACLE_HOME/datadirect/Examples/connector/src/connectorsample/ConnectorSampleHome.java
rm -f $ORACLE_HOME/datadirect/Examples/JNDI_FILESYSTEM_Example.java
rm -f $ORACLE_HOME/datadirect/Examples/JNDI_LDAP_Example.java
rm -f $ORACLE_HOME/j2ee/home/default-web-app/WEB-INF/classes/cal/Entries.java
rm -f $ORACLE_HOME/j2ee/home/default-web-app/WEB-INF/classes/cal/Entry.java
rm -f $ORACLE_HOME/j2ee/home/default-web-app/WEB-INF/classes/cal/JspCalendar.java
rm -f $ORACLE_HOME/j2ee/home/default-web-app/WEB-INF/classes/cal/TableBean.java
rm -f $ORACLE_HOME/j2ee/home/default-web-app/WEB-INF/classes/checkbox/CheckTest.java
rm -f $ORACLE_HOME/j2ee/home/default-web-app/WEB-INF/classes/colors/ColorGameBean.java
rm -f $ORACLE_HOME/j2ee/home/default-web-app/WEB-INF/classes/dates/JspCalendar.java
rm -f $ORACLE_HOME/j2ee/home/default-web-app/WEB-INF/classes/error/Smart.java
rm -f $ORACLE_HOME/j2ee/home/default-web-app/WEB-INF/classes/num/NumberGuessBean.java
rm -f $ORACLE_HOME/j2ee/home/default-web-app/WEB-INF/classes/sessions/DummyCart.java
rm -f $ORACLE_HOME/j2ee/home/default-web-app/WEB-INF/classes/BBoardServlet.java
rm -f $ORACLE_HOME/j2ee/home/default-web-app/WEB-INF/classes/ConfigServlet.java
rm -f $ORACLE_HOME/j2ee/home/default-web-app/WEB-INF/classes/CookieExample.java
rm -f $ORACLE_HOME/j2ee/home/default-web-app/WEB-INF/classes/Counter.java
rm -f $ORACLE_HOME/j2ee/home/default-web-app/WEB-INF/classes/DateServlet.java
rm -f $ORACLE_HOME/j2ee/home/default-web-app/WEB-INF/classes/DemoUtil.java
rm -f $ORACLE_HOME/j2ee/home/default-web-app/WEB-INF/classes/FingerServlet.java
rm -f $ORACLE_HOME/j2ee/home/default-web-app/WEB-INF/classes/HelloWorldExample.java
rm -f $ORACLE_HOME/j2ee/home/default-web-app/WEB-INF/classes/HelloWorldServlet.java
rm -f $ORACLE_HOME/j2ee/home/default-web-app/WEB-INF/classes/LinkCheckerServlet.java
rm -f $ORACLE_HOME/j2ee/home/default-web-app/WEB-INF/classes/ParameterBean.java
rm -f $ORACLE_HOME/j2ee/home/default-web-app/WEB-INF/classes/RedirectServlet.java
rm -f $ORACLE_HOME/j2ee/home/default-web-app/WEB-INF/classes/RequestHeaderExample.java
rm -f $ORACLE_HOME/j2ee/home/default-web-app/WEB-INF/classes/RequestInfoExample.java
rm -f $ORACLE_HOME/j2ee/home/default-web-app/WEB-INF/classes/RequestParamExample.java
rm -f $ORACLE_HOME/j2ee/home/default-web-app/WEB-INF/classes/SessionExample.java
rm -f $ORACLE_HOME/j2ee/home/default-web-app/WEB-INF/classes/SessionServlet.java
rm -f $ORACLE_HOME/j2ee/home/default-web-app/WEB-INF/classes/SimpleServlet.java
rm -f $ORACLE_HOME/j2ee/home/default-web-app/WEB-INF/classes/SnoopServlet.java
rm -f $ORACLE_HOME/j2ee/home/default-web-app/WEB-INF/classes/SurveyServlet.java
rm -f $ORACLE_HOME/j2ee/home/default-web-app/WEB-INF/classes/ToJSPServlet.java
rm -f $ORACLE_HOME/j2ee/home/default-web-app/WEB-INF/classes/UpperCaseFilter.java
rm -f $ORACLE_HOME/j2ee/home/default-web-app/examples/jsp/plugin/applet/Clock2.java
rm -f $ORACLE_HOME/j2ee/home/default-web-app/examples/jsp/taglib/loop/taglib/LoopTag.java
rm -f $ORACLE_HOME/javavm/jahome/ClassProcessor.java
rm -f $ORACLE_HOME/javavm/jahome/ClassProcessorTest.java
rm -f $ORACLE_HOME/javavm/jahome/ClassProperties.java
rm -f $ORACLE_HOME/javavm/jahome/Dumper.java
rm -f $ORACLE_HOME/javavm/jahome/ForEachClass.java
rm -f $ORACLE_HOME/javavm/jahome/Installer.java
rm -f $ORACLE_HOME/javavm/jahome/MacroUse.java
rm -f $ORACLE_HOME/javavm/jahome/MinimizeNcompListAndDumpTC.java
rm -f $ORACLE_HOME/javavm/jahome/PackageDisableNcomp.java
rm -f $ORACLE_HOME/javavm/jahome/PackageValidateAll.java
rm -f $ORACLE_HOME/javavm/jahome/SQL.java
rm -f $ORACLE_HOME/javavm/jahome/TransitiveClosureDumper.java
rm -f $ORACLE_HOME/webcache/examples/EncodeBase64.java
rm -f $ORACLE_HOME/webcache/examples/Invalidate.java
rm -f $ORACLE_HOME/webcache/examples/WCSInvalidate.java
rm -f $ORACLE_HOME/webcache/examples/SyncObject.java
rm -f $ORACLE_HOME/webcache/examples/SSLVerifier.java

Applicable Versions
Oracle Application Server 9i
Oracle Application Server 10g (10.1.2)

Author
Ahmed Aboulnaga