Securing Apache2

Enable the default SSL configuration. These are the first easy steps; we'll go deeper later.

ocm@achtung:/etc/apache2/mods-enabled$ sudo ln -sf ../mods-available/ssl.load ./ssl.load
ocm@achtung:/etc/apache2/mods-enabled$ sudo ln -sf ../mods-available/ssl.conf ./ssl.conf
ocm@achtung:/etc/apache2/mods-enabled$ sudo service apache2 restart
 * Restarting web server apache2   .

HAHA, not enough.. we get the following errors in error.log:

[Thu Feb 23 18:26:57 2012] [error] [client 127.0.0.1] Invalid method in request \x16\x03\x01
[Thu Feb 23 18:28:19 2012] [error] [client 192.168.56.1] Invalid URI in request get index

We enabled listening on the secure port but didn't tell the server to encrypt the traffic (the \x16\x03\x01 in the first log line is the start of a TLS ClientHello landing on a plain-HTTP virtual host). It happens, so:
Enable the SSL site:
root@achtung:/etc/apache2/sites-enabled# ln -sf ../sites-available/default-ssl ./default-ssl

Create a self-signed certificate and key:

root@achtung:/etc/apache2# openssl req -new -x509 -nodes -out achtung.crt -keyout achtung.key
Generating a 1024 bit RSA private key
....++++++
.........................................................................++++++
writing new private key to 'achtung.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:ES
State or Province Name (full name) [Some-State]:
Locality Name (eg, city) []:
Organization Name (eg, company) [Internet Widgits Pty Ltd]:clowncomputing.com
Organizational Unit Name (eg, section) []:
Common Name (eg, YOUR name) []:
Email Address []:
root@achtung:/etc/apache2#

Edit the site config so it points at the new certificate and key files:

root@achtung:/etc/apache2# vi sites-enabled/default-ssl
        SSLEngine on
        # Certificate and private key as written by the openssl command above
        SSLCertificateFile    /etc/apache2/achtung.crt
        SSLCertificateKeyFile /etc/apache2/achtung.key
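As an added example (not part of the original post), a pre-flight check for the two directives above: it confirms that SSLCertificateFile really is an X.509 certificate, that SSLCertificateKeyFile really is a private key, and that the two share a public key, so a swapped or missing file is caught before the restart. It assumes a POSIX shell with openssl (1.1.1 or newer for -addext) on PATH; make_selfsigned is a hypothetical helper that repeats the openssl step non-interactively and also sets the Common Name and a subjectAltName, which the blank-CN certificate above lacks and which browsers check against the hostname.

```shell
# Added example, not code from the original post. Assumes POSIX sh + openssl.

# make_selfsigned HOST PREFIX: hypothetical helper, same idea as the
# "openssl req -new -x509 -nodes" command above, but non-interactive and
# with CN and subjectAltName set to HOST so browsers can match the hostname.
make_selfsigned() {
    host="$1"; prefix="$2"
    openssl req -new -x509 -nodes -newkey rsa:2048 -days 365 \
        -subj "/CN=$host" -addext "subjectAltName=DNS:$host" \
        -keyout "$prefix.key" -out "$prefix.crt" 2>/dev/null
}

# check_ssl_pair VHOSTFILE: returns 0 only if SSLCertificateFile parses as a
# certificate, SSLCertificateKeyFile parses as a private key, and both carry
# the same public key. Catches a swapped or missing file before
# "service apache2 restart" does.
check_ssl_pair() {
    vhost="$1"
    # First occurrence of each directive; commented-out lines are skipped
    # because their first field is "#..." rather than the directive name.
    crt=$(awk '$1 == "SSLCertificateFile"    { print $2; exit }' "$vhost")
    key=$(awk '$1 == "SSLCertificateKeyFile" { print $2; exit }' "$vhost")
    if [ -z "$crt" ] || [ -z "$key" ]; then
        echo "missing SSLCertificateFile/SSLCertificateKeyFile in $vhost"; return 1
    fi
    [ -r "$crt" ] || { echo "certificate not readable: $crt"; return 1; }
    [ -r "$key" ] || { echo "private key not readable: $key"; return 1; }
    openssl x509 -in "$crt" -noout 2>/dev/null \
        || { echo "$crt is not an X.509 certificate"; return 1; }
    openssl pkey -in "$key" -noout 2>/dev/null \
        || { echo "$key is not a private key"; return 1; }
    # Public key embedded in the certificate vs. the one derived from the key.
    cert_pub=$(openssl x509 -in "$crt" -noout -pubkey 2>/dev/null)
    key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null)
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ] \
        || { echo "certificate and key do not match"; return 1; }
    echo "OK: $crt and $key are a matching pair"
}
```

Run it as check_ssl_pair /etc/apache2/sites-enabled/default-ssl after editing the vhost; with the files as originally written above (a .pem that does not exist and the .crt given as the key) it fails at the first readability check.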

Bind the service only to the desired addresses and ports:

Look for httpd.conf or ports.conf, whichever holds your "Listen" directive, and add as many Listen lines as you need:

ocm@achtung:/etc/apache2$ vi ports.conf
NameVirtualHost *:80
#Listen 80
Listen localhost:80
Listen achtung.box:80

<IfModule mod_ssl.c>
    # If you add NameVirtualHost *:443 here, you will also have to change
    # the VirtualHost statement in /etc/apache2/sites-available/default-ssl
    # to <VirtualHost *:443>
    # Server Name Indication for SSL named virtual hosts is currently not
    # supported by MSIE on Windows XP.
    #Listen 443
        Listen localhost:443
        Listen achtung.box:443
</IfModule>

<IfModule mod_gnutls.c>
        #Listen 443
        Listen localhost:443
        Listen achtung.box:443
</IfModule>

Restart and check which sockets Apache is listening on:

ocm@achtung:/etc/apache2$ sudo netstat -tnlp | grep apache
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 192.168.56.101:80       0.0.0.0:*               LISTEN      7763/apache2
tcp        0      0 127.0.0.1:80            0.0.0.0:*               LISTEN      7763/apache2
tcp        0      0 192.168.56.101:443      0.0.0.0:*               LISTEN      7763/apache2
tcp        0      0 127.0.0.1:443           0.0.0.0:*               LISTEN      7763/apache2

More secure than before, but not enough!

Another improvement, certificate creation:
apache cert creation