5.9 Ensure Old HTTP Protocol Versions Are Disallowed - Rewrite module not loaded

Information

The Apache modules 'mod_rewrite' and 'mod_security' can be used to disallow old and invalid HTTP versions. The HTTP version 1.1 RFC is dated June 1999 and has been supported by Apache since version 1.2, so it should no longer be necessary to allow ancient versions of HTTP prior to 1.1. Refer to the Apache documentation on 'mod_rewrite' for more details: [http://httpd.apache.org/docs/2.2/mod/mod_rewrite.html](http://httpd.apache.org/docs/2.2/mod/mod_rewrite.html)

Rationale:

Many malicious automated programs, vulnerability scanners, and fingerprinting tools send requests using old HTTP versions to see how the web server responds. These requests are usually part of the attacker's enumeration process.

Solution

Perform the following to implement the recommended state:
1. Load the 'mod_rewrite' module for Apache by doing either one of the following:

* Build Apache with mod_rewrite statically loaded during the build by adding the --enable-rewrite option to the ./configure script.

./configure --enable-rewrite

* Or, dynamically load the module with the LoadModule directive in the httpd.conf configuration file.

LoadModule rewrite_module modules/mod_rewrite.so

2. Add the 'RewriteEngine' directive to the configuration within the global server context with the value of 'on' so the rewrite engine is enabled.

RewriteEngine On

3. Locate the main Apache configuration file such as 'httpd.conf', and add the following rewrite condition to match HTTP/1.1 and the rewrite rule to the top server level configuration to disallow other protocol versions.

RewriteEngine On
RewriteCond %{THE_REQUEST} !HTTP/1.1$
RewriteRule .* - [F]

4. By default, 'mod_rewrite' configuration settings from the main server context are not inherited by virtual hosts. Therefore, it is also necessary to add the following directives in each section to inherit the main server settings:

RewriteEngine On
RewriteOptions Inherit

See Also

https://workbench.cisecurity.org/files/2378

Item Details

Category: SYSTEM AND INFORMATION INTEGRITY

References: 800-53|SI-4, CSCv6|9.1, CSCv7|9.2

Plugin: Unix

Control ID: 8bf8fc6260052ae290440593d7af5676f39020c55b86cb11bdf09b00291bfae3