5.15 Ensure the IP Addresses for Listening for Requests Are Specified - 'httpd.conf Listen 0.0.0.0:80 does not exists'

Information

The Apache Listen directive specifies the IP addresses and port numbers the Apache web server will listen for requests. Rather than be unrestricted to listen on all IP addresses available to the system, the specific IP address or addresses intended should be explicitly specified. Specifically, a Listen directive with no IP address specified, or with an IP address of zeros should not be used.

Rationale:

Having multiple interfaces on web servers is fairly common, and without explicit Listen directives, the web server is likely to be listening on an inappropriate IP address / interface that was not intended for the web server. Single homed system with a single IP addressed are also required to have an explicit IP address in the Listen directive, in case additional interfaces are added to the system at a later date.

Solution

Perform the following to implement the recommended state:

Find any Listen directives in the Apache configuration file with no IP address specified, or with an IP address of all zeros similar to the examples below. Keep in mind there may be both IPv4 and IPv6 addresses on the system.

Listen 80
Listen 0.0.0.0:80
Listen [::ffff:0.0.0.0]:80

Modify the Listen directives in the Apache configuration file to have explicit IP addresses according to the intended usage. Multiple Listendirectives may be specified for each IP address & Port.

Listen 10.1.2.3:80
Listen 192.168.4.5:80
Listen [2001:db8::a00:20ff:fea7:ccea]:80

Default Value:

Listen 80

See Also

https://workbench.cisecurity.org/files/4548

Item Details

Category: CONFIGURATION MANAGEMENT, SYSTEM AND INFORMATION INTEGRITY

References: 800-53|CM-7, 800-53|CM-7(1), 800-53|SI-7, 800-53|SI-7(1), CSCv7|9.2

Plugin: Unix

Control ID: be925383a0bf91fa1225da4479110217ca8b65d521019823570523913270827a