---
id: f3031876-3b45-42e6-94a7-2c932a3b81df
---

# Apache HTTP Server - SSRF Attempts
---

A server-side request forgery (SSRF) is a type of attack that exploits vulnerabilities in web applications to gain unauthorized access to resources on the server. In the context of Apache HTTP Server, this incident type refers to attempts to exploit SSRF vulnerabilities in the server. Attackers can use SSRF to bypass security controls, access sensitive information, and launch further attacks on the system. This incident type requires immediate attention and remediation to prevent further unauthorized access and data breaches.

### Parameters
```shell
export PATH_TO_ERROR_LOGS="PLACEHOLDER"

export PATH_TO_ACCESS_LOGS="PLACEHOLDER"

export PATH_TO_APACHE_CONFIG="PLACEHOLDER"

export APACHE_PORT="PLACEHOLDER"

export ALLOWED_IP_RANGE="PLACEHOLDER"

export PATH_TO_APACHE_HTTP_SERVER_FILES="PLACEHOLDER"

export PATH_TO_APACHE_HTTP_SERVER_CONFIGURATION_FILE="PLACEHOLDER"
```

## Debug

### Check the list of enabled Apache HTTP Server modules
```shell
apachectl -M
```

### Check Apache HTTP Server error logs for any related errors or warnings
```shell
grep -iE "(error|warning).*SSRF" ${PATH_TO_ERROR_LOGS}
```

### Check if mod_proxy is enabled
```shell
apachectl -M | grep -i "proxy"
```

### Check Apache HTTP Server version
```shell
httpd -v
```

### Check Apache HTTP Server configuration file syntax
```shell
apachectl configtest
```

### Check Apache HTTP Server access logs for suspicious requests
```shell
grep -i "SSRF" ${PATH_TO_ACCESS_LOGS}
```

### Check the Apache HTTP Server proxy-related configuration settings
```shell
grep -iE "(proxy_pass|proxy_set_header)" ${PATH_TO_APACHE_CONFIG}
```

### Check the network connections on the server
```shell
netstat -anp | grep -iE "apache|httpd" | grep -iE "ESTABLISHED|TIME_WAIT"
```

## Repair

### Restrict access to the vulnerable Apache HTTP server by adding a firewall that filters incoming and outgoing traffic to only allow necessary traffic.
```shell


#!/bin/bash



# Define variables

APACHE_PORT=${APACHE_PORT} # replace with the actual port number used by Apache HTTP server

ALLOWED_IP=${ALLOWED_IP_RANGE} # replace with the IP range that should be allowed to access the server



# Add firewall rules to restrict access to Apache HTTP server

sudo iptables -A INPUT -p tcp --dport $APACHE_PORT -s $ALLOWED_IP -j ACCEPT

sudo iptables -A INPUT -p tcp --dport $APACHE_PORT -j DROP

sudo iptables -A OUTPUT -p tcp --sport $APACHE_PORT -d $ALLOWED_IP -j ACCEPT

sudo iptables -A OUTPUT -p tcp --sport $APACHE_PORT -j DROP


```

### Configure the Apache HTTP server to run as a non-privileged user with restricted access to system resources to limit the impact of any successful SSRF attacks.
```shell


#!/bin/bash



# Stop the Apache HTTP server

sudo systemctl stop apache2



# Create a new user account for the Apache HTTP server

sudo useradd -r -s /sbin/nologin apache



# Set the ownership of the Apache HTTP server files to the new user account

sudo chown -R apache:apache ${PATH_TO_APACHE_HTTP_SERVER_FILES}



# Modify the Apache HTTP server configuration file to run as the new user account

sudo sed -i 's/User www-data/User apache/g' ${PATH_TO_APACHE_HTTP_SERVER_CONFIGURATION_FILE}

sudo sed -i 's/Group www-data/Group apache/g' ${PATH_TO_APACHE_HTTP_SERVER_CONFIGURATION_FILE}



# Restart the Apache HTTP server

sudo systemctl start apache2


```

A server-side request forgery (SSRF) is a type of attack that exploits vulnerabilities in web applications to gain unauthorized access to resources on the server. In the context of Apache HTTP Server, this incident type refers to attempts to exploit SSRF vulnerabilities in the server. Attackers can use SSRF to bypass security controls, access sensitive information, and launch further attacks on the system. This incident type requires immediate attention and remediation to prevent further unauthorized access and data breaches.


A DoS (Denial of Service) attack on a Tomcat server occurs when attackers flood the server with an overwhelming amount of traffic, causing the server to become unresponsive and unable to handle legitimate requests. This attack results in service disruptions, making the server unavailable to users. The goal of the DoS attack is to make the targeted service unavailable to its users, causing inconvenience or financial losses to the organization that operates the server.


DoS Attack on Tomcat Server

This incident type refers to frequent mismatches between the virtual hosts configured on an Apache server. This can cause issues with routing traffic to the intended web application or website, resulting in downtime or other problems. It is important to address these mismatches promptly to ensure the proper functioning of the server and any associated applications.


Virtual Host Mismatches on Apache Server.

This incident type refers to an unauthorized access to directories in Apache HTTPD, which is a widely used web server software. It means that someone was able to access files or directories that they were not supposed to, without having proper authorization. This type of incident can potentially lead to sensitive data being exposed or even stolen, and can compromise the security of the server and the applications running on it.


Unauthorized Directory Access in Apache HTTPD.

The Slowloris Attack is a type of Denial of Service (DoS) attack that exploits a vulnerability in the Apache web server. It works by sending HTTP requests to the server and keeping those connections open for as long as possible, thereby using up all the available resources of the server and rendering it unresponsive to legitimate requests. As a result, the server becomes slow or unresponsive, causing downtime for the affected website or service. This type of attack can be detected and mitigated by implementing specific security measures and tools.


Slowloris Attack Detected on Apache server.

This incident type refers to the detection of SQL injection attempts in Apache web server logs. SQL injection is a type of cyber attack that exploits vulnerabilities in web applications allowing attackers to execute malicious SQL statements. In this incident, attackers are attempting to inject SQL code into the URI (Uniform Resource Identifier) of an Apache web server, potentially compromising the server's security and exposing sensitive information.


Apache SQL Injection Attempts in URI Incident

```shell
export PATH_TO_ERROR_LOGS="PLACEHOLDER"

export PATH_TO_ACCESS_LOGS="PLACEHOLDER"

export PATH_TO_APACHE_CONFIG="PLACEHOLDER"

export APACHE_PORT="PLACEHOLDER"

export ALLOWED_IP_RANGE="PLACEHOLDER"

export PATH_TO_APACHE_HTTP_SERVER_FILES="PLACEHOLDER"

export PATH_TO_APACHE_HTTP_SERVER_CONFIGURATION_FILE="PLACEHOLDER"
```


### Check the list of enabled Apache HTTP Server modules

```shell
apachectl -M
```

### Check Apache HTTP Server error logs for any related errors or warnings

```shell
grep -iE "(error|warning).*SSRF" ${PATH_TO_ERROR_LOGS}
```

### Check if mod\_proxy is enabled

```shell
apachectl -M | grep -i "proxy"
```

### Check Apache HTTP Server version

```shell
httpd -v
```

### Check Apache HTTP Server configuration file syntax

```shell
apachectl configtest
```

### Check Apache HTTP Server access logs for suspicious requests

```shell
grep -i "SSRF" ${PATH_TO_ACCESS_LOGS}
```

### Check the Apache HTTP Server proxy-related configuration settings

```shell
grep -iE "(proxy_pass|proxy_set_header)" ${PATH_TO_APACHE_CONFIG}
```

### Check the network connections on the server

```shell
netstat -anp | grep -iE "apache|httpd" | grep -iE "ESTABLISHED|TIME_WAIT"
```


### Restrict access to the vulnerable Apache HTTP server by adding a firewall that filters incoming and outgoing traffic to only allow necessary traffic.

```shell


#!/bin/bash



# Define variables

APACHE_PORT=${APACHE_PORT} # replace with the actual port number used by Apache HTTP server

ALLOWED_IP=${ALLOWED_IP_RANGE} # replace with the IP range that should be allowed to access the server



# Add firewall rules to restrict access to Apache HTTP server

sudo iptables -A INPUT -p tcp --dport $APACHE_PORT -s $ALLOWED_IP -j ACCEPT

sudo iptables -A INPUT -p tcp --dport $APACHE_PORT -j DROP

sudo iptables -A OUTPUT -p tcp --sport $APACHE_PORT -d $ALLOWED_IP -j ACCEPT

sudo iptables -A OUTPUT -p tcp --sport $APACHE_PORT -j DROP


```

### Configure the Apache HTTP server to run as a non-privileged user with restricted access to system resources to limit the impact of any successful SSRF attacks.

```shell


#!/bin/bash



# Stop the Apache HTTP server

sudo systemctl stop apache2



# Create a new user account for the Apache HTTP server

sudo useradd -r -s /sbin/nologin apache



# Set the ownership of the Apache HTTP server files to the new user account

sudo chown -R apache:apache ${PATH_TO_APACHE_HTTP_SERVER_FILES}



# Modify the Apache HTTP server configuration file to run as the new user account

sudo sed -i 's/User www-data/User apache/g' ${PATH_TO_APACHE_HTTP_SERVER_CONFIGURATION_FILE}

sudo sed -i 's/Group www-data/Group apache/g' ${PATH_TO_APACHE_HTTP_SERVER_CONFIGURATION_FILE}



# Restart the Apache HTTP server

sudo systemctl start apache2


```


Apache HTTP Server - SSRF Attempts

Overview

Parameters

Debug

Check the list of enabled Apache HTTP Server modules

Check if mod_proxy is enabled

Check Apache HTTP Server version

Check Apache HTTP Server configuration file syntax

Check Apache HTTP Server access logs for suspicious requests

Check the network connections on the server

Repair

Restrict access to the vulnerable Apache HTTP server by adding a firewall that filters incoming and outgoing traffic to only allow necessary traffic.

Configure the Apache HTTP server to run as a non-privileged user with restricted access to system resources to limit the impact of any successful SSRF attacks.

Learn more

Related Runbooks

DoS Attack on Tomcat Server

Virtual Host Mismatches on Apache Server.

Unauthorized Directory Access in Apache HTTPD.

Slowloris Attack Detected on Apache server.

Support