12 Important things to do for securing APACHE Web Server
Last updated on March 12th, 2018 at 08:27 pm
Hello Linux-fanatics, previously we discussed how to install & configure the Apache web server & then secure it with an SSL certificate. Apache hosts millions of websites (I am not exaggerating), which also makes it one of the most attacked pieces of software on the internet: automated scanners probe every reachable web server for known weaknesses, all day, every day. So as sysadmins we must know how to secure our Apache servers, because the data behind them is what those attacks are after.
Listed below are some points we can use to secure our web servers:
Disable unnecessary modules
Every module Apache loads is code reachable from the network, so an unneeded module is attack surface for no benefit. By default Apache (and most distribution packages) enables far more modules than a typical site uses, so we should disable the ones we don't need to make the server less susceptible to threats.
Modules that are usually not needed on a production site include mod_imagemap (called mod_imap in older releases), mod_include, mod_info, mod_status, mod_userdir & mod_autoindex; mod_info & mod_status deserve special mention, because they publish the server configuration & live request details to anyone who can reach them. If you are not sure which modules you need, refer to the Apache Module Documentation. When building from source, leave them out at configure time. On a working server, list the 'LoadModule' lines in 'httpd.conf' (on CentOS 7 the packaged modules are loaded from the files under '/etc/httpd/conf.modules.d/') & just put a '#' in front of each unnecessary module to comment it out. Check what is actually loaded with 'apachectl -M' before you start, keep in mind that some modules depend on others (Apache 2.4 will not even start without mod_authz_core), run 'apachectl configtest', & then restart the Apache service to apply the changes.
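The procedure above, as an added example that is not part of the original article: a small script that lists the modules a configuration loads, comments out the 'LoadModule' lines for the ones you name, and lists what is left. The sample httpd.conf fragment and the choice of modules to drop are constructed for the demo; on a real CentOS 7 host the per-module files under '/etc/httpd/conf.modules.d/' would be passed instead.

```sh
#!/bin/sh
# Added example, not from the original article: disable Apache modules by commenting
# out their LoadModule lines, then list what is still loaded. The config below is a
# constructed fragment; the module names chosen are assumptions for the demo.
set -eu

# On a live server, first see what is really loaded (and from which file):
#   apachectl -M
#   grep -rn '^LoadModule' /etc/httpd/conf/httpd.conf /etc/httpd/conf.modules.d/

# loaded_modules FILE... -- print the module names that FILE(s) load, sorted.
loaded_modules() {
    grep -h '^[[:space:]]*LoadModule[[:space:]]' "$@" | awk '{ print $2 }' | sort
}

# disable_modules CONF MODULE... -- put '#' in front of the LoadModule line of each
# MODULE in CONF. Keeps a CONF.bak copy and edits through a temp file instead of
# 'sed -i', which behaves differently on GNU and BSD sed.
disable_modules() {
    conf=$1; shift
    cp "$conf" "$conf.bak"
    tmp=$(mktemp)
    cp "$conf" "$tmp"
    for mod in "$@"; do
        sed "s/^\([[:space:]]*\)\(LoadModule[[:space:]]\{1,\}${mod}[[:space:]]\)/\1#\2/" "$tmp" > "$tmp.new"
        mv "$tmp.new" "$tmp"
    done
    mv "$tmp" "$conf"
}

work=$(mktemp -d)
cat > "$work/httpd.conf" <<'EOF'
# constructed sample modelled on a stock CentOS httpd.conf
LoadModule authz_core_module modules/mod_authz_core.so
LoadModule autoindex_module modules/mod_autoindex.so
LoadModule dir_module modules/mod_dir.so
LoadModule include_module modules/mod_include.so
LoadModule info_module modules/mod_info.so
LoadModule log_config_module modules/mod_log_config.so
LoadModule userdir_module modules/mod_userdir.so
EOF

echo "loaded before:"; loaded_modules "$work/httpd.conf"
# authz_core_module and dir_module stay: 2.4 needs the former, index files need the latter.
disable_modules "$work/httpd.conf" autoindex_module include_module info_module userdir_module
echo "loaded after:";  loaded_modules "$work/httpd.conf"

# On the real server, syntax-check before restarting so a typo cannot take the site down:
#   apachectl configtest && systemctl restart httpd
```

Disabling mod_autoindex also removes directory listings altogether, which is a stronger fix than 'Options -Indexes' if no site needs them.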
Disable directory listing
In the absence of an index file, Apache (through mod_autoindex) lists every file & sub-directory of the requested directory. That is a genuine information leak: it exposes backup copies, configuration files, upload directories & anything else that happens to sit under the web root, places we don't want anyone to enter. So we must disable directory listing. It is done by removing 'Indexes' from the 'Options' line of the relevant '<Directory>' block in '/etc/httpd/conf/httpd.conf' (or, if the options are inherited from a parent block, by adding 'Options -Indexes' there) & restarting Apache. One syntax caveat: on a single 'Options' line either every option carries a '+'/'-' prefix or none of them does; mixing the two forms is rejected at startup.
Hide apache identity i.e. version & OS identity
By default Apache reveals its version, the operating system & the versions of loaded modules such as OpenSSL & PHP, both in the 'Server' response header & in the footer of server-generated pages such as error pages. This makes an attacker's task easier: with the exact version in hand they can look up the known vulnerabilities for it & plan accordingly. To stop it, set the 'ServerSignature' & 'ServerTokens' parameters in 'httpd.conf' to 'ServerSignature Off' & 'ServerTokens Prod' ('Prod' leaves only the word "Apache"). Two caveats: this hides the version but does not fix anything, so it is no substitute for patching (a determined attacker can still fingerprint the server), & PHP adds its own 'X-Powered-By' header, which is only removed by setting 'expose_php = Off' in php.ini.
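As an added example (not code from the original article), the two settings applied to a configuration file and a check of what a response still gives away. The config fragment and the two HTTP responses are constructed for the demo; on a live server the headers would come from 'curl -sI http://test1.com/'.

```sh
#!/bin/sh
# Added example, not from the original article: set ServerTokens and ServerSignature
# in httpd.conf, then check a response for what it still reveals. The config fragment
# and the two HTTP responses below are constructed for the demo.
set -eu

# set_directive CONF NAME VALUE -- rewrite every top-level NAME line (even a commented
# one, so a stock "#ServerTokens ..." hint becomes the real setting), or append one
# if NAME is absent. Edits through a temp file so it works with GNU and BSD sed.
set_directive() {
    conf=$1; name=$2; value=$3
    tmp=$(mktemp)
    if grep -q "^[[:space:]]*#\{0,1\}[[:space:]]*${name}[[:space:]]" "$conf"; then
        sed "s|^[[:space:]]*#\{0,1\}[[:space:]]*${name}[[:space:]].*|${name} ${value}|" "$conf" > "$tmp"
    else
        cp "$conf" "$tmp"
        printf '%s %s\n' "$name" "$value" >> "$tmp"
    fi
    mv "$tmp" "$conf"
}

# server_header_leaks -- read HTTP response headers on stdin (e.g. from 'curl -sI URL')
# and succeed if the Server header still carries a version number or an OS/module
# detail in parentheses, or if PHP's X-Powered-By header is present at all
# (that one is switched off with expose_php = Off in php.ini, not in Apache).
server_header_leaks() {
    grep -Ei '^(Server|X-Powered-By):' | grep -Eiq '[0-9]+\.[0-9]|\(|X-Powered-By'
}

work=$(mktemp -d)
cat > "$work/httpd.conf" <<'EOF'
# constructed fragment of a stock httpd.conf
ServerTokens OS
ServerSignature On
EOF
set_directive "$work/httpd.conf" ServerTokens Prod
set_directive "$work/httpd.conf" ServerSignature Off
cat "$work/httpd.conf"

# Constructed responses: a default CentOS 7 install versus the hardened one.
before='HTTP/1.1 200 OK
Server: Apache/2.4.6 (CentOS) OpenSSL/1.0.2k-fips PHP/5.4.16
X-Powered-By: PHP/5.4.16
Content-Type: text/html'
after='HTTP/1.1 200 OK
Server: Apache
Content-Type: text/html'

# leak_status RESPONSE -- print "leaks" or "clean" for a captured response
leak_status() {
    if printf '%s\n' "$1" | server_header_leaks; then echo leaks; else echo clean; fi
}
echo "default install: $(leak_status "$before")"   # leaks
echo "after hardening: $(leak_status "$after")"    # clean
```

Run the check again after every PHP or OpenSSL upgrade: packages sometimes ship a conf.d fragment that re-enables 'ServerTokens OS'.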
Enable mod_security & mod_evasive
Both of these modules help when it comes to securing our Apache servers, but they do different jobs. mod_security is a web application firewall: it inspects every request (& optionally every response) in real time & blocks those that match its rules, which protects web applications against injection, scanning & brute force attempts. Note that on its own it blocks nothing; it needs a rule set such as the OWASP Core Rule Set (packaged on CentOS as 'mod_security_crs'), & a new rule set should first run in detection-only mode for a while so that its false positives can be tuned out before it is allowed to block.
mod_evasive rate-limits HTTP clients to blunt brute force & DoS attacks: it keeps an in-memory table of recent requests per client IP &, once an IP asks for the same page, or for the site as a whole, more often than the configured thresholds allow within the configured interval, it answers that IP with 403 for a blocking period (& can run a command or send an email). It reduces the damage an abusive client can do, but it cannot help against a distributed attack that saturates the link, & because it counts per source IP it must see the real client address: behind a load balancer or reverse proxy use mod_remoteip, or every user sharing the proxy's address gets blocked together.
We can install mod_security using yum ('yum install mod_security mod_security_crs' on CentOS), & mod_evasive can be installed from source (the EPEL repository also carries a package for it).
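As an added example (not code from the original article or from the mod_evasive project), a mod_evasive configuration fragment plus an offline replay of an access log through the same per-client counting mod_evasive performs, so that thresholds can be tuned against real traffic before blocking is switched on. The log lines, paths and threshold values are constructed for the demo; the defaults used by 'flag_dos_clients' are mod_evasive's documented ones.

```sh
#!/bin/sh
# Added example, not from the original article or the mod_evasive project: a config
# fragment, plus an offline replay of an access log through the same counting that
# mod_evasive does per client, to see which IPs it would 403 before enabling it.
# Log lines, paths and thresholds are constructed for the demo.
set -eu

# write_evasive_conf FILE -- write a conf.d fragment. mod_evasive24.c is the module
# name of the Apache 2.4 build (mod_evasive20.c for 2.2). Apache does not allow
# comments on directive lines, so each comment sits on its own line.
write_evasive_conf() {
    cat > "$1" <<'EOF'
<IfModule mod_evasive24.c>
    DOSHashTableSize    3097
    # same page more than DOSPageCount times within DOSPageInterval seconds -> 403
    DOSPageCount        5
    DOSPageInterval     1
    # more than DOSSiteCount requests to the site within DOSSiteInterval seconds -> 403
    DOSSiteCount        100
    DOSSiteInterval     1
    # seconds the client stays blocked after tripping a threshold
    DOSBlockingPeriod   60
    DOSLogDir           /var/log/mod_evasive
    DOSWhitelist        127.0.0.1
</IfModule>
EOF
}

# flag_dos_clients [PageCount PageInterval SiteCount SiteInterval] -- read a combined
# (or common) format access log on stdin and print the client IPs mod_evasive would
# have blocked. Mirrors its logic: per (IP,URI) and per IP, a hit counter that resets
# when the gap since the previous hit reaches the interval; a hit inside the interval
# with the counter already at the threshold is the one that gets the 403.
flag_dos_clients() {
    awk -v PC="${1:-2}" -v PI="${2:-1}" -v SC="${3:-50}" -v SI="${4:-1}" '
    function tsec(t,    mon) {
        # "[10/Mar/2018:10:15:22" -> seconds; month/year only approximate, which is
        # enough for comparing neighbouring requests
        mon = (index("JanFebMarAprMayJunJulAugSepOctNovDec", substr(t, 5, 3)) - 1) / 3
        return ((substr(t, 9, 4) * 372 + mon * 31 + substr(t, 2, 2)) * 86400) + substr(t, 14, 2) * 3600 + substr(t, 17, 2) * 60 + substr(t, 20, 2)
    }
    {
        ip = $1; t = tsec($4); key = ip SUBSEP $7
        if (key in pts) {
            if (t - pts[key] < PI && pcnt[key] >= PC) { bad[ip] = 1 }
            else if (t - pts[key] >= PI) { pcnt[key] = 0 }
        }
        pts[key] = t; pcnt[key]++
        if (ip in sts) {
            if (t - sts[ip] < SI && scnt[ip] >= SC) { bad[ip] = 1 }
            else if (t - sts[ip] >= SI) { scnt[ip] = 0 }
        }
        sts[ip] = t; scnt[ip]++
    }
    END { for (ip in bad) print ip }' | sort
}

work=$(mktemp -d)
write_evasive_conf "$work/mod_evasive.conf"

# Constructed log: a scripted login brute force from 203.0.113.5 and a human browsing.
log='203.0.113.5 - - [10/Mar/2018:10:15:22 +0000] "POST /login.php HTTP/1.1" 200 512 "-" "python-requests/2.18.4"
203.0.113.5 - - [10/Mar/2018:10:15:22 +0000] "POST /login.php HTTP/1.1" 200 512 "-" "python-requests/2.18.4"
203.0.113.5 - - [10/Mar/2018:10:15:22 +0000] "POST /login.php HTTP/1.1" 200 512 "-" "python-requests/2.18.4"
198.51.100.7 - - [10/Mar/2018:10:15:22 +0000] "GET /index.html HTTP/1.1" 200 3021 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Mar/2018:10:15:23 +0000] "GET /style.css HTTP/1.1" 200 812 "http://test1.com/" "Mozilla/5.0"
198.51.100.7 - - [10/Mar/2018:10:15:30 +0000] "GET /index.html HTTP/1.1" 200 3021 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Mar/2018:10:15:31 +0000] "GET /index.html HTTP/1.1" 200 3021 "-" "Mozilla/5.0"'

echo "blocked with mod_evasive defaults (2 hits per page per second):"
printf '%s\n' "$log" | flag_dos_clients                # 203.0.113.5
echo "blocked with the fragment's thresholds (5 per page, 100 per site):"
printf '%s\n' "$log" | flag_dos_clients 5 1 100 1      # (nothing)
# Live use: flag_dos_clients 5 1 100 1 < /var/log/httpd/test1.com_access_log
```

Replaying a day of real traffic this way shows whether a threshold would have caught the abuse without also catching legitimate bursts (a page that loads many assets from the same path, for example).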
Limit large requests
By default Apache puts no limit on the size of a request body (Apache 2.4.53 & later default to 1 GiB), so an attacker can keep sending huge POST bodies or uploads to exhaust disk, memory or worker processes & put the site under a DoS (denial of service) attack. So we must limit the request body size for the directories that accept uploads. The directive is 'LimitRequestBody'; its value is in bytes, from 0 (unlimited) to 2147483647 (2 GiB), & it can be set per directory, per location or in an .htaccess file.
For example, putting 'LimitRequestBody 2097152' inside a '<Directory /var/www/test1.com/upload>' block in 'httpd.conf'
restricts users from uploading files larger than 2 MB (2097152 bytes) to '/var/www/test1.com/upload'. Note that this caps each request body, not the total size of the directory; the limits for request headers are separate ('LimitRequestLine', 'LimitRequestFieldSize', 'LimitRequestFields').
Run apache as separate user & group
A source build of Apache runs as the 'daemon' user by default (older releases used 'nobody'), an account that other services on the box may share; it is better practise to run it under its own dedicated, non-login user & group, so that a compromise of the web server doesn't also hand over those other services (distribution packages already do this: 'apache' on CentOS/RHEL, 'www-data' on Debian/Ubuntu). Create the account with 'groupadd' & 'useradd', giving it no login shell & no home directory,
& edit 'httpd.conf' to reflect the new user & group: open the file, search for the 'User' & 'Group' directives & change them, then restart Apache & confirm with 'ps -o user,group,comm -C httpd' that the worker processes run under the new account (the parent process stays root so that it can bind port 80). Make the web root owned by root & only readable by this user; it should be writable by Apache only in directories that genuinely need uploads.
Block unwanted services
Certain features such as CGI execution, server-side includes & following symbolic links are usually not required & widen the attack surface: an attacker who manages to write a file into the web root can otherwise get it executed, or can point a symlink at '/etc/passwd' & read it through the web server. So we must disable them. Open 'httpd.conf' & add the following line to the site's '<Directory>' block
Options -ExecCGI -FollowSymLinks -Includes
Two caveats: with 'FollowSymLinks' off Apache has to check every component of the path for symlinks on each request, which costs some performance, & a web root that is itself a symlink (common with deployment tools) will stop working. Sites that legitimately use symlinks should use 'SymLinksIfOwnerMatch' instead, which only follows links whose owner matches the target's.
Restrict access to root directory
We must also lock down the filesystem root so that Apache serves nothing unless a more specific '<Directory>' block allows it. Open 'httpd.conf' & add a '<Directory />' block that sets 'Options None', 'AllowOverride None' & denies all access; in Apache 2.2 syntax the access rule is 'Order deny,allow' followed by
Deny from all
while in Apache 2.4 it is 'Require all denied' (the 2.2 directives only work there if mod_access_compat is loaded). The DocumentRoot then gets its own '<Directory>' block that grants access.
Don’t allow access to .htaccess
.htaccess files are per-directory configuration files that modify the behaviour of our site: using them we can customize error pages, password protect the site, deny access based on IP, change the index page, redirect to another page etc.
Because an .htaccess file can override the directives of the main Apache configuration, anyone who manages to write a file into the web root can reconfigure the server, & Apache also has to look for these files in every directory on every request. So we should not allow users to override directives this way. We do this in 'httpd.conf' by setting 'AllowOverride None' in the site's '<Directory>' block. The block keeps its usual access rule, 'Require all granted' on Apache 2.4 or, in 2.2 syntax, 'Order allow,deny' followed by the line below, & the stock '<Files ".ht*">' block additionally makes sure the files themselves are never served to clients; keep it.
Allow from all
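The sections on limiting large requests, running as a dedicated user, blocking unwanted services, restricting the root directory and disabling .htaccess all end up as directives in the same few '<Directory>' blocks, so here is one added example (not code from the original article) that covers them together: an Apache 2.4 fragment with all of those settings, plus an audit function that greps a configuration for the weak settings those sections warn about. The site path, the user name and the weak sample configuration are constructed for the demo.

```sh
#!/bin/sh
# Added example, not from the original article: an Apache 2.4 hardening fragment
# (upload limit, dedicated user/group, no CGI/SSI/symlinks, locked filesystem root,
# no .htaccess overrides) and an audit that greps a config for the weak settings.
# Paths, names and the weak sample configuration are constructed for the demo.
set -eu

# hardened_conf -- print the fragment (2.4 syntax: Require instead of Order/Allow/Deny).
hardened_conf() {
    cat <<'EOF'
ServerTokens Prod
ServerSignature Off
User apache
Group apache

# Filesystem root: serve nothing unless a more specific <Directory> allows it.
<Directory />
    Options None
    AllowOverride None
    Require all denied
</Directory>

# The site itself: no listings, CGI, SSI or symlink following; no .htaccess overrides.
<Directory /var/www/test1.com>
    Options -Indexes -ExecCGI -FollowSymLinks -Includes
    AllowOverride None
    Require all granted
</Directory>

# Request bodies (uploads, POSTs) to the upload directory are capped at 2 MB.
<Directory /var/www/test1.com/upload>
    LimitRequestBody 2097152
</Directory>

# Never serve .htaccess/.htpasswd even if one ends up in the web root.
<Files ".ht*">
    Require all denied
</Files>
EOF
}

# hit CONF ERE MSG / miss CONF ERE MSG -- print MSG when a line matches / when none does.
hit()  { grep -Eq "$2" "$1" && printf '%s\n' "- $3"; return 0; }
miss() { grep -Eq "$2" "$1" || printf '%s\n' "- $3"; return 0; }

# audit_conf CONF -- print one line per weak setting found in CONF (nothing if clean).
audit_conf() {
    hit  "$1" 'Options.*[[:space:]]\+?Indexes'                 'directory listing enabled (Options Indexes)'
    hit  "$1" 'Options.*[[:space:]]\+?(ExecCGI|Includes)'      'CGI or SSI execution enabled (ExecCGI/Includes)'
    hit  "$1" 'Options.*[[:space:]]\+?FollowSymLinks'          'FollowSymLinks enabled (prefer SymLinksIfOwnerMatch or none)'
    hit  "$1" '^[[:space:]]*AllowOverride[[:space:]]+All'      '.htaccess overrides allowed (AllowOverride All)'
    hit  "$1" '^[[:space:]]*User[[:space:]]+(nobody|daemon)[[:space:]]*$' 'httpd runs as a shared account (User nobody/daemon)'
    hit  "$1" '^[[:space:]]*(Order|Allow from|Deny from)[[:space:]]' '2.2-style access control (Order/Allow/Deny); use Require on 2.4'
    miss "$1" '^[[:space:]]*ServerTokens[[:space:]]+Prod'      'ServerTokens is not Prod (version/OS leak)'
    miss "$1" '^[[:space:]]*LimitRequestBody[[:space:]]'       'no LimitRequestBody (bodies unlimited before 2.4.53, 1 GiB after)'
}

work=$(mktemp -d)
hardened_conf > "$work/hardened.conf"
cat > "$work/weak.conf" <<'EOF'
# constructed: a 2.2-era configuration as found in many old tutorials
ServerTokens OS
User nobody
Group nobody
<Directory "/var/www/html">
    Options Indexes FollowSymLinks ExecCGI Includes
    AllowOverride All
    Order allow,deny
    Allow from all
</Directory>
EOF

echo "weak.conf findings:";     audit_conf "$work/weak.conf"        # 8 lines
echo "hardened.conf findings:"; audit_conf "$work/hardened.conf"    # none
# On the real server: drop the fragment into /etc/httpd/conf.d/, then
#   apachectl configtest && systemctl restart httpd
```

Run 'audit_conf' over every file Apache includes ('/etc/httpd/conf.d/*.conf' as well as 'httpd.conf'); a permissive setting in a vhost file silently wins over the hardened defaults above it.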
Apache logging (provided by mod_log_config) records every client request made to our web server, so logging must be enabled: the logs are the first thing you will need when investigating an incident. They are only useful if they are still there afterwards, so rotate them & ship copies off the box, where an attacker who gains control of the server cannot edit them.
To enable per-site logging, give each site its own 'ErrorLog' & 'CustomLog' directives in its '<VirtualHost>' entry in 'httpd.conf'. Use the 'combined' format rather than 'common': it additionally records the Referer & User-Agent, which is often what identifies a scanner or a bot.
CustomLog /var/log/httpd/test1.com_access_log combined
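As an added example (not code from the original article), the per-site logging directives inside a VirtualHost, and a small audit that pulls probe requests for dotfiles out of a combined-format access log together with the client IP, status and User-Agent, fields that the 'common' format would not have recorded. The site name and the log lines are constructed for the demo.

```sh
#!/bin/sh
# Added example, not from the original article: per-site logging directives for a
# VirtualHost, and an audit that lists dotfile probes from a combined-format access
# log with the client IP, status and User-Agent. Site name and log lines are
# constructed for the demo.
set -eu

# vhost_logging NAME -- print a VirtualHost entry with its own error and access log.
vhost_logging() {
    cat <<EOF
<VirtualHost *:80>
    ServerName $1
    DocumentRoot /var/www/$1
    LogLevel warn
    ErrorLog /var/log/httpd/$1_error_log
    CustomLog /var/log/httpd/$1_access_log combined
</VirtualHost>
EOF
}

# probes_from_log -- read combined-format lines on stdin; print "IP STATUS PATH UA"
# for every request that targets a dotfile (.htaccess, .git, .env, .svn ...).
# Splitting on the double quote isolates the request line and the User-Agent,
# which can themselves contain spaces.
probes_from_log() {
    awk -F'"' '{
        split($1, a, " "); split($2, r, " "); split($3, s, " ")
        if (r[2] ~ /\/\.(ht|git|env|svn)/) print a[1], s[1], r[2], $6
    }'
}

vhost_logging test1.com

# Constructed log: a Nikto scan from 203.0.113.9 mixed with a normal visitor.
log='203.0.113.9 - - [12/Mar/2018:20:27:01 +0000] "GET /.htaccess HTTP/1.1" 403 213 "-" "Mozilla/5.00 (Nikto/2.1.6) (Evasions:None) (Test:map_codes)"
198.51.100.7 - - [12/Mar/2018:20:27:02 +0000] "GET /index.html HTTP/1.1" 200 3021 "-" "Mozilla/5.0"
203.0.113.9 - - [12/Mar/2018:20:27:02 +0000] "GET /.git/config HTTP/1.1" 404 196 "-" "Mozilla/5.00 (Nikto/2.1.6) (Evasions:None) (Test:map_codes)"'

printf '%s\n' "$log" | probes_from_log
# Live use: probes_from_log < /var/log/httpd/test1.com_access_log
```

A 403 on '/.htaccess' confirms the '<Files ".ht*">' block is doing its job; a 200 there is an incident. Either way the User-Agent column is what tells you it was a scanner rather than a user.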
Update apache on regular basis
The Apache project continuously fixes bugs & security vulnerabilities & publishes new releases to address them, so we must keep our Apache up to date to keep the server secure. You can update Apache using yum ('yum update httpd' on CentOS/RHEL). Note that Red Hat backports security fixes into the packaged version, so 'httpd -v' on CentOS 7 keeps reporting 2.4.6 even when the package is fully patched; 'rpm -q --changelog httpd | grep CVE' shows which CVEs the installed package already covers. Restart the service after updating, since the running processes keep using the old code until then.
Secure apache with SSL certificates
Serving the site over HTTPS is necessary whenever our website handles sensitive information, such as account details (in practice that means every site with a login). The TLS connection set up with the certificate encrypts the data in transit, so an attacker on the network path who captures the traffic cannot read or alter it. It does not protect data at rest on the server, & a self-signed certificate only gives encryption, not identity: browsers warn about it because nobody vouches for it, so a public site should use a certificate from a public CA (Let's Encrypt issues them for free). For testing & internal use you can refer to our tutorial for creating a self-signed SSL certificate.
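Having a certificate is only the first half; the protocol and cipher settings decide how much the encryption is actually worth. As an added example (not code from the original article), a TLS VirtualHost fragment with the settings that matter, and an audit of the 'SSLProtocol', 'SSLCipherSuite' and HSTS lines of an existing configuration. The certificate paths and the weak sample are constructed for the demo, and the cipher string is a deliberately conservative placeholder rather than a recommendation: generate one for your Apache and OpenSSL versions (the Mozilla SSL Configuration Generator is the usual tool).

```sh
#!/bin/sh
# Added example, not from the original article: a TLS VirtualHost fragment and an
# audit of SSLProtocol / SSLCipherSuite / HSTS in an existing configuration.
# Certificate paths, the cipher string and the weak sample are constructed for the demo.
set -eu

# tls_vhost NAME -- print an http->https redirect and the TLS VirtualHost for NAME.
tls_vhost() {
    cat <<EOF
<VirtualHost *:80>
    ServerName $1
    Redirect permanent / https://$1/
</VirtualHost>

<VirtualHost *:443>
    ServerName $1
    DocumentRoot /var/www/$1
    SSLEngine on
    SSLCertificateFile /etc/pki/tls/certs/$1.crt
    SSLCertificateKeyFile /etc/pki/tls/private/$1.key
    # chain file is deprecated from 2.4.8, where the intermediates go into SSLCertificateFile
    SSLCertificateChainFile /etc/pki/tls/certs/$1-chain.crt
    # SSLv3 and TLS 1.0/1.1 off; TLS 1.2 (and 1.3 where the build supports it) stays on
    SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1
    SSLHonorCipherOrder on
    SSLCipherSuite HIGH:!aNULL:!MD5:!RC4:!3DES
    SSLCompression off
    # needs mod_headers; tells browsers to refuse plain HTTP for two years
    Header always set Strict-Transport-Security "max-age=63072000"
</VirtualHost>
EOF
}

# hit CONF ERE MSG / miss CONF ERE MSG -- print MSG when a line matches / when none does.
hit()  { grep -Eq "$2" "$1" && printf '%s\n' "- $3"; return 0; }
miss() { grep -Eq "$2" "$1" || printf '%s\n' "- $3"; return 0; }

# tls_audit CONF -- print one line per weak TLS setting in CONF (nothing if clean).
# The SSLProtocol check applies Apache's own token semantics: "all" enables everything,
# "+X"/bare "X" enables X, "-X" disables it.
tls_audit() {
    awk '/^[[:space:]]*SSLProtocol[[:space:]]/ {
        all = 0; weak = ""
        for (i = 2; i <= NF; i++) if ($i == "all" || $i == "+all") all = 1
        n = split("SSLv3 TLSv1 TLSv1.1", old, " ")
        for (j = 1; j <= n; j++) {
            en = all
            for (i = 2; i <= NF; i++) {
                if ($i == old[j] || $i == "+" old[j]) en = 1
                if ($i == "-" old[j]) en = 0
            }
            if (en) weak = weak " " old[j]
        }
        if (weak != "") print "- SSLProtocol enables" weak
    }' "$1"
    hit  "$1" 'SSLCipherSuite.*(^|[^!A-Za-z0-9])(RC4|3DES|DES|MD5|aNULL|eNULL|EXPORT|LOW)' 'SSLCipherSuite enables weak ciphers'
    miss "$1" 'Strict-Transport-Security' 'no HSTS header (Header always set Strict-Transport-Security ...)'
}

work=$(mktemp -d)
tls_vhost test1.com > "$work/tls.conf"
cat > "$work/weak-ssl.conf" <<'EOF'
# constructed: an ssl.conf copied from a 2.2-era tutorial
SSLEngine on
SSLProtocol all -SSLv2
SSLCipherSuite ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP
EOF

echo "weak-ssl.conf findings:"; tls_audit "$work/weak-ssl.conf"   # 3 lines
echo "tls.conf findings:";      tls_audit "$work/tls.conf"        # none
```

After deploying, confirm from outside with 'openssl s_client -connect test1.com:443 -tls1' (should fail) and '-tls1_2' (should succeed), or with an online scanner; the config file only says what you asked for, the handshake says what you got.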
These were some tips on how you can secure an Apache server. Please mention any queries/suggestions in the comment box below.