Hello Linux-fanatics, previously we discussed how to install & configure the Apache web server & then secure it using an SSL certificate. Apache hosts millions of websites (I am not exaggerating) & is probed and attacked around the clock. So as sysadmins we must know how to harden our Apache servers, since the data behind them is what attackers are after.

Listed below are some points we can use to secure our web servers:

  • Disable unnecessary modules

Every module Apache loads is attack surface: a bug in a module you never use can still be exploited. By default Apache enables a long list of modules, most of which a typical site does not need, so we must disable the unnecessary ones to make the server less exposed.

Modules that are often not needed include mod_imap (called mod_imagemap on Apache 2.2 and later), mod_include, mod_info, mod_userdir, mod_autoindex etc. If you are not sure which modules you need, refer to the Apache Module Documentation. Leave them out at build time if you install from source; on a working server you can list the modules being loaded with the following command

$ grep LoadModule /etc/httpd/conf/httpd.conf

& just put a ‘#’ in front of (comment out) the LoadModule line of each unnecessary module. On CentOS/RHEL 7 and later the LoadModule lines live in ‘/etc/httpd/conf.modules.d/*.conf’ rather than in httpd.conf, so grep there. Check the configuration syntax and restart the Apache service to apply the change.
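The module clean-up as a small script, added here as an example for this post (it is not a tool shipped with Apache or CentOS): it comments out the LoadModule line of each module you name and lists what is still enabled. The module list it works on is constructed for the example; on a live CentOS/RHEL 7 box the LoadModule lines are in /etc/httpd/conf.modules.d/*.conf, and `httpd -M` prints the modules the running binary actually loads.

```shell
#!/bin/sh
# Added example for this post (not Apache tooling): comment out the LoadModule line of
# each module you do not need, then list what is still enabled.

# loaded_modules FILE...: names of the modules still enabled in the given files
loaded_modules() {
    grep -hE '^[[:space:]]*LoadModule[[:space:]]' "$@" | awk '{ print $2 }'
}

# disable_modules FILE MODULE...: prefix the LoadModule line of each named module with '#'
# (module names as they appear in the LoadModule line, e.g. autoindex_module)
disable_modules() {
    file=$1; shift
    for mod in "$@"; do
        # rewrite through a temp file so this works with both GNU and BSD sed
        sed "s|^\([[:space:]]*\)\(LoadModule[[:space:]][[:space:]]*${mod}[[:space:]]\)|\1#\2|" "$file" \
            > "$file.tmp" && mv "$file.tmp" "$file"
    done
}

# Constructed sample of a module list, standing in for httpd.conf / conf.modules.d/00-base.conf
CONF=$(mktemp)
trap 'rm -f "$CONF"' EXIT
cat > "$CONF" <<'EOF'
LoadModule dir_module modules/mod_dir.so
LoadModule autoindex_module modules/mod_autoindex.so
LoadModule include_module modules/mod_include.so
LoadModule info_module modules/mod_info.so
LoadModule userdir_module modules/mod_userdir.so
LoadModule log_config_module modules/mod_log_config.so
EOF

disable_modules "$CONF" autoindex_module include_module info_module userdir_module
echo "still enabled:"; loaded_modules "$CONF"   # dir_module, log_config_module
# On a real server follow this with: apachectl configtest && systemctl restart httpd
```

Always run `apachectl configtest` before the restart: a module that another directive depends on (mod_log_config for CustomLog, for instance) will show up there as a syntax error instead of as a server that refuses to start.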

 

  • Disable directory listing

When a directory has no index file, Apache lists all the files & directories in it, which is a serious security threat because it exposes content we never meant anyone to browse (backups, upload folders, configuration files). So we must disable directory listing, which is done with the following entry in ‘/etc/httpd/conf/httpd.conf’ (the ‘-’ removes only the Indexes option and keeps the others that are set for that directory),

<Directory /var/www/html>
Options -Indexes
</Directory>

 

  • Hide Apache identity, i.e. version & OS

By default, Apache reveals its version & OS in the Server header and in the footer of its error pages, and with PHP installed the PHP version appears too (in the X-Powered-By header, which PHP adds, not Apache). This makes an attacker's task much easier since he knows the exact versions & can pick an attack plan based on their known vulnerabilities. To hide this, set the ‘ServerSignature’ & ‘ServerTokens’ directives in ‘httpd.conf’,

ServerSignature Off
ServerTokens Prod

With these the server still announces itself as ‘Apache’, but without version or OS. To hide the PHP version as well, set ‘expose_php = Off’ in php.ini.

 

  • Enable mod_security & mod_evasive

Both these modules, mod_security & mod_evasive, are very useful for securing Apache servers. mod_security is a web application firewall (WAF): it inspects requests (and optionally responses) against a rule set and can log or block whatever matches, which gives us real-time visibility into traffic and lets us block common attack patterns such as SQL injection, cross-site scripting or brute-force logins. On its own the module does little; it needs a rule set, for example the OWASP ModSecurity Core Rule Set.

mod_evasive handles HTTP brute-force and DoS/DDoS floods coming from single addresses. It keeps a per-IP table of recent requests and, once a client asks for the same page or the site more than a configured number of times within a configured interval, it answers 403 Forbidden for a blocking period (and can log or email the event). It limits the damage one flooding client can do; a distributed flood from many addresses is better stopped upstream of the web server.

We can install mod_security using yum

$ yum install mod_security

& mod_evasive can be built from source (the EPEL repository also packages it for CentOS).
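A mod_evasive configuration with the thresholds explained, added here as an example for this post (it is not from the post or the mod_evasive project), plus a small curl loop to watch the module kick in. The assumptions are: a module built for Apache 2.4 (mod_evasive24.so, source file mod_evasive24.c, so adjust the path if your build installed it elsewhere), the CentOS drop-in directory /etc/httpd/conf.d, the threshold values themselves, and 10.0.0.5 as a monitoring host that must never be blocked.

```shell
#!/bin/sh
# Added example for this post: write a mod_evasive configuration and test it.
# Module path, thresholds and the whitelisted address are assumptions for the example.

# write_evasive_conf [DIR]: write mod_evasive.conf into DIR (default /etc/httpd/conf.d)
# and print the path written
write_evasive_conf() {
    dir=${1:-/etc/httpd/conf.d}
    cat > "$dir/mod_evasive.conf" <<'EOF'
LoadModule evasive20_module modules/mod_evasive24.so

<IfModule mod_evasive24.c>
    # size of the per-child hash table of recent client addresses
    DOSHashTableSize    3097
    # more than 5 requests for the same URI within 1 second from one address: block it
    DOSPageCount        5
    DOSPageInterval     1
    # more than 50 requests for any URI on the site within 1 second from one address: block it
    DOSSiteCount        50
    DOSSiteInterval     1
    # a blocked address gets 403 for this many seconds; every further request extends it
    DOSBlockingPeriod   60
    # one lock file per blocked address is created here; the directory must exist and be
    # writable by the httpd User
    DOSLogDir           /var/log/mod_evasive
    # never block the monitoring host (assumed address)
    DOSWhitelist        10.0.0.5
</IfModule>
EOF
    echo "$dir/mod_evasive.conf"
}

# hammer URL [N]: send N quick requests and report how many were refused with 403
# (run it against your own test server only; with the thresholds above, a burst of 20
# requests for one page should see most of them refused)
hammer() {
    url=$1; n=${2:-20}; refused=0; i=0
    while [ "$i" -lt "$n" ]; do
        code=$(curl -s -o /dev/null -w '%{http_code}' "$url")
        [ "$code" = "403" ] && refused=$((refused+1))
        i=$((i+1))
    done
    echo "$refused of $n requests refused"
}

# Demonstration against a scratch directory. On a real host call write_evasive_conf with no
# argument, create /var/log/mod_evasive owned by the httpd User, run `apachectl configtest`
# and restart httpd, then: hammer http://localhost/ 20
DIR=$(mktemp -d)
trap 'rm -rf "$DIR"' EXIT
write_evasive_conf "$DIR"
```

Note that Apache does not allow comments at the end of a directive line, which is why every comment above sits on its own line. Tune DOSPageCount with care: a page that pulls in a dozen images and scripts will trigger a low per-page threshold for ordinary browsers, so raise it if legitimate users start seeing 403s.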

 

  • Limit large requests

By default (LimitRequestBody 0) Apache accepts request bodies of any size on releases before 2.4.53, which an attacker can use to tie up bandwidth and disk with huge uploads and put your website under a DoS (Denial of Service) attack; since 2.4.53 the default is 1 GiB, still far more than most sites need. So we must limit the body size for the directories that accept uploads. The value is in bytes, from 0 (unlimited) to 2147483647 (2 GB).

An example of doing so is mentioned below

<Directory "/var/www/test1.com/upload">
LimitRequestBody 204800
</Directory>

Here we restrict requests to ‘/var/www/test1.com/upload’ to a body of 204800 bytes, i.e. 200 KB (for a 2 MB limit use 2097152). Note that LimitRequestBody applies to the whole request body, not only to file uploads, so size it to the largest form post the application legitimately sends.

 

  • Run apache as separate user & group

Apache usually runs as ‘nobody’ or ‘daemon’ (the CentOS httpd package already creates an ‘apache’ user, Debian uses ‘www-data’), but it is good practice to run it under its own dedicated system account so that a compromised web server cannot touch files belonging to other daemons that share ‘nobody’,

$ groupadd -r apache
$ useradd -r -d /var/www -g apache -s /sbin/nologin apache

& edit ‘httpd.conf’ so the ‘User’ & ‘Group’ directives use the new account. Open the file, search for ‘User’ & ‘Group’ & change them (the parent process still starts as root to bind port 80; these directives set the account the worker processes drop to)

$ vi /etc/httpd/conf/httpd.conf

User apache
Group apache

 

  • Block unwanted services

Features such as CGI execution, following symbolic links and server-side includes are usually not required, and each one widens what a request can reach (a symlink planted in an upload directory can point anywhere on the filesystem). So we must disable them. Open ‘httpd.conf’ & add the following lines

<Directory /var/www/test1.com>
Options -ExecCGI -FollowSymLinks -Includes
</Directory>

If the site genuinely needs symlinks, use ‘SymLinksIfOwnerMatch’ instead of ‘FollowSymLinks’, which only follows links owned by the same user as their target.

 

  • Restrict access to root directory

We must also lock down the filesystem root so that Apache serves nothing outside the directories we explicitly open up. Open ‘httpd.conf’ & add the following lines

<Directory />
Options None
Order deny,allow
Deny from all
</Directory>

The ‘Order’ & ‘Deny’ lines are Apache 2.2 syntax; on Apache 2.4 replace them with ‘Require all denied’. Each DocumentRoot then needs its own <Directory> block that grants access (‘Allow from all’ on 2.2, ‘Require all granted’ on 2.4).

 

  • Don’t allow access to .htaccess

.htaccess files modify the behaviour of a site per directory; with them we can customize error pages, password-protect a directory, deny access based on IP, change the index page, redirect to another page etc.

.htaccess files override directives from the main configuration, and Apache looks for one in every directory on the path of each request, which costs performance and means that anyone who can drop a file into the web tree (through an upload form, say) can change how the server behaves. So unless a site genuinely needs per-directory overrides, we should not let .htaccess override our directives. We do this with ‘AllowOverride None’; add it to the ‘<Directory />’ block from the previous step (do not re-open the root with ‘Allow from all’), so that it reads

<Directory />
Options None
AllowOverride None
Order deny,allow
Deny from all
</Directory>

The stock ‘httpd.conf’ also carries a ‘<Files ".ht*">’ block that refuses to serve .htaccess and .htpasswd files over HTTP; leave it in place.
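The directives from the sections above (ServerTokens/ServerSignature, Options -Indexes, LimitRequestBody, a dedicated User, the denied filesystem root, AllowOverride None, plus the CustomLog covered later) are easy to set once and lose again after an upgrade or a copied vhost, so here is a config audit added as an example for this post; it is not a tool shipped with Apache. It greps an httpd.conf for each setting and runs over two constructed configurations, one stock-looking and one hardened; its regexes are the assumptions, and it only sees the one file you hand it, not files pulled in by Include.

```shell
#!/bin/sh
# Audit an httpd.conf for the hardening directives covered in this article.
# Added example written for this post, not a tool shipped with Apache or CentOS.
# Usage: count_failures /etc/httpd/conf/httpd.conf
# Each failed check is reported on stderr; the number of failures is printed on stdout.

# fail MSG: record one finding
fail() { echo "FAIL: $1" >&2; }

# root_block FILE: print the body of the <Directory /> block (the filesystem root)
root_block() {
    awk '
        tolower($0) ~ /^[[:space:]]*<directory[[:space:]]+"?\/"?[[:space:]]*>/ { inblk = 1; next }
        inblk && tolower($0) ~ /^[[:space:]]*<\/directory>/                  { inblk = 0 }
        inblk                                                                  { print }
    ' "$1"
}

# count_failures FILE: run every check against FILE and print how many failed
count_failures() {
    conf=$1; n=0

    grep -Eiq '^[[:space:]]*ServerTokens[[:space:]]+Prod' "$conf" \
        || { fail "ServerTokens is not Prod (version and OS are advertised)"; n=$((n+1)); }

    grep -Eiq '^[[:space:]]*ServerSignature[[:space:]]+Off' "$conf" \
        || { fail "ServerSignature is not Off (version shown on error pages)"; n=$((n+1)); }

    # Any Options line that turns on Indexes (or All) without a leading '-' enables listing
    if grep -Eiq '^[[:space:]]*Options[[:space:]]+([^#]*[[:space:]])?\+?(Indexes|All)([[:space:]]|$)' "$conf"; then
        fail "directory listing enabled (Options Indexes/All)"; n=$((n+1))
    fi

    # .htaccess overrides: want an explicit None and no All anywhere
    if ! grep -Eiq '^[[:space:]]*AllowOverride[[:space:]]+None' "$conf" \
        || grep -Eiq '^[[:space:]]*AllowOverride[[:space:]]+All([[:space:]]|$)' "$conf"; then
        fail ".htaccess overrides not disabled (AllowOverride None missing or All present)"; n=$((n+1))
    fi

    grep -Eiq '^[[:space:]]*LimitRequestBody[[:space:]]+[1-9]' "$conf" \
        || { fail "no LimitRequestBody (request bodies unbounded before 2.4.53)"; n=$((n+1)); }

    if grep -Eiq '^[[:space:]]*User[[:space:]]+(root|nobody|daemon)([[:space:]]|$)' "$conf"; then
        fail "workers run as a shared or privileged account (User root/nobody/daemon)"; n=$((n+1))
    fi

    root_block "$conf" | grep -Eiq '^[[:space:]]*(Require[[:space:]]+all[[:space:]]+denied|Deny[[:space:]]+from[[:space:]]+all)' \
        || { fail "<Directory /> does not deny access (Require all denied / Deny from all)"; n=$((n+1)); }

    grep -Eiq '^[[:space:]]*CustomLog[[:space:]]' "$conf" \
        || { fail "no CustomLog directive (no access log)"; n=$((n+1)); }

    echo "$n"
}

# Two constructed configurations for the demonstration: stock-looking and hardened
WEAK=$(mktemp); HARDENED=$(mktemp)
trap 'rm -f "$WEAK" "$HARDENED"' EXIT
cat > "$WEAK" <<'EOF'
ServerTokens Full
ServerSignature On
User nobody
Group nobody
<Directory />
    Options All
    AllowOverride All
</Directory>
<Directory "/var/www/html">
    Options Indexes FollowSymLinks
    AllowOverride All
</Directory>
EOF
cat > "$HARDENED" <<'EOF'
ServerTokens Prod
ServerSignature Off
User apache
Group apache
LimitRequestBody 204800
<Directory />
    Options None
    AllowOverride None
    Require all denied
</Directory>
<Directory "/var/www/html">
    Options -Indexes -ExecCGI -FollowSymLinks -Includes
    AllowOverride None
    Require all granted
</Directory>
CustomLog /var/log/httpd/access_log combined
EOF

echo "weak config: $(count_failures "$WEAK") failed checks"          # 8
echo "hardened config: $(count_failures "$HARDENED") failed checks"  # 0
```

Pointing this at a real server means running it over every file Apache reads (httpd.conf plus conf.d/*.conf and conf.modules.d/*.conf on CentOS), because a vhost file can re-enable Indexes or AllowOverride All for its own DocumentRoot even when the main file is clean.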

 

  • Enable logging

Apache logging records every client request made to our web server, so logging must be enabled: without it there is nothing to investigate after an incident. Logging in Apache is provided by the mod_log_config module.

To log per website, give each site its own ‘ErrorLog’ & ‘CustomLog’ directives when creating its entry in ‘httpd.conf’. The ‘combined’ format adds the Referer and User-Agent to the common log format, both of which help when tracing an attack.

<VirtualHost *:80>
DocumentRoot /var/www/html/test1.com/
ServerName www.test1.com
ServerAlias test1.com
ErrorLog /var/log/httpd/test1.com_error_log
CustomLog /var/log/httpd/test1.com_access_log combined
</VirtualHost>
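What the combined format buys you during an investigation, as an example added for this post (not from the original): three questions answered with awk over an access log. The log lines are constructed for the example and are not from any real server, and /wp-login.php as the brute-forced URL is an assumption.

```shell
#!/bin/sh
# Added example for this post: questions a combined-format access log answers.
# Sample lines are constructed; the login URL /wp-login.php is an assumption.

LOG=$(mktemp)
trap 'rm -f "$LOG"' EXIT
cat > "$LOG" <<'EOF'
203.0.113.7 - - [10/Oct/2017:13:55:36 +0000] "POST /wp-login.php HTTP/1.1" 200 1532 "-" "python-requests/2.18.4"
203.0.113.7 - - [10/Oct/2017:13:55:36 +0000] "POST /wp-login.php HTTP/1.1" 200 1532 "-" "python-requests/2.18.4"
203.0.113.7 - - [10/Oct/2017:13:55:37 +0000] "POST /wp-login.php HTTP/1.1" 200 1532 "-" "python-requests/2.18.4"
203.0.113.7 - - [10/Oct/2017:13:55:37 +0000] "POST /wp-login.php HTTP/1.1" 302 - "-" "python-requests/2.18.4"
198.51.100.12 - - [10/Oct/2017:13:56:01 +0000] "GET / HTTP/1.1" 200 4096 "-" "Mozilla/5.0 (X11; Linux x86_64) Firefox/56.0"
198.51.100.12 - - [10/Oct/2017:13:56:04 +0000] "GET /about.html HTTP/1.1" 200 2048 "http://www.test1.com/" "Mozilla/5.0 (X11; Linux x86_64) Firefox/56.0"
198.51.100.12 - - [10/Oct/2017:13:56:30 +0000] "POST /wp-login.php HTTP/1.1" 302 - "http://www.test1.com/wp-login.php" "Mozilla/5.0 (X11; Linux x86_64) Firefox/56.0"
192.0.2.33 - - [10/Oct/2017:13:57:10 +0000] "GET /phpmyadmin/ HTTP/1.1" 404 209 "-" "Mozilla/5.0 zgrab/0.x"
192.0.2.33 - - [10/Oct/2017:13:57:10 +0000] "GET /.env HTTP/1.1" 404 203 "-" "Mozilla/5.0 zgrab/0.x"
192.0.2.33 - - [10/Oct/2017:13:57:11 +0000] "GET /admin/ HTTP/1.1" 404 205 "-" "Mozilla/5.0 zgrab/0.x"
EOF

# Combined format, split on whitespace: $1 client address, $6 "method, $7 path, $9 status.
# The referer and user agent sit in quotes at the end, so they are read by splitting on '"'.

# requests_by_ip LOG: requests per client address, busiest first
requests_by_ip() {
    awk '{ c[$1]++ } END { for (ip in c) print c[ip], ip }' "$1" | sort -rn
}

# login_bruteforce LOG THRESHOLD: addresses that POSTed to the login page more than THRESHOLD times
login_bruteforce() {
    awk -v t="$2" '$6 == "\"POST" && $7 == "/wp-login.php" { c[$1]++ }
                   END { for (ip in c) if (c[ip] > t + 0) print ip }' "$1"
}

# not_found_by_ip LOG: 404 responses per address; a scanner probing known paths stands out
not_found_by_ip() {
    awk '$9 == "404" { c[$1]++ } END { for (ip in c) print c[ip], ip }' "$1" | sort -rn
}

# agents_of LOG IP: distinct user agents one address has used (the 6th '"'-separated field)
agents_of() {
    awk -F'"' -v ip="$2" 'index($1, ip " ") == 1 { print $6 }' "$1" | sort -u
}

echo "requests per address:";          requests_by_ip "$LOG"
echo "login brute-force (>3 POSTs):";  login_bruteforce "$LOG" 3      # 203.0.113.7
echo "404s per address:";              not_found_by_ip "$LOG"         # 3 192.0.2.33
echo "agents used by 203.0.113.7:";    agents_of "$LOG" 203.0.113.7   # python-requests/2.18.4
```

With the ‘common’ format the last two quoted fields are absent, so the agent question cannot be answered at all and the brute-force one loses the context that the legitimate login came from a page on the site. The same counts are what a tool like fail2ban keys on when it bans an address, and the brute-force case is exactly what mod_evasive's per-page threshold catches in real time.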

 

  • Update apache on regular basis

The Apache project continuously fixes bugs & security vulnerabilities & releases updates for them, so we must keep our Apache (and the modules it loads, PHP included) at the latest version our distribution provides to keep the server secure. You can update Apache using yum

$ yum update httpd

 

  • Secure apache with SSL certificates

Securing the web server with an SSL/TLS certificate is necessary whenever we handle sensitive information on our website, such as account details. TLS encrypts the data in transit, so traffic intercepted on the way is of no use to the attacker; it does not protect data stored on the server itself. You can refer to our tutorial for creating a self-signed SSL certificate (for a public site use a certificate from a trusted CA, otherwise browsers will warn your users).

 

These were some tips on how you can secure an Apache server. Please mention any queries/suggestions in the comment box below.


Linux TechLab is thankful for your continued support.