In this article I am explaining some ways to secure Apache.
1. Stay Updated
Make sure that you are installing the latest updates.
2. Hide Apache version
If you do not turn this off, anyone can check which version of Apache you are running just by connecting to its port with telnet. So always disable this. To do this, add the following to your httpd.conf:
ServerSignature Off
ServerTokens Prod
The ServerSignature directive adds a line containing the Apache HTTP Server version and the ServerName to any server-generated documents, such as error messages sent back to clients. ServerSignature is set to On by default.
The ServerTokens directive is used to determine what Apache will put in the Server HTTP response header. By setting it to Prod it sets the HTTP response header as follows:
Server: Apache
3. Apache user:group
On many servers both Apache and other services (a mail server or MySQL, for example) run under the user nobody. If an attacker compromises one of them, every service running as that user is exposed. So make sure that Apache is running under its own user. Open httpd.conf and make the following changes:
User apache
Group apache
4. Restrict access to outside document root
Do not allow Apache to access files outside the document root. Configure it as follows, assuming the websites are placed in the /public_html directory.
<Directory />
Order Deny,Allow
Deny from all
Options None
AllowOverride None
</Directory>
<Directory /public_html>
Order Allow,Deny
Allow from all
</Directory>
If you need to set different options for another directory, add a new Directory entry for it.
5. Turn off Directory listing
We can set this within a Directory tag. Set it as follows.
Options -Indexes
6. Turn off server side includes
Options -Includes
7. Turn off CGI execution
If you’re not using CGI, turn it off. Set Options to either None or -ExecCGI.
8. Disable symbolic links
Options -FollowSymLinks
9. Turn off multiple options
You can configure many options in just one line.
Options -ExecCGI -FollowSymLinks -Indexes
If you set “Options None” you can turn off all options.
10. Turn off .htaccess support
Add the following to httpd.conf
AllowOverride None
If you require overrides, ensure that the override files cannot be downloaded, and/or change the name to something other than .htaccess. For example, we could change it to .httpdoverride and block all files that start with .ht from being downloaded as follows:
AccessFileName .httpdoverride
<Files ~ "^\.ht">
Order allow,deny
Deny from all
Satisfy All
</Files>
11. Install mod_security and mod_evasive
12. Disable unused modules.
By default many unneeded modules are loaded in Apache. Use
grep LoadModule httpd.conf
to see the modules your Apache is loading (grep -n also shows the line number). Simply comment out (#) the LoadModule lines in httpd.conf for the modules you do not want to use.
13. Block external access
If you have an intranet that contains critical company information, you will want to deny access to anyone outside your private network. To do this, add the following inside a Directory tag in your httpd.conf file:
Order Deny,Allow
Deny from all
Allow from x.x.x.x/x
Replace x.x.x.x/x with your intranet network range.
14. Timeout value
By default it is set to 300 seconds. You can decrease its value as per your need.
Timeout 60
15. Don’t allow anyone to modify httpd.conf
Don’t allow any user to modify your httpd.conf. Set the immutable attribute on the file:
chattr +i httpd.conf
Follow the above steps to secure your Apache web server. If you Google you can find many more steps to harden your server.
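As an added example (not part of the original article), here is a small POSIX shell audit that checks a httpd.conf for the directives from steps 2, 3 and 5 to 10: ServerTokens/ServerSignature, a dedicated apache user and group, Options lines that still enable Indexes, Includes, ExecCGI or FollowSymLinks, and any AllowOverride other than None. It assumes every directive lives in the single file you pass (Include'd files are not followed) and that the user and group are literally named apache.

```shell
#!/bin/sh
# Added example (not from the original article): audit one httpd.conf for the
# hardening directives covered in steps 2, 3 and 5 to 10 above.
# Assumptions: every directive is in the single file given (Include'd files are
# not followed) and the user/group are the literal names "apache"/"apache".

# has_directive FILE DIRECTIVE VALUE: true if an uncommented "DIRECTIVE VALUE" line exists
has_directive() {
    grep -Eiq '^[[:space:]]*'"$2"'[[:space:]]+'"$3"'[[:space:]]*$' "$1"
}

# risky_option FILE OPTION: true if some Options line enables OPTION,
# i.e. a bare "OPTION" or "+OPTION" ("-OPTION" does not count)
risky_option() {
    grep -Eiq '^[[:space:]]*Options.*[[:space:]+]'"$2"'([[:space:]]|$)' "$1"
}

# audit_httpd_conf FILE: prints one "missing:" or "risky:" line per finding
audit_httpd_conf() {
    conf="$1"
    has_directive "$conf" ServerTokens Prod   || echo "missing: ServerTokens Prod"
    has_directive "$conf" ServerSignature Off || echo "missing: ServerSignature Off"
    has_directive "$conf" User apache         || echo "missing: User apache"
    has_directive "$conf" Group apache        || echo "missing: Group apache"
    for opt in Indexes Includes ExecCGI FollowSymLinks; do
        if risky_option "$conf" "$opt"; then
            echo "risky: an Options line enables $opt"
        fi
    done
    # Any AllowOverride value other than None re-enables .htaccess processing
    if grep -Ei '^[[:space:]]*AllowOverride[[:space:]]' "$conf" \
        | grep -Eiqv '^[[:space:]]*AllowOverride[[:space:]]+None[[:space:]]*$'; then
        echo "risky: AllowOverride other than None is present"
    fi
    return 0
}

# count_findings FILE: number of findings, 0 when every check passes
count_findings() {
    audit_httpd_conf "$1" | grep -c . || true
}
```

Run it as `audit_httpd_conf /etc/httpd/conf/httpd.conf` after the edits above; an empty report means every checked directive is in place.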