How to secure/harden your Apache web server – quick guide

In this article I explain some ways to secure Apache.

1. Stay updated

Make sure that you install the latest updates.

2. Hide Apache version

If you do not turn this off, anyone can find out which version of Apache you are running simply by telnet-ing to its port. So always disable this. To do so, add the following to your httpd.conf:

 

The ServerSignature directive adds a line containing the Apache HTTP Server version and the ServerName to any server-generated documents, such as error messages sent back to clients. ServerSignature is On by default.

The ServerTokens directive determines what Apache puts in the Server HTTP response header. Setting it to Prod produces the following header:

 

3. Apache user:group

On many servers Apache and other services (the mail server or MySQL) all run as the user nobody. If an attacker breaks in through one of them, every service running as that user is exposed. So make sure that Apache runs under its own user and group. Open httpd.conf and make the following changes.

 

 

4. Restrict access outside the document root

Do not allow Apache to access files outside the document root. Configure it as follows, assuming the websites are placed in the /public_html directory.

 

If you need different options for another directory, add a new Directory entry for it.

5. Turn off directory listing

This is set inside a Directory tag, as follows.

 

6. Turn off server-side includes

 

7. Turn off CGI execution

If you’re not using CGI, turn it off. Set Options to either None or -ExecCGI.

8. Disable symbolic links

 

9. Turn off multiple options

Several options can be configured in a single line.

Setting “Options None” turns off all options.

10. Turn off .htaccess support

Add the following to httpd.conf:

If you do require overrides, make sure the override files cannot be downloaded, and/or rename them to something other than .htaccess. For example, we could rename them to .httpdoverride and block all files whose names start with .ht from being downloaded, as follows:

AccessFileName .httpdoverride
<Files ~ "^\.ht">
Order allow,deny
Deny from all
Satisfy All
</Files>

11. Install mod_security and mod_evasive

12. Disable unused modules

By default Apache loads many modules you do not need. Use

grep LoadModule httpd.conf

to see which modules your Apache loads (grep -n also shows the line number of each LoadModule line).

Simply comment out (#) the LoadModule lines in httpd.conf for the modules you do not want to use.
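As an added example (not part of the original guide), the shell script below audits an httpd.conf for the settings covered in sections 2, 5 to 10 and 12: it reports ServerTokens, ServerSignature, Options and AllowOverride values that deviate from the recommendations and counts the active LoadModule lines. The script name, the constructed sample configuration it writes and the messages it prints are assumptions made for this demonstration.

```shell
#!/bin/sh
# Added example, not from the original post: audit an httpd.conf against the
# settings in this guide.  Usage: sh audit_httpd.sh /path/to/httpd.conf
# Lower-cased value of a directive (name matched case-insensitively; comment lines never
# match). Using the last occurrence is a simplification: real precedence depends on context.
directive_value() {    # $1 = config file, $2 = directive name
    grep -iE "^[[:space:]]*$2[[:space:]]+" "$1" | tail -n 1 | awk '{print tolower($2)}'
}
# The guide's "grep LoadModule httpd.conf", counting only uncommented lines.
loaded_modules() { grep -cE '^[[:space:]]*LoadModule[[:space:]]' "$1" || true; }

# Print one WARN line per deviation; return the number of findings (0 = clean).
audit_httpd_conf() {   # $1 = config file
    findings=0
    v=$(directive_value "$1" ServerTokens)
    case $v in prod|productonly) ;; *)
        echo "WARN: ServerTokens is '${v:-unset}' (want Prod)"; findings=$((findings + 1)) ;; esac
    v=$(directive_value "$1" ServerSignature)
    if [ "$v" != off ]; then
        echo "WARN: ServerSignature is '${v:-unset}' (want Off)"; findings=$((findings + 1))
    fi
    # Options lines that enable (no leading '-') a feature the guide turns off.
    for opt in All Indexes Includes ExecCGI FollowSymLinks; do
        if grep -iqE "^[[:space:]]*Options[[:space:]]+(.*[[:space:]])?\+?$opt([[:space:]]|$)" "$1"; then
            echo "WARN: Options enables $opt"; findings=$((findings + 1))
        fi
    done
    # Any AllowOverride other than None leaves .htaccess processing switched on.
    if grep -iE '^[[:space:]]*AllowOverride[[:space:]]+' "$1" | grep -viqE '[[:space:]]None[[:space:]]*$'; then
        echo "WARN: AllowOverride is not None (.htaccess still honoured)"; findings=$((findings + 1))
    fi
    echo "INFO: $(loaded_modules "$1") active LoadModule line(s); review each one"
    return "$findings"
}

# Constructed, deliberately weak sample config (not a real server's file).
write_sample_conf() {  # $1 = destination path
    cat > "$1" <<'EOF'
ServerTokens OS
ServerSignature On
LoadModule status_module modules/mod_status.so
<Directory "/public_html">
    Options Indexes -Includes +FollowSymLinks
    AllowOverride All
</Directory>
EOF
}
target=${1:-$(mktemp)}; [ "$#" -gt 0 ] || write_sample_conf "$target"   # no argument: audit the sample
if audit_httpd_conf "$target"; then echo "clean"; else echo "deviations found"; fi
[ "$#" -gt 0 ] || rm -f "$target"
```

Run it against the sample and it flags ServerTokens, ServerSignature, Indexes, FollowSymLinks and AllowOverride while leaving the already-disabled -Includes alone; a config with ServerTokens Prod, ServerSignature Off, Options None and AllowOverride None passes clean.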

13. Block external access

If you have an intranet that contains critical company information, you will want to deny access to anyone outside your private network. To do this, add the following inside a Directory tag in your httpd.conf file:

 

 

Replace x.x.x.x with your intranet network IP.

14. Timeout value

By default it is set to 300 seconds. You can decrease the value as your needs require.

Timeout 60

15. Don’t allow anyone to modify httpd.conf

Don’t allow any user to modify your httpd.conf. Set the immutable attribute on the file:

 

Follow the above steps to secure your Apache web server. A quick Google search will turn up many more steps to harden your server.
