Important tips for securing an Apache server

Security is of utmost importance when it comes to data. Whether the data sits on an FTP server or on a website, breaches are a major concern once it is exposed on the internet. In this tutorial, we discuss some tips that can help make an Apache server more secure & less susceptible to security breaches. All of these tips have been implemented & checked on CentOS 6 & 7, but they should work on other distributions as well, as most of them relate directly to Apache rather than to the operating system.


Update apache on regular basis

To address bugs or instability in the installed Apache version, we should keep the Apache installation updated so that known issues are fixed & the server stays secure. To update Apache using yum, run

$ yum update httpd


Run apache as separate user & group

The default user for Apache is 'nobody' or 'daemon', but it is better to run it under a dedicated user that we create ourselves. (On CentOS the httpd package already creates an 'apache' user & group; if so, this step is already done.) To add a user & group, run

$ groupadd apache
$ useradd -d /var/www/ -g apache -s /sbin/nologin apache

& edit 'httpd.conf' to set the new user & group. Open 'httpd.conf', look for the 'User' & 'Group' directives & update them

$ vi /etc/httpd/conf/httpd.conf

User apache
Group apache


Disable unnecessary modules

One of the most common causes of web breaches is unnecessary modules. A default Apache installation loads lots of modules that are usually not required, so all such modules should be disabled to make the server less susceptible to breaches.

Some modules that are loaded into Apache but usually not required are mod_imap, mod_include, mod_info, mod_userdir, mod_autoindex, etc. Refer to the official Apache documentation to make sure you are not removing a module that is actually required. To remove a module, either install Apache from source & load only the required modules, or, if you already have a working server, run the following command

$ grep LoadModule /etc/httpd/conf/httpd.conf

& put a '#' in front of the LoadModule lines of the unnecessary modules to comment them out. Restart the Apache service to apply the changes.
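
The procedure above, as an added example that is not part of the original article: a small shell helper that comments out the LoadModule lines of the modules you name in an httpd.conf-style file and then lists what is still loaded. The sample configuration is constructed for the demo, and the module names and file path are assumptions; on a real server point it at /etc/httpd/conf/httpd.conf and run 'apachectl configtest' before restarting.

```shell
# Added example (not from the original article): disable Apache modules by
# commenting out their LoadModule lines, then show what remains loaded.

# disable_modules CONF MODULE...  - prefix '#' to "LoadModule <name>_module ..." lines
disable_modules() {
    conf="$1"; shift
    for mod in "$@"; do
        # only uncommented LoadModule lines match; already commented ones are left alone
        sed "s|^[[:space:]]*\(LoadModule[[:space:]][[:space:]]*${mod}_module[[:space:]]\)|#\1|" "$conf" > "$conf.tmp" \
            && mv "$conf.tmp" "$conf"
    done
}

# loaded_modules CONF - print the short names of modules still loaded (uncommented)
loaded_modules() {
    awk '/^[[:space:]]*LoadModule[[:space:]]/ { sub(/_module$/, "", $2); print $2 }' "$1"
}

# Constructed sample httpd.conf fragment (assumption: a typical CentOS module list)
SAMPLE_CONF=$(mktemp)
cat > "$SAMPLE_CONF" <<'EOF'
LoadModule authz_core_module modules/mod_authz_core.so
LoadModule dir_module modules/mod_dir.so
LoadModule autoindex_module modules/mod_autoindex.so
LoadModule info_module modules/mod_info.so
LoadModule userdir_module modules/mod_userdir.so
LoadModule include_module modules/mod_include.so
LoadModule log_config_module modules/mod_log_config.so
EOF

# Disable the modules the article lists as usually unnecessary
disable_modules "$SAMPLE_CONF" autoindex info userdir include
echo "Modules still loaded:"
loaded_modules "$SAMPLE_CONF"
# On a real server: apachectl configtest && systemctl restart httpd
```

Only modules whose LoadModule line is currently uncommented are touched, so the helper is safe to run more than once.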


Block unwanted services

Certain features such as following symbolic links & CGI execution are often not required but are enabled on Apache servers. Disable such features by editing 'httpd.conf' & adding the following lines for the site's directory

<Directory /var/www/example.com>
Options -ExecCGI -FollowSymLinks -Includes
</Directory>


Restrict access to root directory

The filesystem root should always be secured from Apache's point of view, so that nothing outside the directories we explicitly permit can be served. To secure it, open 'httpd.conf' & add the following lines

<Directory />
Options None
Order deny,allow
Deny from all
</Directory>


Disable directory listing

In the absence of an index file, Apache lists all the files & directories, which is again a serious security threat as it exposes the contents of the whole directory. So directory listing should always be disabled; it can be done by making the following entry in '/etc/httpd/conf/httpd.conf'. The two additional directives, 'ServerSignature Off' & 'ServerTokens Prod', stop Apache from revealing its version in error pages & response headers.

<Directory /var/www/html>
Options -Indexes
</Directory>
ServerSignature Off
ServerTokens Prod


Prohibit access to .htaccess

.htaccess files are used to modify the behaviour of our site; they can override the default Apache directives on a per-directory basis. Overriding via .htaccess should be prohibited. We can do this by adding the following lines to our 'httpd.conf' file, keeping the access rule consistent with the root-directory block above (a later <Directory /> block with 'Allow from all' would otherwise undo it)

<Directory />
Options None
AllowOverride None
Order deny,allow
Deny from all
</Directory>


Enable mod_security & mod_evasive

mod_security & mod_evasive are important modules when it comes to securing Apache servers. mod_security works as a web application firewall: it lets us monitor traffic in real time & filter requests, & it also helps protect websites & the web server from brute-force attacks.

mod_evasive helps Apache handle HTTP brute-force & DoS/DDoS attacks. It tracks requests per client IP & temporarily blocks clients that request the same page, or the site as a whole, too many times within a short interval, so a DDoS attack cannot do as much damage.

We can install mod_security using yum

$ yum install mod_security

& mod_evasive can be installed from source.


Limit large requests

By default, Apache puts no restriction on the size of a request body, which can make a website susceptible to DoS (Denial of Service) attacks. So we must limit the request size for our website directories. The value is set in bytes, from 0 (unlimited) to 2147483647 (2 GB).

An example of doing so is shown below

<Directory "/var/www/example.com/upload">
LimitRequestBody 1048576
</Directory>

Here, we restricted uploads to '/var/www/example.com/upload' to files no larger than 1 MB (1048576 bytes).
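
The root-directory, .htaccess, directory-listing & request-size settings from the sections above, combined into one drop-in configuration fragment, as an added example that is not part of the original article. It uses the 'Require' syntax of Apache 2.4 (the version CentOS 7 ships); Apache 2.2 on CentOS 6 needs the 'Order'/'Deny from all' form shown in the article instead. The output path, document root, upload directory & size limit are assumptions, and the helper that counts the directives afterwards is only a sanity check on the generated file.

```shell
# Added example (not from the original article): generate a hardening fragment
# for Apache 2.4 that combines the article's <Directory> settings, then verify
# that every expected directive landed in the file.

# write_hardening_conf OUTFILE DOCROOT UPLOADDIR MAXBYTES
write_hardening_conf() {
    out="$1"; docroot="$2"; upload="$3"; maxbytes="$4"
    cat > "$out" <<EOF
# Hide the Apache version in response headers and error pages
ServerTokens Prod
ServerSignature Off

# Nothing is served from the filesystem root, and .htaccess cannot override anything
<Directory />
    Options None
    AllowOverride None
    Require all denied
</Directory>

# Only the document root is served: no listings, no symlinks, no CGI, no server-side includes
<Directory "$docroot">
    Options -Indexes -FollowSymLinks -ExecCGI -Includes
    AllowOverride None
    Require all granted
</Directory>

# Cap request bodies for the upload directory to blunt resource-exhaustion attacks
<Directory "$upload">
    LimitRequestBody $maxbytes
</Directory>
EOF
}

# check_hardening CONFFILE - print how many of the 6 expected directives are present
check_hardening() {
    n=0
    for d in 'ServerTokens Prod' 'ServerSignature Off' 'Require all denied' \
             'AllowOverride None' 'Options -Indexes' 'LimitRequestBody'; do
        grep -q -- "$d" "$1" && n=$((n + 1))
    done
    echo "$n"
}

OUT=$(mktemp)   # assumption: in practice this would be /etc/httpd/conf.d/hardening.conf
write_hardening_conf "$OUT" /var/www/example.com /var/www/example.com/upload 1048576
echo "hardening directives present: $(check_hardening "$OUT") of 6"
# On a real server: apachectl configtest && systemctl reload httpd
```

Because Apache merges <Directory> sections from the shortest path to the longest, the 'Require all denied' on / is the default and each served directory must grant access explicitly, which is exactly the least-privilege layout the sections above aim for.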


Secure apache with SSL certificates

An SSL/TLS certificate lets Apache encrypt data in transit, so that even if traffic is intercepted, the captured data is of no use to an attacker. Securing the web server with an SSL certificate is especially necessary when our website handles sensitive information such as account details.


Enable logging

Apache logging provides detailed information about client requests made to our web server, so logging must be enabled as it helps in investigating an issue. Logging in Apache is provided by the mod_log_config module.

To enable per-site logging, we must provide the 'ErrorLog' & 'CustomLog' directives for the site while creating its entry in 'httpd.conf'.

<VirtualHost *:80>
DocumentRoot /var/www/html/example.com/
ServerName www.example.com
ServerAlias example.com
ErrorLog /var/log/httpd/example.com_error_log
CustomLog /var/log/httpd/example.com_access_log combined
</VirtualHost>
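
A quick triage of the 'combined' access log enabled above, as an added example that is not part of the original article: two awk one-liners wrapped in functions that show which clients are hammering the site & which are repeatedly failing to log in, the same per-client pattern that mod_evasive reacts to automatically. The log lines are constructed samples, and the file path, the '/login' URL & the request threshold are assumptions.

```shell
# Added example (not from the original article): spot noisy clients and
# failed logins in an Apache 'combined' access log.
# Combined-format fields: $1 client IP, $7 request path, $9 HTTP status.

# busy_clients LOG THRESHOLD - print "count ip" for clients with more than THRESHOLD requests
busy_clients() {
    awk -v t="$2" '{ c[$1]++ } END { for (ip in c) if (c[ip] > t) print c[ip], ip }' "$1" | sort -rn
}

# failed_logins LOG - count per client IP the requests to /login answered with 401 or 403
failed_logins() {
    awk '$7 ~ /^\/login/ && ($9 == 401 || $9 == 403) { c[$1]++ } END { for (ip in c) print c[ip], ip }' "$1" | sort -rn
}

LOG=$(mktemp)   # assumption: in practice /var/log/httpd/example.com_access_log
# Constructed sample log: one client retrying /login, two ordinary visitors
cat > "$LOG" <<'EOF'
203.0.113.7 - - [10/Oct/2000:13:55:36 -0700] "POST /login HTTP/1.1" 401 512 "-" "curl/7.29.0"
203.0.113.7 - - [10/Oct/2000:13:55:36 -0700] "POST /login HTTP/1.1" 401 512 "-" "curl/7.29.0"
203.0.113.7 - - [10/Oct/2000:13:55:37 -0700] "POST /login HTTP/1.1" 401 512 "-" "curl/7.29.0"
203.0.113.7 - - [10/Oct/2000:13:55:37 -0700] "POST /login HTTP/1.1" 403 512 "-" "curl/7.29.0"
198.51.100.2 - - [10/Oct/2000:13:55:40 -0700] "GET /index.html HTTP/1.1" 200 2326 "-" "Mozilla/5.0"
198.51.100.2 - - [10/Oct/2000:13:55:41 -0700] "GET /style.css HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
192.0.2.9 - - [10/Oct/2000:13:56:02 -0700] "POST /login HTTP/1.1" 200 512 "-" "Mozilla/5.0"
EOF

echo "Clients with more than 3 requests:"; busy_clients "$LOG" 3
echo "Failed login attempts per client:"; failed_logins "$LOG"
```

Per-site logs make this kind of check meaningful: with every virtual host writing to one shared file, a burst against a single site is diluted by the traffic of all the others.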

Using these tips you can make your Apache server more secure & less susceptible to breaches.

Shujat Husain

A continuous learner with several years of experience in Linux environments. I love to read, learn & write about Linux & new technologies. And I also write at linuxtechlab.com
