Important tips for securing an Apache server
Security is of utmost importance when it comes to data. Whether the data sits on an FTP server or on a website, breaches are a major concern once it is reachable from the internet. In this tutorial we discuss some tips that help make an Apache server more secure and less susceptible to breaches. All of these tips have been implemented and checked on CentOS 6 and 7, but they should work on other operating systems as well, since most of them relate directly to Apache rather than to the OS.
Update apache on regular basis
To address bugs or instability in the installed Apache version, keep the installation updated; this fixes known issues and makes the server more secure. To update Apache using yum, run
$ yum update httpd
Run apache as separate user & group
The default user for Apache is 'nobody' or 'daemon', but it is better to run it under a dedicated user of our own. To add such a user (with a shell that cannot be used to log in), run
$ groupadd apache
$ useradd -d /var/www/ -g apache -s /sbin/nologin apache
Then edit 'httpd.conf' so Apache runs as the new user and group: open 'httpd.conf', look for the 'User' and 'Group' directives and update them
$ vi /etc/httpd/conf/httpd.conf
User apache
Group apache
Disable unnecessary modules
One of the most common causes of web breaches is unnecessary modules. A default Apache installation loads many modules that are usually not required, and every loaded module is extra attack surface, so such modules should be disabled to make the server less susceptible to breaches.
Some of the modules that are usually not required but are loaded into Apache are mod_imap, mod_include, mod_info, mod_userdir, mod_autoindex etc. Refer to the official Apache documentation to make sure you are not removing a module that is actually required. To remove a module, either build Apache from source and load only the required modules or, if you already have a working server, list the loaded modules with
$ grep LoadModule /etc/httpd/conf/httpd.conf
and comment out the unnecessary ones by putting '#' in front of their LoadModule lines. Restart the Apache service to apply the changes.
Block unwanted services
Certain features such as following symbolic links and CGI execution are often not required but are enabled on Apache servers. To disable such features, edit 'httpd.conf' and add the following lines
<Directory /var/www/example.com>
    Options -ExecCGI -FollowSymLinks -Includes
</Directory>
Restrict access to root directory
The root directory of the filesystem should never be served by Apache. To lock it down, open 'httpd.conf' and add the following lines (on httpd 2.4, as shipped with CentOS 7, 'Order deny,allow' and 'Deny from all' are replaced by 'Require all denied')
<Directory />
    Options None
    Order deny,allow
    Deny from all
</Directory>
Disable directory listing
In the absence of an index file, Apache lists all files and subdirectories of a directory, which is a serious security risk because it exposes the whole directory tree. Directory listing should therefore always be disabled. This can be done by making the following entry in the '/etc/httpd/conf/httpd.conf' file; the two directives after the block additionally stop Apache from revealing its version on error pages and in the Server header
<Directory /var/www/html>
    Options -Indexes
</Directory>
ServerSignature Off
ServerTokens Prod
Prohibit access to .htaccess
.htaccess files are used to modify the behaviour of a site: they can override the default Apache directives on a per-directory basis. Overriding via .htaccess should be prohibited. We can do this by adding the following lines to our 'httpd.conf' file
<Directory />
    Options None
    AllowOverride None
    Order allow,deny
    Allow from all
</Directory>
Enable mod_security & mod_evasive
mod_security and mod_evasive are important modules when it comes to securing Apache servers. mod_security works as a web application firewall and allows traffic to be monitored in real time. It also helps protect websites and the web server from brute-force attacks.
mod_evasive helps Apache cope with HTTP brute-force and DoS or DDoS attacks. It limits how many requests a client may make in a given time and so prevents a DDoS attack from doing as much damage.
We can install mod_security using yum
$ yum install mod_security
and mod_evasive can be installed from source.
Limit large requests
By default, Apache places no restriction on the size of a request body, which can make a website susceptible to DoS (denial of service) attacks. So we should limit the size for our website directory. The value is set in bytes, from 0 (unlimited) to 2147483647 (2 GB).
An example of doing so is shown below
<Directory "/var/www/example.com/upload">
    LimitRequestBody 102400
</Directory>
Here, we restrict users from uploading files larger than 1 MB to '/var/www/example.com/upload'.
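As an added example (not code from the article), the following shell script audits an httpd.conf for the directives covered in the sections above on unnecessary modules, directory listing, .htaccess and request size. The two sample configs it checks are constructed; the list of modules it flags is taken from the article.

```shell
#!/bin/sh
# Added example (not from the article): audit an httpd.conf for the hardening
# directives discussed above. The sample configs below are constructed.

# Modules the article lists as usually unnecessary
UNNEEDED_MODULES="imap_module include_module info_module userdir_module autoindex_module"
has()  { printf '%s\n' "$CONF_TEXT" | grep -Eq "$1"; }        # directive present?
fail() { echo "MISSING: $1"; FINDINGS=$((FINDINGS + 1)); }    # record a finding

# Print one "MISSING: ..." line per absent hardening directive, then a count.
# Comments are stripped first so a commented-out directive does not count.
audit_httpd_conf() {
    CONF_TEXT=$(sed 's/#.*$//' "$1")
    FINDINGS=0
    has '^[[:space:]]*ServerTokens[[:space:]]+Prod'          || fail "ServerTokens Prod (version shown in Server header)"
    has '^[[:space:]]*ServerSignature[[:space:]]+Off'        || fail "ServerSignature Off (version shown on error pages)"
    has '^[[:space:]]*Options[[:space:]]+(None|.*-Indexes)'  || fail "Options -Indexes (directory listing enabled)"
    has '^[[:space:]]*AllowOverride[[:space:]]+None'         || fail "AllowOverride None (.htaccess still honoured)"
    has '^[[:space:]]*LimitRequestBody[[:space:]]+[0-9]+'    || fail "LimitRequestBody (request body size unlimited)"
    for m in $UNNEEDED_MODULES; do
        has "^[[:space:]]*LoadModule[[:space:]]+$m[[:space:]]" && fail "$m is still loaded"
    done
    echo "findings: $FINDINGS"
}

# Constructed samples: a default-looking config and a hardened one
WEAK=$(mktemp); HARD=$(mktemp)
trap 'rm -f "$WEAK" "$HARD"' EXIT
cat > "$WEAK" <<'EOF'
LoadModule autoindex_module modules/mod_autoindex.so
LoadModule info_module modules/mod_info.so
ServerTokens OS
# ServerSignature Off   (commented out, so it must not count)
<Directory /var/www/html>
    Options Indexes FollowSymLinks
    AllowOverride All
</Directory>
EOF
cat > "$HARD" <<'EOF'
#LoadModule autoindex_module modules/mod_autoindex.so
ServerTokens Prod
ServerSignature Off
<Directory /var/www/html>
    Options -Indexes
    AllowOverride None
    LimitRequestBody 102400
</Directory>
EOF
audit_httpd_conf "$WEAK"   # seven MISSING lines, then "findings: 7"
audit_httpd_conf "$HARD"   # "findings: 0"
```

The check is deliberately simple: it looks for the directives anywhere in the file and does not evaluate which Directory block they belong to, so treat its output as a starting point for a manual review.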
Secure apache with SSL certificates
An SSL certificate encrypts data in transit, so even if traffic is intercepted, the captured data is of no use to an attacker because it is encrypted. Securing the web server with an SSL certificate is especially necessary when the website handles sensitive information such as account details.
Enable logging
Apache logging provides detailed information about the client requests made to our web server, so logging must be enabled; it is what lets us investigate an issue afterwards. Logging in Apache is provided by the mod_log_config module.
To enable per-site logging, we must provide the 'ErrorLog' and 'CustomLog' directives for the site when creating its entry in 'httpd.conf'.
<VirtualHost *:80>
    DocumentRoot /var/www/html/example.com/
    ServerName www.example.com
    ServerAlias example.com
    ErrorLog /var/log/httpd/example.com_error_log
    CustomLog /var/log/httpd/example.com_access_log combined
</VirtualHost>
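As an added example (not code from the article), here is a small shell function that reads a CustomLog written in the 'combined' format configured above and counts 4xx responses per client, so that password guessing or probing for files such as .htaccess stands out in the access log. The log lines are constructed and the client addresses come from the RFC 5737 documentation ranges.

```shell
#!/bin/sh
# Added example (not from the article): summarise a "combined"-format access
# log by counting 4xx responses per client. Log lines below are constructed.

# Print "count client" for every client with more than $2 responses in the
# 400-499 range in the combined-format log $1, highest count first.
clients_with_4xx() {
    awk -v min="$2" '
        # combined format, split on whitespace:
        #   $1 host   $4,$5 [date tz]   $6-$8 "METHOD path HTTP/x"   $9 status   $10 bytes
        # (a request line with a different number of words shifts $9 and is not handled)
        $9 ~ /^4[0-9][0-9]$/ { n[$1]++ }
        END { for (h in n) if (n[h] > min) printf "%d %s\n", n[h], h }
    ' "$1" | sort -rn
}

# Constructed sample log: one client hammering the login page and probing
# for .htaccess, one ordinary visitor with a single broken image link
LOG=$(mktemp)
trap 'rm -f "$LOG"' EXIT
cat > "$LOG" <<'EOF'
203.0.113.5 - - [10/Oct/2000:13:55:36 -0700] "POST /login HTTP/1.1" 401 512 "-" "curl/7.29.0"
203.0.113.5 - - [10/Oct/2000:13:55:37 -0700] "POST /login HTTP/1.1" 401 512 "-" "curl/7.29.0"
203.0.113.5 - - [10/Oct/2000:13:55:38 -0700] "POST /login HTTP/1.1" 401 512 "-" "curl/7.29.0"
203.0.113.5 - - [10/Oct/2000:13:55:39 -0700] "GET /.htaccess HTTP/1.1" 403 199 "-" "curl/7.29.0"
198.51.100.7 - - [10/Oct/2000:13:56:01 -0700] "GET /index.html HTTP/1.1" 200 1043 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Oct/2000:13:56:02 -0700] "GET /missing.png HTTP/1.1" 404 209 "-" "Mozilla/5.0"
EOF
clients_with_4xx "$LOG" 3   # prints: 4 203.0.113.5
clients_with_4xx "$LOG" 0   # prints both clients, 203.0.113.5 first
```

Run it against '/var/log/httpd/example.com_access_log' with a threshold that suits your traffic; a client far above the rest is a candidate for a mod_evasive or firewall rule.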
Using these tips you can make your Apache server more secure and less susceptible to breaches.