Apr 022014


Article by: Kerry Blake

Apache is the most widely used Web server on the Internet. It was developed to work in Unix environment, but was ported to other server operating system like Windows. The Apache web server serves millions of websites and web-applications. A wide range of authentication schemes and a lot of language interfaces support and security features makes it the favorite Web server of millions of users all over the globe.

The stardom and popularity also makes websites that are backed by Apache favorite target among hackers. Websites that are backed by Apache often fall prey for hack attacks not because of security risks and holes in Apache, but mainly because of poorly written code and other security issues associated with Database. Apache and Linux combination provides good security, but things might go wrong if you don’t take the measures. There are several things one need to do to secure Apache. We have compiled a list of simple things you should perform to make you Web server secure.

First thing: Update

Security holes and potential risks are found and fixed in every Apache release. The developer community is constantly working on new security issues and we can’t stress enough how important it is to update.
A good update policy and security policy works hand-in-hand. You should not only update Apache when there is a major release, but also should also install all the patches. It is also wise to update PHP (if you use it) as well when you update Apache.
You can check the current version of Apache by using the following command.

# http -v
Server version: Apache/2.*.** (Unix)
Server built: Mar 12 2014 13:20:23

If it shows that the version of Apache you are running in not up to date, do update.

Apache version and OS

If an error occurs, the server might return information about the error along with the Apache version and details about the OS. A simple 404 page can give crucial information about the Web server and OS. In some cases, it might even return details about Apache modules that are also installed in the server.
To turn this off, open the config. File (httpd.conf) with a text editor and find the string “ServerSignature On.” It should be On by default. Turn it off simply by replacing “On” by “Off.”
Now the HTTP site header and error pages will only show that it runs Apache and will not show the version.

Disable Directory Listing.

If there is no index file in the root directory, Apache will, by default list all the files in the root directory. There are several ways to prevent Apache from listing the files in the root folder. Again you need to add a couple of lines to the config file. There are 2 ways to doing this. Either set the Option Directive to “-Indexes” or “None.” If you don’t have a clue what we are talking about just add the following lines to the config file.

<directory /var/www/html>
Options -Indexes
Order allow,deny
Allow from all

Or use the following code.

Options None
Order allow,deny
Allow from all

In some distributions these directive are already set, but it’s better to check, after all better safe than sorry.

Secure the config file

If you are a newbie and if you have been following the steps above, you should have conceived the fact that, the httpd.conf file is quite important in keeping your server secure. So it is better to hide your file. You can always unhide it when you want.
Use the following command to immunize the config file.

chattr +i /httpd/conf/httpd.conf

From chattr man page:

“A file with the `i’ attribute cannot be modified: it cannot be deleted or renamed, no link can be created to this file and no data can be written to the file. Only the superuser or a process possessing the CAP_LINUX_IMMUTABLE capability can set or clear this attribute.”

Prevent DoS attack by limiting request size

Most Denial of service attacks could be prevented by not allowing large requests. By default the LimitRequestBody is set unlimited. Depending on your website’s requirement the size could be altered. You could also limit requests to more vulnerable directories like upload folders.

Disable unwanted Modules

By disabling several modules that are not of any use to you, you can reduce the security vulnerability of your server. To find out the list of all the modules in your Web server, you can use the following command.

# grep LoadModule /etc/httpd/conf/httpd.conf

Analise all the modules in the output list and figure out the ones that are unnecessary. You don’t even have to delete the lines. Just add “#” at the beginning and it will become deactivated after you restart the service.

Do not run Apache as root

Apache should not run as root. It is always good to run Apache as a separate user. It will run as daemon or nobody by default. Set up a non-privileged account dedicated for Apache. Never set Apache User or Group to root.

# vi httpd.conf
Group apache
User apache

Choose the right hosting provider

This doesn’t have anything to do with fiddling with your Web server. Some of the most popular web hosting services are from the America or Europe. Popular doesn’t mean, highly secure. You don’t necessarily have to buy your web hosting from these hosting providers. If you don’t live in the U.S., you can find a lot of reliable, affordable, and secure hosting providers in your own country. Do you live in Australia? Look for an Australian website hosting provider like EZI Hosting and choose the most popular hosting providers whose IP addresses are not often attacked by hackers.

Apache Website: http://httpd.apache.org/

Popular Posts:

Flattr this!

  2 Responses to “8 Simple To Follow Tips To Secure Your Apache Web Server”

  1. In addition to all of the above, I would also run the server under chrooted jail.

    ex: ChrootDir /var/www/html

  2. Another good security practice is to install mod_security. It is very useful Apache module that provides protection from various attacks against web applications and allows us to monitor traffic on a real time basis.

 Leave a Reply

You may use these HTML tags and attributes: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <s> <strike> <strong>