• Get application security done the right way! Detect, Protect, Monitor, Accelerate, and more…
  • Secure & Harden Apache webserver with following best practices to keep your web application secure.

    The Web Server is a crucial part of web-based applications. Having misconfigured and the default configuration can expose sensitive information, and that’s a risk.

    As a website owner or administrator, you should regularly perform security scans against your website to find for online threats so you can take action before a hacker does.

    Let’s go through essential configurations to keep your Apache webserver.

    Following all configuration is in httpd.conf of your apache instance.

    Note: take a backup of the necessary configuration file before modification, so restoration is easy when things go wrong.

    Disable Trace HTTP Request

    The default TraceEnable on permits TRACE, which disallows any request body to accompany the request.

    TraceEnable off causes the core server and mod_proxy to return a 405 (Method not allowed) error to the client.

    TraceEnable on allows for Cross-Site Tracing Issue and potentially giving the option to a hacker to steal your cookie information.

    Solution

    Address this security issue by disabling the TRACE HTTP method in Apache Configuration.

    You can do by Modifying/Adding below directive in your httpd.conf of your Apache Web Server.

    TraceEnable off

    Run as separate User & Group

    By default, Apache is configured to run with nobody or daemon.

    Don’t set User (or Group) to root unless you know exactly what you are doing, and what the dangers are.

    Solution

    Running Apache in its own non-root account is good. Modify User & Group Directive in httpd.conf of your Apache Web Server

    User apache 
    Group apache

    Disable Signature

    The Off setting, which is the default, suppresses the footer line.

    The On setting simply adds a line with the server version number and ServerName of the serving virtual host.

    Solution

    It’s good to disable Signature, as you may not wish to reveal Apache Version you are running.

    ServerSignature Off

    Disable Banner

    This directive controls whether the Server response header field, which is sent back to clients, includes a description of the generic OS-type of the server as well as information about compiled-in modules.

    Solution

    ServerTokens Prod

    Restrict Access to a Specific Network or IP

    If you wish your site to be viewed only by specific IP address or network, you can modify your site Directory in httpd.conf

    Solution

    Give the network address in the Allow directive.

    <Directory /yourwebsite>    
    Options None    
    AllowOverride None    
    Order deny,allow    
    Deny from all    
    Allow from 10.20.0.0/24  
    </Directory>

    Give the IP address in the Allow directive.

    <Directory /yourwebsite>
    Options None
    AllowOverride None
    Order deny,allow
    Deny from all
    Allow from 10.20.1.56
    </Directory>

    Use only TLS 1.2

    SSL 2.0, 3.0, TLS 1, 1.1 reportedly suffers from several cryptographic flaws.

    Need help with configuring SSL? refer to this guide.

    Solution

    SSLProtocol -ALL +TLSv1.2

    Disable Directory Listing

    If you don’t have index.html under your WebSite Directory, the client will see all files and sub-directories listed in the browser (like ls –l output).

    Solution

    To disable directory browsing, you can either set the value of Option directive to “None” or “-Indexes”

    <Directory />
    Options None
    Order allow,deny
    Allow from all
    </Directory>

    OR

    <Directory />
    Options -Indexes
    Order allow,deny
    Allow from all
    </Directory>

    Remove unnecessary DSO Modules

    Verify your configuration to remove redundant DSO modules.

    There are many modules activated by default after installation. You can remove which you don’t need.

    Disable Null and Weak Ciphers

    Allow only strong ciphers, so you close all the doors who try to handshake on lower cipher suites.

    Solution

    SSLCipherSuite ALL:!aNULL:!ADH:!eNULL:!LOW:!EXP:RC4+RSA:+HIGH:+MEDIUM

    Stay Current

    As Apache is an active open-source, the easiest way to improve the security of Apache Web Server is to keep the latest version. New fixes and security patches are added in every release. Always upgrade to the latest stable version of Apache.

    Above are just a few of the essential configuration, and if you are looking for in-depth, then you can refer my step-by-step security & hardening guide.