Secure & Harden Apache web server with following best practices to keep your web application secure.
The Web Server is a crucial part of web-based applications.
Having misconfigured and keeping default configuration can expose sensitive information, and that’s risk.
As a website owner or administrator, you should regularly perform security scan against your website to find for online threats so you can take action before a hacker does.
Let’s go through essential configurations to keep your Apache web server.
Following all configuration is in
httpd.conf of your apache instance.
Note: take a backup of necessary configuration file before modification, so restoration is easy when things go wrong.
Disable Trace HTTP Request
TraceEnable on permits TRACE, which disallows any request body to accompany the request.
TraceEnable off causes the core server and mod_proxy to return a 405 (Method not allowed) error to the client.
TraceEnable on allows for Cross Site Tracing Issue and potentially giving the option to a hacker to steal your cookie information.
Address this security issue by disabling the TRACE HTTP method in Apache Configuration.
You can do by Modifying/Adding below directive in your httpd.conf of your Apache Web Server.
Run as separate User & Group
By default, Apache is configured to run with nobody or daemon.
Don’t set User (or Group) to root unless you know exactly what you are doing, and what the dangers are.
Running Apache in its own non-root account is good. Modify User & Group Directive in httpd.conf of your Apache Web Server
User apache Group apache
The Off setting, which is the default, suppresses the footer line.
The On setting simply adds a line with the server version number and ServerName of the serving virtual host.
It’s good to disable Signature, as you may not wish to reveal Apache Version you are running.
This directive controls whether Server response header field, which is sent back to clients, includes a description of the generic OS-type of the server as well as information about compiled-in modules.
Restrict Access to a Specific Network or IP
If you wish your site to be viewed only by specific IP address or network, you can modify your site Directory in httpd.conf
Give the network address in the Allow directive.
<Directory /yourwebsite> Options None AllowOverride None Order deny,allow Deny from all Allow from 10.20.0.0/24 </Directory>
Give the IP address in the Allow directive.
<Directory /yourwebsite> Options None AllowOverride None Order deny,allow Deny from all Allow from 10.20.1.56 </Directory>
Use only TLS 1.2, Disable SSLv2, SSLv3
SSL 2.0 & 3.0, reportedly suffers from several cryptographic flaws.
Need help with configuring SSL? refer this guide.
SSLProtocol -ALL +TLSv1.2
Disable Directory Listing
If you don’t have index.html under your WebSite Directory, the client will see all files and sub-directories listed in the browser (like ls –l output).
To disable directory browsing, you can either set the value of Option directive to “None” or “-Indexes”
<Directory /> Options None Order allow,deny Allow from all </Directory>
<Directory /> Options -Indexes Order allow,deny Allow from all </Directory>
Remove unnecessary DSO Modules
Verify your configuration to remove redundant DSO modules.
There are many modules activated by default after installation. You can remove which you don’t need.
Disable Null and Weak Ciphers
Allow only strong ciphers, so you close all the doors who try to handshake on lower cipher suites.
As Apache is an active open source, the easiest way to improve the security of Apache Web Server is to keep the latest version. New fixes and security patches are added in every release.
Always upgrade to the latest stable version of Apache.
Above are just a few of the essential configuration, and if you are looking for in-depth, then you can refer my step-by-step security & hardening guide.
Learn more about Apache HTTP here.