Shares 33

Secure & Harden Apache web server with following best practices to keep your web application secure.

The Web Server is a crucial part of web-based applications. Having misconfigured and keeping default configuration can expose sensitive information and that’s risk.

As a website owner or administrator, you should regularly perform security scan against your website to find for online threats so you can take action before a hacker does.

Let’s go through essential configurations to keep your Apache web server. Following all configuration is in httpd.conf of your apache instance.

1. Disable Trace HTTP Request

The default TraceEnable on permits TRACE, which disallows any request body to accompany the request. TraceEnable off causes the core server and mod_proxy to return a 405 (Method not allowed) error to the client.

TraceEnable on allows for Cross Site Tracing Issue and potentially giving the option to a hacker to steal your cookie information.

Solution:

Address this security issue by disabling the TRACE HTTP method in Apache Configuration. You can do by Modifying/Adding below directive in your httpd.conf of your Apache Web Server.

TraceEnable off

2. Run as separate User & Group

By default, apache is configured to run with nobody or daemon. Don’t set User (or Group) to root unless you know exactly what you are doing, and what the dangers are.

Solution:

It is good to run Apache in its own non-root account. Modify User & Group Directive in httpd.conf of your Apache Web Server

User apache
Group apache

3. Disable Signature

The Off setting, which is the default, suppresses the footer line. The On setting simply adds a line with the server version number and ServerName of the serving virtual host.

Solution:

It’s good to disable Signature, as you may not wish to reveal Apache Version you are running.

ServerSignature Off

4. Disable Banner

This directive controls whether Server response header field, which is sent back to clients, includes a description of the generic OS-type of the server as well as information about compiled-in modules.

Solution:

ServerTokens Prod

5.  Restrict Access to a Specific Network or IP

If you wish your site to be viewed only by specific IP address or network, you can modify your site Directory in httpd.conf

Solution:

Give the network address in the Allow directive.

<Directory /yourwebsite>    
Options None    
AllowOverride None    
Order deny,allow    
Deny from all    
Allow from 10.20.0.0/24  
</Directory>

Give the IP address in the Allow directive.

<Directory /yourwebsite>
Options None
AllowOverride None
Order deny,allow
Deny from all
Allow from 10.20.1.56
</Directory>

6. Use only TLS, Disable SSLv2, SSLv3

SSL 2.0 & 3.0, reportedly suffers from several cryptographic flaws.

Solution:

SSLProtocol -ALL +TLSv1

7. Disable Directory Listing

If you don’t have index.html under your WebSite Directory, the client will see all files and sub-directories listed in the browser (like ls –l output).

Solution:

To disable directory browsing, you can either set the value of Option directive to “None” or “-Indexes”

<Directory />
Options None
Order allow,deny
Allow from all
</Directory>

(or)

<Directory />
Options -Indexes
Order allow,deny
Allow from all
</Directory>

8. Remove unnecessary DSO Modules

Verify your configuration to remove unnecessary DSO modules. There are many modules activated by default after installation. You can remove which you don’t need.

9. Disable Null and Weak Ciphers

Allow only strong ciphers so you close all the doors who try to handshake on lower cipher suites.

Solution:

SSLCipherSuite ALL:!aNULL:!ADH:!eNULL:!LOW:!EXP:RC4+RSA:+HIGH:+MEDIUM

10. Stay Current

As Apache is an active open source, the easiest way to improve the security of Apache Web Server is to keep the latest version. New fixes and security patches are added in every release. Always upgrade to the latest stable version of Apache.

Above are just a few of the essential configuration and if you are looking for in-depth then you can refer my step-by-step security & hardening guide.

Shares 33

Reader Interactions

Comments

Comments

Your email address will not be published. Required fields are marked *