Secure & Harden Apache webserver with following best practices to keep your web application secure.

The Web Server is a crucial part of web-based applications. Having misconfigured and the default configuration can expose sensitive information, and that’s a risk.

As a website owner or administrator, you should regularly perform security scans against your website to find for online threats so you can take action before a hacker does.

Let’s go through essential configurations to keep your Apache webserver.

Following all configuration is in httpd.conf of your apache instance.

Note: take a backup of the necessary configuration file before modification, so restoration is easy when things go wrong.

Disable Trace HTTP Request

The default TraceEnable on permits TRACE, which disallows any request body to accompany the request.

TraceEnable off causes the core server and mod_proxy to return a 405 (Method not allowed) error to the client.

TraceEnable on allows for Cross-Site Tracing Issue and potentially giving the option to a hacker to steal your cookie information.

Solution

Address this security issue by disabling the TRACE HTTP method in Apache Configuration.

You can do by Modifying/Adding below directive in your httpd.conf of your Apache Web Server.

TraceEnable off

Run as separate User & Group

By default, Apache is configured to run with nobody or daemon.

Don’t set User (or Group) to root unless you know exactly what you are doing, and what the dangers are.

Solution

Running Apache in its own non-root account is good. Modify User & Group Directive in httpd.conf of your Apache Web Server

User apache 
Group apache

Disable Signature

The Off setting, which is the default, suppresses the footer line.

The On setting simply adds a line with the server version number and ServerName of the serving virtual host.

Solution

It’s good to disable Signature, as you may not wish to reveal Apache Version you are running.

ServerSignature Off

Disable Banner

This directive controls whether the Server response header field, which is sent back to clients, includes a description of the generic OS-type of the server as well as information about compiled-in modules.

Solution

ServerTokens Prod

Restrict Access to a Specific Network or IP

If you wish your site to be viewed only by specific IP address or network, you can modify your site Directory in httpd.conf

Solution

Give the network address in the Allow directive.

<Directory /yourwebsite>    
Options None    
AllowOverride None    
Order deny,allow    
Deny from all    
Allow from 10.20.0.0/24  
</Directory>

Give the IP address in the Allow directive.

<Directory /yourwebsite>
Options None
AllowOverride None
Order deny,allow
Deny from all
Allow from 10.20.1.56
</Directory>

Use only TLS 1.2

SSL 2.0, 3.0, TLS 1, 1.1 reportedly suffers from several cryptographic flaws.

Need help with configuring SSL? refer to this guide.

Solution

SSLProtocol -ALL +TLSv1.2

Disable Directory Listing

If you don’t have index.html under your WebSite Directory, the client will see all files and sub-directories listed in the browser (like ls –l output).

Solution

To disable directory browsing, you can either set the value of Option directive to “None” or “-Indexes”

<Directory />
Options None
Order allow,deny
Allow from all
</Directory>

OR

<Directory />
Options -Indexes
Order allow,deny
Allow from all
</Directory>

Remove unnecessary DSO Modules

Verify your configuration to remove redundant DSO modules.

There are many modules activated by default after installation. You can remove which you don’t need.

Disable Null and Weak Ciphers

Allow only strong ciphers, so you close all the doors who try to handshake on lower cipher suites.

Solution

SSLCipherSuite ALL:!aNULL:!ADH:!eNULL:!LOW:!EXP:RC4+RSA:+HIGH:+MEDIUM

Stay Current

As Apache is an active open-source, the easiest way to improve the security of Apache Web Server is to keep the latest version. New fixes and security patches are added in every release. Always upgrade to the latest stable version of Apache.

Above are just a few of the essential configuration, and if you are looking for in-depth, then you can refer my step-by-step security & hardening guide.