Apache is one of the most widely used web servers on the planet… and with good reason. Not only is it incredibly powerful and flexible, it’s also free. That cost-to-feature ratio makes for an attractive package for the DIY (do-it-yourself) crowd.
Apache is also really secure out of the box. But for those who live on the edge of paranoia, it’s nice to know there are ways to make an already secure web server even more secure. Here are some tips that you can employ quickly to harden your already running Apache server.
Hide the banner
Apache announces which software is serving your pages in its Server response header and in the signature line it appends to server-generated pages. By announcing itself, it makes it easier for attackers to target version-specific attacks. So instead of blindly announcing what piece of software is handing out content, let’s obfuscate it by turning off ServerSignature and trimming ServerTokens.
- Open a terminal window.
- Open the Apache configuration file (in Ubuntu this is /etc/apache2/apache2.conf).
- Search for a line containing ServerSignature. If found, set it to Off.
- Search for ServerTokens. If found, set it to ProductOnly.
Now, restart Apache with the command /etc/init.d/apache2 restart. Apache no longer broadcasts its version details in the Server header. If you want to test this, issue the command curl -I http://DOMAIN, where DOMAIN is the domain serving up your website, and look at the Server: line in the output.
Deny All
The best way to secure access to Apache is to deny access to everything and everyone and then allow access only where needed. This is done by modifying the directory containers; specifically, you’ll want to start with the main <Directory /> container and make sure it looks like:
<Directory />
Order deny,allow
Deny from all
</Directory>
Now create new containers for the directories that you need to give access to. These can look like:
<Directory "/var/www/XXX">
Order allow,deny
Allow from all
</Directory>
where XXX is a specific directory that must be accessed. Once you’ve done this, restart Apache and enjoy a stronger web server.
Trace HTTP requests
HTTP TRACE requests are another possible security issue. These requests echo back everything the server received, which can be used to trick Apache into printing HTTP cookies and hijacking HTTP sessions. This is known as the Cross Site Scripting attack (or XSS).
In order to disable this feature, set the TraceEnable directive in /etc/apache2/apache2.conf to Off. After you change the setting and save the file, restart Apache, and you should be good to go.
Disable Directory Indexing
The Directory Indexing feature lists the contents of a directory to anyone who requests it (this happens whenever there is no index.html or index.php file in the directory). On an Ubuntu server, the enabled modules live in the /etc/apache2/mods-enabled directory. The modules to be removed are: autoindex.load and autoindex.conf. You can remove those files with the following commands:
sudo rm -rf /etc/apache2/mods-enabled/autoindex.load
sudo rm -rf /etc/apache2/mods-enabled/autoindex.conf
For other distributions, look for the “Indexes” option in the particular directory container and remove the option. A directory container starts with <Directory> and ends with </Directory>. Within those tags you will find the line: Options Indexes FollowSymLinks… . Just remove the “Indexes” option, save the file, and restart Apache.
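To check that the banner, deny-all, TRACE and directory-indexing changes above actually landed in a configuration file, here is a small audit script. It is an added example, not code from the article; the WEAK_CONF fragment is constructed to contain the weak settings, and the script only reads the text you hand it.

```python
import re

# Constructed apache2.conf fragment (not from the article) carrying the weak
# settings the article tells you to change, so the audit has findings.
WEAK_CONF = """\
ServerSignature On
ServerTokens Full
TraceEnable On
<Directory />
    Options Indexes FollowSymLinks
    Order allow,deny
    Allow from all
</Directory>
"""

DIRECTORY_RE = re.compile(r'<Directory\s+"?([^">]+?)"?\s*>(.*?)</Directory>', re.S | re.I)

def directive(text, name):
    """Value of the last uncommented occurrence of a directive, or None."""
    found = None
    for line in text.splitlines():
        parts = line.split("#", 1)[0].split(None, 1)
        if len(parts) == 2 and parts[0].lower() == name.lower():
            found = parts[1].strip()
    return found

def audit_apache_conf(text):
    """Return a list of findings; an empty list means every check passed."""
    findings = []
    if (directive(text, "ServerSignature") or "").lower() != "off":
        findings.append("ServerSignature is not set to Off")
    if (directive(text, "ServerTokens") or "").lower() not in ("prod", "productonly"):
        findings.append("ServerTokens is not set to ProductOnly")
    if (directive(text, "TraceEnable") or "").lower() != "off":
        findings.append("TraceEnable is not set to Off")
    root_denied = False
    for path, body in DIRECTORY_RE.findall(text):
        if path == "/" and re.search(r"^\s*Deny\s+from\s+all\s*$", body, re.M | re.I):
            root_denied = True
        # Flag "Indexes" (or "+Indexes") in Options; an explicit "-Indexes" is fine.
        if re.search(r"(^|\s)\+?Indexes(\s|$)", directive(body, "Options") or "", re.I):
            findings.append(f"Options Indexes is enabled for {path}")
    if not root_denied:
        findings.append("<Directory /> does not Deny from all")
    return findings

if __name__ == "__main__":
    for finding in audit_apache_conf(WEAK_CONF):
        print("WARN:", finding)
```

Run it against your own file with audit_apache_conf(open("/etc/apache2/apache2.conf").read()); it reads only the one file, so directives set in included files (such as Ubuntu's conf-enabled/security.conf) are not seen.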
Disable WebDAV
WebDAV is a popular protocol that allows for the sharing of data (such as calendars) and allows for web-based email. If these features are not needed, I highly recommend disabling this protocol from your Apache server. To do this, issue the following commands and then restart Apache:
sudo rm /etc/apache2/mods-enabled/dav.load
sudo rm /etc/apache2/mods-enabled/dav_fs.conf
sudo rm /etc/apache2/mods-enabled/dav_fs.load
sudo rm /etc/apache2/mods-enabled/dav_lock.load
Use SSL (Secure Sockets Layer)
I won’t go into the setting up and configuring of SSL, but when you need secure HTTP, you must use SSL.
Keep up to date
When an update is released for Apache, it is often for security purposes. Keep your eye on updates and make sure that your Apache installation is as up to date as possible. This is critical. Unlike the proprietary world, the open source world tends to find and fix bugs quickly, so shortly after a bug is found, you can bet the developers will be working on a fix right away. On a piece of software as important as Apache, those bug fixes will be rushed out to the repositories much faster than, say, a piece of desktop software.
Watch your log files
In the /var/log/apache2 directory, these logs are available: access.log and error.log. These logs, in particular, are always important to watch. If there seems to be an issue with Apache, I like to use the tail command on either of these log files (using the command sudo tail -f /var/log/apache2/access.log) to watch the logs as events are recorded.