IIT Inc. - IT Consulting, Staffing and Multimedia Communication Solutions
7 Tips to Harden Your Apache Installation on Linux

6/27/2014

Hackers are constantly discovering ways to gain access to Web servers to send spam, launch synchronized attacks on other servers, steal personal information and deface websites. Because Apache is the most commonly used Web server software, hackers focus many of their efforts on trying to discover vulnerabilities they can leverage on an Apache server. After you install Apache from the default APT package on Debian or Ubuntu, or from the default Yum package on Red Hat, CentOS or Fedora, you can strengthen the security of your installation with these seven tips to harden your Apache Web server.

1. Keep Your OS Updated. The Apache community is very active and alert to security issues. Make sure that you frequently apply patches for your operating system, which will include security patches for Apache. Update your installation with either Apt or Yum:

           apt-get update && apt-get upgrade (Debian/Ubuntu)

           yum update (RHEL/CentOS/Fedora)

2. Suppress OS Information When Errors Occur. When an error occurs, the default behavior in Apache is to display the Apache version and the operating system flavor and version, for example, "Apache2/2.22 (Debian) Server at 10.16.2.100 Port 80." This gives hackers valuable information they don't need to know. To suppress this information, edit your Apache configuration file:

           /etc/apache2/apache2.conf (Debian/Ubuntu)

           /etc/httpd/conf/httpd.conf (RHEL/CentOS/Fedora)

Add the following two settings. ServerSignature Off removes the server line from error pages; ServerTokens Prod reduces the Server response header to just "Apache", with no version or OS details:

           ServerSignature Off

           ServerTokens Prod

And restart your server:

           /etc/init.d/apache2 restart (Debian/Ubuntu)

           service httpd restart (RHEL/CentOS/Fedora)

3. Turn Off Directory Listings. If a visitor navigates to a Web page that doesn't have an index.html, index.php or other valid index file, Apache displays a list of all files in the directory to the visitor. The visitor can then click to open each file and use the listing to navigate the file system on the server. Disable this option using an Options directive in your Apache configuration file:

           <Directory /var/www>
               Options -Indexes
           </Directory>

4. Disable the Trace HTTP Request. In a cross-site tracing attack, a variant of cross-site scripting, a hacker can use the HTTP TRACE method, which echoes the request back to the client, to read the HTTP cookies and steal the session. Disable the method by editing your Apache configuration file:

           /etc/apache2/apache2.conf (Debian/Ubuntu)

           /etc/httpd/conf/httpd.conf (RHEL/CentOS/Fedora)

Add the following setting:

           TraceEnable Off

And restart your server:

           /etc/init.d/apache2 restart (Debian/Ubuntu)

           service httpd restart (RHEL/CentOS/Fedora)

5. Protect Your Root Directory. A website visitor should never have access to your root directory. So that nothing is served even if a hacker finds a way to request files from there, deny access to the directory with the Order directive:

           <Directory />
               AllowOverride None
               Order deny,allow
               Deny from all
           </Directory>
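Tips 2 to 5 all come down to a handful of directives, so they can be checked together. The script below is an added example, not code from the original article or from the Apache project: it audits a configuration file for ServerSignature, ServerTokens, TraceEnable, any Options line that enables Indexes, and a deny-all <Directory /> block (accepting either the Apache 2.2 "Deny from all" used above or the 2.4 equivalent "Require all denied"). The function names and the two sample configurations it builds in temporary files are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not code from the original article: audit an Apache
# configuration file for the settings in tips 2 to 5 and report which are
# still missing. Directive names are Apache's own; the function names and the
# two sample configuration files built below are constructed for this demo.

lc() { printf '%s' "$1" | tr 'A-Z' 'a-z'; }

# Effective value of a directive: the last uncommented occurrence wins, as it
# does in Apache. Prints nothing when the directive is absent.
directive_value() {
    grep -iE "^[[:space:]]*$2[[:space:]]+" "$1" | tail -n 1 | awk '{print $2}'
}

# True if any Options line turns Indexes on ("Options Indexes ..." or
# "Options +Indexes"); "Options -Indexes" does not match.
indexes_enabled() {
    grep -iqE '^[[:space:]]*Options([[:space:]].*)?[[:space:]+]Indexes([[:space:]]|$)' "$1"
}

# True if the <Directory /> block denies everyone, in either the 2.2 form
# ("Deny from all") or the 2.4 form ("Require all denied").
root_denied() {
    awk 'tolower($0) ~ /^[ \t]*<directory \/>/ { inblk = 1; next }
         tolower($0) ~ /^[ \t]*<\/directory>/  { inblk = 0 }
         inblk && (tolower($0) ~ /deny from all/ || tolower($0) ~ /require all denied/) { found = 1 }
         END { exit found ? 0 : 1 }' "$1"
}

# Run every check against one file; prints a line per check and returns the
# number of findings, so 0 means tips 2 to 5 are all in place.
audit_apache_conf() {
    conf=$1; findings=0
    for pair in ServerSignature:off ServerTokens:prod TraceEnable:off; do
        name=${pair%%:*}; want=${pair#*:}
        have=$(directive_value "$conf" "$name")
        if [ "$(lc "$have")" = "$want" ]; then
            echo "OK:   $name $have"
        else
            echo "WARN: $name is '${have:-unset}' (want $want)"; findings=$((findings+1))
        fi
    done
    if indexes_enabled "$conf"; then
        echo "WARN: directory listings enabled (Options Indexes)"; findings=$((findings+1))
    else
        echo "OK:   no Options line enables Indexes"
    fi
    if root_denied "$conf"; then
        echo "OK:   <Directory /> denies all access"
    else
        echo "WARN: <Directory /> does not deny all access"; findings=$((findings+1))
    fi
    return $findings
}

# Constructed sample: a stock-looking config with none of the tips applied.
WEAK=$(mktemp)
cat > "$WEAK" <<'EOF'
ServerSignature On
ServerTokens Full
<Directory />
    Options FollowSymLinks
    AllowOverride None
</Directory>
<Directory /var/www>
    Options Indexes FollowSymLinks
</Directory>
EOF

# Constructed sample: the same config after applying tips 2 to 5.
HARD=$(mktemp)
cat > "$HARD" <<'EOF'
ServerSignature Off
ServerTokens Prod
TraceEnable Off
<Directory />
    AllowOverride None
    Order deny,allow
    Deny from all
</Directory>
<Directory /var/www>
    Options -Indexes
</Directory>
EOF
trap 'rm -f "$WEAK" "$HARD"' EXIT

echo "== unhardened sample =="; audit_apache_conf "$WEAK" || echo "-> $? setting(s) still to fix"
echo "== hardened sample ==";   audit_apache_conf "$HARD" || echo "-> $? setting(s) still to fix"
```

Point audit_apache_conf at the real file from tip 2 (/etc/apache2/apache2.conf or /etc/httpd/conf/httpd.conf) after editing it; a non-zero return value is the number of settings still to fix. It reads a single file, so directives that live in Included files (conf.d, sites-enabled) have to be checked there as well. Apache 2.4 no longer honours Order/Deny unless mod_access_compat is loaded, which is why the root check also accepts Require all denied.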

 

6. Disable Unnecessary Modules. More modules mean more ways for a hacker to exploit your system. Generate a list of modules that are enabled:

           ls /etc/apache2/mods-enabled (Debian/Ubuntu)

           grep LoadModule /etc/httpd/conf/httpd.conf (RHEL/CentOS/Fedora)

Disable the modules you don't need:

           a2dismod <module>, or unlink /etc/apache2/mods-enabled/<module>.load and its <module>.conf if present (Debian/Ubuntu)

           vim /etc/httpd/conf/httpd.conf and prefix the LoadModule line with a "#" (RHEL/CentOS/Fedora)

Then restart your server:

           /etc/init.d/apache2 restart (Debian/Ubuntu)

           service httpd restart (RHEL/CentOS/Fedora)

Some modules you might not need include autoindex, include, imap, info, suexec, and userdir.
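To see at a glance which of those optional modules are still loaded, the following script, added here as an example rather than taken from the article, reads either layout from tip 6: the LoadModule lines of an httpd.conf on RHEL/CentOS/Fedora, or the .load entries in mods-enabled on Debian/Ubuntu. The function names and the sample httpd.conf and mods-enabled directory it creates under mktemp are constructed.

```shell
#!/bin/sh
# Added example, not code from the original article: list the modules an
# Apache installation has enabled, on either layout from tip 6, and flag the
# ones the article names as candidates for removal. LoadModule lines and the
# mods-enabled directory are how Apache and Debian really record this; the
# function names and the sample config/directory built below are constructed.

# The modules tip 6 says you might not need.
OPTIONAL_MODULES="autoindex include imap info suexec userdir"

# RHEL/CentOS/Fedora layout: every uncommented
# "LoadModule foo_module modules/mod_foo.so" line in httpd.conf yields "foo".
modules_from_conf() {
    grep -E '^[[:space:]]*LoadModule[[:space:]]' "$1" | awk '{print $2}' | sed 's/_module$//'
}

# Debian/Ubuntu layout: every foo.load entry in mods-enabled yields "foo"
# (a matching foo.conf is configuration, not a module, and is skipped).
modules_from_dir() {
    for f in "$1"/*.load; do
        [ -e "$f" ] || continue
        b=${f##*/}
        echo "${b%.load}"
    done
}

# Filter module names on stdin down to those on the optional list.
flag_optional_modules() {
    while read -r m; do
        for o in $OPTIONAL_MODULES; do
            if [ "$m" = "$o" ]; then echo "$m"; fi
        done
    done
}

# Print a short report for one source of module names ($2 onwards is the
# command that lists them) and return how many optional modules are enabled.
report() {
    label=$1; shift
    all=$("$@")
    flagged=$(printf '%s\n' "$all" | flag_optional_modules)
    n=$(printf '%s\n' "$flagged" | grep -c . || true)
    echo "== $label: $(printf '%s\n' "$all" | grep -c . || true) module(s) enabled =="
    if [ -n "$flagged" ]; then printf 'consider disabling:\n%s\n' "$flagged"; fi
    return "$n"
}

# Constructed sample httpd.conf: five modules loaded, one commented out.
CONF=$(mktemp)
cat > "$CONF" <<'EOF'
LoadModule auth_basic_module modules/mod_auth_basic.so
LoadModule autoindex_module modules/mod_autoindex.so
LoadModule dir_module modules/mod_dir.so
#LoadModule info_module modules/mod_info.so
LoadModule userdir_module modules/mod_userdir.so
LoadModule rewrite_module modules/mod_rewrite.so
EOF

# Constructed sample mods-enabled directory with four .load entries.
MODS=$(mktemp -d)
for m in autoindex dir include status; do : > "$MODS/$m.load"; done
: > "$MODS/dir.conf"
trap 'rm -rf "$CONF" "$MODS"' EXIT

report "httpd.conf (RHEL-style)" modules_from_conf "$CONF" || echo "-> $? optional module(s) enabled"
report "mods-enabled (Debian-style)" modules_from_dir "$MODS" || echo "-> $? optional module(s) enabled"
```

On a real host call modules_from_conf /etc/httpd/conf/httpd.conf or modules_from_dir /etc/apache2/mods-enabled; whatever flag_optional_modules lists is a candidate for the a2dismod or comment-out step above, followed by the restart. The names on the list are candidates only: mod_include, for instance, is still needed if any site relies on server-side includes.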


7. Limit Outgoing Connections. An Apache server should have very few instances where it needs to initiate a connection. Use iptables to place Apache's outgoing connections in a specific chain, and only accept the connections on valid ports. For example, to reject all outgoing connections except email to a mail server on the local host (127.0.0.1) on ports 25 and 143, use the following iptables configuration:

            iptables --new-chain apache2_out
            iptables --append OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
            iptables --append OUTPUT -m owner --uid-owner <user> -j apache2_out
            iptables --append apache2_out -p tcp --syn -d 127.0.0.1 --dport 25 -j RETURN
            iptables --append apache2_out -p tcp --syn -d 127.0.0.1 --dport 143 -j RETURN
            iptables --append apache2_out -j REJECT

The second rule lets replies on connections that already exist through, the third sends every packet generated by the Apache user into the new chain, the two RETURN rules hand the permitted mail traffic back to OUTPUT, and the final REJECT refuses everything else.

Substitute www-data for <user> on Debian/Ubuntu or nobody for <user> on RHEL/CentOS/Fedora.

Then restart IPTABLES:

           /etc/init.d/iptables restart (Debian/Ubuntu)

           service iptables restart (RHEL/CentOS/Fedora)
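Once the chain is loaded, the thing worth verifying is that it is present and ends in the catch-all REJECT, because a chain that lacks it returns to OUTPUT and blocks nothing. The script below is an added example, not code from the article: it reads an iptables-save dump and checks for the chain, for the owner-match jump from OUTPUT and for the closing REJECT, and lists the ports the RETURN rules permit. The iptables-save format is real; check_apache_egress, permitted_ports and the two sample dumps it writes to temporary files (uid 33 is www-data on Debian/Ubuntu) are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not code from the original article: verify, from an
# iptables-save dump, that the egress rule set from tip 7 is loaded and
# complete. The dump format is iptables' own; check_apache_egress,
# permitted_ports and the two sample dumps below are constructed for this demo.
# On a live host (as root): iptables-save > /tmp/rules && check_apache_egress /tmp/rules

CHAIN=apache2_out

# Destination ports the chain lets through (its RETURN rules), space separated.
permitted_ports() {
    grep "^-A $CHAIN .*-j RETURN" "$1" \
        | sed -n 's/.*--dport \([0-9][0-9]*\).*/\1/p' | tr '\n' ' ' | sed 's/ *$//'
}

# Check one dump and return the number of problems found (0 = rule set intact):
#   1. the chain is declared in the filter table,
#   2. OUTPUT hands Apache-owned packets to it with "-m owner --uid-owner",
#   3. the chain's last rule is the catch-all REJECT; without it packets that
#      match no RETURN rule fall back to the OUTPUT policy, which is usually
#      ACCEPT, and the chain blocks nothing.
check_apache_egress() {
    dump=$1; problems=0
    if grep -q "^:$CHAIN " "$dump"; then
        echo "OK:   chain $CHAIN is defined"
    else
        echo "WARN: chain $CHAIN is not defined"; problems=$((problems+1))
    fi
    if grep -qE "^-A OUTPUT .*-m owner --uid-owner [^ ]+ -j $CHAIN( |$)" "$dump"; then
        echo "OK:   OUTPUT jumps to $CHAIN for the Apache uid"
    else
        echo "WARN: no owner-match jump from OUTPUT to $CHAIN"; problems=$((problems+1))
    fi
    last=$(grep "^-A $CHAIN " "$dump" | tail -n 1)
    case $last in
        *"-j REJECT"*) echo "OK:   $CHAIN ends with REJECT" ;;
        *) echo "WARN: $CHAIN does not end with REJECT (last rule: ${last:-none})"
           problems=$((problems+1)) ;;
    esac
    echo "INFO: permitted outbound TCP ports: $(permitted_ports "$dump")"
    return $problems
}

# Constructed sample: the rule set from tip 7 as iptables-save renders it
# (uid 33 is www-data on Debian/Ubuntu).
GOOD=$(mktemp)
cat > "$GOOD" <<'EOF'
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:apache2_out - [0:0]
-A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -m owner --uid-owner 33 -j apache2_out
-A apache2_out -d 127.0.0.1/32 -p tcp -m tcp --dport 25 --tcp-flags FIN,SYN,RST,ACK SYN -j RETURN
-A apache2_out -d 127.0.0.1/32 -p tcp -m tcp --dport 143 --tcp-flags FIN,SYN,RST,ACK SYN -j RETURN
-A apache2_out -j REJECT --reject-with icmp-port-unreachable
COMMIT
EOF

# Constructed sample: the same dump with the final REJECT left out, the
# typical result of a typo or an aborted script.
BAD=$(mktemp)
grep -v -- '-j REJECT' "$GOOD" > "$BAD"
trap 'rm -f "$GOOD" "$BAD"' EXIT

echo "== complete rule set ==";   check_apache_egress "$GOOD" || echo "-> $? problem(s)"
echo "== missing final REJECT =="; check_apache_egress "$BAD"  || echo "-> $? problem(s)"
```

Running the article's six iptables commands changes only the in-kernel rule set. On RHEL/CentOS/Fedora, service iptables save writes it to /etc/sysconfig/iptables so that the service iptables restart step above reloads the new rules rather than the previously saved set; on Debian/Ubuntu there is no iptables init script by default, and the iptables-persistent package (or an iptables-restore call at boot) provides the same persistence. Checking iptables-save output with this script after a reboot confirms the rules survived.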

 

 

Disclaimer: This article and other articles provided on this electronic medium are not intended to be advice of any kind; they are provided by IIT Inc. as a value to our readers in the form of information and discussion. We recommend verifying this information and performing your own analysis prior to using any information provided herein.


Author: Dinesh Gulati, Managing Director, IIT Inc.

About IIT: Since 1995, IIT has been a leading provider of technology services. Our core services include IT Consulting, Outsourcing and Staffing Services.


Copyright, IIT Inc. 1995 - 2024