Apache

How to Secure Apache Web Server On Linux/UNIX

Written by Santosh Prasad

Apache HTTP Server is the world’s most widely used web server for hosting your websites and web files. Every Linux administrator should know how to secure it.

This tutorial will help you secure your Apache web server by following the tips and tricks below.

1. Remove and Disable Unnecessary Apache Modules

Disable every module that is not in use; each loaded module is extra code that an attacker can target. You can list the modules compiled into the binary with the “httpd -l” command (“httpd -M” lists all loaded modules, including shared ones).

# httpd -l

Compiled in modules:
core.c
mod_authn_file.c
mod_authn_default.c
mod_authz_host.c
mod_authz_groupfile.c
mod_authz_user.c
mod_authz_default.c
mod_auth_basic.c
mod_log_config.c
mod_ssl.c
prefork.c
http_core.c
mod_mime.c
mod_dir.c
mod_so.c

You can then disable an unwanted module in the Apache configuration file by putting “#” at the beginning of its LoadModule line and restarting the Apache service.

# vim /etc/httpd/conf/httpd.conf
# LoadModule foo_module modules/mod_foo.so
LoadModule auth_basic_module modules/mod_auth_basic.so
LoadModule auth_digest_module modules/mod_auth_digest.so
LoadModule authn_file_module modules/mod_authn_file.so
LoadModule authn_alias_module modules/mod_authn_alias.so
LoadModule authn_anon_module modules/mod_authn_anon.so
LoadModule authn_dbm_module modules/mod_authn_dbm.so
LoadModule authn_default_module modules/mod_authn_default.so
LoadModule authz_host_module modules/mod_authz_host.so
LoadModule authz_user_module modules/mod_authz_user.so
LoadModule authz_owner_module modules/mod_authz_owner.so
LoadModule authz_groupfile_module modules/mod_authz_groupfile.so
LoadModule authz_dbm_module modules/mod_authz_dbm.so
LoadModule authz_default_module modules/mod_authz_default.so
LoadModule ldap_module modules/mod_ldap.so
LoadModule authnz_ldap_module modules/mod_authnz_ldap.so
LoadModule include_module modules/mod_include.so
LoadModule log_config_module modules/mod_log_config.so
LoadModule logio_module modules/mod_logio.so
LoadModule env_module modules/mod_env.so
LoadModule ext_filter_module modules/mod_ext_filter.so
....

If you are compiling Apache from source, you can disable modules when you run ./configure:

./configure \
--enable-ssl \
--enable-so \
--disable-userdir \
--disable-autoindex \
--disable-status \
--disable-env \
--disable-setenvif \
--disable-cgi \
--disable-actions \
--disable-negotiation \
--disable-alias \
--disable-include \
--disable-filter \
--disable-version \
--disable-asis

2. Run Apache with Separate User and Group

By default Apache runs as the nobody or daemon user after installation. For security reasons it is recommended to run Apache under its own non-privileged account. Follow the steps below to do this.

Create Apache User and Group

# groupadd http-web
# useradd -d /var/www/ -g http-web -s /bin/nologin apache

After creating the user, you need to tell Apache to run as it. Edit the /etc/httpd/conf/httpd.conf file and restart the Apache service.

# vim httpd.conf
User apache
Group http-web

After updating the Apache configuration file, restart Apache. You can verify the change using the command below.

# ps -ef | grep -i http | awk '{print $1}'
root
apache
apache
apache
apache
apache

3. Deny All Access to the Root Directory Using Allow and Deny

You can deny access to the root directory using the “Allow” and “Deny” directives in httpd.conf. The following block denies everyone access to the “/” directory.

<Directory />
Options None
Order deny,allow
Deny from all
</Directory>

Here:

Options None :- Enables no optional extra features for this directory.

Order deny,allow :- The order in which the “Deny” and “Allow” directives are processed: “Deny” first, then “Allow”.

Deny from all :- Nobody can access the root directory once this is defined.

4. Disable Directory Listing/Browsing

By default Apache lists the contents of the document root directory if no index file exists there. You can disable directory listing with the “Options” directive for a specific directory. Put the entry below in the httpd.conf file.

<Directory /var/www/web>
Options -Indexes
</Directory>

5. Disallow .htaccess

Using a .htaccess file inside a directory under the document root, users can change and override the default Apache directives. You should disable this default feature with the “AllowOverride None” option.

<Directory />
Options None
AllowOverride None
Order allow,deny
Allow from all
</Directory>

6. Hide Apache Version and OS Identity

By default, whether installed from source or with yum, Apache shows its version and the operating system name in error pages. This information helps attackers fingerprint your web server, so Apache should not display it to the world. You will need to turn off “ServerSignature”.

# vim /etc/httpd/conf/httpd.conf

ServerSignature Off

Save and exit and restart Apache service.

# service httpd restart

If you are using Apache on a Debian/Ubuntu based system, do the following (ServerSignature and ServerTokens are both valid on either distribution, and setting both gives the fullest coverage):

# vim /etc/apache2/apache2.conf (Debian/Ubuntu)

ServerTokens Prod

Save and exit and restart apache2 service.

# service apache2 restart

7. Keep Apache Updated

The Apache developer community releases new versions from time to time to fix security issues, so it is always recommended to run the latest Apache version on your web server. You can check the Apache version using the command below.

# httpd -v
Server version: Apache/2.2.15 (Unix)
Server built: Feb 25 2017 18:29:28

You can update Apache using the commands below.

# yum update httpd          [For CentOS/RedHat/Fedora]
# apt-get install apache2   [For Ubuntu/Debian]

8. IP Based Restriction for Websites

You can set IP based restrictions for your websites if you want them to be viewable only from a specific IP address or network.

For a whole network

<Directory /site>
Options None
AllowOverride None
Order deny,allow
Deny from all
Allow from 192.168.0.0/24
</Directory>

For a single IP address only

<Directory /site>
Options None
AllowOverride None
Order deny,allow
Deny from all
Allow from 192.168.0.6
</Directory>
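The Order/Deny/Allow syntax used in sections 3 and 8 is Apache 2.2; in Apache 2.4 those directives only work through mod_access_compat, and the native form is the Require directive from mod_authz_core. The block below is an added example, not from the article, showing the 2.4 equivalents of the rules above; the /site path is the article's own placeholder, and the two /site blocks are alternatives, not meant to be used together.

```apache
# Apache 2.4 equivalents of the 2.2 access rules above (added example).

# Section 3: lock down the filesystem root.
<Directory />
    Options None
    AllowOverride None
    Require all denied
</Directory>

# Then grant only the document root, so the site itself is still served
# (the -Indexes and -FollowSymLinks settings come from sections 4 and 10).
<Directory /var/www/web>
    Options -Indexes -FollowSymLinks
    AllowOverride None
    Require all granted
</Directory>

# Section 8, whole network only:
<Directory /site>
    Options None
    AllowOverride None
    Require ip 192.168.0.0/24
</Directory>

# Section 8, single address only (alternative to the block above):
<Directory /site>
    Options None
    AllowOverride None
    Require ip 192.168.0.6
</Directory>
```

Run “apachectl configtest” after editing; on 2.4 without mod_access_compat loaded, leftover Order/Deny/Allow lines fail the syntax check rather than silently doing nothing.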

9. Configure Apache with mod_security and mod_evasive Modules to Secure Apache

You can use two modules, “mod_security” and “mod_evasive”, to secure your Apache web server. mod_security works as a web application firewall for Apache and lets you monitor traffic in real time. It also helps protect websites from brute force attacks. Simply install mod_security on your server to enable it.

For RHEL/CentOS/Fedora

# yum install mod_security
# /etc/init.d/httpd restart

For Debian/Ubuntu

$ sudo apt-get install libapache2-modsecurity
$ sudo a2enmod security2
$ sudo /etc/init.d/apache2 force-reload

The mod_evasive module protects your web server from DDoS attacks and also helps protect against HTTP brute force attacks. To learn more about mod_evasive, see my previous article.

10. Disable Apache’s following of Symbolic Links

By default Apache follows symbolic links after installation. You can turn this feature off with the “FollowSymLinks” keyword of the Options directive. Update the main Apache config file as follows.

Options -FollowSymLinks

If a user or website requires it, you can re-enable it by simply writing a rule in the “.htaccess” file.

# Enable symbolic links
Options +FollowSymLinks

To let rules in “.htaccess” take effect, “AllowOverride” must be “All” in the main Apache configuration file. Note that this relaxes the “AllowOverride None” setting from section 5, so apply it only to the directory that needs it rather than to “/”.

<Directory />
Options None
AllowOverride All
Order allow,deny
Allow from all
</Directory>

I hope this tutorial will help you secure your Apache web server. If you have any queries or problems, please leave a comment in the comment section.

Thanks:)

About the author


Santosh Prasad

Hi! I'm Santosh and I'm here to post some cool articles for you. If you have any queries or suggestions, please comment in the comment section.
