Basic Hardening and Best Practices in Web Server Security with Apache
Apache is a Web server that is widely used in the Web development industry because of its community, performance and easy configuration, but its default configuration still leaves some gaps that can compromise the operation and security of your application. Below are some security tips you can use to give your server a bit more protection and avoid code theft, directory listing, and so on.
Removing the version information from the Web server
Edit the Apache configuration file:
vim /etc/apache2/apache2.conf (Debian)
vim /etc/httpd/conf/httpd.conf (CentOS / RHEL)
Look for the “ServerSignature” and “ServerTokens” lines and change their values to “Off”.
Disabling directory listing
You can view the Web server's file listing if Apache is not properly configured. This flaw can lead to access to database configuration files, theft of code, and disclosure of vital server information. To close this hole we will again open the Apache configuration file (apache2.conf or httpd.conf) and search for:
<Directory /var/www/html>
Edit httpd.conf or apache2.conf and at the end of the file add the line:
Then reload the Apache settings:
service httpd restart (CentOS / RHEL)
service apache2 restart (Debian)
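As an added example (not part of the original article), a small POSIX shell audit that checks an Apache configuration file for the settings covered in the two sections above: ServerTokens, ServerSignature and directory listing. Apache's ServerTokens directive accepts Prod as its most restrictive value rather than Off, so the check looks for Prod; the sample configuration files are constructed here, not taken from a real server.

```shell
#!/bin/sh
# Added example, not from the original article: audit an Apache config for the
# two points above: version disclosure (ServerTokens/ServerSignature) and
# directory listing (Options Indexes). Apache directives are case-insensitive,
# hence the -i flags. Prints one FINDING line per problem.

audit_apache_conf() {
    # Drop comment lines so a commented-out "#ServerTokens Prod" is not counted.
    live=$(grep -v '^[[:space:]]*#' "$1")

    # Only "ServerTokens Prod" reduces the Server header to "Apache". Valid values
    # are Full, OS, Minimal, Minor, Major, Prod; "Off" is rejected by httpd.
    printf '%s\n' "$live" | grep -Eiq '^[[:space:]]*ServerTokens[[:space:]]+Prod(uctOnly)?[[:space:]]*$' ||
        echo "FINDING: ServerTokens is not Prod (version disclosed in Server header)"

    # ServerSignature Off keeps the version out of error pages and listings.
    printf '%s\n' "$live" | grep -Eiq '^[[:space:]]*ServerSignature[[:space:]]+Off[[:space:]]*$' ||
        echo "FINDING: ServerSignature is not Off (version disclosed in error pages)"

    # "Indexes", "+Indexes" or "All" on an Options line enables listing; "-Indexes" does not.
    printf '%s\n' "$live" | grep -Ei '^[[:space:]]*Options[[:space:]]' |
    while read -r _directive opts; do
        for tok in $opts; do
            case "$(printf '%s' "$tok" | tr 'A-Z' 'a-z')" in
                indexes|+indexes|all) echo "FINDING: directory listing enabled by 'Options $opts'"; break ;;
            esac
        done
    done
}

# Number of findings, for scripting (0 means the file passed).
count_findings() { audit_apache_conf "$1" | grep -c '^FINDING' || true; }

# Constructed sample configs: typical defaults before and after hardening (not real files).
make_weak_conf() { f=$(mktemp); printf '%s\n' '#ServerTokens Prod' 'ServerTokens OS' \
    'ServerSignature On' '<Directory /var/www/html>' '    Options Indexes FollowSymLinks' \
    '    Require all granted' '</Directory>' >"$f"; echo "$f"; }
make_hardened_conf() { f=$(mktemp); printf '%s\n' 'ServerTokens Prod' 'ServerSignature Off' \
    '<Directory /var/www/html>' '    Options -Indexes +FollowSymLinks' \
    '    Require all granted' '</Directory>' >"$f"; echo "$f"; }

sample=$(make_weak_conf); audit_apache_conf "$sample"; rm -f "$sample"   # three FINDING lines
```

Run it against your own file with `audit_apache_conf /etc/apache2/apache2.conf`; the hardened sample prints nothing.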
Disabling Unnecessary Modules
As good information security guides say, a server should run as little as possible, which reduces the exposure to attacks and exploits against vulnerabilities in services you did not even know were there.
You can get a list of the modules available on the system in the /etc/apache2/mods-available directory:
ls -l /etc/apache2/mods-available
Now look at the /etc/apache2/mods-enabled directory. It holds symbolic links to the modules in the mods-available folder. Check which ones your application actually uses and remove the rest:
rm LinkDoModulo
Managing server logs
It is routine for every system administrator to monitor service logs in order to anticipate errors, fix failures, track access, watch performance, and so on.
The Apache access logs are saved in /var/log/httpd/access_log
The Web server error logs are written to /var/log/httpd/error_log
Example: # tail -f /var/log/httpd/error_log
Creating the apache user and group
useradd -d /var/www/ -g apache -s /bin/nologin apache
Now edit httpd.conf or apache2.conf and look for the User and Group directives, which define the account Apache runs as.
Using ModSecurity
ModSecurity works as a web application firewall for your web server and can help protect your site against DoS and DDoS attacks. It is not a complete solution, but it is a great help.
Debian / Ubuntu:
sudo apt-get install libapache2-modsecurity
sudo a2enmod security2 (the module is named security2, not mod-security)
sudo /etc/init.d/apache2 force-reload
CentOS / RHEL:
yum install mod_security
systemctl enable httpd (the package ships its own LoadModule configuration under /etc/httpd/conf.d/, so the module is active once httpd restarts)
service httpd restart