Hardening and Best Practices in Apache Web Server


Basic Hardening and Best Practices in Web Server Security with Apache

Apache is a web server that is widely used in the web development industry because of its community, performance and easy configuration, but its default configuration still leaves gaps that can compromise the operation and security of your application. Below are some hardening tips that give the server a bit more protection against version disclosure, directory listing, exposure of source code and configuration files, and so on.


Removing the version and information from the Web Server

By default Apache announces its version (and, with ServerTokens Full, the operating system and loaded modules) in the Server response header and in the footer of its error pages. Edit the Apache configuration file:

vim /etc/apache2/apache2.conf (Debian/Ubuntu)

vim /etc/httpd/conf/httpd.conf (CentOS/RHEL)

Look for the “ServerSignature” and “ServerTokens” lines (add them if they are missing) and set them as follows:

ServerSignature Off
ServerTokens Prod

ServerSignature Off removes the version footer from error pages and directory listings. ServerTokens has no “Off” value; Prod is the most restrictive setting and reduces the header to just “Server: Apache”, so the product name itself is still announced. On Debian/Ubuntu both directives are also set in /etc/apache2/conf-enabled/security.conf, which is read after apache2.conf, and the last value read wins, so change them there as well. Verify with curl -I against the server and check the Server header and an error page.

Disabling directory listing

If Apache is not configured properly, a request for a directory that has no index file (index.html, index.php and so on) returns a listing of the directory's contents, generated by mod_autoindex. This flaw can expose database configuration files, backups, source code and other vital server information. To close it, open apache2.conf or httpd.conf again, find the <Directory> block for your document root and remove the Indexes option:

<Directory /var/www/html>
Options -Indexes
</Directory>

The leading minus removes Indexes while keeping whatever other options (for example FollowSymLinks) are already set. A bare “Options Indexes” in a more specific <Directory> block or in an .htaccess file (where AllowOverride permits it) would turn listings back on for that path, so check those too. After the change, a request for a directory without an index file should return 403 Forbidden instead of a listing.


Disable Trace

The HTTP TRACE method echoes the request back to the client, headers included, which can be abused to read cookies and authentication headers (Cross-Site Tracing). Edit httpd.conf or apache2.conf and at the end of the file add the line:

TraceEnable Off

Then check the syntax and restart Apache so the new settings take effect:

apachectl configtest

service httpd restart (CentOS/RHEL)

service apache2 restart (Debian/Ubuntu)

Once restarted, a TRACE request should be answered with 405 Method Not Allowed.
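As an added example (not part of the original post), the POSIX shell script below audits a configuration file for the three settings covered in the sections above: ServerTokens/ServerSignature, Options -Indexes and TraceEnable. The file path is an argument; the script reads one file only and does not follow Include directives, so on Debian/Ubuntu run it against conf-enabled/security.conf as well as apache2.conf. The weak and hardened sample configurations inside it are constructed for the demo, not taken from any real system.

```shell
#!/bin/sh
# Added example, not from the original post: audit a single Apache config file
# for ServerTokens, ServerSignature, TraceEnable and Options Indexes.
# Reads one file; Include directives are not followed. Sample configs below
# are constructed for the demo.

lower() { printf '%s' "$1" | tr '[:upper:]' '[:lower:]'; }

# usage: directive_value <file> <directive>
# prints the value of the last occurrence in the file (Apache lets the last
# one in a scope win); directive names are matched case-insensitively
directive_value() {
    grep -iE "^[[:space:]]*$2[[:space:]]+[^[:space:]]" "$1" 2>/dev/null \
        | sed -E 's/^[[:space:]]*[^[:space:]]+[[:space:]]+//; s/[[:space:]]+$//' \
        | tail -n 1
}

# usage: audit_apache_conf <file>
# prints one line per finding; the return value is the number of findings
audit_apache_conf() {
    conf=$1
    findings=0

    # Default is Full, e.g. "Apache/2.4.x (Debian) OpenSSL/... PHP/..."
    v=$(lower "$(directive_value "$conf" ServerTokens)")
    case "$v" in
        prod|productonly) ;;
        *) echo "ServerTokens is '${v:-unset, default Full}'; set ServerTokens Prod"
           findings=$((findings + 1)) ;;
    esac

    # Default is Off; On or EMail adds a version footer to error pages.
    v=$(lower "$(directive_value "$conf" ServerSignature)")
    case "$v" in
        off|"") ;;
        *) echo "ServerSignature is '$v'; set ServerSignature Off"
           findings=$((findings + 1)) ;;
    esac

    # Default is On; TRACE should be refused.
    v=$(lower "$(directive_value "$conf" TraceEnable)")
    case "$v" in
        off) ;;
        *) echo "TraceEnable is '${v:-unset, default On}'; set TraceEnable Off"
           findings=$((findings + 1)) ;;
    esac

    # Any Options line that adds Indexes (or All, which includes it) without
    # a leading '-' turns directory listings on for that scope.
    if grep -iE '^[[:space:]]*Options([[:space:]]+[-+]?[[:alpha:]]+)*[[:space:]]+[+]?(Indexes|All)([[:space:]]|$)' \
            "$conf" >/dev/null 2>&1; then
        echo "an Options line enables Indexes; use Options -Indexes"
        findings=$((findings + 1))
    fi

    return $findings
}

# Constructed sample configs: the weak settings beside the hardened version.
WEAK_CONF=$(mktemp); HARDENED_CONF=$(mktemp)
trap 'rm -f "$WEAK_CONF" "$HARDENED_CONF"' EXIT
cat > "$WEAK_CONF" <<'EOF'
ServerTokens OS
ServerSignature On
<Directory /var/www/html>
    Options Indexes FollowSymLinks
</Directory>
EOF
cat > "$HARDENED_CONF" <<'EOF'
ServerTokens Prod
ServerSignature Off
TraceEnable Off
<Directory /var/www/html>
    Options -Indexes +FollowSymLinks
</Directory>
EOF

echo "== weak =="; audit_apache_conf "$WEAK_CONF" || echo "$? finding(s)"
echo "== hardened =="; audit_apache_conf "$HARDENED_CONF" && echo "0 findings"
```

Run it as sh audit.sh after saving the block to a file; the weak sample reports four findings (TraceEnable counts as a finding when it is unset, because the default is On) and the hardened sample reports none. The return value is the finding count, which makes it easy to use from a deployment check.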


Disabling Unnecessary Modules

As good information security guides say, a server should run as little as possible: every module that is loaded but not needed adds attack surface, including vulnerabilities in components you did not even know were running there.

On Debian/Ubuntu you can list the modules available on the system in the /etc/apache2/mods-available directory:

ls -l /etc/apache2/mods-available

Now look at /etc/apache2/mods-enabled. It contains symbolic links to the .load and .conf files in mods-available, and only linked modules are loaded. Go through them, keep the ones your application actually needs, and remove the rest by deleting the links (a2dismod <module> does the same thing):

rm /etc/apache2/mods-enabled/<module>.load /etc/apache2/mods-enabled/<module>.conf

On CentOS/RHEL the equivalent is commenting out the LoadModule line in /etc/httpd/conf.modules.d/*.conf. In either case, apachectl -M shows what is actually loaded, and run apachectl configtest before restarting: removing a module that other directives depend on (rewrite, ssl, php) will stop Apache from starting.

Managing server logs

It is routine for every system administrator to monitor the service logs in order to anticipate errors, fix failures, watch who is accessing what, track performance, and so on. The logs are also where you confirm that the changes above work: after them, TRACE requests should appear with status 405 and requests for directories without an index file with status 403.
The Apache access log is written to /var/log/httpd/access_log (CentOS/RHEL) or /var/log/apache2/access.log (Debian/Ubuntu).
The error log is written to /var/log/httpd/error_log (CentOS/RHEL) or /var/log/apache2/error.log (Debian/Ubuntu).

Example: # tail -f /var/log/httpd/error_log
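As an added example (not part of the original post), the shell script below picks out of an access log the kind of traffic the hardening above is meant to refuse: TRACE requests, probes for configuration and secret files, and clients producing many 404s, which is what a scanner looking for exposed files leaves behind. The log lines in it are constructed for the demo and use RFC 5737 documentation addresses; the field positions assume Apache's default "combined" LogFormat, so the status column moves if you use a custom format.

```shell
#!/bin/sh
# Added example, not from the original post: flag suspicious requests in an
# Apache "combined" format access log. Sample log lines are constructed.

# usage: suspicious_requests <access log>
# prints "<ip> <reason> <path>" for each request worth a second look
suspicious_requests() {
    awk '
    {
        ip = $1
        method = $6; sub(/^"/, "", method)   # strip the opening quote of "GET
        path = $7
        if (method == "TRACE")
            print ip, "trace-request", path
        else if (path ~ /(\.env|wp-config\.php|\.htpasswd|\.git\/|config\.php)/)
            print ip, "secret-probe", path
    }' "$1"
}

# usage: scan_sources <access log> <minimum 404 count>
# prints "<ip> <count>" for every client that collected at least <minimum> 404s
scan_sources() {
    awk -v min="$2" '
    $9 == 404 { hits[$1]++ }
    END { for (ip in hits) if (hits[ip] >= min) print ip, hits[ip] }
    ' "$1" | sort
}

# Constructed sample log written to a temp file (removed when the script exits).
SAMPLE_LOG=$(mktemp)
trap 'rm -f "$SAMPLE_LOG"' EXIT
cat > "$SAMPLE_LOG" <<'EOF'
203.0.113.10 - - [10/Oct/2023:13:55:36 +0000] "GET /index.html HTTP/1.1" 200 2326 "-" "Mozilla/5.0"
203.0.113.10 - - [10/Oct/2023:13:55:37 +0000] "GET /images/ HTTP/1.1" 403 199 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Oct/2023:13:56:01 +0000] "TRACE / HTTP/1.1" 405 0 "-" "curl/7.88.1"
198.51.100.7 - - [10/Oct/2023:13:56:02 +0000] "GET /.env HTTP/1.1" 404 196 "-" "curl/7.88.1"
198.51.100.7 - - [10/Oct/2023:13:56:03 +0000] "GET /wp-config.php.bak HTTP/1.1" 404 196 "-" "curl/7.88.1"
198.51.100.7 - - [10/Oct/2023:13:56:04 +0000] "GET /.git/config HTTP/1.1" 404 196 "-" "curl/7.88.1"
EOF

echo "== suspicious requests =="
suspicious_requests "$SAMPLE_LOG"
echo "== clients with 3 or more 404s =="
scan_sources "$SAMPLE_LOG" 3
```

On a real server point both functions at /var/log/httpd/access_log or /var/log/apache2/access.log. The 405 on the TRACE line and the 403 on the directory request are what a correctly hardened server logs; a 200 on either would mean the earlier changes did not take effect.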

Creating the apache user and group

Apache binds its ports as root and then drops to an unprivileged account for the worker processes, so that account must exist and must have no login shell. The CentOS/RHEL httpd package already creates an "apache" user and Debian/Ubuntu uses "www-data", so check with getent passwd before creating one. If you do need to create it:

groupadd apache

useradd -r -d /var/www/ -g apache -s /sbin/nologin apache

(On Debian/Ubuntu the nologin shell is /usr/sbin/nologin.) Now edit httpd.conf or apache2.conf and look for the user and group that Apache will switch to after start-up:

nano /etc/httpd/conf/httpd.conf

User apache
Group apache

On Debian/Ubuntu these two directives read ${APACHE_RUN_USER} and ${APACHE_RUN_GROUP} from /etc/apache2/envvars, so change them there. Keep the account as unprivileged as possible: files under the document root should be owned by root or a deploy user and only readable by the apache group, with write access limited to the directories the application genuinely needs (uploads, cache, sessions). If the web server account can write the code it serves, any application bug becomes a way to modify that code.

Using Mod Security

ModSecurity is a web application firewall module for Apache: it inspects each request (and optionally the response) against a rule set and can log or block what matches. With a rule set such as the OWASP Core Rule Set it covers common application-layer attacks (SQL injection, XSS, path traversal, scanner probes); it offers only limited protection against DoS and none against volumetric DDoS, which has to be handled upstream of the server. It is not a complete solution, but it is a great facilitator.

Debian/Ubuntu:

sudo apt-get install libapache2-mod-security2

sudo a2enmod security2

sudo /etc/init.d/apache2 force-reload

CentOS/RHEL:

yum install mod_security

systemctl restart httpd

After installing, note that the shipped configuration (on Debian, /etc/modsecurity/modsecurity.conf-recommended, which you copy to modsecurity.conf) sets SecRuleEngine DetectionOnly, so the module only logs until you change that to SecRuleEngine On. Run in DetectionOnly first, review the audit log for false positives caused by your own application, and only then switch it to On.
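As an added example (not from the original post), here is a minimal set of ModSecurity 2.x directives that turns enforcement on and adds two local rules matching the earlier sections: one refusing HTTP methods the application does not use, and one refusing probes for dotfiles and backup copies of configuration files. The audit log path assumes Debian's /var/log/apache2; the rule ids are arbitrary values from the 1-99999 range that ModSecurity reserves for local rules, and the allowed-method list is an assumption to adapt to your application.

```apacheconf
# Added example, not from the post: local ModSecurity 2.x settings, intended for
# /etc/modsecurity/modsecurity.conf on Debian (adjust paths on CentOS/RHEL).

# Enforce rules instead of only logging them (the shipped default is DetectionOnly).
SecRuleEngine On

# Inspect request bodies (POST data), not only the URI and headers.
SecRequestBodyAccess On

# Log only transactions that triggered a rule.
SecAuditEngine RelevantOnly
SecAuditLog /var/log/apache2/modsec_audit.log

# Refuse any method other than the ones the application needs (assumed list);
# TRACE is already refused by TraceEnable Off, this catches the rest.
SecRule REQUEST_METHOD "!@rx ^(?:GET|HEAD|POST)$" \
    "id:1001,phase:1,deny,status:405,log,msg:'Unexpected HTTP method'"

# Refuse probes for dotfiles and backup copies of configuration files, the same
# paths a directory listing or a sloppy deployment would expose.
SecRule REQUEST_URI "@rx (?:/\.(?:env|git|htpasswd|htaccess)|wp-config\.php\.bak|\.sql$)" \
    "id:1002,phase:1,deny,status:404,log,msg:'Probe for configuration or secret file'"
```

Both rules run in phase 1 (request headers), so the request is rejected before any body is read or any application code runs. Test new rules with SecRuleEngine DetectionOnly first and watch the audit log for matches on legitimate traffic before enforcing them.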
