Apache is among the most popular and widely-used web servers available, and also the most secure web server. Currently, Apache is still the leading software for web server all over the world holding a market share of more than 45%. This meaning that web servers of a whopping 80 million websites are Apache-powered. This is very indeed very impressive!
Being an open source software for a web server, Apache is well trusted due to its longevity and reliability, has been available for use by web servers since 1995. Many high-profile websites that also run on Apache servers include Apple, PayPal, and Adobe just to mention a few of the big brands that put their trust on Apache to run the websites.
Despitre my best efforts following this guide does not give a 100% guarantee of Apache being secure, as there no software that can ever be 100% secure from hackers and other security issues could arrise within web applications, out-of-date vulnerable software or server-side misconfiguratuions. However, if you’re looking for an Apache security hardening guide / checklist for web server security, this is an ideal starter guide for this information and I’ll share with you my Apache security hardening tips that I’ve picked up over the years, that will assist in securing your Apache server and help you improve your overall security posture of your web server. However, all work should be audited for confirmation, using automated tools and the organisation should have an understanding of what penetration testing is and how often it should be performed.
If you need to harden the security configuration of your Apache server, the documented guide below will provide best practices to harden Apache and help harden the configuration of your web server.
Updating Your Apache
You definitely know that sites like WordPress and any themes and plugins you have installed require to be updated frequently. Similarly, your web server needs regular updates to maintain efficiency.
If you realize that your website is not running on the most updated version of Apache, endeavor to check it using a command line of httpd -v. In case the version you see after checking does not match with the current version from Apache, just do an update using the following on the command prompt:
# yum update httpd # apt-get install httpd Ubuntu/Debian users - apache
Turn on the Logs
In case you are working with a hosting provider which is managed by WordPress, they will take care of monitoring your server and WordPress for several threat warning signs and vulnerabilities. In the same way, you ought to keep an eye on the traffic of your server as well.
With Apache, It is very easy to gain access into this activity log through updating your “mod_log_config” module. It will basically tell you what the users are doing when they happen to touch your server.
Use a SSL Certificate
Due to the fact that your web server does handle all requests of server/browser to your website, it is very important to provide it with a secure SSL certificate. The good thing about this SSL certificate is that it can be acquired for free using letsencrypt, they have documentation for multiple different Linux distributions.
Configure a WAF (Mod_Security)
After getting the additional protection of the SSL’s encryption, the web server also needs to be fortified with a solid firewall. In the case of Apache, this means you need to turn on the ModSecurity. In order for you to make this installation your server, then execute the following on command prompt:
# yum install mod_security # /etc/init.d/httpd restart
When the firewall becomes live, a number of various malicious activities will be prevented from reaching to your server such as the session hijacking, SQL injection, and cross-site scripting among others.
Install the mod_evasive
Mod_evasive is a module that is usually used to protect an Apache server from the attacks of DDoS and brute force. You should, therefore, ensure this is well enabled. It usually blacklists failed and concurrent and login attempts, and also assist in monitoring for malicious IPs.
Setting the HTTP Limits Also Boosts Apache Security
Attacks of DDoS (known as ‘Distributed denial of service’) are very easily blocked if you have the knowledge of the sort of actions to look out for. DDoS always tend to happen by hitting repeatedly on your server with very large requests. Your ultimate goal should, therefore, be geared towards setting limits which will prevent this from occurring.
The following include some limits you need to establish:
Unused Modules Need to be Deleted
By leaving unmaintained, expired, or even unused modules on the Apache server, you will actually be exposing your website to hackers and thugs by using a point of entry which does not even have to be there.
First and foremost, you ought to find out the modules on your server that are actually active. This is done by using the “LoadModule” command. Once you have done a thorough check through the list and identified the unwanted modules, then you can simply input the symbol “#” before each of module that you need to deactivate and restart the server once you are done.
Make Changes to the Default Group and User
In general, one of the worst security practices are the default users and settings left on any software. It is easy to understand the reason for this: In case you are using an Apache default group or username, be rest assured that hackers are very aware of those default names and they will most likely use what they know to their advantage.
Rather than leaving the defaults on the server in place, always ensure to create a new and non-privileged account for running your Apache processes. By using “# groupadd” and “# useradd” commands, it is easy for you to set the new entities. Always remember to always update your “httpd.conf” by use of the new group and usernames that you have created.
Ensure to Block Directory Access
Provided below is another sample of default settings that ought to be changed. This now pertains to the access which is granted to the directory’s files. This allows anyone on the server to do any explorations wherever they would like.
In order to ensure a block in place totally, you can use the commands as follows:
Require all denied
If you need to enable certain users to access, then use the following procedure:
Require all granted
In case you want to activate access to particular folders in the directory, input the following on the command prompt:
Require all granted
For further tweaks of access rights, you need to read through the Apache module repository.
Do Not Allow Directory Indexing
In case your server happens not to have an index file, users will be in a position to access all the content stored in the root directory of your server. This can obviously cause issue if other files existing within the directory. You, therefore, need to disable this setting by using the following commands:
All Server Details Need To be Hidden
Details of the Apache version used are always readily available in case these settings are still not disabled on the server-side because Apache happens to be an open source software. Hackers are likely to use this sensitive information in figuring out how to get into your server. For this reason, you need to block all this information out.
There are usually two crucial things that need to be disabled. They include:
- The ServerSignature, which refers to the Apache version.
- The ServerTokens, which include the version of Operating System, among other crucial server details.
This kind of information can be accessed by other users so easily just by observing an error page on your site. It is therefore very important to block these pages from being shown. For you to do this, you need to update the “httpd.conf” using the following on a command prompt:
ServerSignature Off ServerTokens Prod
Hiding the ETag Is Very Important
In Apache, the ETag header, unfortunately, involves quite a significant number of very sensitive details pertaining to your server. It is very obvious that anything that dares to share that kind of information externally needs to be hidden. In addition to this, in case you are operating an e-commerce site, all these information needs to be hidden in order to be PCI-compliant.
To achieve this, add the directive
to the command
Disable the Override of “.htaccess”
The “.htaccess” is a very significant file for all WordPress websites. For this particular reason, you should lock it and also ensure that nobody is capable of overriding the configuration settings on your server.
In order to disable this, you should add the following commands at the root of your “httpd.conf”:
Options -Indexes AllowOverride None
Disable CGI and SSI
Enabled files of ‘Server Side Includes’ (SSI) are capable of opening your website up to a certain number of security issues if left unchecked. The same case happens for the CGI scripts. So as to prevent any these scenarios from empowering hackers in injecting malicious scripts in your code or even overloading your server, always remember to restrict anything they are likely to do via the Options directive, or even completely turn them off.
The following include some Options values that you can use:
- “Options All”
- “Options IncludesNOEXEC”
- “Options -Includes”
- “Options -ExecCGI”
- “Options -Includes -ExecCGI”
- “Options MultiViews”
Hide the version of your Apache Server (Server Header)
To do this, you need to access your web server from Firefox. You can activate the Firebug by clicking the icon “Firebug” on the right side at the top. If you would check the Firebug “HTTP response headers”, it can show you the Apache version in addition to the name of your operating system and version. In order to hide this information from the browsers, you will need to make a few changes in the main configuration file of Apache.
You can always do this by doing some edits to the “httpd.conf file”, which is done in the following way:
“sudo nano /etc/httpd/conf/httpd.conf”
The following command line can be added at the end of the file:
ServerSignature Off ServerTokens Prod
After making the changes, save the file and do a restart of the Apache service for these changes to reflect. This is how you restart:
sudo apachectl restart
You can now open Firefox to access your server. Then check the “Firebug HTTP response headers” once again. You will notice that the setting “ServerSignature” to off has hidden the version information from the Server.
Ensure to Secure Your Apache from XSS attacks
Being a common vulnerability of application-layer in Apache server, Cross-site scripting (XSS) usually enables hackers to input client-side scripts into websites accessed by other users. Enabling of the XSS protection is always recommended.
You can easily do this by editing of the “httpd.conf” file as follows:
sudo nano /etc/httpd/conf/httpd.conf
Now include the line:
Header set X-XSS-Protection "1; mode=block"
Now save the changed file and restart the Apache server to make the changes reflect. To restart, use the command “sudo apachectl restart”
After it restarts, go to Firefox and access your website. Check the “Firebug HTTP response headers”. You will notice that “XSS Protection” is enabled and the mode is now blocked.
You can easily protect an Apache server from a majority of common Cross Site Scripting attacks by using the “HttpOnly” and “Secure flags” for cookies.
This can be done by editing the “httpd.conf” file in the following way:
sudo nano /etc/httpd/conf/httpd.conf
You can also make an addition to the following lines:
Header edit Set-Cookie ^(.*)$ $1;HttpOnly;Secure
Now save the changed file and restart the Apache server to make the changes reflect. To restart, use the command
sudo apachectl restart
Harden, Audit and Monitor your Apache Server
You need to pay very special attention to your Apache server for you to harden the security of your website. Issues such as server misconfigurations and leaving of default settings open and in place are likely to expose your website to risk, in the same way as unsafe “PHP coding practices” or even an unpatched system.