Apache Web Server Security Tips

Apache, Nginx etc... realted help

Apache Web Server Security Tips

Postby techguru » Tue Nov 24, 2015 10:44 am

Apache is one of the most widely spread Open Source web server for web hosting in Internet due to its stability, robustness and rich variety of modules and features. Due to its popularity, Apache comes with pre-build binary packages for almost all major Linux distributions and can also be installed on other Operating Systems such as Unix, Windows, Mac OSX, BSD etc. However, a basic installation of Apache on Linux systems, by default, doesn’t offer a full protection against attackers, so a few security measures must be taken in order to protect your machines, web servers and web documents against such types of malicious attacks.

This article will provide you a few tips on how you can secure and protect Apache Web Server installed on Debian-based Linux distributions.

1. Disable Trace HTTP Request
The default TraceEnable on permits TRACE, which disallows any request body to accompany the request. TraceEnable off causes the core server and mod_proxy to return a 405 (Method not allowed) error to the client.

TraceEnable on allows for Cross Site Tracing Issue and potentially giving the option to a hacker to steal your cookie information.

Solution: –
Address this security issue by disabling the TRACE HTTP menthod in Apache Configuration. You can do by Modifying/Adding below directive in your httpd.conf of your Apache Web Server.

Code: Select all
# vi httpd.conf
TraceEnable off


2. Run as separate User & Group
By default, apache is configured to run with nobody or daemon. Don’t set User (or Group) to root unless you know exactly what you are doing, and what the dangers are.

Solution: –

It is good to run Apache in it’s own non-root account. Modify User & Group Directive in httpd.conf of your Apache Web Server

# vi httpd.conf
User apache
Group apache


3. Disable Signature
The Off setting, which is the default, suppresses the footer line. The On setting simply adds a line with the server version number and ServerName of the serving virtual host.

Solution: –

It’s good to disable Signature, as you may not wish to reveal Apache Version you are running.

Code: Select all
# vi httpd.conf
ServerSignature Off


4. Disable Banner
This directive controls whether Server response header field, which is sent back to clients, includes a description of the generic OS-type of the server as well as information about compiled-in modules.

Solution: –

Code: Select all
# vi httpd.conf
ServerTokens Prod


5. Restrict Access to a Specific Network or IP
If you wish your site to be viewed only by specific IP address or network, you can modify your site Directory in httpd.conf

Solution: –

Give the network address in the Allow directive.

# vi httpd.conf <Directory /yourwebsite> Options None AllowOverride None Order deny,allow Deny from all Allow from 10.20.0.0/24 </Directory>
Give the IP address in the Allow directive.

<Directory /yourwebsite>
Options None
AllowOverride None
Order deny,allow
Deny from all
Allow from 10.20.1.56
</Directory>


6. Use only TLS, Disable SSLv2, SSLv3
SSL 2.0, reportedly suffers from several cryptographic flaws.

Solution: –

Code: Select all
# vi httpd.conf
SSLProtocol -ALL +TLSv1


7. Disable Directory Listing
If you don’t have index.html under your WebSite Directory, client will see all files and sub-directories listed in ths browser (like ls –l output).

Solution: –

To disable directory browsing, you can either set the value of Option directive to “None” or “-Indexes”

Code: Select all
<Directory />
Options None
Order allow,deny
Allow from all
</Directory>

(or)

Code: Select all
<Directory />
Options -Indexes
Order allow,deny
Allow from all
</Directory>


8. Remove unnecessary DSO Modules
Solution: –

Verify your configuration to remove unnecessary DSO modules. There are many modules activated by default after installation. You can remove which you don’t need.

9. Disable Null and Weak Ciphers
Solution: –

Code: Select all
# vi httpd.conf
SSLCipherSuite ALL:!aNULL:!ADH:!eNULL:!LOW:!EXP:RC4+RSA:+HIGH:+MEDIUM


10. Stay Current with stable version
As Apache is an active open source, the easiest way to improve the security of Apache Web Server https://httpd.apache.org/download.cgiis to keep latest version. New fixes and security patches are added in every release. Always upgrade to the latest stable version of Apache.
techguru
 
Posts: 3
Joined: Sat Nov 21, 2015 9:16 am

Return to Web Servers

Who is online

Users browsing this forum: No registered users and 1 guest

cron