7 basic tips to improve Apache security
1. Keep Apache up to date
The most important security tip, not just for Apache, but for all services, applications and scripts is to keep them up to date by upgrading whenever a new version comes out. Apache is actively developed and the security issues are fixed in the new releases.
To update the Apache web server to the latest version available execute the following command
yum -y update httpd
2. Hide the Apache version and OS identity
The ServerSignature directive is enabled by default and it displays the version of the Apache installed on your server and the OS you are using. Attackers can easily use this information against your server. In order to hide this important information you need to modify two directives in the Apache configuration file.
Open the Apache configuration file, find the directives and make the following changes.
vi /etc/httpd/conf/httpd.conf ServerSignature Off ServerTokens Prod
3. Disable directory listing
If the directory listing is not disabled, everyone will be able to list the content of the directories under the document root directory. The directory listing can be disabled using ‘Options’ directive in the Apache configuration file.
Open the configuration file with a text editor and add the following directive
<Directory /your/document/root> Options -Indexes </Directory>
Replace ‘/your/document/root’ with the path to the actual document root directory.
4. Install and use the mod_security module
mod_security is very useful Apache module. It will strengthens the security of the Apache web server and protect your website from various attacks, blocking almost all commonly known exploits.
To install and configure mod_security on your CentOS server, please check our installation guide:
– Install mod_security with the OWASP core rule set on a CentOS VPS
5. Disable all unnecessary modules
Apache have a lot of modules and some of them are enabled in the default Apache installation. Not all of them are needed and it is recommended to disable the unused modules. You can use the following command to list all enabled Apache modules
httpd -M Loaded Modules: core_module (static) mpm_prefork_module (static) http_module (static) so_module (static) auth_basic_module (shared) auth_digest_module (shared) authn_file_module (shared) authn_alias_module (shared) authn_anon_module (shared) ....
You can check the official Apache documentation for the modules to learn more about their functionality.
All unnecessary modules can be disabled by adding the ‘#’ character at the beginning of the LoadModule line in the web server configuration file. For example:
vi /etc/httpd/conf/httpd.conf # LoadModule auth_basic_module modules/mod_auth_basic.so # LoadModule auth_digest_module modules/mod_auth_digest.so
6. Limit Request Size
The ‘LimitRequestBody’ Apache directive can be used to limit the number of bytes that are allowed in a request body. The limit mostly depends on your Web site needs. By default, the ‘LimitRequestBody’ limit is set to unlimited and it can make you a victim of a Denial of service attacks (DOS).
The limit of this Apache directive can be set from 0 (unlimited) to 2147483647 (2GB). For example, if you want to allow file upload with size of 100K to the /var/www/html/upload directory, you can add the following directive in the Apache configuration file.
<Directory "/var/www/html/upload directory"> LimitRequestBody 102400 </Directory>
7. Enable Logging
Log files are always very helpful to get more information about the events that occur on your server. So, it is a good practice to enable Apache logging. It will provide you with more information and details about all client requests made on your web server. In order to enable to Apache logging, you should make sure that the ‘log_config_module’ module is enabled on your server.
httpd -M |grep log_config_module Syntax OK log_config_module (shared)
The ‘log_config_module’ Apache module enables the functionality of the TransferLog, LogFormat, and CustomLog directives that can be used to create a log file.
Of course you don’t have to do any of this if you use one of our Linux VPS Hosting services, in which case you can simply ask our expert Linux admins to harden the Apache web server for you. They are available 24×7 and will take care of your request immediately.
PS. If you liked this post please share it with your friends on the social networks using the buttons on the left or simply leave a reply below. Thanks.