Apache is one of the most popular, fast, free and open-source web servers, and it is often described as one of the most secure. As a server administrator, make sure you have hardened the web server to prevent attacks. In this article I describe configuration changes that harden an Apache installation.
1) Keep up to date
The most important thing you can do to prevent damage is to keep the Apache web server up to date: the Apache community works hard to fix security issues and releases new versions carrying security fixes as well as new features.
# yum update httpd
2) Hide the Apache version
The default Apache configuration exposes the Apache version and the OS type. Exposing the version helps an attacker speed up reconnaissance.
To hide this information from browsers, make two changes in Apache's main configuration file. Open /etc/httpd/conf/httpd.conf with any editor and search for "ServerSignature"; by default it is On, and it needs to be set to Off. The second line, "ServerTokens Prod", tells Apache to return only "Apache" as the product in the Server response header on every request; it suppresses the OS and the major and minor version information.
# vi /etc/httpd/conf/httpd.conf
ServerSignature Off
ServerTokens Prod
Save the file and restart the Apache service to reflect these changes:
# systemctl restart httpd
3) Disable directory listing
By default Apache lists the entire content of the document root directory when no index file is present. Disable directory listing so that visitors cannot see which files and folders exist under the root or a subdirectory. If it stays enabled, an attacker can easily view any file, analyze it, and obtain sensitive information about the application running on your Apache server.
You can turn off directory listing with the Options directive in the configuration file, for a specific directory:
# vi /etc/httpd/conf/httpd.conf
Options -Indexes

4) Disable ETag
In Apache, ETags are built from three components: the inode, the MTime and the size. Enabling ETags lets a remote attacker obtain sensitive information such as the inode number, the multipart MIME boundary and child process details through the ETag header. Disabling ETags is required for PCI compliance.
Open /etc/httpd/conf/httpd.conf, add the following directive, save the file and restart the Apache service to apply the change:
# vi /etc/httpd/conf/httpd.conf
FileETag None
# systemctl restart httpd
5) Disable unnecessary modules
By default Apache ships with many modules installed that you do not need, so it is recommended to disable every module that is not in use. You can list all the loaded modules of the web server with the following command:
# grep LoadModule /etc/httpd/conf.modules.d/00-base.conf
To disable a particular module, insert "#" at the beginning of its LoadModule line and restart the service.
6) Run Apache as a separate user and group
With a default installation Apache runs as nobody or daemon. For security reasons it is recommended to run Apache under its own user account, which also makes it possible to track that user's activity when the server is facing load issues.
# groupadd apache
# useradd -d /var/www/ -g apache -s /bin/nologin apache
Then set the Apache user and group in the Apache configuration file:
# vi /etc/httpd/conf/httpd.conf
User apache
Group apache
7) Ensure that files outside the webroot are not served
We need to restrict access to the filesystem root directory and then allow access only through the appropriate Directory blocks. Secure the root directory by setting the following in the configuration file /etc/httpd/conf/httpd.conf (the block is shown for both Apache versions):
Apache 2.2:
<Directory />
    Options None
    Order deny,allow
    Deny from all
</Directory>
Apache 2.4:
<Directory />
    Options None
    Require all denied
</Directory>
Options None – Set this to None so that no optional extra features are enabled.
Order deny,allow – The order in which the "Deny" and "Allow" directives are processed: "Deny" first, then "Allow".
Deny from all – Denies requests from everybody to the root directory. There is no Allow directive for the root directory, so nobody can access it. In Apache 2.4, "Require all denied" replaces the Order/Deny pair.
8) Turn off support for .htaccess files if unused
With a .htaccess file inside a subdirectory of a user's home directory (or anywhere else), users can override the default Apache directives. It is not recommended to let users override Apache directives through .htaccess files. To prevent this, set "AllowOverride None" in the root directory:
AllowOverride None
9) Don't allow Apache to follow symbolic links
You can disable FollowSymLinks with the Options directive in the httpd.conf configuration file, either globally or for a particular directory only:
Options -FollowSymLinks
10) Disable other Options
The following are the available values for the Options directive:
Options All – All options are enabled (except MultiViews). If you don't specify an Options directive, this is the default value.
Options ExecCGI – Execute CGI scripts (uses mod_cgi).
Options FollowSymLinks – If there are symbolic links in this directory, they will be followed.
Options Includes – Allow server-side includes (uses mod_include).
Options IncludesNOEXEC – Allow server-side includes without the ability to execute a command or CGI script.
Options Indexes – Enable directory listing when no index file is present (the listing that section 3 turns off with -Indexes).
Options MultiViews – Allow content-negotiated MultiViews (uses mod_negotiation).
Options SymLinksIfOwnerMatch – Similar to FollowSymLinks, but the server only follows symbolic links whose target file or directory is owned by the same user id as the link.
We can turn off server-side includes (mod_include) and CGI execution if they are not needed. For that, modify the main configuration file /etc/httpd/conf/httpd.conf:
Options -Includes
Options -ExecCGI
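As an added example (not code from the article), here is a shell audit that reads an httpd.conf and reports which of the settings from sections 2, 3, 4, 7, 8, 9 and 10 are still missing: ServerSignature and ServerTokens, FileETag, Options values that grant Indexes, FollowSymLinks, Includes, ExecCGI or All, and the deny-all and AllowOverride None lines inside the <Directory /> block. The function names and the two configuration fragments are this example's own constructions; the script reads one file only, so on a real host run it against each included file under conf.d as well.

```shell
#!/bin/sh
# Added example, not from the original article: audit an httpd.conf for the
# hardening directives of sections 2, 3, 4, 7, 8, 9 and 10.
# The two configuration fragments below are constructed for the demonstration.

# Print the (lower-cased) value of the last uncommented occurrence of a
# directive anywhere in the file; prints nothing when it is unset.
directive_value() {
    awk -v name="$2" '
        /^[[:space:]]*#/ { next }
        tolower($1) == tolower(name) { val = tolower($2) }
        END { print val }' "$1"
}

# Print the lines inside the <Directory /> container (the filesystem root).
root_directory_block() {
    awk '
        /^[[:space:]]*<Directory[[:space:]]+"?\/"?[[:space:]]*>/ { inblock = 1; next }
        inblock && /^[[:space:]]*<\/Directory>/ { inblock = 0 }
        inblock { print }' "$1"
}

# Print one FAIL line per finding; return 0 when clean, 1 otherwise.
audit_httpd_conf() {
    conf="$1"; rc=0
    [ "$(directive_value "$conf" ServerSignature)" = "off" ] \
        || { echo "FAIL: ServerSignature is not Off (section 2)"; rc=1; }
    [ "$(directive_value "$conf" ServerTokens)" = "prod" ] \
        || { echo "FAIL: ServerTokens is not Prod (section 2)"; rc=1; }
    [ "$(directive_value "$conf" FileETag)" = "none" ] \
        || { echo "FAIL: FileETag is not None (section 4)"; rc=1; }
    # Every Options line: a bare or "+"-prefixed risky feature is a finding,
    # a "-"-prefixed one is the intended hardening.
    opts=$(awk '
        /^[[:space:]]*#/ { next }
        tolower($1) == "options" {
            for (i = 2; i <= NF; i++) {
                t = tolower($i); sub(/^\+/, "", t)
                if (t == "all" || t == "indexes" || t == "followsymlinks" ||
                    t == "includes" || t == "execcgi")
                    print "FAIL: line " NR " enables Options " $i " (sections 3, 9, 10)"
            }
        }' "$conf")
    [ -z "$opts" ] || { echo "$opts"; rc=1; }
    root=$(root_directory_block "$conf")
    if [ -z "$root" ]; then
        echo "FAIL: no <Directory /> block found (section 7)"; rc=1
    else
        echo "$root" | grep -Eiq '^[[:space:]]*(Require[[:space:]]+all[[:space:]]+denied|Deny[[:space:]]+from[[:space:]]+all)' \
            || { echo "FAIL: <Directory /> does not deny all access (section 7)"; rc=1; }
        echo "$root" | grep -Eiq '^[[:space:]]*AllowOverride[[:space:]]+None' \
            || { echo "FAIL: <Directory /> does not set AllowOverride None (section 8)"; rc=1; }
    fi
    return $rc
}

# Constructed sample 1: a typical unhardened configuration.
SAMPLE_CONF=$(mktemp)
cat > "$SAMPLE_CONF" <<'EOF'
ServerTokens OS
ServerSignature On
<Directory />
    Options FollowSymLinks
    AllowOverride None
    Require all denied
</Directory>
<Directory "/var/www/html">
    Options Indexes FollowSymLinks
    AllowOverride All
    Require all granted
</Directory>
EOF

# Constructed sample 2: the same server after applying sections 2 to 10.
HARDENED_CONF=$(mktemp)
cat > "$HARDENED_CONF" <<'EOF'
ServerTokens Prod
ServerSignature Off
FileETag None
<Directory />
    Options None
    AllowOverride None
    Require all denied
</Directory>
<Directory "/var/www/html">
    Options -Indexes -FollowSymLinks -Includes -ExecCGI
    AllowOverride None
    Require all granted
</Directory>
EOF

echo "== unhardened sample =="; audit_httpd_conf "$SAMPLE_CONF" || echo "hardening required"
echo "== hardened sample ==";   audit_httpd_conf "$HARDENED_CONF" && echo "clean"
```

The unhardened sample produces six findings (the two token directives, the missing FileETag, and three Options tokens); the hardened sample produces none. A "-Indexes" token is deliberately not a finding, because that is the spelling the article uses to switch the feature off.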
11) Limit HTTP request body, fields and size
Apache has several directives that limit the size of a request; LimitRequestBody in particular is useful for mitigating the effects of a denial-of-service attack. You can limit the request size with the LimitRequestBody directive inside a Directory block. The directive is unlimited by default; it accepts a value in bytes from 0 (unlimited) to 2147483647 (2 GB) for the request body. Set the limit according to your site's needs.
Add the following line:
LimitRequestBody 204800
Save the file and restart Apache.
Please note that the directives LimitRequestBody, LimitRequestFields, LimitRequestFieldSize, LimitRequestLine and LimitXMLRequestBody should all be carefully configured to limit resource consumption triggered by client input.
12) Install and enable mod_security
ModSecurity is an open-source web application firewall. It provides filtering, server identity masking and null-byte attack prevention, and it allows real-time traffic monitoring. One of its biggest strengths is virtual patching: you are protected against application vulnerabilities that you are not yet able to patch. With ModSecurity you can protect and harden your website against unwanted malicious traffic and reduce the possible attack surface.
You can do the following with mod_security:
- Simple filtering
- Regular Expression based filtering
- URL Encoding Validation
- Unicode Encoding Validation
- Auditing
- Null byte attack prevention
- Upload memory limits
- Server identity masking
- Built in Chroot support
Install mod_security:
# yum install mod_security
# /etc/init.d/httpd restart
When the installation is complete, you will find the configuration files in /etc/httpd/conf.d.
13) Protect against DDoS attacks
Complete protection against a DDoS attack is not possible with the methods below, but you can still survive small-bandwidth attacks. Protecting your server from large DDoS attacks is beyond the scope of Apache (and of any web server), because web servers are not designed to solve that problem and can only protect themselves up to a point. The following directives help you keep some control over it.
Timeout: We can also set RequestReadTimeout for clients; if the client fails to send headers or body within the configured time, a 408 REQUEST TIMEOUT error is sent. Default value is 300 secs.
KeepAlive On: Allow more than one request per connection.
KeepAliveTimeout: Number of seconds to wait for the next request from the same client on the same connection. Default value is 5 secs.
MaxKeepAliveRequests: The maximum number of requests to allow during a persistent connection. Set to 0 to allow an unlimited number. Default value is 100.
MaxRequestWorkers: The maximum number of simultaneous connections the server will handle, so that it does not run out of resources. Default value is 250.
LimitRequestFields: Lets the server administrator change the limit on the number of request header fields allowed in an HTTP request. Default value is 100.
LimitRequestFieldSize: Lets the server administrator set the limit on the allowed size of an HTTP request header field. Default value is 8190 bytes.
14) Secure with SSL certificates
SSL adds a layer of security to your web application. Suppose you have a website where people log in with their credentials, or an e-commerce site where people enter bank or debit/credit card details to purchase products: by default your web server sends these details in plain text, but once you use SSL certificates on your site, Apache sends all this information encrypted. The default SSL configuration, however, leaves certain vulnerabilities open, and you should consider tweaking it.
SSL key
The longer the key, the harder it is to break. The majority of large web companies use 2048-bit keys.
Disable SSLv2 and SSLv3
SSL 2.0 and 3.0 reportedly suffer from several cryptographic flaws, so use the following:
SSLProtocol -ALL +TLSv1
Disable null and weak ciphers
An SSL cipher is an encryption algorithm negotiated between two computers over the Internet. Data encryption converts plain text into ciphertext, and which algorithm is used depends on your web server's SSL cipher configuration. Allow only strong ciphers so that clients attempting to handshake with weaker cipher suites are refused:
SSLCipherSuite ALL:!aNULL:!ADH:!eNULL:!LOW:!EXP:RC4+RSA:+HIGH:+MEDIUM
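An added example (not the article's own code): a shell audit of the SSLProtocol and SSLCipherSuite lines in an Apache SSL configuration. It fails on anything that still enables SSLv2 or SSLv3 or that omits the !aNULL, !eNULL, !LOW and !EXP exclusions, and it warns on two points that post-date the article's directives: RFC 7465 (2015) prohibits RC4, and RFC 8996 (2021) deprecates TLS 1.0 and 1.1, so a protocol line that enables neither TLS 1.2 nor TLS 1.3 gets a warning, which "SSLProtocol -ALL +TLSv1.2 +TLSv1.3" satisfies. The function names and the three configuration fragments are this example's own constructions.

```shell
#!/bin/sh
# Added example, not from the original article: audit SSLProtocol and
# SSLCipherSuite in an Apache SSL configuration. The three fragments below
# are constructed for the demonstration.

# FAIL if SSLProtocol still enables SSLv2/SSLv3; WARN if it enables neither
# TLS 1.2 nor 1.3 (RFC 8996 deprecates TLS 1.0/1.1). Apache's syntax is a
# list of "all", "name", "+name" or "-name" tokens, applied left to right.
check_ssl_protocol() {
    awk '
        /^[[:space:]]*#/ { next }
        tolower($1) == "sslprotocol" {
            found = 1; split("", on)
            for (i = 2; i <= NF; i++) {
                t = tolower($i); sign = substr(t, 1, 1)
                if (sign == "-" || sign == "+") t = substr(t, 2); else sign = "+"
                # "all" expands to every protocol the build supports; SSLv2 is
                # included so that old builds are judged conservatively.
                n = (t == "all") ? split("sslv2 sslv3 tlsv1 tlsv1.1 tlsv1.2 tlsv1.3", names, " ") : split(t, names, " ")
                for (j = 1; j <= n; j++) on[names[j]] = (sign == "+")
            }
            if (on["sslv2"] || on["sslv3"])
                print "FAIL: SSLProtocol (line " NR ") still enables SSLv2 or SSLv3"
            if (!on["tlsv1.2"] && !on["tlsv1.3"])
                print "WARN: SSLProtocol (line " NR ") enables neither TLS 1.2 nor 1.3 (RFC 8996)"
        }
        END { if (!found) print "WARN: no SSLProtocol directive; the default enables SSLv3 on older builds" }' "$1"
}

# FAIL if SSLCipherSuite does not exclude anonymous, null, LOW and EXP
# ciphers; WARN if RC4 is still permitted (RFC 7465 prohibits it).
check_ssl_ciphers() {
    awk '
        /^[[:space:]]*#/ { next }
        tolower($1) == "sslciphersuite" {
            found = 1; s = tolower($2); split("", has)
            n = split(s, tok, ":"); for (i = 1; i <= n; i++) has[tok[i]] = 1
            if (!has["!anull"]) print "FAIL: SSLCipherSuite allows anonymous key exchange (add !aNULL)"
            if (!has["!enull"] && !has["!null"]) print "FAIL: SSLCipherSuite allows null encryption (add !eNULL)"
            if (!has["!low"] || !has["!exp"]) print "FAIL: SSLCipherSuite allows LOW or EXP ciphers (add !LOW:!EXP)"
            if (s ~ /rc4/ && !has["!rc4"]) print "WARN: SSLCipherSuite permits RC4 (RFC 7465)"
        }
        END { if (!found) print "WARN: no SSLCipherSuite directive" }' "$1"
}

# Print all findings; return 0 when there is no FAIL line, 1 otherwise.
audit_ssl_conf() {
    out=$(check_ssl_protocol "$1"; check_ssl_ciphers "$1")
    [ -z "$out" ] || echo "$out"
    ! echo "$out" | grep -q '^FAIL'
}

# Constructed fragment 1: exactly the two directives the article gives.
ARTICLE_CONF=$(mktemp)
cat > "$ARTICLE_CONF" <<'EOF'
SSLProtocol -ALL +TLSv1
SSLCipherSuite ALL:!aNULL:!ADH:!eNULL:!LOW:!EXP:RC4+RSA:+HIGH:+MEDIUM
EOF

# Constructed fragment 2: a weak configuration that leaves SSLv3 and
# anonymous/null/export ciphers reachable.
WEAK_CONF=$(mktemp)
cat > "$WEAK_CONF" <<'EOF'
SSLProtocol all -SSLv2
SSLCipherSuite HIGH:MEDIUM:RC4
EOF

# Constructed fragment 3: a configuration that satisfies every check.
HARDENED_SSL_CONF=$(mktemp)
cat > "$HARDENED_SSL_CONF" <<'EOF'
SSLProtocol -ALL +TLSv1.2 +TLSv1.3
SSLCipherSuite HIGH:!aNULL:!eNULL:!LOW:!EXP:!RC4:!MD5
EOF

for f in "$ARTICLE_CONF" "$WEAK_CONF" "$HARDENED_SSL_CONF"; do
    echo "== $f =="; audit_ssl_conf "$f" || echo "not acceptable"
done
```

Run against the article's own two lines the audit reports no failure but two warnings (TLS 1.0 only, RC4 permitted); the weak fragment fails four checks; the hardened fragment is silent.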
15) Enable Apache logging
Apache logging provides detailed information about the client requests made to your web server, so enabling it proves useful when investigating the cause of a particular issue.
Apache keeps two kinds of logs: the error log and the access log.
Apache error log
Contains information about errors the web server encountered while processing requests. The location of the error log is set with the ErrorLog directive. If you are encountering any issue with Apache, look at this file first, using cat, grep or any other UNIX/Linux text utility. The default error log file location is "/var/log/httpd/error_log".
# vi /etc/httpd/conf/httpd.conf
ServerName example.com
ServerAdmin webmaster@example.com
DocumentRoot /var/www/example.com
ErrorLog /var/www/example.com/logs/error.log
Apache access log
The server access log records all requests processed by the server. The location and content of the access log are controlled by the CustomLog directive. The default Apache access log file location is "/var/log/httpd/access_log".
# vi /etc/httpd/conf/httpd.conf
ServerName example.com
ServerAdmin webmaster@example.com
DocumentRoot /var/www/example.com
CustomLog /var/www/example.com/logs/access.log
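An added example (not the article's own code) of the kind of triage the logging section motivates: a shell pass over access log lines in Apache's combined format that summarises response-status classes, lists clients that generate repeated non-2xx responses, and picks out requests for paths a server hardened as in sections 7 and 8 should never serve (.htaccess, version-control metadata, path traversal). The log lines are constructed, using RFC 5737 documentation addresses, and the function names are this example's own; the parser splits on the double quotes of the combined format, so the status field is read reliably, but a request path containing a space would need the request line parsed differently.

```shell
#!/bin/sh
# Added example, not from the original article: triage an Apache access log in
# combined format. The log below is constructed for the demonstration.
LOG=$(mktemp)
cat > "$LOG" <<'EOF'
203.0.113.7 - - [10/Oct/2023:13:55:36 +0000] "GET / HTTP/1.1" 200 2326 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Oct/2023:13:55:37 +0000] "GET /about.html HTTP/1.1" 200 1204 "-" "Mozilla/5.0"
198.51.100.23 - - [10/Oct/2023:13:56:01 +0000] "GET /.git/config HTTP/1.1" 404 196 "-" "curl/7.68.0"
198.51.100.23 - - [10/Oct/2023:13:56:02 +0000] "GET /.htaccess HTTP/1.1" 403 199 "-" "curl/7.68.0"
198.51.100.23 - - [10/Oct/2023:13:56:03 +0000] "GET /cgi-bin/test.cgi HTTP/1.1" 404 196 "-" "curl/7.68.0"
198.51.100.23 - - [10/Oct/2023:13:56:04 +0000] "GET /../../etc/passwd HTTP/1.1" 400 226 "-" "curl/7.68.0"
192.0.2.9 - - [10/Oct/2023:13:57:10 +0000] "POST /login HTTP/1.1" 302 0 "-" "Mozilla/5.0"
192.0.2.9 - - [10/Oct/2023:13:57:15 +0000] "GET /admin HTTP/1.1" 500 512 "-" "Mozilla/5.0"
EOF

# Combined format split on double quotes: $1 = "host ident user [time] ",
# $2 = the request line, $3 = " status bytes ". Splitting on quotes keeps
# the status column stable even when the request line is unusual.

# Count responses per status class (2xx/3xx/4xx/5xx), one "class count" line each.
status_classes() {
    awk -F'"' '{ split($3, f, " "); c[substr(f[1], 1, 1) "xx"]++ }
               END { for (k in c) print k, c[k] }' "$1" | sort
}

# Clients whose non-2xx responses reach the threshold ($2, default 3):
# a cheap indicator of scanning against a server that denies most paths.
noisy_clients() {
    awk -F'"' -v min="${2:-3}" '
        { split($1, h, " "); split($3, f, " "); if (f[1] !~ /^2/) e[h[1]]++ }
        END { for (ip in e) if (e[ip] >= min) print ip, e[ip] }' "$1" | sort
}

# Requests for paths a hardened server should never serve: .htaccess,
# .git metadata and traversal sequences. Prints "client status path".
sensitive_path_hits() {
    awk -F'"' '
        { split($2, r, " "); p = r[2]
          if (p ~ /\/\.(htaccess|git)/ || p ~ /\.\.\//) {
              split($1, h, " "); split($3, f, " "); print h[1], f[1], p } }' "$1"
}

echo "== status classes ==";        status_classes "$LOG"
echo "== noisy clients (>=3) ==";   noisy_clients "$LOG" 3
echo "== sensitive path hits ==";   sensitive_path_hits "$LOG"
```

On the constructed log the sensitive-path report shows that the server answered 403 and 404 for the probes, which is what sections 7 and 8 are meant to guarantee; a 200 in that column would be the line worth investigating.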