
10 things you should do to secure Apache

If you think Apache and Linux will deflect all threats without extra security precautions, think again. As Jack Wallen explains, you need to take a number of steps to make sure Apache is a secure Web server.



You've installed Apache to serve up your company's Web site. It's running smooth as silk, and you know you have the safety net of Linux to catch you. But after a couple of weeks, things start to go wrong. Why? It's Apache and Linux... What could go wrong? Plenty, if you're not careful. There are ways to make sure Apache is secure, but doing nothing is not one of them. Here are 10 simple ways to make Apache a more secure Web server.


#1: Update, update, update

Just because it is Apache running on Linux doesn't mean you can skip updates. New holes in httpd and its modules are found all the time, and a published advisory is an open invitation to anyone scanning for that version. Develop a sound update policy and stick to it. If you installed Apache with your distribution's package manager, updates arrive with the rest of the system and can be applied routinely. If you built from source, check before each upgrade that it will not break the modules or dependencies your Web site relies on, and follow the Apache httpd security announcements so you hear about fixes when they ship. And when you update Apache, update PHP (if used) and every other module loaded into the server as well: a module runs inside the httpd process, so a hole in a module is a hole in the server.

#2: Use the right user:group

I have seen Apache run under all sorts of users and groups. The worst offender is root. The parent httpd process legitimately starts as root so it can bind ports 80 and 443, but the child processes that actually handle requests must drop to an unprivileged identity, and if that identity is root, every hole in the server or in a PHP script hands the attacker the whole machine. Sharing an account is almost as bad: say Apache and MySQL both run as the same user and group. A hole in one then gives an attacker the other's files and sockets. The right setup is a dedicated account used by nothing else. Most distributions already create one (apache on Red Hat-derived systems, www-data on Debian and Ubuntu); if yours does not, or if you built from source, you will have to set it up yourself. To make this change, open the httpd.conf file and check the lines that read:

User
Group

Change these entries to:

User apache
Group apache

If you get errors indicating the group or user do not exist, create them as a system account with no login shell and no password, and give that account read access to the document root only. It should not own the site files or httpd.conf, and it should have write access only to directories that genuinely need it (upload folders, caches). After a restart, confirm with ps that the worker processes, not just the root-owned parent, are running as the new user.

#3: Turn off unwanted services

There are a few features you will want to turn off or not allow. All of them are controlled by the Options directive inside a Directory tag in httpd.conf (the document root is a good place to start). Those that cause the most trouble include:

  • Directory browsing. When no index file exists, mod_autoindex lists the directory contents, which hands an attacker your backup files, include files and anything else you forgot about. Disable it with "-Indexes" (note the spelling: there is no "-Indexing" option, and Apache refuses to start on an unknown option).
  • Server side includes. SSI lets a page pull in other files and, with the exec element, run commands. Disable it with "-Includes". If you must have SSI, "+IncludesNOEXEC" allows includes but not command execution.
  • CGI execution. Unless your site needs CGI, turn it off with "-ExecCGI". A directory that allows CGI turns any file an attacker can upload there into a program.
  • Symbolic links. Set "-FollowSymLinks" so a link planted under the document root cannot point at /etc or at another site's files. If links are needed, "+SymLinksIfOwnerMatch" is the safer middle ground: Apache follows a link only when the link and its target have the same owner.
  • None. You can turn off all options at once with "Options None".

One caveat on syntax: if every option in a directive carries a + or -, the directive is merged with the enclosing directory's options, whereas a bare list such as "Options None" or "Options Indexes" replaces them outright. Mixing the two forms in one directive is a syntax error.

#4: Disable unused modules

Apache has a ton of modules, and each one you load is code an attacker can reach. To see which modules your configuration loads, run (as root) grep -n LoadModule httpd.conf from within your Apache configuration directory. This shows every LoadModule line along with its line number; on a packaged install, check the included files too (conf.modules.d/ on Red Hat-derived systems, mods-enabled/ on Debian and Ubuntu, where a2dismod is the supported way to turn a module off). apachectl -M lists what is actually loaded, including modules compiled in statically. To disable a module you don't need, comment out its line with a single # at the beginning, then run apachectl configtest before restarting: a directive whose module is gone is a fatal error, so this is where you find out which module a setting depended on. Start with the usual suspects: autoindex, status, info, userdir, cgi, include and any proxy or dav module the site does not use.

#5: Restrict access

Say you have an intranet that contains critical company information. You want nobody outside your private network to see it. To restrict a directory to your internal network, add the following inside its Directory tag in your httpd.conf file (Apache 2.2 syntax):

Order Deny,Allow
Deny from all
Allow from 192.168.1.0/24

where 192.168.1.0/24 matches your internal network. Two details matter here. The Order keywords are separated by a comma with no space; "Deny, Allow" is two arguments and Apache will reject it. And the prefix length has to match the network you mean: 192.168.1.0/24 is the 256 addresses from 192.168.1.0 to 192.168.1.255, whereas /16 would admit all of 192.168.0.0 to 192.168.255.255, which on most corporate networks is far more than one intranet segment. On Apache 2.4 these three directives belong to the compatibility module mod_access_compat; the native form is a single line, Require ip 192.168.1.0/24, inside the Directory tag. Remember that an address check is only as good as the network boundary: if a reverse proxy or load balancer sits in front of Apache, the client address it sees is the proxy's, and anyone on the LAN, including a compromised desktop, passes the test, so pair it with authentication for anything sensitive. As with all modifications to httpd.conf, run apachectl configtest and then reload Apache (apachectl graceful) so the changes take effect.

#6: Limit request size

Denial of service gets easier when you accept arbitrarily large requests: a client can tie up a worker and fill your disk or memory by streaming a huge POST body. Apache's LimitRequestBody directive caps the body size in bytes and can be set in the server config, a virtual host, a Directory tag or an .htaccess file, so you can keep the server-wide limit small and raise it only for the one upload directory that needs more. The right value depends on your Web site's needs; a request that exceeds it gets a 413 error. The default of 0 means unlimited in Apache 2.2 and in 2.4 releases before 2.4.53, which changed the default to 1 GiB. Note what this does not cover: the limit applies to the body only. Headers are governed by LimitRequestFields, LimitRequestFieldSize and LimitRequestLine, and slow-drip attacks that hold a connection open are the job of Timeout and mod_reqtimeout.

#7: Employ mod_security

One of the most useful add-on modules is mod_security, a Web application firewall that runs inside Apache. It handles many tasks, including simple filtering, regular-expression filtering on requests and responses, URL encoding validation and server identity masking. Installation and setup are beyond a one-paragraph description, but you can begin by loading two modules in the modules section of httpd.conf: mod_unique_id (the unique_id_module LoadModule line), which mod_security requires, and mod_security2 itself (the security2_module LoadModule line). Then run apachectl configtest (apache2ctl configtest on Debian and Ubuntu). If it returns Syntax OK, you're good to go. Bear in mind that the module does nothing useful until you give it rules: set SecRuleEngine to DetectionOnly first, load a rule set such as the OWASP Core Rule Set, watch the audit log for false positives against your own site, and only then switch it to On.

#8: Do not allow browsing outside the document root

Apache will serve any file on the filesystem that a Directory tag, an Alias or a symlink lets it reach, so the right default is to shut the entire filesystem and then open only the document root. Despite the section title, the block below is not the document root entry: <Directory /> is the filesystem root, and its settings are inherited by every directory on the box until a more specific Directory tag overrides them. Make it read:

<Directory />
Order Deny,Allow
Deny from all
Options None
AllowOverride None
</Directory>

On Apache 2.4 replace the Order and Deny lines with Require all denied. Now, for the document root and any other directory you actually serve, add a separate Directory entry that grants access and enables only the options that directory needs. With AllowOverride None at the root, .htaccess files are ignored everywhere unless a more specific tag turns them back on, which also saves Apache a filesystem lookup per request. Check the result with apachectl configtest and a request for a path outside the document root, which should come back 403.

#9: Hide Apache's version number

The less an attacker learns from a quick probe, the more work they have to do, so give away as little about your service as you can. One easy item is the Apache version number, which appears in the Server response header and in the footer of server-generated pages such as 404 errors and directory listings. Hiding it fixes nothing, and a determined attacker can still fingerprint the server from its behaviour, but it stops automated scanners from matching your exact version against a list of known holes and spares you that noise. Both directives below are server-wide settings: ServerTokens is valid only in the main server config, not inside a Directory tag, and ServerSignature, although it can be set per directory, should be set globally too. ServerTokens Prod reduces the header to "Server: Apache", and ServerSignature Off drops the footer line:

ServerSignature Off
ServerTokens Prod
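The settings from #3, #5, #6, #8 and #9 fit naturally into one drop-in fragment. The script below is an added example and is not code from the original article; it writes such a fragment in Apache 2.4 syntax (Require instead of Order/Deny/Allow, so on 2.2 use the forms shown in the tips above). The document root /var/www/html, the intranet range 192.168.1.0/24, the 1 MiB body cap and the file name 10-hardening.conf are all assumptions you should change for your site.

```shell
#!/bin/sh
# Added example, not from the original article: emit a single drop-in
# fragment that applies tips #3, #5, #6, #8 and #9. Assumptions: Apache 2.4
# (Require syntax), document root /var/www/html, intranet 192.168.1.0/24,
# 1 MiB body cap. Override via the environment: DOCROOT, INTRANET, MAXBODY.

hardening_conf() {
    docroot="${DOCROOT:-/var/www/html}"
    intranet="${INTRANET:-192.168.1.0/24}"
    maxbody="${MAXBODY:-1048576}"
    cat <<EOF
# Tip #9: server-config scope only; "Server: Apache", no footer on error pages
ServerTokens Prod
ServerSignature Off

# Tip #8: filesystem root is closed; nothing is served unless re-opened below
<Directory />
    Options None
    AllowOverride None
    Require all denied
</Directory>

# Tip #3: document root with listings, SSI, CGI and symlinks off.
# Minus-only Options merge with the parent (None), so the result is None.
<Directory "${docroot}">
    Options -Indexes -Includes -ExecCGI -FollowSymLinks
    AllowOverride None
    Require all granted
</Directory>

# Tips #5 and #6: intranet-only subtree with a request body cap (bytes)
<Directory "${docroot}/intranet">
    Require ip ${intranet}
    LimitRequestBody ${maxbody}
</Directory>
EOF
}

# count_directive NAME: how many lines of the fragment on stdin start with
# NAME; a quick sanity check that the expected sections were generated
count_directive() {
    grep -c "^[[:space:]]*$1[[:space:]]" || true
}

# Usage (as root; Debian/Ubuntu use conf-available/ plus a2enconf instead):
#   hardening_conf > /etc/httpd/conf.d/10-hardening.conf
#   apachectl configtest && apachectl graceful
```

The fragment relies on Apache's merge order: the <Directory /> block closes everything, the document-root block re-opens one tree with the dangerous options removed, and the intranet block narrows access again for one subtree. Because every Directory tag here sets AllowOverride None, a stray .htaccess file cannot undo any of it.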

#10: Immunize httpd.conf

One worthwhile measure is to protect httpd.conf from modification. Start with ordinary permissions: the file should be owned by root, mode 644 (or 640 with a root group), and above all not writable by the apache user, so a compromised worker process cannot rewrite the configuration it runs under. On top of that you can set the immutable bit, which makes the file impossible to modify, delete or rename, even for root, until the bit is cleared:

chattr +i /path/to/httpd.conf

where /path/to/httpd.conf is the path to your Apache configuration file. Be clear about what this buys you. The immutable bit does not hide the file; anyone who can read it still can. Only root (strictly, a process with CAP_LINUX_IMMUTABLE) can set or clear it, so it stops accidental edits, careless scripts and an attacker who has only a non-root foothold, but an attacker who already has root can simply run chattr -i and carry on. It works only on file systems that support the attribute (ext2/3/4, XFS, Btrfs among them); lsattr shows whether it is set. And it will make your package manager fail the next time an Apache update tries to replace the file, so remember to clear it before updating or editing and set it again afterwards.
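Several of the tips above (#2, #3, #4, #6, #7 and #9) come down to checking a handful of directives, which is easy to automate. The POSIX shell audit below is an added example, not the article's code: it reads the configuration file(s) it is given, strips comments so commented-out lines do not count, and prints one finding per line, returning the number of findings. It does not follow Include lines, so pass every file that matters. The two embedded configurations are constructed samples for demonstration, not real files from any system.

```shell
#!/bin/sh
# Added example, not part of the original article: a read-only audit that
# checks an httpd.conf against tips #2, #3, #4, #6, #7 and #9 and prints one
# finding per line. Include/IncludeOptional files are not followed, so pass
# every file that matters. The two sample configs below are constructed.

# audit_conf FILE...   prints findings; return value = number of findings
audit_conf() {
    # drop comments and blank lines so commented-out directives do not count
    cfg=$(cat "$@" | sed -e 's/#.*//' -e '/^[[:space:]]*$/d')
    n=0
    report() { n=$((n + 1)); echo "FINDING: $1"; }
    # last value of a directive (name matched case-insensitively), lower-cased
    directive_value() {
        echo "$cfg" | awk -v d="$1" 'tolower($1)==d {print tolower($2)}' | tail -n 1
    }

    # Tip #2: workers must run as a dedicated, unprivileged account
    u=$(directive_value user); g=$(directive_value group)
    [ -n "$u" ] && [ "$u" != "root" ] || report "User is '${u:-unset}': run workers as a dedicated account"
    [ -n "$g" ] && [ "$g" != "root" ] || report "Group is '${g:-unset}': use a dedicated group"

    # Tip #3: risky Options switched on (a leading '-' does not match)
    for opt in Indexes Includes ExecCGI FollowSymLinks All; do
        echo "$cfg" | grep -Eiq "^[[:space:]]*Options.*([[:space:]]|\+)${opt}([[:space:]]|\$)" \
            && report "Options enables ${opt}: remove it unless the site needs it"
    done

    # Tip #4: informational only; every loaded module is attack surface
    m=$(echo "$cfg" | grep -Eic '^[[:space:]]*LoadModule' || true)
    echo "info: ${m} LoadModule lines; comment out the ones the site does not use"

    # Tip #6: a body limit must exist and be non-zero (0 means unlimited)
    l=$(directive_value limitrequestbody)
    { [ -n "$l" ] && [ "$l" -gt 0 ]; } 2>/dev/null \
        || report "LimitRequestBody is '${l:-unset}': set a cap in bytes"

    # Tip #7: is mod_security loaded?
    echo "$cfg" | grep -Eiq '^[[:space:]]*LoadModule[[:space:]]+security2_module' \
        || report "security2_module not loaded: consider mod_security"

    # Tip #9: no version banner, no footer (ServerSignature defaults to Off)
    t=$(directive_value servertokens)
    [ "$t" = "prod" ] || report "ServerTokens is '${t:-default (Full)}': set ServerTokens Prod"
    s=$(directive_value serversignature)
    [ -z "$s" ] || [ "$s" = "off" ] || report "ServerSignature is '$s': set it Off"

    return "$n"
}

# Constructed sample: a stock-looking config with several bad choices
sample_weak_conf() {
    cat <<'EOF'
LoadModule unique_id_module modules/mod_unique_id.so
LoadModule dir_module modules/mod_dir.so
LoadModule autoindex_module modules/mod_autoindex.so
User root
Group root
ServerTokens Full
ServerSignature On
<Directory "/var/www/html">
    Options Indexes FollowSymLinks
    AllowOverride None
</Directory>
EOF
}

# Constructed sample: the same server after applying the tips
sample_hardened_conf() {
    cat <<'EOF'
LoadModule unique_id_module modules/mod_unique_id.so
LoadModule security2_module modules/mod_security2.so
User apache
Group apache
ServerTokens Prod
ServerSignature Off
LimitRequestBody 1048576
<Directory "/var/www/html">
    Options -Indexes -Includes -ExecCGI -FollowSymLinks
    AllowOverride None
</Directory>
EOF
}

# Usage: audit_conf /etc/httpd/conf/httpd.conf /etc/httpd/conf.d/*.conf
# The weak sample yields eight findings; the hardened one yields none.
```

Run against the weak sample, the audit reports the root user and group, the Indexes and FollowSymLinks options, the missing body limit, the missing mod_security module, and the two banner settings; against the hardened sample it reports nothing and exits 0. It is a configuration check, not a runtime one: pair it with apachectl -M and a look at the running processes, because a directive in a file Apache never includes changes nothing.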

Configuration options

We've looked at 10 quick ways to secure your Apache server. There are quite a few more configuration options, some generic and some designed for specific purposes. Make sure you employ the most secure Apache options and configurations that suit your Web server's needs, and re-check them after every major upgrade, since defaults and directive names change between versions.

About

Jack Wallen is an award-winning writer for TechRepublic and Linux.com. He’s an avid promoter of open source and the voice of The Android Expert. For more news about Jack Wallen, visit his website getjackd.net.

3 comments
arielicas

Thanks Jack for this article. I was looking for this one. I will apply it to our VPS server. I'd just like to ask if you have experienced your server being shut down every midnight for 20 minutes? Thank you and more power.

MT4 Programming

Old post, but the information is still timeless and very useful. Thanks Jack!

mejohnsn

Surely setting the immutable bit on httpd.conf is mere "security by obscurity". If the server administrator follows the advice of your earlier steps, he won't be able to modify httpd.conf without root privileges anyway. But once an attacker gets root, he can reset the immutable bit. Also, a discussion of which of the recommended settings differ from the installation default would be nice; it would improve the article a lot. On Ubuntu, for example, I don't need to follow the step talking about setting user and group, because the default already handles that: a special user/group is created just for running Apache, and Apache runs as that, not as root. OTOH, what is a little weird is that httpd.conf (Debian insists on renaming this 'apache2.conf' in their packages) is owned by root. I haven't been able to figure out whether this is a good thing or not.