Open Source

DIY: Harden Apache web servers with these tips

Apache is the perfect web server for DIYers who want to offer a robust web service without breaking the bank. Here are eight ways to make your Apache web server even more secure.

Apache is one of the most widely used web servers on the planet... and with good reason. Not only is it incredibly powerful and flexible, it's also free. That cost to feature ratio makes for an attractive package for the DIY crowd.

Apache is also really secure out of the box. But for those who live on the edge of paranoia, it's nice to know there are ways to make an already secure web server even more secure. Here are some tips that you can employ quickly to harden your already running Apache server.

Hide the banner

Apache announces itself in the Server response header and in the footer of its error pages. Broadcasting the software and its version makes it easier for attackers to pick attacks that match what is running. So instead of blindly announcing what piece of software is handing out content, let's obfuscate it by turning off ServerSignature and trimming ServerTokens.

  1. Open a terminal window.
  2. Open the Apache configuration file (in Ubuntu this is /etc/apache2/apache2.conf).
  3. Search for a line containing ServerSignature. If found, set it to Off.
  4. Search for ServerTokens. If found, set it to ProductOnly.

Now, restart Apache with the command /etc/init.d/apache2 restart. Apache is no longer broadcasting its version and module details in the Server header. If you want to test this, issue the command curl -I http://DOMAIN, where DOMAIN is the domain serving up your website, and check the Server: line in the output.

Deny All

The best way to secure access to Apache is to deny access to everything and everyone and then allow access only where needed. This is done by modifying the directory containers; specifically, you'll want to start with the main <Directory /> container and make sure it looks like:

  <Directory />
      Order deny,allow
      Deny from all
  </Directory>

Now create new containers for the directories that you need to give access to. These can look like:

  <Directory "/var/www/XXX">
      Order allow,deny
      Allow from all
  </Directory>

where XXX is a specific directory that must be accessed. Once you've done this, restart Apache and enjoy a stronger web server.

Trace HTTP requests

TRACE HTTP requests are another possible security issue. A TRACE request echoes back everything the server received, headers included, which can be used to trick Apache into printing HTTP cookies and so hijack HTTP sessions. This is known as the Cross Site Tracing attack (XST), a variant of Cross Site Scripting (XSS).

To disable this feature, set the TraceEnable directive in /etc/apache2/apache2.conf to Off. After you change the setting and save the file, restart Apache, and you should be good to go.

Disable Directory Indexing

The Directory Indexing feature prints out the contents of a directory when it contains no index.html or index.php file. On an Ubuntu server, enabled modules are symbolic links in the /etc/apache2/mods-enabled directory. The ones to remove are autoindex.load and autoindex.conf. You can remove those links with the following commands:

sudo rm -rf /etc/apache2/mods-enabled/autoindex.load
sudo rm -rf /etc/apache2/mods-enabled/autoindex.conf

For other distributions, look for the Indexes option in the particular directory container and remove it. A directory container starts with <Directory> and ends with </Directory>. Within those tags you will find a line like: Options Indexes FollowSymLinks ... . Just remove the Indexes option, save the file, and restart Apache.
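The banner, deny-all, TRACE and directory-indexing tips above are all settings you can verify in the configuration file before restarting. The following audit script is an added example, not code from the article or from the Apache project. It uses a small hand-written parser that understands only what the tips need (top-level directives and single-level <Directory> containers in the Apache 2.2 Order/Deny syntax the article uses), runs it over two constructed apache2.conf fragments, one weak and one hardened, and reports every setting that still differs from the recommendations. The defaults it assumes for directives that are absent (ServerSignature Off, ServerTokens Full, TraceEnable On) are the documented Apache defaults.

```python
import re

# Constructed apache2.conf fragment (hypothetical, not taken from any real server).
# It deliberately carries the weak settings the article tells you to change.
WEAK_CONF = """\
ServerSignature On
ServerTokens Full
TraceEnable On
<Directory />
    Options Indexes FollowSymLinks
    AllowOverride None
    Order allow,deny
    Allow from all
</Directory>
<Directory "/var/www/html">
    Options Indexes FollowSymLinks
    Order allow,deny
    Allow from all
</Directory>
"""

# The same fragment after applying the article's tips.
HARDENED_CONF = """\
ServerSignature Off
ServerTokens Prod
TraceEnable Off
<Directory />
    Options FollowSymLinks
    AllowOverride None
    Order deny,allow
    Deny from all
</Directory>
<Directory "/var/www/html">
    Options FollowSymLinks
    Order allow,deny
    Allow from all
</Directory>
"""

DIRECTIVE_RE = re.compile(r"^\s*(\w+)\s+(.*?)\s*$")
DIR_OPEN_RE = re.compile(r'^\s*<Directory\s+"?([^">]+?)"?\s*>', re.IGNORECASE)
DIR_CLOSE_RE = re.compile(r"^\s*</Directory>", re.IGNORECASE)

def parse_conf(text):
    """Split a config fragment into global directives and per-<Directory> directives.
    Names are lowercased; the last occurrence in a scope wins, as in Apache itself.
    Assumption: comments are stripped and containers are not nested."""
    global_dirs, containers, current = {}, {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        m = DIR_OPEN_RE.match(line)
        if m:
            current = m.group(1)
            containers[current] = {}
            continue
        if DIR_CLOSE_RE.match(line):
            current = None
            continue
        m = DIRECTIVE_RE.match(line)
        if m:
            scope = containers[current] if current is not None else global_dirs
            scope[m.group(1).lower()] = m.group(2)
    return global_dirs, containers

def enables_indexes(options):
    """True if an Options line turns Indexes on (a leading '-' removes it)."""
    return any(tok.lstrip("+").lower() == "indexes"
               for tok in options.split() if not tok.startswith("-"))

def audit(text):
    """Return a list of findings; an empty list means every check passed."""
    findings = []
    g, dirs = parse_conf(text)
    if g.get("serversignature", "Off").lower() != "off":
        findings.append("ServerSignature should be Off (version appears on error pages)")
    if g.get("servertokens", "Full").lower() not in ("prod", "productonly"):
        findings.append("ServerTokens should be Prod, found %s" % g.get("servertokens", "Full"))
    if g.get("traceenable", "On").lower() != "off":
        findings.append("TraceEnable should be Off")
    root = dirs.get("/")
    if root is None:
        findings.append("no <Directory /> container, so the filesystem root is not denied")
    elif (root.get("order", "").replace(" ", "").lower() != "deny,allow"
          or root.get("deny", "").lower() != "from all" or "allow" in root):
        findings.append("<Directory /> should carry 'Order deny,allow' and 'Deny from all' only")
    for path, d in dirs.items():
        if enables_indexes(d.get("options", "")):
            findings.append("Indexes is enabled in <Directory %s>" % path)
    return findings

if __name__ == "__main__":
    for name, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(name, audit(conf) or ["OK"])
```

To check a live system, pass the text of your own file to audit(). On Ubuntu the banner directives normally live in /etc/apache2/conf-enabled/security.conf rather than apache2.conf, so concatenate the files you want audited before calling it.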

Disable WebDAV

WebDAV is a popular protocol that allows for the sharing of data (such as calendars) and allows for web-based email. If these features are not needed, I highly recommend disabling this protocol from your Apache server. To do this, issue the following commands and then restart Apache:

sudo rm /etc/apache2/mods-enabled/dav.load
sudo rm /etc/apache2/mods-enabled/dav_fs.conf
sudo rm /etc/apache2/mods-enabled/dav_fs.load
sudo rm /etc/apache2/mods-enabled/dav_lock.load

Use SSL

I won't go into the setting up and configuring of SSL (we'll get into that later), but when you need secure http, you must use SSL.

Keep up to date

When an update is released for Apache, it is often for security purposes. Keep your eye on updates and make sure your Apache installation is as up to date as possible. This is critical.

Unlike the proprietary world, the open source world tends to find and fix bugs quickly, so shortly after a bug is found, you can bet the developers will be working on a fix right away. On a piece of software as important as Apache, those bug fixes will be rushed out to the repositories much faster than, say, a piece of desktop software.

Watch your log files

In the /var/log/apache2 directory, these logs are available: access.log and error.log. These logs, in particular, are always important to watch. If there seems to be an issue with Apache, I like to use the tail command on either of these log files (using the command sudo tail -f /var/log/apache2/access.log) to watch the logs as events are recorded.
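Watching with tail is good for a live look, but it helps to know what to watch for. The following scanner is an added example, not code from the article; it parses constructed lines in Apache's "combined" access.log format and flags the events the tips above are meant to produce or prevent: TRACE requests (which should be answered with 405 once TraceEnable is Off), 403 responses from the Deny rules, requests for a short hypothetical list of commonly probed paths, and clients that rack up many 404s. The sample addresses come from RFC 5737 documentation ranges and the traffic is invented.

```python
import re
from collections import Counter

# Constructed lines in Apache's "combined" log format (hypothetical traffic).
SAMPLE_ACCESS_LOG = """\
192.0.2.10 - - [10/Oct/2023:13:55:36 +0000] "GET / HTTP/1.1" 200 2326 "-" "Mozilla/5.0"
192.0.2.10 - - [10/Oct/2023:13:55:37 +0000] "GET /style.css HTTP/1.1" 200 512 "http://example.com/" "Mozilla/5.0"
198.51.100.7 - - [10/Oct/2023:13:56:01 +0000] "GET /phpmyadmin/ HTTP/1.1" 404 196 "-" "python-requests/2.31"
198.51.100.7 - - [10/Oct/2023:13:56:01 +0000] "GET /pma/ HTTP/1.1" 404 196 "-" "python-requests/2.31"
198.51.100.7 - - [10/Oct/2023:13:56:02 +0000] "GET /.env HTTP/1.1" 404 196 "-" "python-requests/2.31"
198.51.100.7 - - [10/Oct/2023:13:56:02 +0000] "GET /wp-login.php?action=register HTTP/1.1" 404 196 "-" "python-requests/2.31"
203.0.113.5 - - [10/Oct/2023:13:57:10 +0000] "TRACE / HTTP/1.1" 405 229 "-" "curl/8.0"
192.0.2.10 - - [10/Oct/2023:13:58:00 +0000] "GET /images/ HTTP/1.1" 403 199 "-" "Mozilla/5.0"
this line is not in combined format and is skipped
"""

# Fields of the combined format up to the status code and response size.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

# Hypothetical list of paths that show up in automated probing; extend as needed.
PROBE_PATHS = ("/phpmyadmin", "/pma", "/wp-login.php", "/.env", "/.git")

def parse_line(line):
    """Return the fields of one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    return rec

def is_probe(path):
    """Match on the path component only, ignoring query string and trailing slash."""
    p = path.split("?", 1)[0].rstrip("/").lower()
    return any(p == probe or p.startswith(probe + "/") for probe in PROBE_PATHS)

def scan(log_text, not_found_threshold=3):
    """Return (kind, client ip, detail) alerts found in the log text.
    kinds: 'trace' for TRACE requests, 'probe' for known probe paths,
    'forbidden' for 403s from the Deny rules, 'scan' for clients with many 404s."""
    alerts = []
    not_found = Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["method"] == "TRACE":
            alerts.append(("trace", rec["ip"], rec["path"]))
        if is_probe(rec["path"]):
            alerts.append(("probe", rec["ip"], rec["path"]))
        if rec["status"] == 403:
            alerts.append(("forbidden", rec["ip"], rec["path"]))
        if rec["status"] == 404:
            not_found[rec["ip"]] += 1
    for ip, n in not_found.items():
        if n >= not_found_threshold:
            alerts.append(("scan", ip, "%d x 404" % n))
    return alerts

if __name__ == "__main__":
    for kind, ip, detail in scan(SAMPLE_ACCESS_LOG):
        print("%-9s %-14s %s" % (kind, ip, detail))
```

Feed it a real file with scan(open("/var/log/apache2/access.log").read()); the 404 threshold is deliberately low for the sample and should be raised for a busy site.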

What are your favorite methods?

This list could go on and on, but these are my go-to methods for hardening an Apache web server. Add to this list by posting your favorite method for making Apache more secure in the discussion.

Also read: 10 things you should do to secure Apache.

About

Jack Wallen is an award-winning writer for TechRepublic and Linux.com. He’s an avid promoter of open source and the voice of The Android Expert. For more news about Jack Wallen, visit his website getjackd.net.

3 comments
mark

I use squid to reverse proxy to my home hosted domains. I currently have it setup on a virtual machine reversing to a dedicated web server, but this is going to change when I migrate the dedicated machines sites to hosted machines on the new server I have. There are a couple of tips in this that I am going to use on the web servers, but I am going to be studying up more on squid and use that to restrict what people can access on the other end.

sysop-dr

If you use apache, use it on Linux and install and setup SELinux to only let apache serve servable files and not config files. And then use Bastille to set your security settings after going through and setting the policies you want to enforce. Then get a certificate and only allow encrypted access to your server. If you use a login on your website and you are not doing this stop everything you are doing and do this now. With Apache it's a simple rewrite rule. Hope this helps.

Neon Samurai

Are there any specific messages you watch your logs for? I've found "blocked by config" and URL requests for things like phpmyadmin or similar popular break-in targets can help. (It would be more accurate to suggest these steps to harden against "criminals" or "crackers" if you must have a fancy term. Hackers won't be targeting your Apache and breaking into your server without prior permission and that's really only if they are of the Security Hacker minority.)