If you think Apache and Linux will deflect all threats without extra security precautions, think again. As Jack Wallen explains, you need to take a number of steps to make sure Apache is a secure Web server.
You’ve installed Apache to serve up your company’s Web site. It’s running smooth as silk, and you know you have the safety net of Linux to catch you. But after a couple of weeks, things start to go wrong. Why? It’s Apache and Linux… What could go wrong? Plenty, if you’re not careful. There are ways to make sure Apache is secure, but doing nothing is not one of them. Here are 10 simple ways to make Apache a more secure Web server.
Note: This article is also available as a PDF download.
#1: Update, update, update
Just because it is Apache running on Linux doesn’t mean you shouldn’t bother to update. New holes and security risks are found all the time. You should always develop a sound update policy to keep on top of patches. If you have installed Apache with your distributions package manager, you can make the updates go seamlessly. If you have installed from source, make sure that upgrade is not going to break any modules or dependencies your Web site has. And if you update Apache, make sure PHP (if used) is updated as well.
#2: Use the right user:group
I have seen Apache installed under many groups and/or users. One of the biggest offenders is the root user. This can lead to some serious issues. Or say both Apache and MySQL are run by the same user/group. If there is a hole in one, it can lead to an attack on the other. The best scenario is to make sure Apache is run as the user and group apache. To make this change, open the httpd.conf file and check the lines that read:
Change these entries to:
If you get any errors indicating the group or user do not exist, you’ll have to create them.
#3: Turn off unwanted services
There are a few services and/or features that you will want to turn off or not allow. All of these services can be disabled in the httpd.conf file. Those services/features that could cause the most issues include:
- Directory browsing. This is done within a directory tag (the document root is a good place to start) using the Options directive and is set with “-Indexing”.
- Server side Includes. This is another feature that is disabled within a directory tag (using Options directive) and is set with “-Includes”.
- CGI execution. Unless your site needs CGI, turn this off. This feature is also set within a directory tag using the Options directive, with “-ExecCGI”.
- Symbolic links. Set this inside a (surprise, surprise) directory tag with “-FollowSymLinks”.
- None. You can turn off all options (in the same way you set the above) using “None” with the Option directive.
#4: Disable unused modules
Apache has a ton of modules. To get an idea how many modules your installation is running, issue the command (as the root user) grep -n LoadModule httpd.conf from within your Apache configuration directory. This command will show you every module Apache is loading, along with the line number it falls on. To disable the modules you don’t need, simply comment them out with a single # character at the beginning of the module line.
#5: Restrict access
Say you have an intranet that contains critical company information. You will want to deny anyone outside your private network from seeing this information. To do this, you can restrict access to your internal network by adding the following inside a directory tag in your httpd.conf file:
Order Deny, Allow
Deny from all
Allow from 192.168.1.0/16
where 192.168.1.0/16 is the configuration matching your internal network. As with all modifications to the httpd.conf file, make sure you restart Apache so the changes take effect.
#6: Limit request size
Denial of service attacks are always a possibility when you allow large requests on Apache. Apache has a directive, LimitRequestBody, that is placed within a Directory tag. The size of your limit will depend upon your Web site’s needs. By default, LimitRequestBody is set to unlimited.
#7: Employ mod_security
One of the most important Apache modules is mod_security. This module handles many tasks, including simple filtering, regular expression filtering, URL encoding validation, and server identity masking. The mod_security installation and setup is a bit beyond a one-paragraph description. But you can begin by adding the “unique_id” and “security2” directives in the Apache modules section. Once you have added the entries, run the command service apache2 configtest. If you get returned Syntax OK you’re good to go.
#8: Do not allow browsing outside the document root
Allowing browsing outside the document root is inviting trouble. Unless you have a specific need to allow it, disable this feature. First, you’ll need to edit the document root Directory entry like so:
Order Deny, Allow
Deny from all
Now, if you need to add options to any directory within the document root, you will have to add a new Directory entry for each one.
#9: Hide Apache’s version number
The best offense is a good defense. And one of the best defenses is to obfuscate as much information about your service as you can. One crucial bit of information to hide is the Apache version number. By hiding it, you keep unwanted users from knowing how to quickly hack your Web server. To hide Apache’s version number, add the following in your document root Directory tag:
#10: Immunize httpd.conf
One of the best security measures is to hide your httpd.conf file from prying eyes. If people who shouldn’t see your httpd.conf file can’t see it, they can’t change it. To immunize the httpd.conf file, set the immutable bit with the following command:
chattr +i /path/to/httpd.conf
where /path/to/httpd.conf is the path to your Apache configuration file. Now it will be very difficult for anyone to make any changes to httpd.conf.
We’ve looked at 10 quick ways to secure your Apache server. There are actually quite a few more configuration options for Apache. Some are fairly generic, but some are designed for specific purposes. Make sure you employ the most secure Apache options/configurations that suite your Web server needs.