Tips for secure Apache in Linux box

We as a whole know about Apache web server, it is an exceptionally mainstream webserver to have your web documents or your site on the web. Here are a few steps which can assist you with securing Apache web server on your Linux server.

Here in this instructional exercise, I’ll cover some principle tips to make sure about your web server. Before you apply this modification in your web server, you ought to have a few fundamentals of the Apache worker.

  • Document root Directory: /var/www/html or /var/www
  • Main Configuration file: /etc/httpd/conf/httpd.conf (RHEL/CentOS/Fedora) and /etc/apache2/apache2.conf (Debian/Ubuntu).
  • Default HTTP Port: 80 TCP
  • Default HTTPS Port: 443 TCP
  • Test your configuration file settings and syntax: httpd -t
  • Access Log files of Web Server: /var/log/httpd/access_log
  • Error Log files of Web Server: /var/log/httpd/error_log

Hide Apache Version and OS Identity from Errors

At the point when you install Apache with source or some other bundle installers like yum, it shows the form of your Apache web server introduced on your worker with the Operating system name of your server in Errors. It likewise shows the data about Apache modules introduced in your server.

In the above picture, you can see that Apache is showing its version with the OS running in your server. This can be a significant security danger to your web server just as your Linux box as well. To forestall Apache to not to show this data to the world, we need to roll out certain improvements in Apache fundamental arrangement record.

Open the conf file with vim manager and quest for “ServerSignature”, its naturally On. We need to Off this server signature and the second line “ServerTokens Prod” advises Apache to restore just Apache as an item in the server reaction header on each page demand, It smothers the OS, major and minor form version information.

# vim /etc/httpd/conf/httpd.conf (RHEL/CentOS/Fedora)
# vim /etc/apache2/apache2.conf (Debian/Ubuntu)
ServerSignature Off
ServerTokens Prod

Restart apache server:

# service httpd restart (RHEL/CentOS/Fedora)
# service apache2 restart (Debian/Ubuntu)

Disable Directory Listing

By default Apache list all the content of Document root directory within the absence of index file. Please see the image below.

We can close up directory listing by using Options directive within the configuration file for a selected directory. For that, we’d like to form an entry in httpd.conf or apache2.conf file.

<Directory /var/www/html>
    Options -Indexes
</Directory>

Keep updating Apache time to time

Apache developer community is continuously performing on security issues and releasing its updated version with new security options. So it’s always recommended to use the newest version of Apache as your web server.

To check Apache version: you’ll check your current version with httpd -v or apache2 -v command.

#httpd -v (RHEL/CentOS/Fedora)
#apache2 -v (Debian/Ubuntu)

Output:

Server version: Apache/2.2.15 (Unix/Ubuntu)
Server built: 2020-08-12T21:33:25

You can update your apache web server with the following command.

# yum update httpd (RHEL/CentOS/Fedora)
# apt-get install apache2 (Debian/Ubuntu)

It is additionally prescribed to remain your Kernel and OS refreshed to the most up to date stable deliveries in case you’re not running a particular application which works just on explicit OS or Kernel.

Disable Unused Modules

It’s in every case great to minor the probabilities of being a casualty of any web assault. So it’s prescribed to impair each one of those modules that aren’t being used as of now. you’ll list all the aggregated modules of a web server, utilizing the resulting command.

# grep LoadModule /etc/httpd/conf/httpd.conf

# have to place corresponding `LoadModule' lines at this location so the
# LoadModule foo_module modules/mod_foo.so
LoadModule auth_basic_module modules/mod_auth_basic.so
LoadModule auth_digest_module modules/mod_auth_digest.so
LoadModule authn_file_module modules/mod_authn_file.so
LoadModule authn_alias_module modules/mod_authn_alias.so
LoadModule authn_anon_module modules/mod_authn_anon.so
LoadModule authn_dbm_module modules/mod_authn_dbm.so
LoadModule authn_default_module modules/mod_authn_default.so
LoadModule authz_host_module modules/mod_authz_host.so
LoadModule authz_user_module modules/mod_authz_user.so
LoadModule authz_owner_module modules/mod_authz_owner.so
LoadModule authz_groupfile_module modules/mod_authz_groupfile.so
LoadModule authz_dbm_module modules/mod_authz_dbm.so
LoadModule authz_default_module modules/mod_authz_default.so
LoadModule ldap_module modules/mod_ldap.so
LoadModule authnz_ldap_module modules/mod_authnz_ldap.so
LoadModule include_module modules/mod_include.so
LoadModule log_config_module modules/mod_log_config.so
LoadModule logio_module modules/mod_logio.so
LoadModule env_module modules/mod_env.so
LoadModule ext_filter_module modules/mod_ext_filter.so
....
....

Above is that the rundown of modules that are empowered naturally yet frequently not required: mod_imap, mod_include, mod_info, mod_userdir, mod_autoindex. To cripple the genuine module, you’ll embed a “#” toward the beginning of that line and restart the apache.

Run Apache as separate Group and User

With a defaulting establishment, Apache runs its cycle with user no one or daemon. For security reasons, it’s prescribed to run Apache in its non-super user. For instance: http-web-user.

# groupadd http-web-user
# useradd -d /var/www/ -g http-web-user -s /bin/nologin http-web-user

Now you would like to inform Apache to run with this new user and to try to so, we’d like to form an entry in /etc/httpd/conf/httpd.conf and restart the service.

Open /etc/httpd/conf/httpd.conf with vim editor and look for keyword “User” and “Group” and there you’ll get to specify the username and group name to use.

User http-web-user
Group http-web-user

Use Allow and Deny to Restrict access to server dir

We can restrict access to directories with “Allow” and “Deny” options in httpd.conf file. Here during this example, we’ll be securing root directory, for that by setting the subsequent within the httpd.conf file.

<Directory />
   Options None
   Order deny,allow
   Deny from all
</Directory>
  • Options “None” – This option will disallow users to allow any optional features.
  • Order deny, allow – This is the direction in which the “Deny” and “Allow” directives will be prepared. Here it will “deny” primary and “allow” next.
  • Deny from all – This will deny the request from everybody to the root directory, no one will be able to access root dir.

Install mod_security Modules to Secure Apache server

These two modules “mod_security” and “mod_evasive” are very fashionable modules of Apache in terms of security.

Mod_security

Where mod_security works as a firewall for our web app and lets us watch the traffic on real-time support. It also helps us to guard our web app or web server from brute force attacks. you’ll simply install mod_security on your server with the assistance of your default package installers.

Install mod_security on Ubuntu/Debian
$ sudo apt install libapache2-mod-security2 -y
$ sudo service apache2 restart
Install mod_security on RHEL/CentOS/Fedora/
# yum install mod_security
# /etc/init.d/httpd restart

Disable Apache’s following of Symbolic Links

By default Apache follows symlinks, we will close up this feature with FollowSymLinks with Options directive. And to try to so we’d like to form the subsequent entry within the main configuration file.

Options -FollowSymLinks

Also, if a specific client or site need FollowSymLinks to empower, we will just work a standard out “.htaccess” file from that site.

# Enable symbolic links
Options +FollowSymLinks

Note: To empower modify administers inside “.htaccess” file “AllowOverride All” should be available inside the main conf file.

Disable Server Side Includes and CGI

We can close up server-side includes (mod_include) and CGI execution if not needed and to try to so we’d like to switch the most configuration file.

Options -Includes
Options -ExecCGI

We can do that for a specific directory too with Directory tag. Here during this example, we are turning off Includes and Cgi file executions for “/var/www/html/website1” directory.

<Directory "/var/www/html/web1">
    Options -Includes -ExecCGI
</Directory>

Limit Request Body Size

By default Apache has no limit on the entire size of the HTTP request i.e. unlimited and once you allow large requests on an internet server its possible that you simply might be a victim of Denial of service attacks. we will Limit the requests size of an Apache directive “LimitRequestBody” with the directory tag.

You can set the worth in bytes from 0 (unlimited) to 2147483647 (2GB) that are allowed during a request body. you’ll set this limit consistent with your site needs, Suppose you’ve got a site where you allows uploads and you would like to limit the upload size for a specific directory.

Here during this example, user_uploads may be a directory which contains files uploaded by users. We are putting a limit of 500K for this.

<Directory "/var/www/myweb1/user_uploads">
   LimitRequestBody 512000
</Directory>

Protect from DDOS attacks

Well, it’s true that you simply cannot completely protect your internet site from DDoS attacks. Here are some directives which may assist you to possess control thereon.

  • TimeOut: This directive allows you to line the quantity of your time the server will await certain events to finish before it fails. Its default value is 300 secs. It’s good to stay this value low on those sites which are subject to DDOS attacks. This value depends on quite request you’ve aged your website. Note: It could pose problems with come CGI scripts.
  • MaxClients: This directive allows you to line the limit on connections which will be served simultaneously. Every new connection is going to be queued up after this limit. it’s available with Prefork and Worker both MPM. The default value of it’s 256.
  • KeepAliveTimeout: Its the quantity of your time the server will await a subsequent request before closing the connection. The default value is 5 secs.
  • LimitRequestFields: It helps us to line a limit on the amount of HTTP request’s header fields which will be accepted from the clients. Its default value is 100. it’s recommended to lower this value if DDoS attacks are occurring as a result of numerous HTTP request headers.
  • LimitRequestFieldSize: It helps us to line a size limit on the HTTP request header.

Setup Apache Logging

Apache allows you to log independently of your OS logging. it’s knowing to enable Apache logging, because it provides more information, like the commands entered by users that have interacted together with your Web server.

To do so you would like to incorporate the mod_log_config module. There are three main logging-related directives available with Apache.

  1. TransferLog: Generating a log file.
  2. LogFormat: Defining a custom format.
  3. CustomLog: Generating and formatting a log file.

You can likewise utilize them for a particular site, you just had the chance to determine it inside the virtual host area. for example, here is that my site virtual host arrangement with logging empowered.

<VirtualHost *:80>
   DocumentRoot /var/www/html/example.com/
   ServerName www.example.com
   DirectoryIndex index.htm index.html index.php
   ServerAlias example.com
   ErrorDocument 404 /story.php
   ErrorLog /var/log/httpd/example.com_error_log
   CustomLog /var/log/httpd/example.com_access_log combined
</VirtualHost>

Securing Web traffic with SSL Certificates

Last, but not the smallest amount SSL certificates, you’ll secure your all the communication in an encrypted manner over the web with SSL certificate. Suppose you’ve got an internet site during which people login by proving their Login credentials otherwise you have an E-Commerce website where people provides their bank details or Debit/Credit card details to get products, by default your web server send these details in plain – text format but once you use SSL certificates to your websites, Apache sends all this information in encrypted text.

You can purchase SSL certificates from numerous different SSL providers like godaddy.com. If you’re running a really small web business and don’t willing to get an SSL certificate you’ll still assign a Self-signed certificate to your website. Apache uses the mod_ssl module to support SSL certificate.

# openssl genrsa -des3 -out example.com.key 1024
# openssl req -new -key example.com.key -out exmaple.csr
# openssl x509 -req -days 365 -in example.com.com.csr -signkey example.com.com.key -out example.com.com.crt

Once your certificate has been created and signed. Now you would like to feature this in Apache configuration. Open the most configuration file with vim editor and add the subsequent lines and restart the service.

<VirtualHost 172.16.25.125:443>
        SSLEngine on
        SSLCertificateFile /etc/pki/tls/certs/example.com.crt
        SSLCertificateKeyFile /etc/pki/tls/certs/example.com.key
        SSLCertificateChainFile /etc/pki/tls/certs/sf_bundle.crt
        ServerAdmin admin@example.com
        ServerName example.com
        DocumentRoot /var/www/html/example/
        ErrorLog /var/log/httpd/example.com-error_log
        CustomLog /var/log/httpd/example.com-access_log common
</VirtualHost>

Open up your web browser, type https://example.com, and you’ll be prepared to see the enhanced self-marked certificate.

Certain are some security points that you can use to secure your Apache web server installation. For more helpful protection tips and ideas, see the official online documentation of Apache HTTP Server.

secure apache