Security and Hardening Tips for Apache

  1. Use mod_security and mod_evasive Modules to Secure Apache


    mod_security works as a web application firewall: it lets us monitor traffic in real time and helps protect our websites or web server from brute-force attacks. You can install mod_security on your server with your distribution's default package manager.
    Install mod_security on Ubuntu

    These commands will install dependencies:

    sudo apt-get install libxml2 libxml2-dev libxml2-utils
    sudo apt-get install libaprutil1 libaprutil1-dev
    

    If you are using 64 bit Ubuntu run this command:

    ln -s /usr/lib/x86_64-linux-gnu/libxml2.so.2 /usr/lib/libxml2.so.2
    

    This command will install mod security:

    sudo apt-get install libapache-mod-security

    Configuring ModSecurity Rules

    mv /etc/modsecurity/modsecurity.conf-recommended /etc/modsecurity/modsecurity.conf

    Now open the ModSecurity configuration file for editing:

    gedit /etc/modsecurity/modsecurity.conf

    Find the SecRuleEngine directive (the recommended config ships it as DetectionOnly, which only logs) and set it to On so that rules block as well as log:

    SecRuleEngine On

    Mod_evasive

    mod_evasive is a lightweight module that handles each request efficiently, so it limits the damage a DoS or DDoS attack can do. This lets it cope with HTTP brute-force attacks as well as DoS and DDoS floods. The module detects an attack in three ways:

    • The same page is requested more than a few times per second.
    • More than 50 concurrent requests are made to the same child process per second.
    • An IP address keeps making new requests while it is temporarily blacklisted.
  2. Do not allow browsing outside the document root


    Allowing browsing outside the document root is inviting trouble. Unless you have a specific need to allow it, disable this feature. First, you’ll need to edit the document root Directory entry like so:

    <Directory />
    Order Deny,Allow
    Deny from all
    Options None
    AllowOverride None
    </Directory>

    Now, if you need to add options to any directory within the document root, you will have to add a new Directory entry for each one.

  3. Hide Apache’s version number


    The best offense is a good defense, and one of the best defenses is to reveal as little information about your service as you can. One crucial bit of information to hide is the Apache version number: by hiding it, you keep unwanted users from immediately knowing which known weaknesses apply to your Web server. To hide Apache’s version number, add the following directives to your Apache configuration (ServerSignature may go in a Directory entry, but ServerTokens is only valid in the main server configuration):

    ServerSignature Off
    ServerTokens Prod

  4. Enable Apache Logging


    Apache lets you log independently of your OS logging. It is wise to enable Apache logging, because it provides more information, such as the requests sent by clients that have interacted with your Web server.

    To do so you need to include the mod_log_config module. There are three main logging-related directives available with Apache.

    • TransferLog: Creating a log file.
    • LogFormat : Specifying a custom format.
    • CustomLog : Creating and formatting a log file.

    You can also use them for a particular website if you are doing virtual hosting; for that you need to specify them in the virtual host section. For example, here is my website's virtual host configuration with logging enabled.

    # *:80 is an assumed listening address; adjust it to your server
    <VirtualHost *:80>
    DocumentRoot /var/www/html/example.com/
    ServerName www.example.com
    DirectoryIndex index.htm index.html index.php
    ServerAlias example.com
    ErrorDocument 404 /story.php
    ErrorLog /var/log/httpd/example.com_error_log
    CustomLog /var/log/httpd/example.com_access_log combined
    </VirtualHost>
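    The combined log format above records every request with its client address, timestamp and request line, which is enough to spot the pattern mod_evasive reacts to (the same client hitting the same page many times within one second). The following script is an added example, not code from the original article; the log lines it reads are constructed sample data.

```shell
#!/bin/sh
# Added example: flag (client, page, second) tuples in a "combined"-format
# access log whose request count exceeds a threshold, the same heuristic
# mod_evasive applies to live traffic. Sample log lines are constructed.

LOGFILE="${TMPDIR:-/tmp}/sample_access_log.$$"
cat > "$LOGFILE" <<'EOF'
203.0.113.7 - - [10/Oct/2023:13:55:36 +0000] "GET /index.php HTTP/1.1" 200 2326 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Oct/2023:13:55:36 +0000] "GET /index.php HTTP/1.1" 200 2326 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Oct/2023:13:55:36 +0000] "GET /index.php?p=2 HTTP/1.1" 200 2326 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Oct/2023:13:55:36 +0000] "GET /index.php HTTP/1.1" 200 2326 "-" "Mozilla/5.0"
198.51.100.2 - - [10/Oct/2023:13:55:36 +0000] "GET /index.php HTTP/1.1" 200 2326 "-" "curl/8.0"
198.51.100.2 - - [10/Oct/2023:13:55:37 +0000] "GET /file/a.txt HTTP/1.1" 200 10 "-" "curl/8.0"
EOF

# page_burst_offenders LOGFILE THRESHOLD
# Prints "ip page second count" for every (client, page, second) tuple whose
# request count is greater than THRESHOLD.
page_burst_offenders() {
    awk -v limit="$2" '
        {
            ip = $1
            # $4 looks like "[10/Oct/2023:13:55:36"; drop the leading bracket
            ts = substr($4, 2)
            # $7 is the request target; strip the query string so that
            # /index.php and /index.php?p=2 count as the same page
            page = $7; sub(/\?.*/, "", page)
            hits[ip SUBSEP page SUBSEP ts]++
        }
        END {
            for (k in hits) if (hits[k] > limit) {
                split(k, parts, SUBSEP)
                printf "%s %s %s %d\n", parts[1], parts[2], parts[3], hits[k]
            }
        }' "$1"
}

page_burst_offenders "$LOGFILE" 2
```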

  5. Immunize httpd.conf


    One of the best security measures is to hide your httpd.conf file from prying eyes. If people who shouldn’t see your httpd.conf file can’t see it, they can’t change it. To immunize the httpd.conf file, set the immutable bit with the following command:

    chattr +i /path/to/httpd.conf

    where /path/to/httpd.conf is the path to your Apache configuration file. With the immutable bit set, not even root can modify, rename or delete the file until the attribute is cleared again with chattr -i /path/to/httpd.conf, so remember to do that before editing or before a package upgrade that rewrites the file.

  6. Protect against DDoS attacks and harden the server


    It is true that you cannot completely protect your web site from DDoS attacks, but the following directives help you keep them under control.

    • Timeout : This directive sets the amount of time the server will wait for certain events to complete before it fails the request. Its default value is 300 secs. It is good to keep this value low on sites that are subject to DDoS attacks; the right value depends entirely on the kind of requests your website receives. Note: a low value can pose problems with some CGI scripts.
    • MaxClients : This directive sets the limit on connections that will be served simultaneously. Every new connection beyond this limit is queued. It is available with both the Prefork and Worker MPMs, and its default value is 256. (In Apache 2.4 the directive is called MaxRequestWorkers; the old name is still accepted.)
    • KeepAliveTimeout : The amount of time the server will wait for a subsequent request on a persistent connection before closing it. Default value is 5 secs.
    • LimitRequestFields : Sets a limit on the number of HTTP request header fields that will be accepted from clients. Its default value is 100. It is recommended to lower this value if DDoS attacks are arriving as requests carrying very many HTTP headers.
    • LimitRequestFieldSize : Sets a size limit on each HTTP request header field.
  7. Disable Trace HTTP Request


    The default TraceEnable on permits TRACE, which disallows any request body to accompany the request. TraceEnable off causes the core server and mod_proxy to return a 405 (Method not allowed) error to the client.

    Leaving TraceEnable on exposes the server to Cross-Site Tracing (XST), which can give an attacker a way to steal your cookie information.

    Solution:

    Address this security issue by disabling the TRACE HTTP method in the Apache configuration. You can do so by modifying or adding the directive below in the httpd.conf of your Apache Web Server.

    # vi httpd.conf
    TraceEnable off
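    The directives from sections 3, 6 and 7 (ServerTokens, ServerSignature, Timeout, TraceEnable) are easy to forget on one of many servers, so an offline check is useful. The following audit script is an added example, not code from the original article; it reads a constructed sample httpd.conf that deliberately leaves several settings weak, and it only knows the directives this article discusses.

```shell
#!/bin/sh
# Added example: audit an Apache config file for the hardening directives
# covered above. The sample config is constructed and intentionally weak.

CONF="${TMPDIR:-/tmp}/sample_httpd.conf.$$"
cat > "$CONF" <<'EOF'
ServerTokens Full
ServerSignature On
# TraceEnable is not set, so the default (on) applies
Timeout 300
KeepAliveTimeout 5
LimitRequestFields 100
EOF

# directive_value FILE NAME: print the effective (last, uncommented) value of
# NAME; Apache directive names are case-insensitive, so compare lower-cased.
directive_value() {
    awk -v name="$2" 'tolower($1) == tolower(name) { val = $2 } END { print val }' "$1"
}

# audit_config FILE: prints one "FAIL <directive>" line per weak or missing
# setting and returns 1 if anything failed, 0 if the file passes.
audit_config() {
    rc=0
    # values the article says to set (compared case-insensitively)
    for pair in "ServerTokens=Prod" "ServerSignature=Off" "TraceEnable=off"; do
        name=${pair%%=*}; want=${pair#*=}
        got=$(directive_value "$1" "$name")
        if [ "$(printf %s "$got" | tr 'A-Z' 'a-z')" != "$(printf %s "$want" | tr 'A-Z' 'a-z')" ]; then
            echo "FAIL $name (found '${got:-<unset>}', want '$want')"; rc=1
        fi
    done
    # Timeout: the article recommends lowering it from the 300 s default
    t=$(directive_value "$1" Timeout)
    if [ -z "$t" ] || [ "$t" -ge 300 ]; then
        echo "FAIL Timeout (found '${t:-<unset>}', still at or above the 300 s default)"; rc=1
    fi
    return $rc
}

audit_config "$CONF" || echo "config needs hardening"
```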

  8. Restrict File/Folder Access


    RewriteEngine on
    RewriteCond %{REQUEST_URI} !^/index\.php$
    RewriteCond %{REQUEST_URI} !^/file/(.+)
    RewriteCond %{REQUEST_URI} !^/includes/images/(apple|date)\.jpg$
    RewriteRule (.*) - [F]
    

    This code will only allow access to:

    • apple.jpg and date.jpg from your /includes/images/ folder.
    • Your index.php file.
    • Any file from your /file/ directory.

    Otherwise it will forbid access to any other file and will serve 403 Forbidden error.
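    Because each RewriteCond is a negated regular expression, the anchors decide exactly which paths get through, and it pays to check the policy before deploying it. The following is an added example, not code from the original article: it evaluates the three patterns above against a set of paths (REQUEST_URI never contains the query string, so only the path is passed).

```shell
#!/bin/sh
# Added example: evaluate the allow-list encoded by the RewriteCond rules
# above, so the policy can be checked offline before it goes into .htaccess.

# uri_allowed PATH: returns 0 if the rewrite rules would let PATH through,
# 1 if they would answer 403 Forbidden.
uri_allowed() {
    path=$1
    # Each RewriteCond is a negated match, so the [F] rule fires only when
    # none of the three patterns matches; any single match allows the path.
    for pat in '^/index\.php$' '^/file/(.+)' '^/includes/images/(apple|date)\.jpg$'; do
        if printf '%s\n' "$path" | grep -Eq "$pat"; then
            return 0
        fi
    done
    return 1
}

# Edge cases worth noticing: /file/ alone is forbidden because (.+) needs at
# least one character, and /index.php/extra is forbidden because of the $ anchor.
for p in /index.php /file/report.pdf /includes/images/apple.jpg \
         /index.php/extra /file/ /includes/images/pear.jpg /admin/; do
    if uri_allowed "$p"; then echo "allow  $p"; else echo "403    $p"; fi
done
```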

    PS: You don’t need this code below in your .htaccess file anymore.

    Order Deny,Allow
    Deny from All
    
    <files "index.php">
    Order Deny,Allow
    allow from all
    </files>
    

  9. Enable PHP basedir


    PHP has a built-in chroot-like restriction called open_basedir. You can configure PHP scripts to access files only in specific directories, much as a chroot would. In practice you configure each site to access only the files located in that site's own directory, which is a very good idea from a security point of view.

    You can add the following lines to the website configuration file or to .htaccess file to enable PHP basedir:

    php_value open_basedir /var/www/foo.bar/:/usr/local/php/

    This restricts your PHP scripts to the listed directories. Note that each entry is matched as a prefix, so /var/www/foo.bar would also match /var/www/foo.bar2; end each entry with a slash, as above, to limit it to that directory alone.

  10. Update, Update, Update


    Just because it is Apache running on Linux doesn’t mean you shouldn’t bother to update. New holes and security risks are found all the time, so you should develop a sound update policy to keep on top of patches. If you installed Apache with your distribution's package manager, updates can be applied seamlessly. If you installed from source, make sure an upgrade is not going to break any modules or dependencies your Web site relies on. And if you update Apache, make sure PHP (if used) is updated as well.