Apache 2 Hardening Tips

Below are some of the tricks I use or found useful to try to mitigate unwanted attention. Whilst this is not a definitive guide these are simple quick things that can be done. This was written for Ubuntu but it can be applied to any OS running Apache 2.

Disable Directory Listings

First directive to change is to stop people browsing through files when a user types in a web address which leads to a folder.

Edit the file /etc/apache2/sites-available/default
changing default for the site config file.
$ sudo service apache2 restart
Find Indexes from the options under the Directory directive and add a subtract sign to disable the option. For example:
<Directory /var/www/>
Options Indexes FollowSymLinks MultiViews
AllowOverride None
Order allow,deny
allow from all
</Directory>

Becomes
<Directory /var/www/>
Options -Indexes FollowSymLinks MultiViews
AllowOverride None
Order allow,deny
allow from all
</Directory>

mod-evasive

As a last measure from a DDOS attach, Apache has a module which black lists IP addresses temporarily. The default rules are:

  1. Requesting the same page more than a few times per second
  2. Making more than 50 concurrent requests on the same child per second
  3. Making any requests while temporarily blacklisted (on a blocking list)

$sudo apt-get install libapache2-mod-evasive

mod-security

Helps stop some injection and Server Side Includes (SSI) attacks:
$sudo apt-get install libapache2-mod-security2
This has changed in Ubuntu 12.04 to libapache2-modsecurity i.e
$sudo apt-get install libapache2-modsecurity

Remove Server Signature & Information

Turn off server information such as version of Apache and HTTP header server information.

$sudo vi /etc/apache2/conf.d/security

Find the following and change the values to Prod and Off
ServerTokens Prod
ServerSignature Off

Update Apache

Keep the software as up to date as possible. New version come out all the time with various fixes and security patches. Fortunately, Debian based systems such as Ubuntu makes this really easy:
$sudo apt-get update && sudo apt-get dist-upgrade

Last thing to do is to restart the server for the changes to take hold. Any mis-configuration should be reported when the server tries to start back up. It might be easier to restart after each change to make troubleshooting easier.

Below are some use case specific ways to enhance security. If the below changes breaks a site then revert the changes but for most home uses they can generally be turned off.

Disable SSI

Add a minus sign in front of Includes. E.g:
<Directory /var/www/>
Options -Indexes -Includes FollowSymLinks MultiViews
AllowOverride None
Order allow,deny
allow from all
</Directory>

Disable CGI

Add / modify ExecCGI in the directory directive:
<Directory /var/www/>
Options -Indexes -Includes -ExecCGI FollowSymLinks MultiViews
AllowOverride None
Order allow,deny
allow from all
</Directory>

Disable Symbolic Links

Remove / add a hyphen to FollowSymLinks to disable sym links (like shorts in Windows terms):
<Directory /var/www/>
Options -Indexes -Includes -ExecCGI -FollowSymLinks MultiViews
AllowOverride None
Order allow,deny
allow from all
</Directory>

Disable All Options

To remove all options above just remove all the options and add the word None
<Directory /var/www/>
Options None
AllowOverride None
Order allow,deny
allow from all
</Directory>

Almost Secure and Perfect Ubuntu Server

Security Tips

20 ways to Secure your Apache Configuration

How to harden Ubuntu 10.04 LTS + LAMP

About Danny

I.T software professional always studying and applying the knowledge gained and one way of doing this is to blog. Danny also has participates in a part time project called Energy@Home [http://code.google.com/p/energyathome/] for monitoring energy usage on a premise. Dedicated to I.T since studying pure Information Technology since the age of 16, Danny Tsang working in the field that he has aimed for since leaving school. View all posts by Danny → This entry was posted in Linux, Security, Web Server and tagged , , , , . Bookmark the permalink.

One Response to Apache 2 Hardening Tips

Leave a Reply

Your email address will not be published. Required fields are marked *.

All comments must go through an approval and anti-spam process before appearing on the website. Please be patience and do not re-submit your comment if it does not appear.