Hardening an Apache Server

Apache is the most common web server on Linux. As with any service exposed to the Internet, you should take steps to protect it from malicious users. Here I describe how I harden my Apache installations as installed through the apt-get package management system on Debian (the same applies on Ubuntu). It should carry over to other distributions, but note that the file locations will probably differ.

1: Disabling unnecessary modules

When you install Apache through apt-get on a Debian-based server, it comes with a few modules pre-enabled that give an attacker more information about your system than they need. Two of these are the autoindex and status modules:

  • autoindex: generates a listing of every file in a directory that has no index file, so an attacker can browse for backups, config files and anything else left lying in the document root
  • status: serves a server monitoring page (/server-status) showing current requests, client addresses, uptime and the server version

There is more than one way to disable these modules. You can either remove the symlinks from /etc/apache2/mods-enabled/ by hand or use the built-in a2dismod command, which does exactly the same thing. Either way, Apache only picks up the change after a restart:

a2dismod status
a2dismod autoindex
/etc/init.d/apache2 restart

2: Change some of the default settings

By default most applications ship with settings that make them just work; tightening them means editing the config files, and Apache is no different. Open /etc/apache2/apache2.conf and change the following. Debian keeps ServerTokens and ServerSignature in /etc/apache2/conf.d/security (or conf-available/security.conf on Apache 2.4), so look there if apache2.conf does not contain them:

TIP: use the find function of your editor to quickly find these options
  • ServerSignature Off
    • Stops server-generated pages (error pages, directory listings) from carrying a footer with the Apache version and your hostname
  • ServerTokens Prod
    • Reduces the Server response header to just "Apache" instead of version, OS and module details (ServerTokens also caps what ServerSignature is allowed to show)
  • Remove or comment out the entire block that configures the status module
    • You already disabled this module, so its configuration has no business staying in the file
  • Remove the Alias /icons/ line along with the Directory block for the icons directory below it
    • These icons are only used by the autoindex module, so there is no point serving them; keeping the alias exposes an extra directory outside your document root

3: Add some custom configurations

Add these to /etc/apache2/httpd.conf (on Debian's Apache 2.2 packages this file is included from apache2.conf for local additions; it is gone in 2.4, where you would put them in a file under conf-available/ and enable it with a2enconf). I explain what each one does in the comments above it.

# Disable the TRACE method, which lets an attacker bounce a request
# off the server (or any proxy or cache in front of it) and read back
# the full request, headers included. The block originally given here
# (an access-control section with "deny from all") is garbled on this
# page; TraceEnable is the directive that actually switches TRACE off,
# since a <Limit> section cannot restrict TRACE.
TraceEnable Off

# Restrictive defaults for the document root. The '-' removes each
# option, which keeps the line mergeable with any parent settings.
#  FollowSymLinks - don't follow symlinks, so a link dropped in the
#  doc tree cannot expose files outside it (mod_rewrite rules in a
#  <Directory> context need FollowSymLinks or SymLinksIfOwnerMatch)
#
#  Includes - no server-side includes (.shtml)
#
#  Indexes - no directory listings even if autoindex comes back
#
#  MultiViews - no content negotiation, which can otherwise reveal
#  the names of sibling files
#
#  AllowOverride None - prevents developers from changing these
#  options with .htaccess files elsewhere in the doc tree
#
# /var/www is Debian's default document root; adjust if yours differs.
<Directory /var/www/>
  Options -FollowSymLinks -Includes -Indexes -MultiViews
  AllowOverride None
  Order allow,deny
  Allow from all
</Directory>

Also add this to the same file so that nothing is served from the filesystem root (/) unless a more specific Directory block opens it. On Apache 2.4 the Order/deny lines below become "Require all denied", and the Allow lines in the block above become "Require all granted":

<Directory />
    Order deny,allow
    deny from all
</Directory>
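To check that steps 2 and 3 actually took, the script below is an added example (not from the original post) that audits one or more Apache config files for ServerSignature, ServerTokens and TraceEnable, and can set them. It reads only the files you name and does not follow Include lines, so pass apache2.conf together with the security file Debian splits out; the function names and the sample config at the bottom are my own.

```shell
#!/bin/sh
# apache_conf_audit.sh - added example, not part of the original post.
# Checks one or more Apache config files for the settings from steps 2
# and 3 (ServerSignature, ServerTokens, TraceEnable) and can set them.
# It reads only the files you name; Include lines are not followed.

# Print the effective value of a directive across the given files. As in
# Apache, the last active occurrence wins; commented-out lines are ignored.
#   usage: directive_value NAME FILE...
directive_value() {
    name="$1"; shift
    [ $# -gt 0 ] || return 1
    cat "$@" | sed 's/#.*$//' \
      | awk -v n="$name" 'tolower($1) == tolower(n) { v = $2 } END { print v }'
}

# Report whether NAME is set to WANT (case-insensitive, as Apache treats
# directive values). Returns 0 when it is, 1 when missing or different.
#   usage: check_directive NAME WANT FILE...
check_directive() {
    name="$1"; want="$2"; shift 2
    got="$(directive_value "$name" "$@")"
    lgot="$(printf '%s' "$got" | tr 'A-Z' 'a-z')"
    lwant="$(printf '%s' "$want" | tr 'A-Z' 'a-z')"
    if [ "$lgot" = "$lwant" ]; then
        echo "ok    $name $got"
        return 0
    fi
    echo "WEAK  $name is ${got:-unset}, want $want"
    return 1
}

# Run every check; the return value is the number of weak settings.
#   usage: audit_apache_conf FILE...
audit_apache_conf() {
    fails=0
    check_directive ServerSignature Off  "$@" || fails=$((fails + 1))
    check_directive ServerTokens    Prod "$@" || fails=$((fails + 1))
    check_directive TraceEnable     Off  "$@" || fails=$((fails + 1))
    return "$fails"
}

# Set NAME to VALUE in FILE: every active occurrence is rewritten, or the
# directive is appended if there is none. Goes through a temp file, so it
# does not depend on GNU sed -i.
#   usage: set_directive FILE NAME VALUE
set_directive() {
    file="$1"; name="$2"; value="$3"
    awk -v n="$name" -v v="$value" '
        tolower($1) == tolower(n) { print n " " v; seen = 1; next }
        { print }
        END { if (!seen) print n " " v }
    ' "$file" > "$file.tmp" && mv "$file.tmp" "$file"
}

# Stand-alone demo on a constructed file carrying the values Debian ships
# by default (ServerTokens OS, ServerSignature On, no TraceEnable line).
demo_dir=$(mktemp -d)
printf 'ServerTokens OS\nServerSignature On\n' > "$demo_dir/apache2.conf"
audit_apache_conf "$demo_dir/apache2.conf" || echo "-> weak settings found, fixing"
set_directive "$demo_dir/apache2.conf" ServerTokens Prod
set_directive "$demo_dir/apache2.conf" ServerSignature Off
set_directive "$demo_dir/apache2.conf" TraceEnable Off
audit_apache_conf "$demo_dir/apache2.conf" && echo "-> hardened"
rm -rf "$demo_dir"
```

After editing a live server, run `apache2ctl configtest` before the restart; a directive placed in the wrong context will otherwise stop Apache from starting.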

4: Change some file permissions

Your document root (/var/www by default on Debian) should be writable only by root, but it still has to be readable by the www-data user Apache runs as. 775 would make the whole tree group-writable, so use 755 for directories and 644 for files. If the application genuinely needs to write somewhere (uploads, caches), give that one directory to www-data rather than relaxing the whole tree:

chown -R root:root /var/www
find /var/www -type d -exec chmod 755 {} +
find /var/www -type f -exec chmod 644 {} +
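A quick way to find anything that slipped past that step, as an added example that is not from the original post: the script lists every file or directory under a document root that is not owned by the expected user or has a group or other write bit set, and can reset the tree to the 755/644 layout above. The function names are my own; the demo tree at the bottom is constructed and, because the demo runs unprivileged, it checks against the current user instead of root.

```shell
#!/bin/sh
# docroot_perms.sh - added example, not part of the original post. Finds
# anything under a document root that is not owned by the expected user or
# is writable by group or others, and can reset the tree to 755/644 as in
# step 4. OWNER defaults to root; the demo path is constructed.

# List violations under ROOT: wrong owner, or group/other write bit set.
# Symlinks are skipped, since the mode bits on the link itself are not
# enforced. Returns 0 when the tree is clean, 1 when anything was printed.
#   usage: find_writable ROOT [OWNER]
find_writable() {
    root="$1"; owner="${2:-root}"
    bad=$(find "$root" ! -type l \
            \( ! -user "$owner" -o -perm -g+w -o -perm -o+w \) -print)
    [ -z "$bad" ] && return 0
    printf '%s\n' "$bad"
    return 1
}

# Reset ROOT to the layout used in step 4: directories 755, files 644 and,
# if OWNER is given, everything owned by OWNER (the chown needs root).
#   usage: fix_perms ROOT [OWNER]
fix_perms() {
    root="$1"; owner="$2"
    find "$root" -type d -exec chmod 755 {} +
    find "$root" -type f -exec chmod 644 {} +
    if [ -n "$owner" ]; then
        chown -R "$owner:$owner" "$root"
    fi
    return 0
}

# Stand-alone demo on a constructed tree: one correct file, plus a
# world-writable upload script inside a group-writable directory. The
# owner check uses the current user because the demo is not run as root.
demo=$(mktemp -d); me=$(id -un)
mkdir -p "$demo/ok" "$demo/loose"
echo '<html>' > "$demo/ok/index.html";    chmod 644 "$demo/ok/index.html"
echo '<?php' > "$demo/loose/upload.php";  chmod 666 "$demo/loose/upload.php"
chmod 755 "$demo" "$demo/ok"; chmod 775 "$demo/loose"
find_writable "$demo" "$me" || echo "-> loose permissions found, fixing"
fix_perms "$demo"
find_writable "$demo" "$me" && echo "-> clean"
rm -rf "$demo"
```

On a real server run `find_writable /var/www` as root after the chown/chmod step and again periodically; a deploy script or a developer's umask will usually be what reintroduces group-writable files.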

Summary

This will give you a reasonably secure Apache server, but it is by no means complete and depends entirely on what you need the server to do. This is just a list of my own personal recommendations and is what I use to set up a web server from scratch. The key to staying secure, however, is to keep your systems up to date and to watch security mailing lists (Bugtraq and the Debian security announcements, for example) for reports, as they often supply workarounds and fixes for these issues.
