paint-brush
Apache Web Server Hardening: How To Protect Your Server From Attacksby@anees264
5,415 reads
5,415 reads

Apache Web Server Hardening: How To Protect Your Server From Attacks

by AneesJune 29th, 2020
Read on Terminal Reader
Read this story w/o Javascript
tldt arrow

Too Long; Didn't Read

Apache Web Server Hardening: How To Protect Your Server From Attacks. The default Apache configuration will expose the server version. This information might help an attacker gain a greater understanding of the systems in use and potentially develop further attacks targeted at the specific version of the server. It is also most vulnerable to cyber-attacks. By applying numerous configuration tweaks we can make Apache withstand malicious attacks up to a limit. Following are some Apache web server hardening tips that you can incorporate to improve security. Following these tips, you can install mod_security from your default package installer.

Company Mentioned

Mention Thumbnail
featured image - Apache Web Server Hardening: How To Protect Your Server From Attacks
Anees HackerNoon profile picture

he web server has a crucial role in web-based applications. Since most of us leave it to the default configuration, it can leak sensitive data regarding the web server.

There are numerous web servers in the market. Apache is one of the most popular and widely used out of all of them. Because of this popularity, it is also most vulnerable to cyber-attacks. 

By applying numerous configuration tweaks we can make Apache withstand malicious attacks up to a limit. Following are some Apache web server hardening tips that you can incorporate to improve security.

Hiding Server Version Banner

One of the first things to be taken care of is hiding the server version banner. 

The default Apache configuration will expose the server version. This information might help an attacker gain a greater understanding of the systems in use and potentially develop further attacks targeted at the specific version of the server.

We can easily fix server version disclosure by following the below steps:

1. Open apache.conf 

# vim /etc/httpd/conf/httpd.conf (RHEL/CentOS/Fedora)
# vim /etc/apache2/apache2.conf (Debian/Ubuntu)
Add the following directives to configuration
```
ServerSignature Off
ServerTokens Prod
```  

2. Save the configuration and restart Apache

Even better, we can change the server name to anything else in the server header. In order to achieve this, you need to enable the mod_security module. Then add the following directives to the configuration.


        ServerSignature Off
        ServerTokens Prod

3. Save the configuration and restart Apache

Disable Directory Listing

By Apache’s default configuration, If your web server root directory doesn’t contain index.html, the user can see all files and sub directories listed in the web root.

To disable directory listing we need to set the `Option` directive value as `None` or `-Indexes` in the Apache configuration file.

Example:

<Directory /var/www/html>
    Options -Indexes
</Directory>

Restart apache2

Use mod_security Module

mod_security works as a firewall for web applications.

It can also be used for real-time web application monitoring and logging. You can install mod_security from your default package installer. 

Installation

Debian/Ubuntu

# apt install libapache2-mod-security2
# service apache2 restart

Installation

RHEL/CentOS/Fedora

# yum install mod_security
# systemctl restart httpd.service

Use mod_evasive Module

mod_evasive provides effective actions against Distributed Denial of Service (DDoS/DoS) attack or brute force attack

Its capabilities also extend to work with ipchains, firewalls, routers, and more. mod_evasive reports events via email and syslog facilities.

mod_evasive has a prerequisite. Install the prerequisite by running the following command.

Prerequisites

Debian/Ubuntu

# apt install apache2-utils

RHEL/CentOS/Fedora

# yum install httpd-devel

Installation

Debian/Ubuntu

# apt install libapache2-mod-evasive

RHEL/CentOS/Fedora

# yum install mod_evasive

Configuring mod_evasive

Open mod_evasive configuration file in any text editor. you can find the configuration file in the following path:

Debian/Ubuntu

# vim /etc/apache2/mods-enabled/evasive.conf

RHEL/CentOS/Fedora

# vim /etc/httpd/conf.d/mod_evasive.conf

Find the following lines and uncomment them.

DOSHashTableSize 3097
DOSPageCount 2
DOSSiteCount 50
DOSPageInterval 1
DOSSiteInterval 1
DOSBlockingPeriod 10
DOSEmailNotify [email protected]
DOSLogDir "/var/log/apache2/"

Replace `DOSEmailNotify  [email protected]` with your email address to get a notification on events. Email notifications only work if there’s a functional mail server running on the server.

Save the configuration and restart Apache. Now, mod_evasive is in effect.

Hiding ETag Header

The ETag header involves quite a significant number of sensitive details regarding your server. It's interesting that for PCI-compliance it is required to hide the Etag header.

To achieve this, add the following directive to Apache configuration.

FileETag None

Disable CGI and SSI

SSIs are directives present on web applications used to feed an HTML page with dynamic contents. 

They are also capable of opening your website up to a certain number of security issues if left unchecked. The same case happens for the CGI scripts. So as to prevent hackers from injecting malicious scripts in your code.

Restrict CGI and SSI by adding the following directives to Apache configuration:

Options -Includes
Options -ExecCGI

Setting the HTTP Limits

Setting up some HTTP limits can defend against DDoS (Distributed denial of service) attack, it is really easy if you know the sort of actions to look out for. 

DDoS always tends to happen by hitting repeatedly on your server with very large requests.

The following include some limits you make need to configure:

KeepAlive=on
KeepAliveTimeout
LimitRequestBody
LimitRequestFields
LimitRequestFieldSize
LimitRequestLine
LimitXMLRequestBody
MaxClients
MaxKeepAliveRequests
MaxRequestWorkers
RequestReadTimeout
TimeOut

Enable XSS Protection Header

Cross-site scripting (XSS) is a common vulnerability found in web applications. X-XSS-Protection header can prevent some level of XSS (cross-site-scripting) attacks.

The parameters are:

  • 0 - XSS filter disabled
  • 1 - XSS filter enabled and sanitizes the page if attack detected
  • 1;mode=block - XSS filter enabled and prevents rendering the page if attack detected
  • 1;report=http://reporting.url/ - XSS filter enabled and will report the violation if an attack detected

Add the following entry to your Apache configuration to enable XSS Protection Header.

Header set X-XSS-Protection "1; mode=block"

Restart Apache.

Last but not the least, always keep your web server updated.

I hope these Apache web server security hardening tips come in handy for you!

If you're looking to improve your web security, you can sign up for a free account on Beagle Security. You'll be able to identify vulnerabilities on your website before hackers exploit them. Stay secure!

Previously published at https://beaglesecurity.com/blog/blogs/2020/06/15/Apache-Web-Server-Hardening.html