By default the Apache web server does not ship with its hardening options enabled. We have to turn them on before making the server live and accessible to the outside world.
Remove the server version banner:
Modify httpd.conf, add the following directives and save it:
ServerTokens Prod
ServerSignature Off
Disable directory browsing (index listing):
Edit httpd.conf and use the following:
Options -Indexes
Order allow,deny
Disable ETags:
Edit httpd.conf:
FileETag None
Run Apache from a non-privileged account on Linux:
Create a user and group called apache:
# groupadd apache
# useradd -G apache apache
Change the ownership of the Apache installation directory to the newly created non-privileged user:
# chown -R apache:apache /opt/apache
Protect the permissions of the Apache binary and configuration directories:
# chmod -R 750 bin conf
System settings protection:
Edit httpd.conf and match it with the below:
Options -Indexes
AllowOverride None
Disable the TRACE HTTP request:
By default users can send TRACE requests to your server; if you want to prevent this you can disable tracing:
TraceEnable off
Clickjacking attack:
To prevent other site owners from embedding your website in an iframe, add the following directive to httpd.conf:
Header always append X-Frame-Options SAMEORIGIN
Cross Site Scripting (XSS) protection:
Some hackers may try to execute JavaScript from a remote site but pointed at your server. To prevent that you can enforce the same-origin policy, which means JavaScript can be executed only if it originates on your server:
Header set X-XSS-Protection "1; mode=block"
Change the timeout value:
By default the Apache Timeout value is 300 seconds, which you can change:
Edit httpd.conf:
Timeout 60
SSL ciphers:
A cipher is an encryption algorithm; if you want your server to use only high-security SSL ciphers, change the setting as below.
Modify the SSLCipherSuite directive in httpd-ssl.conf as shown:
SSLCipherSuite HIGH:!MEDIUM:!aNULL:!MD5:!RC4
Disable SSL v2:
According to https://www.sslshopper.com, if your website uses SSL you also need to disable insecure protocols like SSL 2.0 and weak ciphers, or you will fail a PCI compliance scan. Strangely, most versions of Apache have SSL 2.0 enabled by default.
Modify the SSLProtocol directive in httpd-ssl.conf as shown below to disable it:
SSLProtocol -ALL +SSLv3 +TLSv1
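As an added example (not part of the original page), the following script audits an httpd.conf fragment for every directive this page recommends and lists the steps that are still unmet. It goes one step beyond the page by also flagging SSLv3, which is obsolete like SSLv2; the sample configuration is constructed, and the parser ignores <Directory> scoping, so a directive's last occurrence wins.

```python
# Constructed httpd.conf fragment (not from any real server): several of the
# defaults this page says to change are still in place.
SAMPLE_CONF = """\
ServerTokens Full
ServerSignature On
TraceEnable on
FileETag All
Timeout 300
<Directory "/opt/apache/htdocs">
    Options Indexes FollowSymLinks
    AllowOverride None
</Directory>
Header always append X-Frame-Options SAMEORIGIN
SSLCipherSuite HIGH:!MEDIUM:!aNULL:!MD5
SSLProtocol -ALL +SSLv3 +TLSv1
"""

def directives(conf):
    """Yield (name, value) for every non-comment, non-section line."""
    for line in conf.splitlines():
        line = line.strip()
        if line and not line.startswith(("#", "<")):
            name, _, value = line.partition(" ")
            yield name.lower(), value.strip()

def audit(conf):
    """Return the names of the hardening steps from the page that are NOT met."""
    seen = list(directives(conf))
    val = {n: v for n, v in seen}            # simplification: last occurrence wins
    hdrs = " ".join(v for n, v in seen if n == "header").lower()
    opts = " ".join(v for n, v in seen if n == "options").lower().split()
    ssl = val.get("sslprotocol", "all").lower().split()   # Apache default is "all"
    ciphers = val.get("sslciphersuite", "").split(":")
    timeout = val.get("timeout", "300")                   # Apache default is 300
    checks = {
        "ServerTokens Prod": val.get("servertokens", "").lower() == "prod",
        "ServerSignature Off": val.get("serversignature", "").lower() == "off",
        "TraceEnable off": val.get("traceenable", "on").lower() == "off",
        "FileETag None": val.get("fileetag", "").lower() == "none",
        "Options -Indexes": "-indexes" in opts and not {"indexes", "+indexes"} & set(opts),
        "AllowOverride None": val.get("allowoverride", "").lower() == "none",
        "X-Frame-Options header": "x-frame-options" in hdrs,
        "X-XSS-Protection header": "x-xss-protection" in hdrs,
        "Timeout <= 60": timeout.isdigit() and int(timeout) <= 60,
        "SSLv2 disabled": "+sslv2" not in ssl and ("-all" in ssl or "-sslv2" in ssl),
        # Beyond the page: SSLv3 is obsolete too, so "+SSLv3" is flagged as well.
        "SSLv3 disabled": "+sslv3" not in ssl and ("-all" in ssl or "-sslv3" in ssl),
        "Weak ciphers excluded": all(x in ciphers for x in ("!aNULL", "!MD5", "!RC4")),
    }
    return [name for name, ok in checks.items() if not ok]

if __name__ == "__main__":
    for finding in audit(SAMPLE_CONF):
        print("FAIL:", finding)
```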