Secure Apache Webserver

By default, the Apache web server does not ship with all of its security settings enabled. We have to turn on these hardening settings before making the server live and accessible to the outside world.

Remove Server Version Banner:

Modify httpd.conf, add the following directives and save it:
ServerTokens Prod
ServerSignature Off

Disable directory browser listing:
Edit httpd.conf and use the following:
Options -Indexes
Order allow,deny

Disable ETags:
Edit httpd.conf:
FileETag None

Run Apache from a non-privileged account on Linux:
Create a user and group called apache:
# groupadd apache
# useradd -G apache apache

Change the ownership of the Apache installation directory to the newly created non-privileged user:
# chown -R apache:apache /opt/apache

Protect the permissions of the Apache binary and configuration directories:
# chmod -R 750 bin conf

System Settings Protection:
Edit httpd.conf and match the following:
Options -Indexes
AllowOverride None

Disable Trace HTTP Request:
By default the HTTP TRACE method is enabled, so users can trace your server with simple commands; if you want to hide this, disable tracing:
TraceEnable off

Clickjacking Attack:
To prevent other site owners from embedding your website in an iframe, add the following directive to httpd.conf:
Header always append X-Frame-Options SAMEORIGIN

Cross Site Scripting (XSS) protection:
Some attackers may try to execute JavaScript from a remote site that is pointed at your server. To prevent that you can enforce the same-origin policy, which means JavaScript can be executed only if it is initiated on your server:
Header set X-XSS-Protection "1; mode=block"

By default the Apache Timeout value is 300 seconds; you can change it:
Edit httpd.conf:
Timeout 60

SSL Cipher:
An SSL cipher is an encryption algorithm. If you want your server to use only high-security SSL encryption, modify the SSLCipherSuite directive in httpd-ssl.conf as shown below:

SSLCipherSuite HIGH:!MEDIUM:!aNULL:!MD5:!RC4

Disable SSL v2:
According to https://www.sslshopper.com, if your website uses SSL you also need to disable insecure protocols like SSL 2.0 and weak ciphers, or you will fail a PCI compliance scan. Strangely, most versions of Apache have SSL 2.0 enabled by default.

Modify the SSLProtocol directive in httpd-ssl.conf as shown below to disable it:
SSLProtocol -ALL +SSLv3 +TLSv1
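As an added example (not part of the original post), the following Python script audits an httpd.conf text against the hardening directives listed above and reports which ones are missing or weak. The two config fragments it reads are constructed samples, and the check names and messages are my own.

```python
# Constructed sample httpd.conf fragments (not from the post): one weak, one hardened.
WEAK_CONF = """ServerTokens OS
ServerSignature On
Options Indexes FollowSymLinks
TraceEnable on
SSLProtocol all
SSLCipherSuite ALL
"""
HARDENED_CONF = """ServerTokens Prod
ServerSignature Off
FileETag None
Options -Indexes
AllowOverride None
TraceEnable off
Header always append X-Frame-Options SAMEORIGIN
SSLCipherSuite HIGH:!MEDIUM:!aNULL:!MD5:!RC4
SSLProtocol -ALL +SSLv3 +TLSv1
"""

# Single-valued directives and the value the post prescribes for each.
EXPECTED = {"ServerTokens": "Prod", "ServerSignature": "Off", "FileETag": "None",
            "TraceEnable": "off", "AllowOverride": "None"}

def parse(conf_text):
    """(name_lower, args) for each non-comment, non-tag line of an httpd.conf."""
    return [(l.split(None, 1)[0].lower(), (l.split(None, 1) + [""])[1].strip())
            for l in map(str.strip, conf_text.splitlines()) if l and l[0] not in "#<"]

def audit_httpd_conf(conf_text):
    """Return hardening findings (an empty list means every check in the post passes)."""
    d = parse(conf_text)
    def last(name):                      # last occurrence wins, as in Apache's global scope
        vals = [a for n, a in d if n == name]
        return vals[-1].lower() if vals else ""
    findings = []
    for name, want in EXPECTED.items():
        if last(name.lower()) != want.lower():
            findings.append("%s is not %s" % (name, want))
    if not any(n == "options" and "-indexes" in a.lower() for n, a in d):
        findings.append("Options does not include -Indexes (directory listing)")
    if not any(n == "header" and "x-frame-options" in a.lower() for n, a in d):
        findings.append("X-Frame-Options header missing (clickjacking)")
    protos = last("sslprotocol").split()
    # SSLv2 is off when all protocols are removed (-ALL) or SSLv2 is removed explicitly,
    # and it is not re-added. The post's line keeps +SSLv3; a stricter policy drops it too.
    if not (("-all" in protos or "-sslv2" in protos) and "+sslv2" not in protos):
        findings.append("SSLProtocol does not disable SSLv2")
    if not all(x in last("sslciphersuite") for x in ("high", "!anull", "!md5", "!rc4")):
        findings.append("SSLCipherSuite does not restrict to HIGH without aNULL/MD5/RC4")
    return findings
```

Running `audit_httpd_conf` on a real httpd.conf (for example, `open("/opt/apache/conf/httpd.conf").read()`) lists every directive from this post that is still at its default.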
