Apache Web Server Security & Hardening Tips for Administrator
Apache is one of the most popular, fast, free and open-source web servers, holding 33.56% of the market share according to the Netcraft February 2016 survey. As a server administrator, you should harden the web server to prevent attacks. Here I'm listing the most important security tips that will help you secure your web server against attacks and hacking. Make sure Apache is installed before proceeding with the hardening steps.
1) Keep up to Date
The most important tip to prevent further damage is to keep the Apache web server up to date, because the Apache community works hard to fix security issues and releases new versions based on security fixes and new features.
[Check Apache Version on CentOS, RHEL & Fedora]
# httpd -v
[Check Apache Version on Debian & Ubuntu]
$ apache2 -v
[Update Apache Version on CentOS, RHEL & Fedora]
# yum update httpd
[Update Apache Version on Debian & Ubuntu]
$ sudo apt-get install --only-upgrade apache2
2) Protect Denial of Service (DoS) attacks
DDoS is a type of DoS attack that brings down a machine or makes an entire network resource unavailable to users. It is not possible to prevent such attacks entirely, but we can mitigate the problem at the web server level by adjusting the server configuration settings below.
- Timeout : The number of seconds the server will wait (holding the current request) before closing the connection for a particular request. If the request succeeds the connection is closed immediately; otherwise the server waits up to 300 seconds before closing it. By default it is set to 300 seconds, and it is better to keep that value. Setting it to a very low value of a few seconds may terminate or close long-running CGI scripts.
- RequestReadTimeout : We can set RequestReadTimeout for the client; if the client fails to send the headers or body within the configured time, a 408 REQUEST TIME OUT error is sent.
- KeepAlive On : Allows more than one request per connection.
- KeepAliveTimeout : Number of seconds to wait for the next request from the same client on the same connection. Default value is 5 seconds.
- MaxKeepAliveRequests : The maximum number of requests to allow during a persistent connection. Set to 0 to allow an unlimited number. Default value is 100.
- MaxRequestWorkers : Allows the server to handle the maximum number of simultaneous connections without running out of resources. Default value is 250.
- LimitRequestFields : This directive allows the server administrator to modify the limit on the number of request header fields allowed in an HTTP request. Default value is 100.
- LimitRequestFieldSize : This directive allows the server administrator to set the limit on the allowed size of an HTTP request header field. Default value is 8190 bytes.
Timeout 300
KeepAlive On
MaxKeepAliveRequests 100
KeepAliveTimeout 5
MaxRequestWorkers 250
LimitRequestFields 100
LimitRequestFieldSize 8190
3) Disable unnecessary modules
Disable unnecessary modules. By default, a certain number of modules are installed and enabled when you install Apache. Just list the enabled modules and disable any that are not necessary in your environment. Use the command below to check the loaded modules, then remove the unnecessary ones.
# apachectl -M
4) Run Apache as separate user and group
By default Apache runs as nobody or daemon. For security reasons it is recommended to run Apache under its own user account, which also helps us track that user's activity when we are facing load issues on the server: for example, the top command will show the Apache processes with the corresponding user name.
# groupadd apache
# useradd -d /var/www/ -g apache -s /bin/nologin apache
Modify the Apache user and group in the Apache config file:
User apache
Group apache
5) Prevent .htaccess file creation outside home directory
This is an important security risk: if you allow users to create .htaccess files outside their home directory, those files will override the default Apache settings we configured.
<Directory "/">
    AllowOverride None
</Directory>
6) Install/Enable mod_security & mod_evasive Module
Install and enable the mod_security and mod_evasive modules, which act as an HTTP web application firewall. This helps us prevent certain attacks against the website and web server.
[Install mod_security & mod_evasive Module on CentOS, RHEL & Fedora]
# [yum|dnf] install mod_security mod_evasive
# service httpd restart
# systemctl restart httpd.service
[Install mod_security & mod_evasive Module on Debian & Ubuntu]
$ sudo apt-get install libapache2-modsecurity libapache2-mod-evasive
$ sudo a2enmod mod-security mod-evasive
$ sudo service apache2 restart
$ sudo systemctl restart apache2.service
7) Restrict access to root Directory
We need to restrict user access to the root directory, and then allow access only to the appropriate Directory blocks.
[Apache 2.2]
<Directory />
    Options None
    Order deny,allow
    Deny from all
</Directory>
[Apache 2.4]
<Directory "/">
    Require all denied
</Directory>
8) Disable Directory Listing
By default Apache will list all the files and folders under a directory when it has no index file. This is a security issue; we can disable directory listing by adding the content below to the Apache conf file.
[Apache 2.2 & 2.4]
<Directory "/">
    Options -Indexes
    Order allow,deny
    Allow from all
</Directory>
9) Restrict access .htaccess & .htpasswd file
Restrict/Prevent .htaccess and .htpasswd files from being viewed by Web clients.
<Files ~ "^\.ht">
    Order allow,deny
    Deny from all
    Satisfy all
</Files>
10) Disable HostnameLookups
If HostnameLookups is enabled, Apache needs to query a nameserver at least once for each client request, so keep it disabled.
11) Disable Apache & OS Version (Set ServerTokens)
By default the Apache HTTP Server response header contains version details for Apache, PHP, the OS, etc., which are also shown on server-generated pages. This is a security issue, because anybody can learn your version numbers. Disable it by adding the lines below to the Apache config file.
ServerSignature Off
ServerTokens Prod
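To check that the settings from sections 5, 8, 10 and 11 are actually present in a config, here is an added audit script (example code written for this article, not part of Apache or any tool it ships). It assumes the config is a single text fragment and that the directives are set explicitly rather than left at their defaults; the sample config is constructed.

```python
import re

# Constructed sample mixing weak global settings with a root Directory block
# (not taken from any real server).
SAMPLE_CONFIG = """
ServerTokens Full
ServerSignature On
HostnameLookups On
<Directory "/">
    Options Indexes FollowSymLinks
    AllowOverride All
</Directory>
"""

# Directives the article tells you to set explicitly, with the expected value.
EXPECTED_GLOBAL = {"ServerTokens": "Prod", "ServerSignature": "Off",
                   "HostnameLookups": "Off"}

def audit_apache_config(text):
    """Return a list of hardening findings; an empty list means all checks passed."""
    findings, seen = [], {}
    in_root = root_seen = override_ok = False
    by_lower = {k.lower(): k for k in EXPECTED_GLOBAL}   # directives are case-insensitive
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()               # drop comments and blank lines
        if not line:
            continue
        if re.match(r'<Directory\s+"?/"?\s*>', line, re.I):  # <Directory /> or <Directory "/">
            in_root = root_seen = True
            continue
        if line.lower() == "</directory>":
            in_root = False
            continue
        parts = line.split(None, 1)
        name, value = parts[0].lower(), (parts[1].strip() if len(parts) > 1 else "")
        if in_root:
            if name == "allowoverride" and value.lower() == "none":
                override_ok = True
            elif name == "options" and re.search(r"(^|\s)\+?Indexes\b", value, re.I):
                findings.append('Directory "/" enables Indexes (directory listing)')
        elif name in by_lower:
            seen[by_lower[name]] = value
    for directive, want in EXPECTED_GLOBAL.items():
        if seen.get(directive, "").lower() != want.lower():
            findings.append(f"{directive} should be {want}, found {seen.get(directive, 'unset')}")
    if not root_seen:
        findings.append('no <Directory "/"> block found')
    elif not override_ok:
        findings.append('Directory "/" should set AllowOverride None')
    return findings

if __name__ == "__main__":
    for finding in audit_apache_config(SAMPLE_CONFIG):
        print("FINDING:", finding)
```

Run it against the output of `apachectl -t -D DUMP_CONFIG` or the main httpd.conf to see which of the article's settings are still missing.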
12) Enable Necessary Options Directive
The Options directive controls which server features are available in a particular directory.
- All : All options enabled except for MultiViews.
- ExecCGI : Execution of CGI scripts using mod_cgi is permitted.
- FollowSymLinks : The server will follow symbolic links in this directory. This is the default setting.
- Includes : Server-side includes provided by mod_include are permitted.
- IncludesNOEXEC : Server-side includes are permitted, but the #exec cmd and #exec cgi are disabled.
- Indexes : If no index file exists in the directory, a directory listing is generated; disable it with -Indexes as shown in section 8.
- MultiViews : Content negotiated “MultiViews” are allowed using mod_negotiation.
- SymLinksIfOwnerMatch : The server will only follow symbolic links for which the target file or directory is owned by the same user id as the link.
<Directory "/">
    Options Indexes FollowSymLinks
    Order allow,deny
    Allow from all
</Directory>
13) Multi-Processing Modules (MPMs)
Multi-Processing Modules (MPMs) are responsible for binding to network ports on the machine, accepting requests, and dispatching children to handle them. Apache provides the worker, event and prefork MPMs. Make sure your values match the defaults shown below.
[Prefork MPM]
StartServers 5
MinSpareServers 5
MaxSpareServers 10
MaxClients 150
MaxRequestsPerChild 0
[Worker MPM]
StartServers 2
MinSpareThreads 25
MaxSpareThreads 75
ThreadLimit 64
ThreadsPerChild 25
MaxClients 150
MaxRequestsPerChild 0
[Event MPM]
StartServers 2
MinSpareThreads 25
MaxSpareThreads 75
ThreadLimit 64
ThreadsPerChild 25
MaxClients 150
MaxRequestsPerChild 0