Apache Web Server Security & Hardening Tips for Administrator

Apache is one of the best, popular, fast, free & open-source Web Server which is currently holding 33.56% of market share as per netcraft Feb’2016 survey. As a server administrator, make sure we should hardening the web server to prevent attacks. Here i’m listing most important security tips which will help you to secure your web server against attack and hacking. Make sure you should install Apache before proceeding apache hardening.

1) Keep up to Date

The most important tips to prevent further damage, make sure the apache web server up to date because the apache community is working hardly to prevent security issue and releasing new version based on Security fix & new features.

[Check Apache Version on CentOS, RHEL & Fedora]
# httpd -v

[Check Apache Version on Debian & Ubuntu]
$ apache2 -v

[Update Apache Version on CentOS, RHEl & Fedora]
# yum update httpd

[Update Apache Version on Debian & Ubuntu]
$ sudo apt-get install --only-upgrade apache2

2) Protect Denial of Service (DoS) attacks

DDoS is a type of DOS attack which lead to down a machine or entire network resource unavailable to users. It is not possible to prevent such attacks entirely, but we can do certain things to mitigate the problems on Web Server level by adjusting Server configuration settings.Timeout: The number of seconds server will wait (Hold the current request) to close the connection for particular request (if its success, it will close the connection instantly otherwise it will wait until 300 Sec to close the connection. By default it set to 300Sec better we can keep the same. If we Setting this to very low as a few seconds may be appropriate or terminate/close long running CGI scripts.

  • RequestReadTimeout : We can set RequestReadTimeout for client, If the client fails to send headers or body within the configured time, a 408 REQUEST TIME OUT error is sent.
  • KeepAlive=on : Keep more than one request per connection
  • KeepAliveTimeout : Number of seconds to wait for the next request from the same client on the same connection. Default value is 5 secs.
  • MaxKeepAliveRequests: The maximum number of requests to allow during a persistent connection. Set to 0 to allow an unlimited amount. Default value is 100.
  • MaxRequestWorkers : It allow the server to handle the maximum number of simultaneous connections without running out of resources. Default value is 250.
  • LimitRequestFields: This directive allows the server administrator to modify the limit on the number of request header fields allowed in an HTTP request. Default value is 100.
  • LimitRequestFieldSize : This directive allows the server administrator to set the limit on the allowed size of an HTTP request header field. Default value is 8190 bytes.
Timeout 300
KeepAlive On
MaxKeepAliveRequests 100
KeepAliveTimeout 5
MaxRequestWorkers 250
LimitRequestFields 100
LimitRequestFieldSize 8190

3) Disable unnecessary modules

Disable unnecessary modules, by default it will install/enable certain amount of modules when you installing Apache. Just grep the enabled modules and disable if its not necessary on your environment. Use the below command to check the loaded modules and remove unnecessary modules.

# apachectl -M

4) Run Apache as separate user and group

By default Apache run as nobody or daemon. For security reason it is recommended to run Apache its own user account which will help us to track the particular user activity when we are facing some load issues on server. Like if we put top command, it will show the apache process/activity with corresponding user name.

# groupadd apache
# useradd -d /var/www/ -g apache -s /bin/nologin apache

Modify Apache user and group on Apache config file

User apache
Group apache

5) Prevent .htaccess file creation outside home directory

Its one of the important security breach, if you allow the user to create .htaccess file outside their home directory, it will overwrite the default apache setting which we configured.

<Directory "/">
AllowOverride None

6) Install/Enable mod_security & mod_evasive Module

Install/Enable mod_security & mod_evasive Module which will act as HTTP Web Server firewall. This will help us to Prevent certain attacks for Website & Webserver.

[Install mod_security & mod_evasive Module on CentOS, RHEL & Fedora]
# [yum|dnf] install mod_security mod_evasive
# service httpd restart
# systemctl restart httpd.service

[Install mod_security & mod_evasive Module on Debian & Ubuntu]
$ sudo apt-get install libapache2-modsecurity libapache2-mod-evasive
$ sudo a2enmod mod-security mod-evasive
$ sudo service apache2 restart
$ sudo systemctl restart apache2.service

7) Restrict access to root Directory

We need to restrict the user access to root directory and We can allow the user to access appropriate Directory blocks.

[Apache 2.2]
<Directory />
   Options None
   Order deny,allow
   Deny from all

[Apache 2.4]
<Directory "/">
   Require all denied

8) Disable Directory Listing

By default Apache will show/list all the files and folders available under root directory when you don’t have index file. Its security issue, we can disable directory listing by adding below content on Apache conf file.

[Apache 2.2 & 2.4]
<Directory "/">
  Options -Indexes
  Order allow,deny
  Allow from all

9) Restrict access .htaccess & .htpasswd file

Restrict/Prevent .htaccess and .htpasswd files from being viewed by Web clients.

<Files ~ "^\.ht">
    Order allow,deny
    Deny from all
    Satisfy all

10) Disable HostnameLookups

If HostnameLookups enabled, Apache need to lookup a nameserver for each client request at least once.

HostnameLookups off

11) Disable Apache & OS Version (Set ServerTokens)

By default Apache HTTP Server response header will contains apache, php, OS, etc.., versions details which will shows on your web page which against security issue and anybody can know about your version number. So you need to disable it by adding below lines on apache config file.

ServerSignature Off
ServerTokens Prod

12) Enable Necessary Options Directive

The Options directive controls which server features are available in a particular directory.

  • All : All options enabled except for MultiViews.
  • ExecCGI : Execution of CGI scripts using mod_cgi is permitted.
  • FollowSymLinks : The server will follow symbolic links in this directory. This is the default setting.
  • Includes : Server-side includes provided by mod_include are permitted.
  • IncludesNOEXEC : Server-side includes are permitted, but the #exec cmd and #exec cgi are disabled.
  • Indexes Disable directory listing.
  • MultiViews : Content negotiated “MultiViews” are allowed using mod_negotiation.
  • SymLinksIfOwnerMatch : The server will only follow symbolic links for which the target file or directory is owned by the same user id as the link.
<Directory "/">
  Options Indexes FollowSymLinks
  Order allow,deny
  Allow from all

13) Multi-Processing Modules (MPMs)

Multi-Processing Modules (MPMs) which are responsible for binding to network ports on the machine, accepting requests, and dispatching children to handle the requests. MPM module split as worker, event & prefork module. Make sure your values should be described as below which are default one.

[Prefork MPM]
    StartServers          5
    MinSpareServers       5
    MaxSpareServers      10
    MaxClients          150
    MaxRequestsPerChild   0

[Worker MPM]
    StartServers          2
    MinSpareThreads      25
    MaxSpareThreads      75
    ThreadLimit          64
    ThreadsPerChild      25
    MaxClients          150
    MaxRequestsPerChild   0

[Prefork MPM]
    StartServers          2
    MinSpareThreads      25
    MaxSpareThreads      75
    ThreadLimit          64
    ThreadsPerChild      25
    MaxClients          150
    MaxRequestsPerChild   0


About Magesh Maruthamuthu

Love to play with all Linux distribution

View all posts by Magesh Maruthamuthu

Leave a Reply

Your email address will not be published. Required fields are marked *