Hardening the Apache web server: how to protect your server from attacks


By Anees (Hacker Noon)

human being in love with coding, camera, cats and coffee!

The web server plays a crucial role in a web application. Most of us leave the default configuration in place, and the defaults leak information about the server.

There are many web servers on the market, and Apache is one of the most popular and widely deployed. That popularity also makes it one of the most frequently attacked.

With a handful of configuration changes we can make Apache considerably harder to attack; none of them replaces keeping the software patched. Here are some Apache hardening tips you can apply to improve security.

Hide the server version banner

One of the first things to do is hide the server version banner.

Apache’s default configuration exposes the server version (and often the operating system) in the Server response header and in the footer of server-generated pages. That tells an attacker exactly which version to look up known vulnerabilities for and which exploits to try first.


We can fix the version disclosure by following the steps below:

1. Open the main Apache configuration file

# vim /etc/httpd/conf/httpd.conf (RHEL/CentOS/Fedora)
# vim /etc/apache2/apache2.conf (Debian/Ubuntu)

On Debian/Ubuntu these two directives already live in /etc/apache2/conf-enabled/security.conf, which is included after apache2.conf; change them there, otherwise the values in security.conf override yours.

Add (or change) the following directives in the configuration:
```
ServerSignature Off
ServerTokens Prod
```

ServerTokens Prod reduces the Server header to just "Apache"; ServerSignature Off removes the version footer from server-generated pages such as error pages and directory listings.

2. Save the configuration and restart Apache


Better still, mod_security (ModSecurity 2.x) can replace the banner with an arbitrary string. Enable the module (installation is covered below), then add the following directives to the configuration:

        ServerTokens Full
        SecServerSignature "Custom Server"

mod_security overwrites Apache's signature buffer in place, so ServerTokens must be Full for this to work and the custom string can be no longer than the signature it replaces. Keep in mind that fingerprinting tools identify Apache from header order and error-page formatting as well, so a fake banner buys only a little obscurity.

3. Save the configuration and restart Apache


Disable directory listing

With Apache’s default configuration, a request for a directory that contains no index file (index.html, or whatever DirectoryIndex names) returns a listing of every file and subdirectory in it, which hands an attacker backups, configuration files and anything else left lying around under the web root.


To disable directory listing, set the `Options` directive to `None` or, better, remove only the `Indexes` option with `-Indexes` in the relevant `<Directory>` block of the Apache config file (`None` also switches off FollowSymLinks and every other option for that directory). If `AllowOverride Options` is permitted, an `.htaccess` file can turn listings back on, so restrict that too where it is not needed.

Example:

<Directory /var/www/html>
    Options -Indexes
</Directory>

Restart Apache.


Use mod_security module

mod_security (ModSecurity) is a web application firewall that runs inside Apache: it inspects requests and responses against a rule set and can block, log or alter them.

It can also be used for real-time web application monitoring and logging. On its own it ships with almost no rules, so pair it with a rule set such as the OWASP ModSecurity Core Rule Set. You can install mod_security from your distribution's package manager.

Installation

Debian / Ubuntu

# apt install libapache2-mod-security2
# service apache2 restart

Installation

RHEL / CentOS / Fedora

# yum install mod_security
# systemctl restart httpd.service

Use mod_evasive module

mod_evasive rate-limits clients by IP address: a client that requests the same page, or the site as a whole, more than a configured number of times within a short interval gets a 403 for a blocking period. That blunts single-source DoS floods and brute-force attempts; it does little against an attack spread across many source addresses, and its counters are kept per Apache child process, so the thresholds are per worker rather than server-wide.

Through DOSSystemCommand it can also call out to a firewall (iptables/ipchains), a router or similar to block the offender at the network level, and it reports events via email and syslog.

mod_evasive has a prerequisite. Install the prerequisite by running the following command.

Preconditions

Debian / Ubuntu

# apt install apache2-utils

RHEL / CentOS / Fedora

# yum install httpd-devel

Installation

Debian / Ubuntu

# apt install libapache2-mod-evasive

RHEL / CentOS / Fedora

# yum install mod_evasive

Configuring mod_evasive

Open the mod_evasive configuration file in any text editor. You can find the configuration file at the following path:

Debian / Ubuntu

# vim /etc/apache2/mods-enabled/evasive.conf

RHEL / CentOS / Fedora

# vim /etc/httpd/conf.d/mod_evasive.conf

Find the following lines and uncomment them (on Debian/Ubuntu they sit inside an <IfModule mod_evasive20.c> block):

DOSHashTableSize 3097
DOSPageCount 2
DOSSiteCount 50
DOSPageInterval 1
DOSSiteInterval 1
DOSBlockingPeriod 10
DOSEmailNotify you@example.com
DOSLogDir "/var/log/apache2/"

With these values a client that hits the same page more than twice within one second, or the site more than 50 times within one second, is blocked for 10 seconds. Replace `DOSEmailNotify you@example.com` with your own address to receive event notifications; they only arrive if a working mail transfer agent runs on the server. DOSLogDir must be writable by the Apache user (on RHEL/CentOS/Fedora the logs live under /var/log/httpd/).

Save the configuration and restart Apache. Now mod_evasive is in effect.

Hide ETag header

The ETag header can reveal details about the file being served. With the older default of FileETag INode MTime Size it encodes the file's inode number, size and modification time; the inode number in particular leaks filesystem layout, and PCI DSS vulnerability scans commonly flag inode-based ETags. Apache 2.4 no longer includes the inode by default, but the header still exposes size and mtime, and a site that gets nothing from it can drop it entirely (browsers then fall back to Last-Modified for conditional requests).

To do this, add the following directive to the Apache configuration:

FileETag None
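To make the disclosure concrete, here is an added shell function (not from the original post) that decodes an Apache-style ETag into the values it carries: inode, size and modification time for the legacy three-part form, size and modification time for the Apache 2.4 two-part form. The sample ETag is constructed; the hex layout and the microsecond mtime are Apache's real format.

```bash
#!/bin/bash
# Added example: decode what an Apache ETag discloses.
#   legacy FileETag INode MTime Size  ->  "<inode>-<size>-<mtime>"
#   Apache 2.4 default (MTime Size)   ->  "<size>-<mtime>"
# All fields are hex; mtime is microseconds since the epoch.

# decode_etag '<etag value>'
# Prints "inode=N size=N mtime=N" (mtime as epoch seconds) or "size=N mtime=N";
# returns 1 for anything that is not an Apache-style tag.
decode_etag() {
  local tag=${1#W/}        # drop a weak-validator prefix if present
  tag=${tag//\"/}          # strip the surrounding quotes
  local IFS=-
  set -- $tag              # split on '-'
  case $# in
    3) printf 'inode=%d size=%d mtime=%d\n' \
         $(( 0x$1 )) $(( 0x$2 )) $(( 0x$3 / 1000000 )) ;;
    2) printf 'size=%d mtime=%d\n' \
         $(( 0x$1 )) $(( 0x$2 / 1000000 )) ;;
    *) printf 'not an Apache-style ETag: %s\n' "$tag" >&2; return 1 ;;
  esac
}

# Constructed sample: inode 183358, 438-byte file, modified 2020-09-13 12:26:40 UTC
decode_etag '"2cc3e-1b6-5af3107a40000"'

# Against a live server (the header is readable without any module):
#   decode_etag "$(curl -sI http://localhost/index.html | tr -d '\r' \
#                  | awk 'tolower($1) == "etag:" { print $2 }')"
```

After FileETag None takes effect the awk pipeline above returns nothing, which is the check to run after the restart.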

Disable CGI and SSI

Server Side Includes (SSI) are directives embedded in HTML pages that the server evaluates to inject dynamic content; CGI scripts are programs the server executes to produce a response.

Both let anyone who can upload or modify a file under the web root run code on the server. Where the application does not need them, turn them off so that an injected file cannot become an executed one.

Restrict CGI and SSI by adding the following directives to the relevant <Directory> block of the Apache configuration (use IncludesNOEXEC instead of -Includes if you need SSI but not its exec element):

<Directory /var/www/html>
    Options -Includes -ExecCGI
</Directory>

Setting HTTP limits

Setting some HTTP limits helps defend against denial-of-service attacks, and it is straightforward once you know what the attacker is doing.

DoS against a web server takes two common shapes: floods of requests, or oversized requests and headers, that burn CPU, memory and bandwidth; and slow attacks such as Slowloris that open many connections and trickle in headers or bodies to tie up every worker. The following directives cap request size, connection lifetime and worker count:

KeepAlive On
KeepAliveTimeout
LimitRequestBody
LimitRequestFields
LimitRequestFieldSize
LimitRequestLine
LimitXMLRequestBody
MaxClients (the pre-2.4 name of MaxRequestWorkers)
MaxKeepAliveRequests
MaxRequestWorkers
RequestReadTimeout (provided by mod_reqtimeout)
TimeOut
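The list above gives no values, so here is an added shell script (not from the original post) that writes the directives with concrete settings into a drop-in file and audits an existing configuration for any that are missing. The numbers are assumptions for a typical site and must be tuned to the application (for example, raise LimitRequestBody where large uploads are expected). Apache does not allow a comment on the same line as a directive, so every comment in the generated file is on its own line.

```bash
#!/bin/bash
# Added example: generate an HTTP-limits drop-in and audit a config for it.

# Directives a hardened config should set explicitly (from the list above;
# MaxClients is omitted because MaxRequestWorkers is its 2.4 name).
LIMIT_DIRECTIVES="LimitRequestBody LimitRequestFields LimitRequestFieldSize \
LimitRequestLine LimitXMLRequestBody TimeOut KeepAlive KeepAliveTimeout \
MaxKeepAliveRequests RequestReadTimeout MaxRequestWorkers"

# write_http_limits_conf <path>
#   Debian/Ubuntu: /etc/apache2/conf-available/limits.conf, then `a2enconf limits`
#   RHEL/CentOS/Fedora: /etc/httpd/conf.d/limits.conf (picked up automatically)
# Values below are illustrative assumptions.
write_http_limits_conf() {
  cat > "$1" <<'EOF'
# Reject oversized requests before any handler sees them (10 MiB body, 1 MiB XML)
LimitRequestBody 10485760
LimitRequestFields 100
LimitRequestFieldSize 8190
LimitRequestLine 8190
LimitXMLRequestBody 1048576

# Keep-alive is fine, but idle connections should not hold a worker for long
TimeOut 60
KeepAlive On
KeepAliveTimeout 5
MaxKeepAliveRequests 100

# Drop clients that trickle headers or bodies (Slowloris-style); needs mod_reqtimeout
<IfModule reqtimeout_module>
    RequestReadTimeout header=20-40,MinRate=500 body=20,MinRate=500
</IfModule>

# Cap concurrent workers so a flood exhausts the pool rather than the host.
# MaxClients was the pre-2.4 name of this directive.
<IfModule mpm_event_module>
    MaxRequestWorkers 150
</IfModule>
EOF
}

# audit_limits <conf-file>...: print "missing: <directive>" for each limit
# directive none of the given files sets; returns 0 when all are present.
audit_limits() {
  local d rc=0
  for d in $LIMIT_DIRECTIVES; do
    # Only an uncommented directive at the start of a line counts, so the
    # commented-out examples in stock configs are not mistaken for settings.
    if ! grep -qiE "^[[:space:]]*$d[[:space:]]" "$@"; then
      echo "missing: $d"; rc=1
    fi
  done
  return $rc
}

# Demonstration: generate the drop-in into a temp file and audit it.
tmp=$(mktemp)
write_http_limits_conf "$tmp"
audit_limits "$tmp" && echo "all limit directives present in $tmp"
rm -f "$tmp"
# On a real server, audit everything Apache actually loads, e.g.
#   audit_limits /etc/apache2/apache2.conf /etc/apache2/conf-enabled/*.conf
```

After installing the file, run `apachectl configtest` and reload; then confirm the limits with an oversized request, for example `curl -s -o /dev/null -w '%{http_code}\n' -H "X-Pad: $(head -c 9000 /dev/zero | tr '\0' a)" http://localhost/`, which should return 431 (or 400 on older releases) once LimitRequestFieldSize is in force.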

Enable XSS protection header

Cross-site scripting (XSS) is a common vulnerability in web applications. The X-XSS-Protection header controls the reflected-XSS filter built into older browsers, which sanitized or blocked a page when the response echoed script from the request. Be aware that Chrome, Edge and Safari have since removed that filter and Firefox never shipped one, so in current browsers the header is largely a no-op; a Content-Security-Policy header is the mechanism they enforce. It is harmless to set, but do not rely on it.

The parameters are:

  • 0 – XSS filter disabled
  • 1 – XSS filter enabled; the browser sanitizes the page if an attack is detected
  • 1; mode=block – XSS filter enabled; the browser refuses to render the page if an attack is detected
  • 1; report=<reporting-uri> – XSS filter enabled; the browser reports the violation to the given URI if an attack is detected (Chromium only)

Add the following entry to your Apache configuration to enable the header. The Header directive needs mod_headers (run `a2enmod headers` on Debian/Ubuntu; it is loaded by default on RHEL/CentOS/Fedora):

Header set X-XSS-Protection "1; mode=block"

Restart Apache.
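To verify the banner, directory-listing, ETag and X-XSS-Protection changes from this post in one pass, here is an added shell script (not from the original post) that audits a raw HTTP response, headers and body, for each of them. The two responses inside it are constructed, one imitating a stock Apache and one a hardened server; on a real host feed it the output of `curl -si`.

```bash
#!/bin/bash
# Added example: audit one HTTP response for the disclosures discussed above.

# audit_response: reads "headers, blank line, body" on stdin (CRLF tolerated),
# prints one finding per line, returns 1 if anything was found, 0 if clean.
audit_response() {
  local findings
  findings=$(tr -d '\r' | awk '
    BEGIN { in_body = 0; xss = 0 }
    !in_body && /^$/ { in_body = 1; next }          # end of headers
    !in_body {
      split($0, h, ": ")
      name = tolower(h[1]); value = substr($0, length(h[1]) + 3)
      if (name == "server" && value ~ /[0-9]/)  print "Server header reveals version: " value
      if (name == "x-powered-by")               print "X-Powered-By reveals stack: " value
      if (name == "etag")                       print "ETag present: " value
      if (name == "x-xss-protection" && value ~ /^1/) xss = 1
      next
    }
    # body checks: mod_autoindex listing title, ServerSignature footer
    /<title>Index of/  { print "directory listing enabled: " $0 }
    /^<address>Apache/ { print "ServerSignature footer present: " $0 }
    END { if (!xss) print "X-XSS-Protection header missing" }
  ')
  [ -n "$findings" ] && { printf '%s\n' "$findings"; return 1; }
  return 0
}

# Constructed response resembling a default install; the findings are combined
# into one response for the demonstration.
stock_response() {
  cat <<'EOF'
HTTP/1.1 200 OK
Date: Sun, 13 Sep 2020 12:26:40 GMT
Server: Apache/2.4.41 (Ubuntu)
ETag: "1b6-5af3107a40000"
Content-Type: text/html;charset=UTF-8

<html><head><title>Index of /uploads</title></head>
<body><h1>Index of /uploads</h1><pre>backup.sql  config.php.bak</pre>
<address>Apache/2.4.41 (Ubuntu) Server at www.example.com Port 80</address>
</body></html>
EOF
}

# Constructed response after applying the directives from this post.
hardened_response() {
  cat <<'EOF'
HTTP/1.1 403 Forbidden
Date: Sun, 13 Sep 2020 12:26:40 GMT
Server: Apache
X-XSS-Protection: 1; mode=block
Content-Type: text/html;charset=iso-8859-1

<html><head><title>403 Forbidden</title></head>
<body><h1>Forbidden</h1></body></html>
EOF
}

echo "== stock Apache =="
stock_response | audit_response || true
echo "== hardened =="
hardened_response | audit_response && echo "no findings"
# Live use, e.g. against a directory without an index file:
#   curl -si http://localhost/uploads/ | audit_response
```

Run it against an error page (a 404) as well as a normal page: the ServerSignature footer only appears on server-generated pages, and it is the check most often forgotten after a restart.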

Last but not least, always keep your web server up to date: every setting above reduces exposure, but only patching removes the vulnerability itself.

Hope you find these tips on strengthening Apache web server security useful!

If you are looking to improve your web security, you can create a free account at Beagle Security. You will be able to identify vulnerabilities in your website before hackers exploit them. Stay safe!

Previously published on https://beaglesecurity.com/blog/blogs/20/06/15/Apache-Web-Server-Hardening.html
