Apache is a widely used web server that requires proper configuration to ensure security. Without proper settings, it can be vulnerable to attacks, leading to data breaches and disruptions. Securing Apache involves controlling access, disabling unnecessary features, and enabling encryption.

Limiting the server's exposure includes restricting access to directories and only enabling required modules. This reduces the attack surface and helps protect sensitive resources.

Regular updates, encryption, and firewalls further mitigate risks. By keeping the server up to date and applying security tools, you can safeguard against evolving threats.

Steps to secure an Apache web server:

  1. Disable unnecessary modules.

    Use apachectl -M or httpd -M to list all currently enabled modules.

    sudo a2dismod autoindex
    sudo systemctl restart apache2
    
    Module autoindex disabled.
  2. Set strict permissions for directories and files.

    Restrict file permissions to only allow access to the www-data or apache user. This ensures critical files are not accessible to unauthorized users.

    sudo chown -R www-data:www-data /var/www/html
    sudo find /var/www/html -type d -exec chmod 750 {} \;
    sudo find /var/www/html -type f -exec chmod 640 {} \;
    
    Result: /var/www/html is owned by www-data, directories are 750 and files are 640 (chown and find themselves print nothing).
  3. Hide the Apache version and OS details in headers.

    Modify the Apache configuration file, usually apache2.conf or httpd.conf, to prevent exposure of sensitive details.

    ServerSignature Off
    ServerTokens Prod
    sudo systemctl restart apache2

    On Debian and Ubuntu both directives already exist in /etc/apache2/conf-enabled/security.conf (shipped as ServerTokens OS and ServerSignature On), so change them there instead of adding a second copy; the last occurrence Apache reads is the one that takes effect.
  4. Enforce HTTPS and disable HTTP.

    sudo a2enmod ssl
    sudo a2ensite default-ssl.conf
    sudo systemctl restart apache2
    
    Enabling site default-ssl.

    Use free tools like Let's Encrypt to obtain SSL certificates for encrypting traffic.

    Enabling default-ssl only adds the TLS virtual host on port 443; the plain-HTTP site on port 80 keeps serving until it is disabled or changed to redirect every request to the HTTPS URL.

  5. Configure a web application firewall (WAF) using ModSecurity.

    sudo apt-get install libapache2-mod-security2
    sudo systemctl restart apache2
    
    ModSecurity for Apache enabled.

    Use the default configuration for basic protection, and customize rules as necessary.

    On Debian and Ubuntu the package installs /etc/modsecurity/modsecurity.conf-recommended with SecRuleEngine DetectionOnly, which logs matches but blocks nothing; copy it to modsecurity.conf and set SecRuleEngine On before relying on it for protection.

  6. Limit HTTP request methods to only those required.

    <LimitExcept GET POST>
    Require all denied
    </LimitExcept>

    LimitExcept does not cover the TRACE method, which is controlled separately with TraceEnable Off.
  7. Restrict server access using IP whitelisting.

    <Directory /var/www/admin>
    Order Deny,Allow
    Deny from all
    Allow from 192.168.1.100
    </Directory>
    sudo systemctl restart apache2

    Order, Deny and Allow are the Apache 2.2 access-control directives; on Apache 2.4 they need mod_access_compat, and the native equivalent inside the same Directory block is Require ip 192.168.1.100.
  8. Enable logging and review logs regularly.

    sudo tail -f /var/log/apache2/access.log
    
    192.168.1.10 - - [13/Oct/2024:10:15:10 +0000] "GET /index.html HTTP/1.1" 200 345

    Use tools like Fail2ban to automate the banning of suspicious IPs based on log activity.

  9. Set limits on request sizes and connection rates.

    LimitRequestBody 1048576
    DOSHashTableSize 3097
    DOSPageCount 2

    LimitRequestBody is a core directive (here 1048576 bytes, 1 MiB); DOSHashTableSize and DOSPageCount belong to mod_evasive and only take effect once that module (libapache2-mod-evasive on Debian) is installed and loaded.
  10. Regularly apply updates and security patches.

    sudo apt-get update && sudo apt-get upgrade apache2

    Ensure that all Apache and module versions are regularly updated to include the latest security patches.
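As an added check that is not part of the article, the following POSIX shell script audits an Apache configuration file for the settings from steps 3, 5, 6 and 7 and reports what is missing or weak. The directive names are real Apache and ModSecurity directives; the sample config it runs on is constructed here for the demonstration.

```shell
#!/bin/sh
# Added audit helper, not from the article: checks an Apache config file for
# the hardening directives the steps above set. Directive names are real
# Apache / mod_security directives; the sample config below is constructed.

# get_directive FILE NAME: value of the last uncommented NAME line in FILE
# (Apache applies the last occurrence), or nothing when it is absent.
get_directive() {
    grep -i "^[[:space:]]*$2[[:space:]]" "$1" 2>/dev/null | tail -n 1 | awk '{print $2}'
}

# has_directive FILE NAME: succeeds when an uncommented NAME line exists.
has_directive() {
    grep -iq "^[[:space:]]*$2[[:space:]]" "$1" 2>/dev/null
}

# audit_conf FILE: prints one line per check, returns the number of failures.
audit_conf() {
    conf=$1; fails=0
    check() {   # check NAME EXPECTED (values compared case-insensitively)
        val=$(get_directive "$conf" "$1")
        if [ "$(printf %s "$val" | tr '[:upper:]' '[:lower:]')" = \
             "$(printf %s "$2" | tr '[:upper:]' '[:lower:]')" ]; then
            echo "ok   $1 $val"
        else
            echo "FAIL $1 is '${val:-unset}', expected $2"; fails=$((fails + 1))
        fi
    }
    check ServerTokens Prod      # step 3: strip the version from the Server header
    check ServerSignature Off    # step 3: no server footer on error pages
    check TraceEnable Off        # step 6: LimitExcept does not restrict TRACE
    check SecRuleEngine On       # step 5: Debian's shipped default is DetectionOnly
    # step 7: Order/Allow/Deny is the 2.2 syntax; on 2.4 it needs mod_access_compat
    if has_directive "$conf" Order; then
        echo "WARN legacy Order/Allow/Deny found; prefer 'Require ip ...' on Apache 2.4"
    fi
    return $fails
}

# Constructed sample config (deliberately weak) to show the output.
SAMPLE=$(mktemp)
cat > "$SAMPLE" <<'EOF'
# ServerTokens Prod          <- commented out, so it does not take effect
ServerTokens OS
ServerSignature On
TraceEnable Off
LimitRequestBody 1048576
EOF
audit_conf "$SAMPLE" || echo "failures: $?"
rm -f "$SAMPLE"
```

Point audit_conf at the real file (on Debian, /etc/apache2/conf-enabled/security.conf and /etc/modsecurity/modsecurity.conf) to check a live server; only the last uncommented occurrence of each directive is considered.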
