Apache is a widely used web server that requires proper configuration to ensure security. Without proper settings, it can be vulnerable to attacks, leading to data breaches and disruptions. Securing Apache involves controlling access, disabling unnecessary features, and enabling encryption.
Limiting the server's exposure includes restricting access to directories and only enabling required modules. This reduces the attack surface and helps protect sensitive resources.
Regular updates, TLS, and a firewall reduce the remaining risk. A server that is kept current and runs only what it needs gives an attacker far less to work with.
Steps to secure Apache web server:
- Disable unnecessary modules.
Use apachectl -M or httpd -M to list all currently loaded modules, then disable the ones the site does not need. autoindex (directory listings) is a common one to turn off; status, info, userdir and cgi are also worth reviewing.
apachectl -M
sudo a2dismod autoindex
sudo systemctl restart apache2
a2dismod prints "Module autoindex disabled." and the module stays off across restarts. On RHEL-style systems there is no a2dismod; comment out the matching LoadModule line under /etc/httpd/conf.modules.d/ instead.
- Set strict permissions for directories and files.
Files under the document root should be readable by the Apache user (www-data on Debian/Ubuntu, apache on RHEL-style systems) and by nobody else. Keep them owned by root rather than by the web server user, so a compromised web process cannot rewrite them, and grant the server write access only to the specific directories (uploads, caches) the application actually needs.
sudo chown -R root:www-data /var/www/html
sudo find /var/www/html -type d -exec chmod 750 {} \;
sudo find /var/www/html -type f -exec chmod 640 {} \;
These commands print nothing on success; verify the result with ls -l /var/www/html.
- Hide the Apache version and OS details in headers.
By default the Server header and Apache's own error pages reveal the version, the OS and loaded modules. On Debian/Ubuntu these directives live in /etc/apache2/conf-enabled/security.conf; on other systems put them in httpd.conf.
ServerSignature Off
ServerTokens Prod
sudo systemctl restart apache2
After the restart the Server header reads only "Apache"; check with curl -sI http://localhost | grep -i '^server'. Treat this as hygiene rather than a hard control: a scanner can still fingerprint the version from behaviour, so it does not substitute for patching.
- Enforce HTTPS and redirect HTTP.
sudo a2enmod ssl
sudo a2ensite default-ssl.conf
sudo systemctl restart apache2
a2ensite prints "Enabling site default-ssl." The default-ssl site ships with a self-signed "snakeoil" certificate that browsers reject; replace it with a free certificate from Let's Encrypt (certbot --apache obtains one and edits the vhost for you). Rather than switching port 80 off entirely, which also breaks the HTTP-01 challenge used to renew the certificate, keep the plain-HTTP vhost and have it send everything to HTTPS with Redirect permanent / https://example.com/ (substitute your hostname). Then set Header always set Strict-Transport-Security "max-age=63072000" in the HTTPS vhost (needs mod_headers: a2enmod headers) so returning browsers never try HTTP first.
- Configure a web application firewall (WAF) using ModSecurity.
sudo apt-get install libapache2-mod-security2
sudo cp /etc/modsecurity/modsecurity.conf-recommended /etc/modsecurity/modsecurity.conf
sudo systemctl restart apache2
apt prints nothing ModSecurity-specific; confirm the module loaded with apachectl -M | grep security2. The package ships only a recommended base configuration, and that configuration sets SecRuleEngine DetectionOnly, so out of the box ModSecurity logs but blocks nothing. Two further steps turn it into a WAF: install a rule set (the OWASP Core Rule Set, packaged on Debian/Ubuntu as modsecurity-crs), and, after running in DetectionOnly long enough to tune away false positives against your application, switch SecRuleEngine to On in /etc/modsecurity/modsecurity.conf.
- Limit HTTP request methods to only those required.
LimitExcept is only valid in a directory context (<Directory>, <Location> or .htaccess), and it denies every method not listed. GET implicitly permits HEAD. Add OPTIONS if the application answers CORS preflight requests; TRACE is best switched off server-wide with TraceEnable Off.
<Directory /var/www/html>
    <LimitExcept GET POST>
        Require all denied
    </LimitExcept>
</Directory>
- Restrict server access using IP allowlisting.
Order, Deny from and Allow from are Apache 2.2 directives. Apache 2.4 only honours them through mod_access_compat, and mixing them with Require gives confusing results, so use the 2.4 authorization syntax:
<Directory /var/www/admin>
    Require ip 192.168.1.100
</Directory>
sudo systemctl restart apache2
Require ip accepts several addresses and CIDR ranges on one line (Require ip 192.168.1.0/24 10.0.0.5). The address Apache matches is the TCP peer, so behind a reverse proxy or load balancer this sees the proxy, not the client, unless mod_remoteip is configured to trust it.
- Enable logging and review logs regularly.
Access and error logging are on by default (/var/log/apache2/access.log and error.log on Debian/Ubuntu, /var/log/httpd/ on RHEL-style systems). Watch the access log live with:
sudo tail -f /var/log/apache2/access.log
192.168.1.10 - - [13/Oct/2024:10:15:10 +0000] "GET /index.html HTTP/1.1" 200 345
Each line records the client address, timestamp, request line, status code and response size. Bursts of 4xx responses from one address, requests for paths that do not exist on your site, and unexpected methods are the first things to look for. Use a tool like Fail2ban, whose apache-auth, apache-badbots and apache-noscript jails read this log, to ban offending addresses automatically, and ship the logs off the host so an attacker who gains root cannot erase the evidence.
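The kind of review described above, as an added example that is not part of the original article: a small shell function that counts 4xx/5xx responses per client in an Apache access log and reports the clients above a threshold, the same signal Fail2ban's apache-* jails act on. The log lines are constructed for the demo; on a real host pass /var/log/apache2/access.log.

```shell
#!/bin/sh
# Added example (not from the original article): find clients producing
# repeated error responses in an Apache access log. The log lines below are
# constructed for the demo; in production pass /var/log/apache2/access.log.

# flag_error_ips LOGFILE [THRESHOLD]
# Prints "count ip" for each client with at least THRESHOLD (default 10)
# 4xx/5xx responses in LOGFILE, highest count first.
flag_error_ips() {
    logfile="$1"
    threshold="${2:-10}"
    # Common and combined log formats put the client address in field 1 and
    # the status code in field 9 (right after the quoted request line).
    awk -v min="$threshold" '
        $9 ~ /^[45][0-9][0-9]$/ { errors[$1]++ }
        END {
            for (ip in errors)
                if (errors[ip] >= min)
                    printf "%d %s\n", errors[ip], ip
        }
    ' "$logfile" | sort -rn
}

# Constructed sample log: one legitimate client and one probing for
# WordPress/phpMyAdmin paths that do not exist on this server.
SAMPLE_LOG="$(mktemp)"
trap 'rm -f "$SAMPLE_LOG"' EXIT
cat > "$SAMPLE_LOG" <<'EOF'
192.168.1.10 - - [13/Oct/2024:10:15:10 +0000] "GET /index.html HTTP/1.1" 200 345
203.0.113.7 - - [13/Oct/2024:10:15:11 +0000] "GET /wp-login.php HTTP/1.1" 404 209
203.0.113.7 - - [13/Oct/2024:10:15:11 +0000] "GET /admin/ HTTP/1.1" 403 199
203.0.113.7 - - [13/Oct/2024:10:15:12 +0000] "GET /.env HTTP/1.1" 404 209
203.0.113.7 - - [13/Oct/2024:10:15:12 +0000] "GET /phpmyadmin/ HTTP/1.1" 404 209
192.168.1.10 - - [13/Oct/2024:10:15:13 +0000] "GET /missing.css HTTP/1.1" 404 209
203.0.113.7 - - [13/Oct/2024:10:15:14 +0000] "POST /xmlrpc.php HTTP/1.1" 405 209
EOF

# With a threshold of 3 only the probing client is reported; the legitimate
# client's single missing stylesheet stays below it.
flag_error_ips "$SAMPLE_LOG" 3
# → 5 203.0.113.7
```

The threshold is the tuning knob: set it too low and a browser fetching a page with a dead favicon link shows up, set it too high and a slow scanner stays under it. Pair the count with a time window (run it over the last N minutes of log with a cron job) before feeding the result into a block list.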
- Set limits on request sizes and connection rates.
LimitRequestBody is a core directive that caps the size of a request body (here 1 MiB), so oversized uploads are rejected before they reach the application. The DOS* directives belong to mod_evasive, which must be installed and enabled first (sudo apt-get install libapache2-mod-evasive); it counts requests per client and returns 403 to a client that exceeds the thresholds.
LimitRequestBody 1048576
<IfModule mod_evasive20.c>
    DOSHashTableSize 3097
    DOSPageCount 2
</IfModule>
DOSPageCount 2 means a third request for the same URL within the page interval (DOSPageInterval, default one second) is blocked, which is aggressive enough to trip on an ordinary page that loads several assets; tune DOSPageCount, DOSSiteCount and DOSBlockingPeriod against real traffic before enforcing. For slow-request attacks such as Slowloris, mod_reqtimeout (enabled by default on Debian/Ubuntu) bounds the time a client may take to send headers and body.
- Regularly apply updates and security patches.
sudo apt-get update && sudo apt-get install --only-upgrade apache2
Security fixes for Apache arrive through the distribution's packages, so keep the whole stack current rather than httpd alone: the modules (libapache2-mod-*), OpenSSL, and the application runtime behind the server. Enable unattended-upgrades for the security repository so patches do not wait for someone to log in, check the running version with apache2ctl -v after each upgrade, and follow the Apache httpd security announcements for fixes your distribution has not yet shipped.
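Pulling the steps together, the following is an added example that is not part of the original article: a shell audit that reads an Apache configuration tree and reports the weak settings covered above (version disclosure, 2.2-style access control, missing request-body limit, no TLS vhost). The two configuration trees it builds are constructed for the demo; on a real host run it against /etc/apache2 or /etc/httpd.

```shell
#!/bin/sh
# Added example (not from the original article): audit an Apache config tree
# for the settings covered in the hardening steps. Both config trees below
# are constructed for the demo; run it against /etc/apache2 on a real host.

# audit_apache_conf DIR
# Prints one line per finding and returns 1 if there were any, 0 if clean.
audit_apache_conf() {
    dir="$1"
    findings=0
    # Join every .conf file (directives are spread over conf-enabled/ and
    # sites-enabled/) and drop comment lines so a commented-out directive
    # does not count as present.
    conf="$(find "$dir" -name '*.conf' -exec cat {} + | grep -v '^[[:space:]]*#' || true)"

    check() { printf '%s\n' "$conf" | grep -qiE "$1"; }

    if ! check '^[[:space:]]*ServerTokens[[:space:]]+Prod'; then
        echo "ServerTokens is not Prod: version and OS leak in the Server header"
        findings=$((findings + 1))
    fi
    if ! check '^[[:space:]]*ServerSignature[[:space:]]+Off'; then
        echo "ServerSignature is not Off: error pages carry a version footer"
        findings=$((findings + 1))
    fi
    if check '^[[:space:]]*(Order|Allow from|Deny from)[[:space:]]'; then
        echo "2.2-style Order/Allow/Deny access control found: convert to Require"
        findings=$((findings + 1))
    fi
    # LimitRequestBody 0 means unlimited, so require a non-zero value.
    if ! check '^[[:space:]]*LimitRequestBody[[:space:]]+[1-9]'; then
        echo "No LimitRequestBody: request bodies are unbounded"
        findings=$((findings + 1))
    fi
    if ! check '^[[:space:]]*SSLEngine[[:space:]]+on'; then
        echo "No vhost has SSLEngine on: nothing is served over HTTPS"
        findings=$((findings + 1))
    fi
    [ "$findings" -eq 0 ]
}

# Constructed "before" tree with the weak and legacy settings.
WEAK="$(mktemp -d)"
HARD="$(mktemp -d)"
trap 'rm -rf "$WEAK" "$HARD"' EXIT
cat > "$WEAK/apache2.conf" <<'EOF'
ServerTokens OS
ServerSignature On
<Directory /var/www/admin>
    Order Deny,Allow
    Deny from all
    Allow from 192.168.1.100
</Directory>
EOF
cat > "$WEAK/default-ssl.conf" <<'EOF'
<VirtualHost *:443>
    SSLEngine on
</VirtualHost>
EOF

# Constructed "after" tree with the hardened equivalents. The commented-out
# LimitRequestBody 0 line must not satisfy the check.
cat > "$HARD/apache2.conf" <<'EOF'
ServerTokens Prod
ServerSignature Off
LimitRequestBody 1048576
# LimitRequestBody 0
<Directory /var/www/admin>
    Require ip 192.168.1.100
</Directory>
EOF
cat > "$HARD/default-ssl.conf" <<'EOF'
<VirtualHost *:443>
    SSLEngine on
</VirtualHost>
EOF

echo "== weak tree =="
audit_apache_conf "$WEAK" || echo "(fix the findings above before going live)"
echo "== hardened tree =="
audit_apache_conf "$HARD" && echo "(no findings)"
```

The weak tree produces four findings and a non-zero exit status; the hardened tree produces none. The checks are deliberately textual: they do not follow Include directives or evaluate <IfModule> blocks, so treat a clean run as a starting point and confirm the live values with apachectl -S and curl -sI against the running server.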
Mohd Shakir Zakaria is an experienced cloud architect with a strong development and open-source advocacy background. He boasts multiple certifications in AWS, Red Hat, VMware, ITIL, and Linux, underscoring his expertise in cloud architecture and system administration.