The Apache HTTP Server Project is an effort to develop and maintain an open-source HTTP server for modern operating systems, including UNIX and Windows. This project aims to provide a secure, efficient, and extensible server that provides HTTP services in sync with the current HTTP standards.
This article walks through a 15-point Apache web server security and hardening checklist.
Apache Web Server Security and Hardening Best Practices Checklist
1. Keep the Latest Version
Most Apache vulnerabilities are fixed in point releases, so the cheapest control is to stay on the distribution's current package. On Red Hat derivatives and on Debian or Ubuntu respectively:
# yum update httpd
# apt-get update && apt-get install --only-upgrade apache2
Check the running version afterwards with httpd -v (apache2 -v on Debian) and restart the service, since the old binary keeps serving until you do.
2. Activate Logging
Logs are composed of log entries; each contains information related to a specific event on the server. Logs tell us the operational and security status of our web server. You should keep an eye on the activity logs of your web server.
Apache writes access logs through mod_log_config: LogFormat defines the fields, CustomLog sets the destination, and ErrorLog together with LogLevel control the error log. With these in place you can see which clients reached which resources, with what status, and whether authentication succeeded or failed. Review the logs regularly and ship them off the host (rsyslog, or a piped logger), so that an intruder who gains control of the server cannot quietly remove the evidence.
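As an added example (not from the article), a security-oriented logging configuration for httpd.conf. The log paths and the format name secure_combined are assumptions; mod_log_config is already loaded in stock distribution builds, so no LoadModule line is needed.

```apache
# Added example: access and error logging for security review.
# Combined log format plus the virtual host (%v), the request time in
# microseconds (%D) and the X-Forwarded-For header the client presented.
# X-Forwarded-For is only trustworthy when a proxy you control sets it.
LogFormat "%v %h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\" %D \"%{X-Forwarded-For}i\"" secure_combined
CustomLog "/var/log/httpd/access_log" secure_combined

# Error log at a level that records authentication failures and denied
# requests without drowning them in debug output.
ErrorLog "/var/log/httpd/error_log"
LogLevel warn

# A second log holding only failed requests (status 400 and above) is
# small enough to read daily. The condition uses ap_expr; -ge is the
# integer comparison, >= would compare strings.
CustomLog "/var/log/httpd/failed_requests_log" secure_combined "expr=%{REQUEST_STATUS} -ge 400"
```

Validate the result with apachectl configtest before restarting; a typo in a LogFormat string stops the server from starting rather than silently dropping fields.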
3. Add an SSL Certificate
An SSL certificate (more precisely a TLS certificate; SSL is the obsolete predecessor of TLS, and modern servers speak only TLS) binds a site's name to a public key so that clients can authenticate the server and set up an encrypted connection.
TLS protects the confidentiality and integrity of traffic between browser and server; it does not by itself make the server faster. You can obtain a free certificate from an ACME certificate authority such as Let's Encrypt, or have your hosting provider issue and install one. In Apache the certificate is configured with mod_ssl (SSLEngine, SSLCertificateFile, SSLCertificateKeyFile), and plain HTTP should redirect to HTTPS so nothing is served unencrypted.
4. Restrict Network Access
If a site or directory should only be reachable from particular hosts or networks, restrict it by source address. In httpd.conf, inside the Directory block for the site, deny everyone and then list the addresses that are allowed. The Order/Deny/Allow form below is the Apache 2.2 syntax; it still works in 2.4 only while mod_access_compat is loaded, and the native 2.4 form is Require ip.
To allow a network, name it in the Allow directive:
Options None
AllowOverride None
Order deny,allow
Deny from all
Allow from 10.20.0.0/24
To allow a single host, name its address instead:
Options None
AllowOverride None
Order deny,allow
Deny from all
Allow from 10.20.1.56
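The same restriction in native Apache 2.4 syntax (mod_authz_core and mod_authz_host), as an added example that is not part of the article. The directory path and the proxy address 192.0.2.10 are assumptions.

```apache
# Added example: 2.4 address restriction for one directory.
<Directory "/var/www/html/intranet">
    Options None
    AllowOverride None
    # Everything not matched below is denied. RequireAny is the implicit
    # container for bare Require lines; it is written out here for clarity.
    <RequireAny>
        Require ip 10.20.0.0/24
        Require ip 10.20.1.56
    </RequireAny>
</Directory>

# Caveat: behind a reverse proxy or load balancer, Require ip sees the
# proxy's address, so the rule above would allow or block everyone at once.
# mod_remoteip restores the client address, but only from a proxy you list,
# because any client can send an X-Forwarded-For header of its own.
RemoteIPHeader X-Forwarded-For
RemoteIPInternalProxy 192.0.2.10
```

Without the RemoteIPInternalProxy line, mod_remoteip would trust X-Forwarded-For from anyone, which turns the address check into a self-declared one.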
5. Deploy ModSecurity
TLS protects traffic in transit, but it does nothing about malicious requests carried inside that traffic; for those you need a web application firewall. ModSecurity, sometimes called Modsec, is an open source WAF. Originally designed as a module for the Apache HTTP Server, it has evolved to provide HTTP request and response filtering and other security features across several platforms, including Apache HTTP Server, Microsoft IIS, and Nginx. It is free software released under the Apache License 2.0.
# yum install mod_security
# systemctl restart httpd
(On Debian and Ubuntu the package is libapache2-mod-security2; on SysV systems restart with /etc/init.d/httpd restart.) The engine does little without rules: deploy a rule set such as the OWASP Core Rule Set, run it in detection-only mode (SecRuleEngine DetectionOnly) against real traffic first, and switch to blocking once the false positives are tuned out.
6. Enable mod_evasive
mod_evasive protects a web server against HTTP-level denial-of-service and brute-force traffic. It keeps a table of client addresses and the pages they request; when one address requests the same page, or the site as a whole, more often than the configured thresholds within a short interval, it answers that address with 403 Forbidden for a blocking period and can run a system command, for example to add a firewall rule. It counts requests per source address; it does not inspect logins, and behind a reverse proxy every client appears to share the proxy's address.
On Debian and Ubuntu, update the package index and install apache2-utils, which provides the ab benchmarking tool you can use to trigger the limits in a test:
sudo apt update
sudo apt install apache2-utils
Then install mod_evasive itself:
sudo apt install libapache2-mod-evasive
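As an added example (not from the article), a mod_evasive configuration with the thresholds it enforces spelled out. The numbers, the log directory, the notification address and the whitelisted proxy address 192.0.2.10 are assumptions; on Debian and Ubuntu the package ships a mods-available/evasive.conf intended to hold these directives.

```apache
# Added example: mod_evasive thresholds. Start conservative, watch the
# DOSLogDir entries, then tighten.
DOSHashTableSize 3097

# One client requesting the same page more than 10 times within 1 second
# is blocked.
DOSPageCount 10
DOSPageInterval 1

# One client making more than 100 requests to the whole site within
# 1 second is blocked.
DOSSiteCount 100
DOSSiteInterval 1

# Seconds the client stays blocked after tripping either threshold.
DOSBlockingPeriod 60

# Directory must exist and be writable by the Apache user, otherwise the
# module cannot record blocks and will notify on every request.
DOSLogDir "/var/log/mod_evasive"
DOSEmailNotify security@example.com

# Never block the monitoring host or the reverse proxy in front of Apache;
# blocking the proxy would block every real user at once.
DOSWhitelist 127.0.0.1
DOSWhitelist 192.0.2.10
```

Test from a workstation with ab -n 200 -c 20 http://host/ and confirm that the later requests return 403 and that a line appears in the log directory.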
7. Establish HTTP Limits
A distributed denial-of-service (DDoS) attack tries to disrupt a server, service, or network by overwhelming it or its surrounding infrastructure with a flood of traffic: a traffic jam that keeps legitimate requests from reaching their destination. Apache cannot absorb a volumetric flood on its own, but the directives below stop individual clients from tying up workers with oversized, slow, or endless requests.
- KeepAlive: allows several requests over one TCP connection. Open the main configuration file (/etc/apache2/apache2.conf on Debian and Ubuntu, httpd.conf elsewhere), set KeepAlive On, and restart the server:
$ sudo vi /etc/apache2/apache2.conf
KeepAlive On
- KeepAliveTimeout: the time in seconds to wait for the next request from the same client on the same connection. The default is 5 seconds; keep it short, because every idle keep-alive connection occupies a worker.
- LimitRequestBody: the maximum size of an HTTP request body accepted from the client, from 0 (meaning unlimited) to 2147483647 (2 GB). Set it to what the application actually needs; to cap uploads at 5 MB, use 5242880 bytes.
- LimitRequestFields: the number of HTTP request header fields accepted from the client. The default is 100.
- LimitRequestFieldSize: the size of a single HTTP request header field accepted from the client. The default is 8190 bytes.
- LimitRequestLine: the maximum length of the request line (method, URL and protocol version), which in practice is the maximum URL length. The default is 8190 bytes; to allow 10000 bytes, set LimitRequestLine 10000.
- ThreadLimit: the upper bound on the number of threads per child process for the worker and event MPMs; it caps ThreadsPerChild and must appear before it.
- MaxKeepAliveRequests: the maximum number of requests allowed per persistent connection. The default is 100.
- MaxRequestWorkers (MaxClients before 2.4): the maximum number of connections processed simultaneously. Size it to the memory available, not only to the expected load, or a flood turns into swapping.
- RequestReadTimeout (mod_reqtimeout): timeouts for completing the TLS handshake and for receiving the request headers and body from the client. This is the defence against slow-request attacks such as Slowloris. The defaults are handshake=0 header=20-40,MinRate=500 body=20,MinRate=500, meaning 20 seconds to send the headers, extended up to 40 seconds as long as the client keeps sending at least 500 bytes per second, and the same for the body. Its syntax is:
RequestReadTimeout [handshake=timeout[-maxtimeout][,MinRate=rate]] [header=timeout[-maxtimeout][,MinRate=rate]] [body=timeout[-maxtimeout][,MinRate=rate]]
- Timeout: the number of seconds Apache waits for I/O between packets. The default is 60 seconds. To set it to 600 seconds, use Timeout 600; do that only for an application that genuinely needs such long requests, because a large value makes the slow-request problem worse.
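The directives above collected into one httpd.conf fragment, as an added example that is not part of the article. The values are assumptions for an application that accepts uploads of up to 5 MB and runs the event MPM; tune them to your own traffic. Comments sit on their own lines because Apache does not accept trailing comments after a directive.

```apache
# Added example: request limits from section 7 in one place.

# Persistent connections are fine, but idle ones must be released quickly
# so that one client holding connections open cannot pin down workers.
KeepAlive On
KeepAliveTimeout 5
MaxKeepAliveRequests 100

# Request size limits. LimitRequestBody 0 would mean unlimited; 5242880 is 5 MB.
LimitRequestBody 5242880
LimitRequestFields 100
LimitRequestFieldSize 8190
# Request line = method + URL + protocol version (default 8190 bytes).
LimitRequestLine 10000

# Worker limits for the event MPM. ThreadLimit must precede ThreadsPerChild,
# and MaxRequestWorkers should be a multiple of ThreadsPerChild.
<IfModule mpm_event_module>
    ThreadLimit 64
    ThreadsPerChild 25
    MaxRequestWorkers 150
</IfModule>

# Slow-client protection from mod_reqtimeout: 20 s to send the headers,
# stretched to at most 40 s while at least 500 bytes/s keep arriving; the
# same for the body. handshake=0 sets no separate timeout for the TLS
# handshake, so the general Timeout applies there.
<IfModule reqtimeout_module>
    RequestReadTimeout handshake=0 header=20-40,MinRate=500 body=20,MinRate=500
</IfModule>

# Seconds to wait for I/O between packets. Keep it as low as the
# application tolerates; the 60 s default is a better start than 600.
Timeout 60
```

After applying it, confirm the behaviour from outside: a request with a 6 MB body should get 413 Request Entity Too Large, and a connection that sends one header byte per second should be closed after about 40 seconds with a 408.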
8. Discard Unused Modules
Every loaded module adds memory use and attack surface, and an unmaintained module may carry bugs that will never be fixed.
First, list the modules currently loaded with apachectl -M (or httpd -M) and the LoadModule lines in your configuration, then decide which ones the site actually needs. Disable the rest by adding a "#" in front of the corresponding LoadModule line in httpd.conf (on Debian and Ubuntu, use a2dismod instead), check the result with apachectl configtest, and restart. Remove modules one at a time and re-test the site, because some modules (mod_rewrite, mod_ssl, the authentication providers) are depended on by configuration that will fail to load without them.
9. Update Default User Settings
Do not run Apache as root or as an account shared with other services. The server must start as root to bind ports 80 and 443, but its worker processes should then drop to a dedicated, non-privileged account that has no shell, no password, and no write access to the document root, so that a compromised worker cannot modify the site or read other users' files.
Distribution packages already create such an account (apache on Red Hat derivatives, www-data on Debian and Ubuntu); if you build from source, create one with the # groupadd and # useradd commands. Make sure the User and Group directives in httpd.conf name that account, and check that no file under the document root is owned or writable by it unless the application needs that.
10. Block Directory Access
Apache's default configuration grants access to the document root, and when a directory has no index file, mod_autoindex generates a listing of everything in it unless the Indexes option is disabled. Decide explicitly which directories are served and to whom, using Require directives inside the relevant Directory block (this is the Apache 2.4 syntax; 2.2 used Order/Allow/Deny).
To block a directory completely, add:
Require all denied
To open a directory to everyone, add:
Require all granted
To allow only authenticated users, configure an authentication provider (AuthType, AuthName, AuthUserFile) in the same block and then add:
Require valid-user
To stop users from seeing a listing of a directory that has no index file, remove the Indexes option with Options -Indexes.
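As an added example (not from the article), a default-deny layout that combines these directives. The paths and the password file location are assumptions.

```apache
# Added example: directory access in 2.4 syntax, default deny.

# Nothing on the filesystem is served unless a later block grants it.
<Directory "/">
    AllowOverride None
    Require all denied
</Directory>

# Public content: served to everyone, but no directory listings.
<Directory "/var/www/html">
    Options -Indexes
    AllowOverride None
    Require all granted
</Directory>

# Private area: only users in the password file (mod_auth_basic with
# mod_authn_file). Create entries with htpasswd -B, which uses bcrypt.
<Directory "/var/www/html/admin">
    AuthType Basic
    AuthName "Restricted"
    AuthUserFile "/etc/httpd/conf/.htpasswd"
    Require valid-user
</Directory>
```

Basic authentication sends the password in every request, so this block only makes sense on a virtual host that is TLS-only; keep the password file outside the document root, as above, so it can never be downloaded.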
11. Hide the ETag
ETag (entity tag) is a response header that lets browsers make conditional requests and validate cached copies cheaply. Apache derives the tag from file attributes: in versions before 2.4 the default included the inode number, which leaks filesystem details to anyone who looks at the header, and on a load-balanced site the tag for the same file differs from server to server, so cache validation fails anyway. Unless the site relies on ETags, disable them.
Disable ETags by adding the FileETag directive to httpd.conf with the value None (FileETag None); clients then fall back to Last-Modified for validation.
12. Disable HTTP Trace
The TRACE method is enabled by default (TraceEnable On). TRACE echoes the request back to the client, and a request body is not permitted with it, so by itself it is harmless; the risk is cross-site tracing (XST), where script injected into a page uses TRACE to read request headers that script cannot otherwise see, including cookies marked HttpOnly and Authorization headers. Modern browsers refuse to send TRACE from script, so today this is mostly hygiene and a scanner finding, but there is no reason to leave it on.
Disable the TRACE method by adding, or changing, the TraceEnable directive in your Apache Web Server's httpd.conf to TraceEnable Off; Apache then answers TRACE with 405 Method Not Allowed. The directive is only valid at server or virtual host level, not inside Directory blocks or .htaccess files.
13. Disable .htaccess Override
.htaccess files (or “distributed configuration files”) provide a way to make configuration changes on a per-directory basis. A file, containing one or more configuration directives, is placed in a particular document directory, and the directives apply to that directory and all subdirectories thereof.
If you have access to the main server configuration file, avoid .htaccess files entirely. With overrides enabled, Apache has to look for and parse a .htaccess file in every directory on the path of each request, which slows the server down, and anyone who can write to the document root (through a file upload flaw, for instance) can change server behaviour by dropping a .htaccess file there. Any directive you would place in a .htaccess file belongs in a Directory block instead, where it has the same effect and performs better.
In httpd.conf, add the following to the Directory block to disable overrides (and, while there, directory listings):
Options -Indexes
AllowOverride None
14. Disable SSI and CGI
SSI (Server Side Includes) is a simple interpreted server-side scripting language used almost exclusively for the World Wide Web. It is most useful for including the contents of one or more files into a web page on a web server.
Similarly, CGI (Common Gateway Interface) is an interface specification that enables web servers to execute an external program, typically to process user requests. Such programs are often written in a scripting language and are commonly referred to as CGI scripts, but they may include compiled programs.
Disable both with the Options directive in the Directory block for the document root. Only the forms with a leading minus, or IncludesNOEXEC, actually restrict anything; Options All and Options MultiViews enable features rather than disable them (All turns on everything except MultiViews, including Includes and ExecCGI), so neither belongs in a hardened configuration. Choose one of:
- Options IncludesNOEXEC (SSI stays available, but the exec element and includes of CGI output are refused)
- Options -Includes (no SSI)
- Options -ExecCGI (no CGI)
- Options -Includes -ExecCGI (neither)
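Sections 11 to 14 applied together in one server-level fragment, as an added example that is not part of the article. Paths are assumptions; the Directory blocks merge with any existing block for the same path, which is why the Options lines use the explicit minus and plus forms.

```apache
# Added example: ETag, TRACE, .htaccess and SSI/CGI hardening.

# 11. No entity tags for static files.
FileETag None

# 12. Refuse TRACE; Apache answers 405 Method Not Allowed.
TraceEnable Off

# 13 and 14. No per-directory overrides, no listings, no SSI, no CGI.
<Directory "/var/www/html">
    Options -Indexes -Includes -ExecCGI
    AllowOverride None
</Directory>

# If one directory genuinely needs server-side includes, allow them there
# without the exec element. AddOutputFilter is what actually turns the
# INCLUDES filter on for .shtml files.
<Directory "/var/www/html/ssi">
    Options +IncludesNOEXEC
    AddOutputFilter INCLUDES .shtml
</Directory>
```

Verify from outside after restarting: curl -X TRACE against the host should return 405, and a static file's response should carry Last-Modified but no ETag header.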
15. Disable Null and Weak Ciphers
Null ciphers provide no encryption at all, and weak ones (export grades, RC4, DES and 3DES, MD5-based MACs, anonymous Diffie-Hellman, and anything negotiated under SSLv3, TLS 1.0 or TLS 1.1) are broken or breakable, so allow only strong ciphers. In mod_ssl this is controlled by two directives: SSLProtocol, which should permit only TLS 1.2 and 1.3, and SSLCipherSuite, which should list only forward-secret AEAD suites. Verify the result from outside with a TLS scanner rather than trusting the configuration text, since OpenSSL silently ignores cipher names it does not recognise.
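A TLS virtual host covering sections 3 and 15, as an added example that is not part of the article. The hostname and the certificate paths are assumptions (Debian keeps certificates under /etc/ssl; a Let's Encrypt client writes its own paths), and the distribution's ssl.conf or ports.conf is assumed to already listen on port 443. The protocol-specific SSLCipherSuite form needs Apache 2.4.36 or later with OpenSSL 1.1.1 or later.

```apache
# Added example: TLS-only virtual host with modern protocols and ciphers.
<VirtualHost *:443>
    ServerName www.example.com
    DocumentRoot "/var/www/html"

    SSLEngine on
    SSLCertificateFile "/etc/pki/tls/certs/www.example.com.crt"
    SSLCertificateKeyFile "/etc/pki/tls/private/www.example.com.key"
    # Intermediate certificates can be appended to SSLCertificateFile.

    # Only TLS 1.2 and 1.3; SSLv3, TLS 1.0 and TLS 1.1 are disabled.
    SSLProtocol -all +TLSv1.2 +TLSv1.3

    # TLS 1.2: forward-secret AEAD suites only. NULL, export, RC4, 3DES,
    # MD5 and plain RSA key exchange are excluded by not being listed.
    SSLCipherSuite ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305
    # TLS 1.3 suites are all AEAD; listed so the choice is explicit.
    SSLCipherSuite TLSv1.3 TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256

    # With only strong suites offered, the client's preference is fine.
    SSLHonorCipherOrder off
    # Session tickets without key rotation weaken forward secrecy.
    SSLSessionTickets off
</VirtualHost>

# Plain HTTP exists only to redirect to HTTPS.
<VirtualHost *:80>
    ServerName www.example.com
    Redirect permanent "/" "https://www.example.com/"
</VirtualHost>
```

Check it from another machine: openssl s_client -connect www.example.com:443 -tls1_1 must fail to handshake, and -cipher NULL or -cipher RC4 must be refused, while a default connection reports a TLSv1.3 or ECDHE suite.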
This article covered fifteen settings that close the most common gaps in an Apache installation: staying current, logging, TLS, source-address restrictions, a web application firewall and request rate limiting, request size and timeout limits, module and service-account hygiene, directory access control, and disabling ETags, TRACE, .htaccess overrides, SSI, CGI, and weak ciphers. Apache documents every one of these directives and ships with conservative defaults, but none of the hardening above is applied for you; review the configuration after each upgrade and re-test the server from outside.