Basic Apache security

Below are just a few things to consider if you want to make your Apache installation more secure:

Hide your identity

First of all, hide details about what your webserver is. Always running the latest security patch is the right practice, but it is not always feasible, so if you can't upgrade in time, at least make an attacker's life harder by not advertising your exact version. Keep in mind what this does and does not buy you: it removes a shortcut for scanners that fingerprint by banner, but it does not fix the underlying vulnerability, and even with the two settings below Apache still sends a Server header that reads "Apache", just without version, OS and module details:

#
# ServerTokens
# This directive configures what you return as the Server HTTP response
# Header. The default is 'Full' which sends information about the OS-Type
# and compiled in modules.
# Set to one of:  Full | OS | Minor | Minimal | Major | Prod
# where Full conveys the most information, and Prod the least.
#
ServerTokens Prod

#
# Optionally add a line containing the server version and virtual host
# name to server-generated pages (internal error documents, FTP directory
# listings, mod_status and mod_info output etc., but not CGI generated
# documents or custom error documents).
# Set to "EMail" to also include a mailto: link to the ServerAdmin.
# Set to one of:  On | Off | EMail
#
ServerSignature Off

Allow only basic HTTP methods

HTTP defines the GET, HEAD, POST, PUT, DELETE, OPTIONS, TRACE and CONNECT methods. Guess how many of those are actually used intensively. Yup, only two. Most webservers do just fine with only GET and POST (limiting GET also covers HEAD, which Apache treats the same way inside Limit and LimitExcept). You might find that you need more, for example PUT and DELETE for a REST API or WebDAV, so enable them only where they are needed. The example below allows only the two basic, commonly used methods and denies everything else:

<Location />
    <LimitExcept GET POST>
        Order allow,deny
        Deny from all
    </LimitExcept>
</Location>

Two caveats. The Order/Deny syntax is Apache 2.2; on 2.4 it only works with mod_access_compat loaded, and the native form is Require all denied inside the LimitExcept block. Second, TRACE is handled by the core and cannot be limited this way at all; disable it separately with TraceEnable off, which makes the server answer TRACE with 405 Method Not Allowed.

Disable old and insecure SSL

Use only current protocols and only strong ciphers. This section originally enabled SSLv3 and preferred RC4 (SSLProtocol -ALL +SSLv3 +TLSv1 with the stock RC4+RSA cipher string). Both are broken today (POODLE for SSLv3, keystream biases for RC4), and TLS 1.0 and 1.1 are deprecated as well. A current configuration allows TLS 1.2 and 1.3 only, uses forward-secret AEAD suites, and lets the server rather than the client pick the order:

SSLProtocol -all +TLSv1.2 +TLSv1.3
SSLCipherSuite ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305
SSLHonorCipherOrder on

The +TLSv1.3 keyword needs Apache 2.4.37 or later built against OpenSSL 1.1.1 or later; on older builds drop it and keep +TLSv1.2 only. TLS 1.3 suites are not governed by this SSLCipherSuite string, and mod_ssl's defaults for them are fine.

Disable modules that you don’t need

Again, this depends on your installation and what you are actually using, but in most cases many of the modules Apache loads by default are not needed, and every loaded module is attack surface and often an information leak. Search for LoadModule lines and comment out anything you don't use, then run apachectl configtest, because any directive that belonged to a removed module will now fail to parse. A good list to start with:

  • mod_imap (server-side image maps, rarely used today)
  • mod_include (server-side includes)
  • mod_info (exposes the full running configuration, typically at /server-info)
  • mod_userdir (maps ~user URLs to home directories, which also lets attackers enumerate accounts)
  • mod_status (exposes requests in flight and client addresses, typically at /server-status)
  • mod_cgi (CGI execution)
  • mod_autoindex (directory listings)
  • mod_dav (WebDAV, i.e. PUT and DELETE against the filesystem)

Other settings

Reduce the Timeout, which defaults to 300 seconds on Apache 2.2 (60 on 2.4). That is how long the server waits for a client to send its request, or for the next packet of one, before it decides the client is no longer there; each such idle connection holds a worker, so a single slow client can tie up many of them (a DoS, not a DDoS, since it needs no volume). Reduce it to something sensible, like 20-30 seconds. Timeout alone does not stop Slowloris-style attacks that trickle one byte before the timer expires, because every byte resets it; mod_reqtimeout's RequestReadTimeout directive (enabled by default on 2.4) adds a minimum data rate for headers and body and closes that gap. Keep KeepAliveTimeout low as well, a few seconds at most.

Timeout 20

Disable directory browsing for any directory that has no index file:

Options -Indexes
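As an added example, not code from the original post, the following shell script audits an httpd.conf for every setting covered above in one pass: ServerTokens and ServerSignature, TraceEnable for the method section, SSLProtocol and SSLCipherSuite, the module list, Timeout and Options Indexes. The helper names (audit_httpd_conf, finding_count, write_sample_weak_conf) are my own, the sample configuration it ships with is constructed to mirror the "before" state of those settings, and it is a plain text check: it does not follow Include directives or evaluate <IfModule> blocks, so on 2.4 point it at the merged output of apachectl -t -D DUMP_CONFIG.

```shell
#!/bin/sh
# Added example (not from the original post): text-only audit of an httpd.conf
# for the weak settings discussed above. Helper names are my own, not Apache's.
# The file is grepped as given: Include is not followed, <IfModule> not scoped.

findings=0
report() { echo "FINDING: $1"; findings=$((findings + 1)); }

audit_httpd_conf() {
    conf="$1"
    findings=0
    # Strip comments and blank lines once; every check below greps $body.
    body=$(sed -e 's/#.*//' -e '/^[[:space:]]*$/d' "$conf")

    # 1. Version disclosure.
    if ! printf '%s\n' "$body" | grep -Eiq '^[[:space:]]*ServerTokens[[:space:]]+Prod'; then
        report "ServerTokens is not Prod (Server header leaks version and OS)"
    fi
    if ! printf '%s\n' "$body" | grep -Eiq '^[[:space:]]*ServerSignature[[:space:]]+Off'; then
        report "ServerSignature is not Off (error pages leak version)"
    fi

    # 2. TRACE is handled by the core and cannot be blocked with LimitExcept.
    if ! printf '%s\n' "$body" | grep -Eiq '^[[:space:]]*TraceEnable[[:space:]]+off'; then
        report "TraceEnable off is missing (TRACE stays enabled)"
    fi

    # 3. TLS: last SSLProtocol wins; flag obsolete keywords or 'all' without -TLSv1.
    proto=$(printf '%s\n' "$body" | grep -Ei '^[[:space:]]*SSLProtocol[[:space:]]' | tail -n 1)
    if [ -n "$proto" ]; then
        if printf '%s\n' "$proto" | grep -Eiq '\+(SSLv2|SSLv3|TLSv1|TLSv1\.1)([[:space:]]|$)'; then
            report "SSLProtocol enables an obsolete protocol: $proto"
        elif printf '%s\n' "$proto" | grep -Eiq '[[:space:]]\+?all([[:space:]]|$)' \
            && ! printf '%s\n' "$proto" | grep -Eiq -e '-TLSv1([[:space:]]|$)'; then
            report "SSLProtocol 'all' without -TLSv1 leaves TLS 1.0 on: $proto"
        fi
    elif printf '%s\n' "$body" | grep -Eiq '^[[:space:]]*LoadModule[[:space:]]+ssl_module'; then
        report "mod_ssl is loaded but SSLProtocol is not set (default allows TLS 1.0/1.1)"
    fi
    # Token check only (not an OpenSSL cipher-list evaluation): a weak token
    # counts unless it is negated with '!'.
    if printf '%s\n' "$body" | grep -Ei '^[[:space:]]*SSLCipherSuite[[:space:]]' \
        | grep -Eiq '(^|[^!])(RC4|MEDIUM|LOW|EXP)'; then
        report "SSLCipherSuite allows RC4, MEDIUM, LOW or EXP ciphers"
    fi

    # 4. Directory listings: Indexes enabled without a leading '-'.
    if printf '%s\n' "$body" | grep -Ei '^[[:space:]]*Options[[:space:]]' \
        | grep -Eiq '(^|[[:space:]+])Indexes'; then
        report "Options enables Indexes (directory listings)"
    fi

    # 5. Modules the post recommends dropping.
    for m in imap include info userdir status cgi autoindex dav; do
        if printf '%s\n' "$body" \
            | grep -Eiq '^[[:space:]]*LoadModule[[:space:]]+'"$m"'_module([[:space:]]|$)'; then
            report "LoadModule ${m}_module is enabled"
        fi
    done

    # 6. Timeout: last directive wins; anything above 30 s is a slow-client DoS window.
    t=$(printf '%s\n' "$body" | grep -Ei '^[[:space:]]*Timeout[[:space:]]+[0-9]+' \
        | tail -n 1 | awk '{print $2}')
    if [ -z "$t" ]; then
        report "Timeout is not set (default 300 s on 2.2, 60 s on 2.4)"
    elif [ "$t" -gt 30 ]; then
        report "Timeout ${t}s is above 30 s"
    fi

    echo "TOTAL $findings"
}

# Number of FINDING lines for a file; always exits 0, so it is safe under set -e.
finding_count() {
    audit_httpd_conf "$1" | awk '/^FINDING:/ { n++ } END { print n + 0 }'
}

# Constructed sample mirroring the "before" state of every setting discussed above.
write_sample_weak_conf() {
    cat > "$1" <<'EOF'
ServerTokens Full
ServerSignature On
LoadModule status_module modules/mod_status.so
LoadModule autoindex_module modules/mod_autoindex.so
LoadModule ssl_module modules/mod_ssl.so
SSLProtocol -ALL +SSLv3 +TLSv1
SSLCipherSuite ALL:!aNULL:!ADH:!eNULL:!LOW:!EXP:RC4+RSA:+HIGH:+MEDIUM
Timeout 300
<Directory "/var/www/html">
    Options Indexes FollowSymLinks
</Directory>
EOF
}

# Audit the path given as $1, or the constructed sample (9 findings) when none is given.
sample=$(mktemp)
write_sample_weak_conf "$sample"
audit_httpd_conf "${1:-$sample}"
rm -f "$sample"
```

Run it as sh audit.sh /etc/httpd/conf/httpd.conf; with no argument it audits the constructed sample and reports all nine findings. Once the changes are live, confirm them from the outside too: curl -sI https://your.host/ | grep -i '^Server:' should show just "Apache", curl -si -X TRACE https://your.host/ should come back 405 (TraceEnable off), and curl -si -X PUT https://your.host/x should come back 403 from the LimitExcept rule rather than 200.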