Archive for April, 2012

Here are some simple ways to make Apache a more secure Web server.

#1: Update, update, update

Just because it is Apache running on Linux doesn’t mean you shouldn’t bother to update. New holes and security risks are found all the time. You should always develop a sound update policy to keep on top of patches. If you have installed Apache with your distribution’s package manager, you can make the updates go seamlessly. If you have installed from source, make sure the upgrade is not going to break any modules or dependencies your Web site has. And if you update Apache, make sure PHP (if used) is updated as well.

#2: Use the right user:group

I have seen Apache installed under many groups and/or users. One of the biggest offenders is the root user. This can lead to some serious issues. Or say both Apache and MySQL are run by the same user/group. If there is a hole in one, it can lead to an attack on the other. The best scenario is to make sure Apache is run as the user and group apache. To make this change, open the httpd.conf file and check the lines that read:


Change these entries to:

User apache
Group apache

If you get any errors indicating the group or user do not exist, you’ll have to create them.

#3: Turn off unwanted services

There are a few services and/or features that you will want to turn off or not allow. All of these services can be disabled in the httpd.conf file. Those services/features that could cause the most issues include:

  • Directory browsing. This is done within a directory tag (the document root is a good place to start) using the Options directive and is set with “-Indexes”.
  • Server side Includes. This is another feature that is disabled within a directory tag (using Options directive) and is set with “-Includes”.
  • CGI execution. Unless your site needs CGI, turn this off. This feature is also set within a directory tag using the Options directive, with “-ExecCGI”.
  • Symbolic links. Set this inside a (surprise, surprise) directory tag with “-FollowSymLinks”.
  • None. You can turn off all options (in the same way you set the above) using “None” with the Options directive.

#4: Disable unused modules

Apache has a ton of modules. To get an idea how many modules your installation is running, issue the command (as the root user) grep -n LoadModule httpd.conf from within your Apache configuration directory. This command will show you every module Apache is loading, along with the line number it falls on. To disable the modules you don’t need, simply comment them out with a single # character at the beginning of the module line.
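
A keep-list variant of this step, as an added example that is not part of the original article: it comments out every active LoadModule line not on a list you supply and writes the result to a copy, so you can diff it and run a config test before replacing httpd.conf. The function names, sample module lines and keep-list are constructed for illustration.

```shell
# Added example for tip #4: keep-list approach to disabling modules.

# Names of modules loaded by active (uncommented) LoadModule lines.
active_modules() {            # usage: active_modules FILE
  awk 'tolower($1) == "loadmodule" { print $2 }' "$1"
}

# Print FILE with every active LoadModule line commented out unless its module
# name is on the space-separated keep-list. The original file is not modified.
disable_unlisted_modules() {  # usage: disable_unlisted_modules FILE "mod_a mod_b"
  awk -v keep="$2" '
    BEGIN { n = split(keep, k, " "); for (i = 1; i <= n; i++) allowed[k[i]] = 1 }
    tolower($1) == "loadmodule" && !($2 in allowed) { print "#" $0; next }
    { print }' "$1"
}

sample_modules_conf() {       # constructed sample input
  cat <<'EOF'
LoadModule authz_host_module modules/mod_authz_host.so
LoadModule autoindex_module modules/mod_autoindex.so
LoadModule cgi_module modules/mod_cgi.so
#LoadModule status_module modules/mod_status.so
LoadModule dir_module modules/mod_dir.so
EOF
}

# The keep-list below is hypothetical; which modules a site needs is the operator's call.
conf=$(mktemp); new=$(mktemp)
sample_modules_conf > "$conf"
disable_unlisted_modules "$conf" "authz_host_module dir_module" > "$new"
diff "$conf" "$new" || true   # review the change before replacing httpd.conf
active_modules "$new"         # modules that would still be loaded
rm -f "$conf" "$new"
```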

#5: Restrict access

Say you have an intranet that contains critical company information. You will want to deny anyone outside your private network from seeing this information. To do this, you can restrict access to your internal network by adding the following inside a directory tag in your httpd.conf file:

Order Deny,Allow
Deny from all
Allow from

where is the configuration matching your internal network. As with all modifications to the httpd.conf file, make sure you restart Apache so the changes take effect.

#6: Limit request size

Denial of service attacks are always a possibility when you allow large requests on Apache. Apache has a directive, LimitRequestBody, that is placed within a Directory tag. The size of your limit will depend upon your Web site’s needs. By default, LimitRequestBody is set to unlimited.

#7: Employ mod_security

One of the most important Apache modules is mod_security. This module handles many tasks, including simple filtering, regular expression filtering, URL encoding validation, and server identity masking. The mod_security installation and setup is a bit beyond a one-paragraph description. But you can begin by adding the “unique_id” and “security2” directives in the Apache modules section. Once you have added the entries, run the command service apache2 configtest. If it returns Syntax OK, you’re good to go.

#8: Do not allow browsing outside the document root

Allowing browsing outside the document root is inviting trouble. Unless you have a specific need to allow it, disable this feature. First, you’ll need to edit the document root Directory entry like so:

<Directory />
Order Deny,Allow
Deny from all
Options None
AllowOverride None
</Directory>

Now, if you need to add options to any directory within the document root, you will have to add a new Directory entry for each one.

#9: Hide Apache’s version number

The best offense is a good defense. And one of the best defenses is to obfuscate as much information about your service as you can. One crucial bit of information to hide is the Apache version number. By hiding it, you keep unwanted users from knowing how to quickly hack your Web server. To hide Apache’s version number, add the following in your document root Directory tag:

ServerSignature Off
ServerTokens Prod
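
The settings from tips #2, #3, #6 and #9 can be checked in one pass. The following is an added example (not from the original article) that audits a single httpd.conf and prints one finding per line; the function names and sample config are constructed for illustration, and Include files are not followed.

```shell
# Added example: single-file audit for tips #2, #3, #6 and #9.
# Last active (non-comment) value of a directive, lowercased.
directive_value() {   # usage: directive_value FILE NAME
  awk -v name="$2" '
    $1 ~ /^#/ { next }
    tolower($1) == tolower(name) { $1 = ""; sub(/^ +/, ""); val = tolower($0) }
    END { print val }' "$1"
}

# Print "LINE:option" for every Options token that enables a feature tip #3 turns off.
risky_options() {     # usage: risky_options FILE
  awk '
    $1 ~ /^#/ { next }
    tolower($1) == "options" {
      for (i = 2; i <= NF; i++) {
        opt = tolower($i); sub(/^\+/, "", opt)
        if (opt ~ /^(all|indexes|includes|execcgi|followsymlinks)$/) print NR ":" $i
      }
    }' "$1"
}

# One finding per line; empty output means none of the checks fired.
audit_httpd_conf() {  # usage: audit_httpd_conf FILE
  conf=$1
  for d in User Group; do
    v=$(directive_value "$conf" "$d")
    if [ "$v" = root ]; then echo "ACCOUNT $d=root"; fi
  done
  risky_options "$conf" | sed 's/^/OPTION line /'
  v=$(directive_value "$conf" LimitRequestBody)
  if [ -z "$v" ] || [ "$v" = 0 ]; then echo "BODYLIMIT LimitRequestBody=${v:-unset}"; fi
  [ "$(directive_value "$conf" ServerTokens)" = prod ] || echo "BANNER ServerTokens is not Prod"
  [ "$(directive_value "$conf" ServerSignature)" = off ] || echo "BANNER ServerSignature is not Off"
  return 0
}

sample_weak_conf() {  # constructed sample input, not from a real server
  cat <<'EOF'
User root
Group apache
#ServerTokens Prod
ServerSignature On
<Directory "/var/www/html">
    Options Indexes FollowSymLinks
    LimitRequestBody 0
</Directory>
EOF
}
tmp=$(mktemp); sample_weak_conf > "$tmp"; audit_httpd_conf "$tmp"; rm -f "$tmp"
```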

#10: Immunize httpd.conf

One of the best security measures is to hide your httpd.conf file from prying eyes. If people who shouldn’t see your httpd.conf file can’t see it, they can’t change it. To immunize the httpd.conf file, set the immutable bit with the following command:

chattr +i /path/to/httpd.conf

where /path/to/httpd.conf is the path to your Apache configuration file. Now it will be very difficult for anyone to make any changes to httpd.conf.