what to do for secure Apache ?

jacobwallace800
Posts: 8
Joined: Wed Jan 21, 2015 4:59 pm

what to do for secure Apache ?

Post by jacobwallace800 » Fri Apr 10, 2015 2:50 pm

what to do for secure Apache ?

chloewilson773
Posts: 10
Joined: Thu Jan 22, 2015 3:41 pm

Re: what to do for secure Apache ?

Post by chloewilson773 » Wed Apr 15, 2015 10:26 am

Do for secure Apache


1. Keep up to Date

2. Denial of Service (DoS) attacks

3. Permissions on ServerRoot Directories

4. Server Side Includes

5. CGI in General

6. Non Script Aliased CGI

7. Script Aliased CGI

8. Other sources of dynamic content

9. Dynamic content security

10. Protecting System Settings

11. Protect Server Files by Default

12. Watching Your Logs

13. Merging of configuration sections

jj2561678
Posts: 10
Joined: Wed Jan 21, 2015 5:01 pm

Re: what to do for secure Apache ?

Post by jj2561678 » Fri Apr 24, 2015 9:14 am

These are the main things you should do to secure Apache:

1. Install the latest security patches
2. Hide the Apache version number
3. Apache is running under its own user account and group
4. Turn off directory browsing
5. Turn off server side includes
6. Turn off CGI execution
7. Don't allow Apache to follow symbolic links
8. Turn off multiple Options
9. Turn off support for .htaccess files
10. Run mod_security

maeliejosphe
Posts: 9
Joined: Wed Jan 21, 2015 4:15 pm

Re: what to do for secure Apache ?

Post by maeliejosphe » Thu May 14, 2015 4:12 pm

Apache is the most broadly used Web server on the Internet. It was built to work on UNIX-like operating systems, but is now ported to other server operating systems like Windows.

The Apache and Linux mixture provides good quality security, but things might go wrong if you don’t take the measures. There are several things one needs to do to secure an Apache web server. We have compiled a list of simple points you should consider to make your Apache server secure.

First thing: Update

You should not only update Apache when there is a major release, but should also set up all the patches. It is also sensible to update PHP (if you use it) when you update Apache.

You can check the current version of Apache by using the following command.

# httpd -v
Server version: Apache/2.*.** (Unix)
Server built: Mar 12 2014 13:20:23


Apache version and OS

If an error occurs, the server might revisit information about the error along with the Apache version and features about the OS.

To turn this off, open the config file (httpd.conf) with a text editor and find the string “ServerSignature On.” It should be On by default. Turn it off simply by replacing “On” with “Off.”

Now the HTTP site header and error pages will only show that it runs Apache and will not show the version.


Disable Directory Listing.

If there is no index file in the root directory, Apache will, by default, list all the files in the root directory. There are a number of ways to prevent Apache from listing the files in the root folder. Again, you need to add a pair of lines to the config file. There are 2 ways of doing this: either set the Options directive to “-Indexes” or to “None.” If you don’t have a clue what we are talking about, just add the following lines to the config file.

<directory /var/www/html>
Options -Indexes
Order allow,deny
Allow from all
</directory>


Or use the following code.

<directory /var/www/html>
Options None
Order allow,deny
Allow from all
</directory>


Secure the config file


You should have imagined the fact that the httpd.conf file is quite important in keeping your server secure. So it is better to hide your file. You can always unhide it when you want.

Use the following command to vaccinate the config file.

chattr +i /etc/httpd/conf/httpd.conf

From chattr man page:

“A file with the `i’ attribute cannot be modified: it cannot be deleted or renamed, no link can be created to this file and no data can be written to the file. Only the super user or a process possessing the CAP_LINUX_IMMUTABLE capability can set or clear this attribute.”

Prevent DoS attack by limiting request size

By default, LimitRequestBody is set to unlimited. Depending on your website’s requirements, the size can be changed. You could also limit requests to more susceptible directories like upload folders.

Disable unwanted Modules

By disabling several modules that are not of any use to you, you can reduce the security weakness of your server. To find out the list of all the modules in your Web server, you can use the following command.

# grep LoadModule /etc/httpd/conf/httpd.conf

Analyze all the modules in the output list and figure out the ones that are unnecessary. You don’t even have to delete the lines. Just add “#” at the beginning and it will become deactivated after you restart the service.

Do not run Apache as root

Apache should not run as root. It is always good to run Apache as a separate user. It will run as daemon or nobody by default. Set up a non-privileged account dedicated for Apache. Never set Apache User or Group to root.

# vi httpd.conf
Group apache
User apache
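
An added example, not part of any post in this thread: a small Python check that reads an httpd.conf and reports the weak settings the two replies above list (version disclosure, root user, directory listing and other Options, .htaccess overrides, request-body limit). The sample config is constructed for the example, and ServerTokens, the directive that controls the Server response header, does not appear in the thread.

```python
# Constructed sample config for this example (not from the thread).
SAMPLE_CONF = """\
ServerSignature On
User root
<Directory /var/www/html>
    Options Indexes FollowSymLinks
    AllowOverride All
</Directory>
"""
RISKY_OPTIONS = {"all", "indexes", "includes", "execcgi", "followsymlinks"}

def parse(conf):
    """Yield (directive, args, section); Include'd files are not followed."""
    stack = []
    for raw in conf.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("</"):
            stack = stack[:-1]  # leave the innermost section
        elif line.startswith("<"):
            stack.append(line.strip("<>"))
        else:
            parts = line.split(None, 1) + [""]
            yield parts[0].lower(), parts[1], stack[-1] if stack else "global"

def audit(conf):
    """Return findings; only top-level directives count as global settings."""
    rows = list(parse(conf))
    top = {name: args.lower() for name, args, sec in rows if sec == "global"}
    findings = []
    if top.get("serversignature", "off") != "off":
        findings.append("ServerSignature is not Off")
    if top.get("servertokens", "full") not in ("prod", "productonly"):
        findings.append("ServerTokens is not Prod")
    for key in ("user", "group"):
        if top.get(key) in ("root", "#0"):
            findings.append(f"{key.capitalize()} is root")
    limits = [args for name, args, _ in rows if name == "limitrequestbody"]
    if not any(a.isdigit() and int(a) > 0 for a in limits):
        findings.append("LimitRequestBody has no non-zero limit")
    for name, args, sec in rows:
        if name == "options":
            on = {t.lstrip("+").lower() for t in args.split() if t[0] != "-"}
            findings += [f"Options {o} enabled in {sec}" for o in sorted(on & RISKY_OPTIONS)]
        elif name == "allowoverride" and args.lower() != "none":
            findings.append(f".htaccess overrides allowed in {sec}")
    return findings
if __name__ == "__main__":
    print("\n".join(audit(SAMPLE_CONF)))
```

Run it against the real file with audit(open("/etc/httpd/conf/httpd.conf").read()); an empty list means none of these checks fired.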

lopezhannah966
Posts: 14
Joined: Thu Jan 22, 2015 4:21 pm

Re: what to do for secure Apache ?

Post by lopezhannah966 » Fri Nov 12, 2021 6:28 am

Apache's processes are run by default with the user nobody or daemon. It is suggested that Apache be executed in its own non-privileged account for security reasons.
