The Apache HTTP Server is one of the most popular web servers available for both Windows and Linux/UNIX. At the time of writing, it is used to host approximately 40% of websites, and it is often described as one of the most secure web servers. In this article, you can find 10 security tips to harden your Apache configuration and improve Apache security in general.
1. Disable the server-info Handler
The server-info handler is provided by the mod_info module. If httpd.conf contains a <Location /server-info> block that enables it, anyone who can reach the /server-info page (for example, http://www.example.com/server-info) can read a dump of the running Apache configuration. This can include sensitive details such as the server version, system paths, database names, and the versions of loaded libraries.
For example, /server-info exposes the Apache version along with the OpenSSL version it was built against. In the past, an attacker could use this information to find out whether the server ran a version of OpenSSL vulnerable to the Heartbleed bug before sending a single exploit packet.
The simplest fix is not to load mod_info at all, by commenting out its LoadModule line in httpd.conf:
#LoadModule info_module modules/mod_info.so
On distribution packages the LoadModule lines often live in a separate directory that httpd.conf includes (Debian and Ubuntu, for example, disable the module with a2dismod info), so check there too. If you need mod_info for troubleshooting, restrict the <Location /server-info> block to trusted addresses instead of exposing it to everyone.
2. Disable the server-status Handler
The server-status handler, provided by mod_status, reports server performance data such as uptime, load, the requests currently being processed, and the client IP addresses behind them. An attacker can use this to learn about the server's internal state and traffic patterns, and to observe other users' requests while planning an attack.
If you do not need it, disable the handler by commenting out its block in httpd.conf:
#<Location /server-status>
#    SetHandler server-status
#    Order deny,allow
#    Deny from all
#    Allow from .your_domain.com
#</Location>
Note that Order, Deny and Allow are Apache 2.2 access-control directives; on Apache 2.4 they only work when mod_access_compat is loaded, and the native way to limit such a block to a monitoring host is the Require directive. If you keep server-status for monitoring, restrict it to specific addresses rather than relying on the path being obscure.
3. Disable the ServerSignature Directive
The ServerSignature directive adds a footer line to server-generated documents such as error pages and directory listings. The footer includes the server version and, depending on ServerTokens, the operating system; set to EMail, it also adds a mailto link for the ServerAdmin address. To stop Apache from displaying this information, set the directive to Off in httpd.conf:
ServerSignature Off
The directive defaults to Off in current Apache releases, but many distribution configurations and older templates set it to On, so check the value explicitly rather than assuming the default.
4. Set the ServerTokens Directive to Prod
The ServerTokens directive controls what Apache sends in the Server response header field. The accepted values are listed in the Apache ServerTokens documentation and range from Full (the default), which reveals the Apache version, the operating system and the versions of modules such as OpenSSL and PHP, down to Prod, which returns only Apache. Set it to Prod in httpd.conf:
ServerTokens Prod
Two caveats: ServerTokens is a server-wide setting that cannot differ per virtual host, and it also controls the level of detail shown by ServerSignature. Trimming the header only hides the version from casual inspection; it does not remove the underlying vulnerabilities, so keep patching.
5. Disable Directory Listing
When directory listing is enabled (through the Indexes option and mod_autoindex), a request for a directory that has no index file returns a listing of everything in it. An attacker can then browse and download any file in that directory, including items that were never meant to be served, such as editor backups, .bak copies, archived source code and configuration files. Source code can be analyzed for security flaws, and configuration files often contain database connection strings and credentials for other systems. Disable directory listing with the Options directive in httpd.conf:
<Directory /your/website/directory>
    Options -Indexes
</Directory>
Apply this to the document root so that subdirectories inherit it, and check .htaccess files (where AllowOverride permits Options) for anything that re-enables Indexes.
6. Enable Only the Required Modules
A default installation of the Apache HTTP Server may include many pre-installed and enabled modules that you do not need. To make matters worse, some administrators take the path of least resistance and enable all the remaining modules in httpd.conf to make sure that everything works without a hitch. This also exposes the server to any security issue that exists, or is discovered later, in each of those modules.
The Apache module documentation lists and explains all the modules available for Apache. Run httpd -M (or apachectl -M) to see which modules are actually loaded, research each one, and make sure it is really required for the functionality of the website. Disable unnecessary modules by commenting out their LoadModule lines (or, on Debian-based systems, with a2dismod).
7. Use an Appropriate User and Group
The httpd.conf shipped with the Apache source runs the server as the daemon user and group; distribution packages typically use an account such as apache, www-data or http. Whatever the default, Apache should run as a dedicated, unprivileged account that has no login shell and owns nothing it does not need to write. Sharing an account between services (for example, running Apache and MySQL as the same user) means that a compromise of one process gives access to the files and sockets of the other. To change the account, edit the User and Group directives in httpd.conf:
User apache
Group apache
Apache itself is still started as root so that it can bind to ports 80 and 443; the parent process then drops to this account for the child processes that handle requests.
8. Restrict Unwanted Services
If your site does not need them, turn off features such as CGI execution, symbolic link following and server-side includes. All three are controlled by the Options directive in httpd.conf, and each can be disabled globally or for a single directory. The example below disables CGI script execution, symbolic links and server-side includes for the website root directory and everything below it:
<Directory /your/website/directory>
    Options -ExecCGI -FollowSymLinks -Includes
</Directory>
Two practical notes: without FollowSymLinks, Apache has to check every path component for symbolic links on each request, and mod_rewrite rules in .htaccess files require either FollowSymLinks or SymLinksIfOwnerMatch; the latter only follows links whose owner matches the target and is the usual compromise. If you need includes without the risk of #exec, use IncludesNOEXEC instead of Includes.
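The following Python script, added here as an example and not part of the original article or of Apache itself, turns sections 1 to 8 into an automated check. It contains a small parser for httpd.conf syntax (directives, <Section> containers, comments and backslash continuations; Include files are not followed, so point it at a fully expanded configuration) and audits the result for a loaded mod_info, an enabled server-status handler, the ServerSignature and ServerTokens values, risky Options keywords, and a privileged or shared User/Group. The two embedded configurations are constructed samples; the file name in the usage line is hypothetical.

```python
"""Audit an httpd.conf for the settings covered in sections 1 to 8.

Constructed example: a minimal parser plus checks, not Apache's own parser.
Include directives are not followed, so point it at a fully expanded config.
"""
import re
import shlex
import sys

OPEN_RE = re.compile(r"^<(\w+)\s*([^>]*)>$")
CLOSE_RE = re.compile(r"^</(\w+)>$")

# Options keywords that enable the behaviour sections 5 and 8 turn off.
RISKY_OPTIONS = {
    "indexes": "directory listing",
    "execcgi": "CGI execution",
    "includes": "server-side includes",
    "followsymlinks": "symbolic link following",
}
# Privileged or shared accounts that section 7 says not to run as.
SHARED_ACCOUNTS = {"root", "daemon", "nobody"}


def parse_config(text):
    """Flatten httpd.conf text into (container_path, name, args) tuples.

    container_path holds (section, argument) pairs for nested blocks, e.g.
    (("Directory", "/var/www/html"),). Comment and blank lines are dropped;
    backslash-continued lines are joined first.
    """
    directives, stack, pending = [], [], ""
    for raw in text.splitlines():
        line = pending + raw.strip()
        if line.endswith("\\"):
            pending = line[:-1] + " "
            continue
        pending = ""
        if not line or line.startswith("#"):
            continue
        opened, closed = OPEN_RE.match(line), CLOSE_RE.match(line)
        if opened:
            stack.append((opened.group(1), " ".join(shlex.split(opened.group(2)))))
        elif closed:
            if stack and stack[-1][0].lower() == closed.group(1).lower():
                stack.pop()
        else:
            parts = shlex.split(line)
            directives.append((tuple(stack), parts[0], parts[1:]))
    return directives


def audit(text):
    """Return a list of (code, message) findings; an empty list means all checks pass."""
    findings, server_tokens = [], None

    def where(path):
        return " > ".join(f"<{sec} {arg}>" for sec, arg in path) or "global scope"

    for path, name, args in parse_config(text):
        name = name.lower()
        if name == "loadmodule" and args and args[0] == "info_module":
            findings.append(("mod_info", "mod_info is loaded, so /server-info can expose the configuration"))
        elif name == "sethandler" and args and args[0].lower() == "server-status":
            findings.append(("server-status", f"server-status handler enabled in {where(path)}"))
        elif name == "serversignature" and args and args[0].lower() != "off":
            findings.append(("ServerSignature", f"ServerSignature {args[0]} in {where(path)} adds a version footer"))
        elif name == "servertokens" and args:
            server_tokens = args[0]
        elif name == "options":
            for arg in args:
                if arg.startswith("-"):
                    continue  # "-Indexes" removes the option; plain or "+" forms enable it
                key = arg.lstrip("+").lower()
                if key == "all":
                    findings.append(("Options:all", f"Options All in {where(path)} enables every risky option"))
                elif key in RISKY_OPTIONS:
                    findings.append((f"Options:{key}", f"{RISKY_OPTIONS[key]} enabled in {where(path)}"))
        elif name in ("user", "group") and args and args[0].lower() in SHARED_ACCOUNTS:
            findings.append((f"{name.capitalize()}:{args[0]}",
                             f"{name.capitalize()} {args[0]} is privileged or shared; use a dedicated account"))
    # ServerTokens defaults to Full when the directive is absent, the worst case.
    if server_tokens is None or server_tokens.lower() not in ("prod", "productonly"):
        findings.append(("ServerTokens", f"ServerTokens is {server_tokens or 'unset (defaults to Full)'}; set it to Prod"))
    return findings


# Constructed samples: a default-looking config with the weak settings left in,
# and the same config after applying sections 1 to 8.
WEAK_CONFIG = """
LoadModule info_module modules/mod_info.so
LoadModule log_config_module modules/mod_log_config.so
User daemon
Group daemon
ServerTokens Full
ServerSignature On
<Location /server-status>
    SetHandler server-status
    Require ip 127.0.0.1
</Location>
<Directory "/var/www/html">
    Options Indexes FollowSymLinks
    Require all granted
</Directory>
<Directory "/var/www/cgi-bin">
    Options +ExecCGI
</Directory>
"""
HARDENED_CONFIG = """
#LoadModule info_module modules/mod_info.so
LoadModule log_config_module modules/mod_log_config.so
User apache
Group apache
ServerTokens Prod
ServerSignature Off
#<Location /server-status>
#    SetHandler server-status
#</Location>
<Directory "/var/www/html">
    Options -Indexes -FollowSymLinks -ExecCGI -Includes
    Require all granted
</Directory>
"""

if __name__ == "__main__":
    # Usage: python apache_audit.py /path/to/httpd.conf (file name is hypothetical)
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else WEAK_CONFIG
    for code, message in audit(text):
        print(f"[{code}] {message}")
```

Run without arguments it audits the weak sample and prints nine findings; the hardened sample produces none. Because the checks operate on the text rather than on the running server, they cannot see modules loaded from included files or settings applied by .htaccess, so treat a clean result as a starting point and confirm with httpd -M and a request to /server-status from outside.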
9. Use the ModSecurity WAF
ModSecurity is an open-source module that works as a web application firewall. Its features include request and response filtering, server identity masking, and protection against null-byte attacks, and it can be used for real-time monitoring of HTTP traffic.
Follow the ModSecurity manual to install mod_security, and pair it with a maintained rule set such as the OWASP ModSecurity Core Rule Set, since the module itself does nothing without rules. It can block a broad range of attacks, and its rate-limiting rules can blunt some application-level denial-of-service patterns, although it is not a substitute for network-level DDoS protection. ModSecurity is also useful for virtual patching: you can block requests that exploit a specific SQL Injection or Cross-site Scripting vulnerability until the developer fixes the underlying code. Start in detection-only mode and review the logs before switching to blocking, because a false positive on a production site blocks real users.
10. Enable Logging
Apache logging records each client request made to your web server, which is what you need when investigating an incident or tracking down the cause of a problem. Logging is provided by the mod_log_config module, which must be loaded in httpd.conf (it is in most default configurations). The module provides three directives: TransferLog creates a log file using the current format, LogFormat defines a named format, and CustomLog creates a log file with a given format in one step. In the example below, LogFormat defines a format that adds the Referer and User-Agent headers of each request to the default fields, and CustomLog tells Apache to write requests in that format; the result is the same layout Apache ships as the "combined" format:
LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" detailed
CustomLog logs/access.log detailed
Keep the ErrorLog enabled as well, and ship both logs to a separate system so that an attacker who gains control of the web server cannot quietly edit the record of how they got in.
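As an added example that is not from the original article, the Python script below parses lines written in the detailed format above (the same layout as Apache's combined format) and shows what the extra fields buy you during an investigation: per-client status counts, clients that rack up 4xx errors while probing for paths, and any requests for the /server-status and /server-info handlers from sections 1 and 2. The log lines are constructed samples, including one with escaped quotes in the request line and one malformed line; unparseable lines are counted rather than silently dropped.

```python
"""Parse Apache access logs in the "detailed"/combined format and summarise them.

Constructed example with embedded sample lines; it is not part of the article.
"""
import re
import sys
from collections import Counter, defaultdict

# Field layout of the "detailed" LogFormat from section 10 (Apache's "combined"):
#   %h %l %u %t "%r" %>s %b "%{Referer}i" "%{User-Agent}i"
# Apache writes embedded quotes in %r and header values as \", so the quoted
# fields accept backslash escapes instead of stopping at the first quote.
QUOTED = r'(?:[^"\\]|\\.)*'
LOG_RE = re.compile(
    r'^(?P<host>\S+) (?P<ident>\S+) (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    rf'"(?P<request>{QUOTED})" (?P<status>\d{{3}}) (?P<bytes>\d+|-) '
    rf'"(?P<referer>{QUOTED})" "(?P<agent>{QUOTED})"$'
)
# Handlers from sections 1 and 2 that should not be reachable from the outside.
SENSITIVE_PATHS = {"/server-status", "/server-info"}


def parse_line(line):
    """Return a dict for one log line, or None if it does not match the format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["bytes"] = 0 if rec["bytes"] == "-" else int(rec["bytes"])  # %b logs "-" for no body
    parts = rec["request"].split()  # %r is "-" when no request line was received
    rec["method"] = parts[0] if parts else ""
    rec["path"] = parts[1] if len(parts) > 1 else ""
    return rec


def parse_log(text):
    """Parse every non-blank line; returns (records, count_of_unparseable_lines)."""
    records, bad = [], 0
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        if rec is None:
            bad += 1
        else:
            records.append(rec)
    return records, bad


def status_by_client(records):
    """Map each client address to a Counter of the status codes it received."""
    table = defaultdict(Counter)
    for rec in records:
        table[rec["host"]][rec["status"]] += 1
    return table


def probing_clients(records, min_errors=3):
    """Clients with at least min_errors 4xx responses, most errors first."""
    errors = Counter(r["host"] for r in records if 400 <= r["status"] < 500)
    return [host for host, n in errors.most_common() if n >= min_errors]


def sensitive_path_hits(records):
    """(client, path) for requests to the status/info handlers, in log order."""
    return [(r["host"], r["path"]) for r in records
            if r["path"].split("?", 1)[0] in SENSITIVE_PATHS]


# Constructed sample lines; the addresses are documentation ranges.
SAMPLE_LOG = r"""
203.0.113.5 - - [10/Oct/2023:13:55:36 +0000] "GET /index.html HTTP/1.1" 200 2326 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Oct/2023:13:55:37 +0000] "GET /images/logo.png HTTP/1.1" 200 4521 "http://www.example.com/index.html" "Mozilla/5.0"
198.51.100.7 - - [10/Oct/2023:13:56:01 +0000] "GET /server-status HTTP/1.1" 403 199 "-" "curl/7.88.1"
198.51.100.7 - - [10/Oct/2023:13:56:02 +0000] "GET /server-info HTTP/1.1" 403 199 "-" "curl/7.88.1"
198.51.100.7 - - [10/Oct/2023:13:56:03 +0000] "GET /cgi-bin/test.cgi HTTP/1.1" 404 196 "-" "curl/7.88.1"
198.51.100.7 - - [10/Oct/2023:13:56:04 +0000] "GET /.git/config HTTP/1.1" 404 196 "-" "curl/7.88.1"
198.51.100.7 - - [10/Oct/2023:13:56:05 +0000] "GET /search?q=\"x\" HTTP/1.1" 404 196 "-" "curl/7.88.1"
192.0.2.9 - - [10/Oct/2023:13:57:10 +0000] "POST /login HTTP/1.1" 302 - "http://www.example.com/login" "Mozilla/5.0"
this line is truncated and does not match the format
"""

if __name__ == "__main__":
    # Usage: python parse_access_log.py logs/access.log (file name is hypothetical)
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_LOG
    records, bad = parse_log(text)
    print(f"{len(records)} records parsed, {bad} unparseable line(s)")
    for host, counts in status_by_client(records).items():
        print(host, dict(counts))
    print("probing clients:", probing_clients(records))
    print("status/info handler requests:", sensitive_path_hits(records))
```

On the sample, 198.51.100.7 is the only client flagged: five 4xx responses in as many seconds, two of them against the handlers that sections 1 and 2 told you to disable, which is exactly the reconnaissance pattern the Referer and User-Agent fields (here curl, with no referer) help you distinguish from a browser user clicking a stale link.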
THE AUTHOR
Acunetix
Acunetix developers and tech agents regularly contribute to the blog. All the Acunetix developers come with years of experience in the web security sphere.