Documente Academic
Documente Profesional
Documente Cultură
com
Originally published on
LinuxTechLab.com
Hello Linux-fanatics, previously we have discussed how we can install & configure
apache web server & then secure it using a SSL certificate. Apache is used for web
hosting for millions of websites (I am not exaggerating) & is target of millions of hacks
taking place on daily basis. So being sysadmins, we must know how we can secure our
apache servers as securing our precious data is of utmost importance in todays world.
Listed below are some points that we can use to secure our web-servers;-
Some of the modules that are not usually needed are mod_imap, mod_include,
mod_info, mod_userdir, mod_autoindex etc. If you are not sure which modules are of
use to you, refer to Apache Module Documentation & remove them during installation if
you are using source files or if you have a working server, you can run the following
command
& just put # (comment it) in front of the unnecessary modules. Restart apache service
to implement changes.
<Directory /var/www/html>
Options -Indexes
</Directory>
Hide apache identity i.e. version & OS identity
By default, apache shows its version, OS & php versions. This makes an attacker task
much less easier since he has the version & he can devise an attack plan based on
vulnerabilities of these version. To disable this, we need to make changes to
ServerSignature & ServerTokensparameters in httpd.conf,
ServerSignature Off
ServerTokens Prod
<Directory /var/www/test1.com/upload>
LimitRequestBody 204800
</Directory>
Here, we restricted users to upload files of size more than 2 Mb to
/var/www/test1.com/upload
$ groupadd apache
$ useradd -d /var/www/ -g apache -s /bin/nologin apache
& edit httpd.conf to reflect new user & group. Open file & search for User & Group &
change them
$ vi /etc/httpd/conf/httpd.conf
User apache
Group apache
<Directory /var/www/test1.com>
Options -ExecCGI -FollowSymLinks -Includes
</Directory>
.htaccess file can be used to overwrite the default apache directives. So we should not
allow users to access .htaccess & override directive. We do this by adding following lines
in our htpd.conf file
<Directory />
Options None
AllowOverride None
Order allow,deny
Allow from all
</Directory>
Enable logging
Apache logging provides detailed information about client requests made on our web
server, so logging must be enabled as it will help in investigating an issue. Logging in
apache is achieved by mod_log_config module.
To enable website-wise logging, we must provide ErrorLog & CustomLog directive for
the site while creating an entry in httpd.conf.
<VirtualHost *:80>
DocumentRoot /var/www/html/test1.com/
ServerName www.test1.com
ServerAlias test1.com
ErrorLog /var/log/httpd/test1.com_error_log
CustomLog /var/log/httpd/test1.com_access_log combined
</VirtualHost>
Update apache on regular basis
Apache continuously works on resolving any bugs or security vulnerabilities & keep
updating apache to address these issue, so we must keep our apache updated to latest
version to make our server more secure. You can update your apache using yum
If you think we have helped you or just want to support us, please consider these :-
Connect to us: Facebook | Twitter | Google Plus
LinuxTechLab.com