Simple Changes to Secure Apache

Home / Coding / Simple Changes to Secure Apache

Keep Updated

apache2You should update your linux settings no less than once a month. This will ensure that you are not running vulnerable technology.

Remove Header Details / Disable Tokens

When Apache web server generates any web pages or error pages, some important information about the version and other details implemented on the system are displayed in the web site server header.

ex: Server: Apache/2.0.53 (Ubuntu) PHP/4.3.10-10ubuntu4 Server at xx.xx.xx.xx Port 80

To ensure that the Apache HTTP web server does not broadcast this message to the whole world publicly and fix possible security issue, modify these two directives ServerTokens and ServerSignature in httpd.conf configuration file.

Edit the /etc/apache2/httpd.conf

Add the following:

ServerSignature Off
ServerTokens Prod

Save and restart the apache web service. You server will then only identify itself as Server: apache

Block libwww-perl

Use mod_rewrite and .htaccess file to block user agent libwww-perl. Open your .htaccess file and add rule as follows:

SetEnvIfNoCase User-Agent "^libwww-perl*" block_bad_bots
Deny from env=block_bad_bots

Set Up mod_security with Apache

Mod security is a free Web Application Firewall (WAF) that works with Apache, Nginx and IIS. It supports a flexible rule engine to perform simple and complex operations and comes with a Core Rule Set (CRS) which has rules for SQL injection, cross site scripting, Trojans, bad user agents, session hijacking and a lot of other exploits. For Apache, it is an additional module which makes it easy to install and configure.

Modsecurity is available in the Debian/Ubuntu repository:

apt-get install libapache2-modsecurity

Edit config at: /etc/modsecurity/modsecurity.conf{-recommended,}

Find this line

SecRuleEngine DetectionOnly

and change it to:

SecRuleEngine On

 

Limit the maximum data that can be posted to your web application. Two directives configure these:

SecRequestBodyLimit
SecRequestBodyNoFilesLimit

The SecRequestBodyLimit directive specifies the maximum POST data size. If anything larger is sent by a client the server will respond with a 413 Request Entity Too Large error. If your web application doesn’t have any file uploads this value can be greatly reduced.

SecRequestBodyLimit 13107200

Similar to this is the SecRequestBodyNoFilesLimit directive. The only difference is that this directive limits the size of POST data minus file uploads– this value should be “as low as practical.”

SecRequestBodyNoFilesLimit 131072

Along the lines of these directives is another one which affects server performance:SecRequestBodyInMemoryLimit. This directive is pretty much self-explanatory; it specifies how much of “request body” data (POSTed data) should be kept in the memory (RAM), anything more will be placed in the hard disk.

SecRequestBodyInMemoryLimit 131072

Enable a Firewall

UFW is the way to go on Ubuntu servers and should be configured to only allow access on ports that are being used.

Recommended Configuration for UFW on Ubuntu Web Servers:

sudo ufw default deny incoming
sudo ufw default allow outgoing
ufw allow http
ufw allow https
ufw allow ssh

Turn it on:

sudo ufw enable

What else?

What are some changes you make to your apache configuration files to ensure their security? Post a comment below!

Join the Discussion. Post a Comment!

%d bloggers like this: