WebCitz Blog

Apache Security – 10 Tips for a Secure Installation

Apache Security

Apache is one of the most popular web server applications in use today and has been for a long time. It’s open-source and free to download, which makes it very appealing as an option for those looking to host their websites on a budget. Most of our hosting services use LiteSpeed Web Server instead of Apache, but the overall idea is the same.

Apache falls under the category of “general purpose” software, which means that it can be used by anyone with access to its code or installation scripts. That leaves you open to potential security risks if your server and website isn’t set up securely from the beginning.

In this article, we’ll go over 10 tips for securing your Apache installation so you minimize problems down the road – read on!


Suggestions for Improving the Security of Apache

1.) Disable the server-info directive

If you enable the directive in httpd.conf and visit your Apache configuration page, it will tell you information about what’s happening on this end!

This may include sensitive information regarding your server’s settings, such as what version of software you use and where on the machine these files are stored.

Using this information, an attacker could figure out whether your server is running a vulnerable version of OpenSSL.

Fix this issue by removing the mod_info module in the httpd.conf Apache configuration file:

#LoadModule info_module modules/mod_info.so

2.) Disable the server-status directive

The directive lists information about the performance of your application’s server, such as its uptime and load. This information can be used by attackers to determine when your server is busiest and most vulnerable. You can fix this by commenting it out in the httpd.conf Apache configuration file:

#<Location /server-status>
# SetHandler server-status
# Order deny,allow
# Deny from all
# Allow from .your_domain.com
#</Location>

3.) Disable the ServerSignature directive

The ServerSignature directive is a great way to add extra information about your web server, including what version of Apache you’re running and on which operating system.

Apache needs this directive to be disabled to prevent exposure of sensitive information. Use ServerSignature Off in your httpd.conf Apache configuration file.

4.) Set the ServerTokens directive to prod

The ServerTokens directive is used to send back a series of information in the response header field. An Apache ServerTokens directive can have many different syntaxes, including those listed in the documentation.

When the ServerTokens directive is set to Prod, only Apache will be displayed in server response headers. Do this by adding ServerTokens Prod to your httpd.conf Apache configuration file.

5.) Disable directory listing

The directory listing shows you every file in the system, making it easy for an attacker to discover sensitive information. Enabling this option is not worth the risk!

You should always be careful when it comes to your application’s source code. An attacker who obtains access could potentially use that information for malicious purposes, such as analyzing security flaws or the application’s code.

Set the Options directive in the Apache httpd.conf file:

<Directory /your/website/directory>
Options -Indexes
</Directory>

6.) Only enable required modules

The Apache HTTP Server is a powerful tool but it can also be overwhelming if not configured correctly. There are many modules that come pre-installed and enabled by default which you may or may not want to use, so before installing make sure these options do what they need in your environment!

But what would happen if you enabled all these modules without thinking of their effect on httpd? Well, there could be some serious consequences. Enabling these modules is like opening the server up to potential security issues that might exist or be discovered in the future.

One of the best ways to ensure that you have installed all necessary modules for your website is by looking at Apache’s documentation, and possibility the requirements of your applications. Make sure to only use the modules that you need and disable the ones that are not in use.

7.) Use an appropriate user and group

Apache is a powerful and versatile web server, but it’s best practice to use it with a non-privileged account, rather than under daemon (default). This helps keep your system secure by limiting Apache access.

Also, two different processes running with the same user and group can lead to exploits in one of them. Changing Apache user and group requires editing the httpd.conf configuration file to Change User or Group directives.

8.) Restrict unwanted services

If you want to keep your Apache secure, then it’s best not to make any service runs or create symbolic links if they are not needed. Disabling services is easy with the Options directive in httpd.conf, and you can do this for specific directories too!

Here’s an example of what to do:

<Directory /your/website/directory>
Options -ExecCGI -FollowSymLinks -Includes
</Directory>

9.) Use the ModSecurity WAF

ModSecurity is open-source software that can be used as a web application firewall. It has different functionalities including filtering, server identity masking, and Null Byte Attack Injection prevention functions to keep your site safe from hackers!

A great way to improve your web server security and protect against a multitude of attacks is by installing mod_security. This will allow you the opportunity for protection from distributed denial-of-service (DDOS) as well.

10.) Enable logging

In order to investigate the cause of particular issues, you will want apache logging enabled. This provides detailed information about client requests made on your web server and is very helpful when researching an issue.

The mod_log_config module enables you to log Apache actions. To do so, make sure that it’s included in your httpd conf file.


Final Thoughts on Apache Security

It is important to have Apache security in place because it helps protect your web server from unauthorized access. In turn, this even helps keep your website safe from possible attacks.

Not paying attention to Apache security can lead to your website becoming compromised, which could result in data loss or theft. By following the tips outlined in this blog post, you can help ensure that your Apache installation is as secure as possible!

These guidelines are just a starting point, so be sure to research further into the security of your specific web application needs! The most important thing to remember is that security is not a one-time event, it’s an ongoing process. Stay vigilant and keep your site safe!

Disclaimer: WebCitz, LLC does not warrant or make any representations concerning the accuracy, likely results, or reliability of the information found on this page or on any web sites linked to from this page. This blog article was written by Timothy A in his or her personal capacity. The opinion(s) expressed in this article are the author's own and may not reflect the opinion(s) of WebCitz, LLC.