
Introduction
Apache is one of the most widely used web servers, and its security record is good, but a default installation exposes more than it needs to and most of the hardening is done in the configuration. In this article I will explain some settings that tighten an Apache server.
This is a generic "quick and dirty" hardening profile. The directives use Apache 2.4 syntax; after each change run apachectl configtest before reloading, since a syntax error makes the reload fail.
Hide version:
ServerTokens Prod reduces the Server header to a bare "Apache"; ServerSignature Off removes the version footer that Apache adds to its own error pages. Both directives are server-wide. This only hides the version from casual scanners; response quirks still fingerprint the release, so patching, not hiding, is the real fix.

```apache
ServerSignature Off
ServerTokens Prod
```
Turn off Server-Side Includes (SSI), CGI execution, symlinks and indexes:
Server-side includes (SSI) are directives embedded in HTML pages that Apache evaluates before sending the page. If an application writes user-controlled input into an SSI-enabled page, an attacker can inject directives that read files on the server (password files included) or execute shell commands; this is SSI injection. Disable SSI (Includes) and CGI execution (ExecCGI) wherever they are not needed.
By default Apache follows symbolic links. A symlink created inside the document root, for instance through a compromised application or a writable upload directory, then exposes any file the Apache user can read. Options -FollowSymLinks stops that; if some links are required, SymLinksIfOwnerMatch only follows links whose target is owned by the same user as the link. Note that mod_rewrite rules in .htaccess files need one of the two options, so test after turning symlinks off.
Directory listing (mod_autoindex) is enabled for the web root in many distributions' stock configuration: when a directory has no index file, Apache lists every file in it, including backups, configuration files and anything else that was never meant to be public. Turn it off with -Indexes.

```apache
<Directory /var/www/html/>
    Options -Indexes -FollowSymLinks -ExecCGI -Includes
    # No .htaccess file may re-enable any of the above
    AllowOverride None
    Require all granted
</Directory>
```
Limit request size
Apache 2.4.53 and earlier put no limit on the size of a request body by default (LimitRequestBody 0); from 2.4.54 the default is 1 GiB. Without a limit, a client can tie up worker processes and disk space with very large uploads. LimitRequestBody caps the body size in bytes, from 0 (unlimited) to 2147483647 (2 GiB), and can be set inside a Directory block, so an upload handler can be given a larger limit than the rest of the site. The request line and header fields have their own limits (LimitRequestLine, LimitRequestFieldSize, LimitRequestFields). This protects against upload-based denial of service only; slow-client attacks are the job of mod_reqtimeout.
For example, to limit the request size for the /var/www/html/ directory to 200 KiB:

```apache
<Directory /var/www/html>
    # 200 * 1024 bytes
    LimitRequestBody 204800
</Directory>
```
Disallow browsing outside the document root
Unless you have a specific need, deny access to the whole filesystem and grant it back only for the document root and any other directory you explicitly serve. Apache applies the most specific Directory block, so the Require all granted on /var/www/html above still works under this global deny.

```apache
<Directory />
    Options None
    Require all denied
</Directory>
```

Require all denied is the Apache 2.4 form. The 2.2 form (Order deny,allow followed by Deny from all) works in 2.4 only with mod_access_compat loaded and should not be mixed with Require directives in the same configuration.
Disable ETag
ETag is a response header that caches use to validate a stored copy. Apache builds it from file attributes, and in releases before 2.4 the default (FileETag INode MTime Size) included the file's inode number, which leaks filesystem layout details to anyone who can fetch the file. Apache 2.4 defaults to FileETag MTime Size, which no longer includes the inode. The simplest setting is to drop the header entirely; clients then fall back to Last-Modified for conditional requests. If you want to keep ETags for caching, FileETag MTime Size is sufficient.

```apache
FileETag None
```
HTTP request methods and TRACE requests
Apache passes every HTTP/1.1 method (OPTIONS, GET, HEAD, POST, PUT, DELETE, TRACE, CONNECT) on to whichever handler serves the request. Most web applications need only GET, HEAD and POST. TRACE echoes the request back to the client and has been abused for cross-site tracing, where script running in the browser reads cookies and Authorization headers from the echoed request; TRACE cannot be blocked with Limit or LimitExcept, so turn it off with TraceEnable off, a server-level directive. LimitExcept then denies every method not listed. Before applying it site-wide, check two things: OPTIONS is needed for CORS preflight requests, and an API that uses PUT or DELETE needs those methods allowed on its paths.

```apache
TraceEnable off
<LimitExcept GET POST HEAD>
    Require all denied
</LimitExcept>
```

Require all denied is the 2.4 form of deny from all (2.2 syntax, which needs mod_access_compat in 2.4).
Secure Apache from XSS attacks, protect cookies with the HttpOnly flag, and prevent clickjacking
Cross-site scripting (XSS) is an application-layer flaw: attackers inject client-side script into pages viewed by other users because the application fails to encode its output. The real fix lives in the application, but the server can add defence in depth with response headers. X-XSS-Protection controlled the old browser XSS auditors; Chrome and Edge have removed theirs and Firefox never had one, so the header is a no-op in current browsers and a Content-Security-Policy is the header that restricts script execution today. HttpOnly keeps a cookie out of document.cookie, so script injected by an XSS cannot read it; Secure keeps it off plain HTTP (browsers refuse to store a Secure cookie set over HTTP, so apply it on the TLS virtual host). X-Frame-Options SAMEORIGIN stops other sites from framing your pages, which is the basis of clickjacking.

```apache
<IfModule mod_headers.c>
    # Legacy header, ignored by current browsers; harmless
    Header set X-XSS-Protection "1; mode=block"
    # Add each flag only if absent; "^(.*)$ $1;HttpOnly;Secure" appends blindly
    Header edit Set-Cookie "(?i)^((?:(?!;\s*httponly\b).)*)$" "$1; HttpOnly"
    Header edit Set-Cookie "(?i)^((?:(?!;\s*secure\b).)*)$" "$1; Secure"
    # "set", not "append": append yields "SAMEORIGIN, SAMEORIGIN" if the app sets it too
    Header always set X-Frame-Options "SAMEORIGIN"
</IfModule>
```

Header names are case-insensitive, so X-FRAME-OPTIONS and X-Frame-Options are the same header. Header edit operates on the normal response-header table; cookies emitted on error responses need a second copy of each edit with the always condition.
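To see why the cookie pattern matters, here is a small Python model of two Header edit rules: the widely copied "^(.*)$ $1;HttpOnly;Secure" form, which appends the flags whatever the cookie already carries, and a tempered-greedy pattern that adds a flag only when it is absent. This is an added example, not code from the original article; Apache's Header edit uses PCRE and Python's re module has the same semantics for these patterns, so the effect of each rule can be checked offline. The Set-Cookie values are constructed for the demo.

```python
import re

# Model of two "Header edit Set-Cookie" rules as Python regex substitutions.
# Added example; the cookie values below are constructed for the demo.

# The widely copied rule: append the flags to whatever is there.
NAIVE_RULE = (re.compile(r"^(.*)$"), r"\1;HttpOnly;Secure")

# Tempered-greedy patterns: the whole value is consumed only if no
# "; secure" / "; httponly" attribute occurs anywhere in it, so the
# substitution is a no-op when the flag is already present.  (?i) makes
# the check case-insensitive; the leading ";" keeps a cookie value such
# as "insecure" from being mistaken for the attribute.
ADD_SECURE = (re.compile(r"(?i)^((?:(?!;\s*secure\b).)*)$"), r"\1; Secure")
ADD_HTTPONLY = (re.compile(r"(?i)^((?:(?!;\s*httponly\b).)*)$"), r"\1; HttpOnly")


def apply_rule(rule, cookie):
    """Apply one (pattern, replacement) rule the way 'Header edit' would."""
    pattern, replacement = rule
    return pattern.sub(replacement, cookie)


def naive_harden(cookie):
    """The blind-append rule: duplicates flags the application already set."""
    return apply_rule(NAIVE_RULE, cookie)


def harden_cookie(cookie):
    """Add Secure and HttpOnly only where missing; safe to run repeatedly."""
    cookie = apply_rule(ADD_SECURE, cookie)
    return apply_rule(ADD_HTTPONLY, cookie)


if __name__ == "__main__":
    samples = [
        "sid=abc123; Path=/",                    # application set no flags
        "sid=abc123; Path=/; Secure; HttpOnly",  # application already did it
        "pref=insecure; Path=/",                 # value contains the word "secure"
        "t=1; secure",                           # lower-case attribute
    ]
    # Each rule is applied twice to show which one is idempotent.
    for cookie in samples:
        print("naive    :", naive_harden(naive_harden(cookie)))
        print("tempered :", harden_cookie(harden_cookie(cookie)))
```

Running the blind rule twice (or once on a cookie the application already secured) yields ";HttpOnly;Secure;HttpOnly;Secure"; browsers tolerate the duplicate attributes, but the tempered rule produces a clean header and can be layered on any application without checking what it sets itself.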
SSL Options:
The TLS block below allows only TLS 1.2 and 1.3 with forward-secret AEAD cipher suites, disables TLS compression (the CRIME attack) and session tickets, and sends HSTS. Two caveats before copying it. First, the preload token asks browser vendors to hard-code the domain into their HSTS preload lists; that commits every subdomain to HTTPS and is slow to undo, so start with a shorter max-age and without preload until every host on the domain serves HTTPS. Second, X-Frame-Options DENY here contradicts the SAMEORIGIN value in the previous section; decide whether your site frames itself and set one value in one place, since Header directives under different conditions (onsuccess and always) can each add their own copy of the header to a response. SSLCompression needs Apache 2.4.3 or later and SSLSessionTickets 2.4.11 or later.

```apache
SSLEngine on
# TLS 1.2 and 1.3 only
SSLProtocol all -SSLv2 -SSLv3 -TLSv1 -TLSv1.1
# Forward-secret AEAD suites for TLS 1.2; TLS 1.3 suites are negotiated separately
SSLCipherSuite EECDH+AESGCM:EDH+AESGCM
SSLHonorCipherOrder on
# SSLRequireSSL/SSLRequire deny access even where "Satisfy any" would allow it
SSLOptions +StrictRequire
# TLS compression enables CRIME; the session ticket key is only renewed on
# restart, which weakens forward secrecy for resumed sessions
SSLCompression off
SSLSessionTickets Off

# Add the vhost name (%v) to log entries:
LogFormat "%v %h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-agent}i\"" vhost_combined
LogFormat "%v %h %l %u %t \"%r\" %>s %b" vhost_common
#CustomLog /var/log/apache2/access.log vhost_combined
#LogLevel warn
#ErrorLog /var/log/apache2/error.log

# Add "Secure" only to cookies that lack it: the pattern matches the whole value
# only when no "; secure" attribute is present, so it is a no-op otherwise.
# (The (.*)(;\s*secure)?? form seen in many profiles matches greedily on the
# first group and appends regardless.)
Header edit Set-Cookie "(?i)^((?:(?!;\s*secure\b).)*)$" "$1; Secure"
Header always set Strict-Transport-Security "max-age=63072000; includeSubDomains; preload"
Header always set X-Frame-Options DENY
Header always set X-Content-Type-Options nosniff
```
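Once the profile is in place, the quickest check is to look at what the server actually sends rather than trusting the config. The following Python checker is an added example, not part of the original article: it parses the raw head of a recorded HTTP response (for instance the output of curl -si, or of an OPTIONS request to see the Allow header) and reports which of this page's settings are not reflected in it: version in the Server header, a server signature in the error page, missing HSTS, X-Frame-Options and X-Content-Type-Options, cookies without Secure/HttpOnly, an inode-bearing three-field ETag, and risky methods in Allow. The two sample responses are constructed for the demo, not captured from a real server.

```python
import re

# Added example: offline checker for the response headers this hardening
# profile is meant to produce.  The sample responses below are constructed.


def parse_response(raw):
    """Split a raw HTTP response into (status line, [(name, value), ...], body).

    Headers come back as a list rather than a dict so repeated headers such
    as Set-Cookie are all kept; names are lower-cased.
    """
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    headers = []
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.append((name.strip().lower(), value.strip()))
    return lines[0], headers, body


def header_values(headers, name):
    return [value for key, value in headers if key == name]


def cookie_attributes(cookie):
    """Attribute names (lower-cased) of a Set-Cookie value, e.g. ['path', 'secure']."""
    return [part.strip().split("=", 1)[0].lower() for part in cookie.split(";")[1:]]


def audit_response(raw):
    """Return a list of findings; an empty list means every check passed."""
    _, headers, body = parse_response(raw)
    findings = []

    # ServerTokens Prod reduces the Server header to "Apache"; a slash followed
    # by a digit means a version is still advertised.
    for server in header_values(headers, "server"):
        if re.search(r"/\d", server):
            findings.append("Server header advertises a version: %s (ServerTokens Prod)" % server)

    # ServerSignature On appends "<address>... Server at host Port n</address>"
    # to server-generated error pages.
    if re.search(r"Server at \S+ Port \d+", body):
        findings.append("error page carries a server signature (ServerSignature Off)")

    if not header_values(headers, "strict-transport-security"):
        findings.append("missing Strict-Transport-Security")

    xfo = [v.upper() for v in header_values(headers, "x-frame-options")]
    if xfo != ["DENY"] and xfo != ["SAMEORIGIN"]:
        findings.append("X-Frame-Options missing, duplicated or invalid: %r" % xfo)

    if [v.lower() for v in header_values(headers, "x-content-type-options")] != ["nosniff"]:
        findings.append("X-Content-Type-Options is not 'nosniff'")

    for cookie in header_values(headers, "set-cookie"):
        attrs = cookie_attributes(cookie)
        missing = [flag for flag in ("secure", "httponly") if flag not in attrs]
        if missing:
            findings.append("cookie %s lacks %s" % (cookie.split("=", 1)[0], ", ".join(missing)))

    # Apache builds the ETag from the FileETag components: three hex fields is
    # the INode MTime Size form, two fields the MTime Size form.
    for etag in header_values(headers, "etag"):
        if re.fullmatch(r'(?:W/)?"[0-9a-f]+-[0-9a-f]+-[0-9a-f]+"', etag):
            findings.append("ETag %s has three fields, so the inode is included (FileETag)" % etag)

    # The Allow header of an OPTIONS response lists what the server accepts.
    for allow in header_values(headers, "allow"):
        risky = [m for m in re.split(r"\s*,\s*", allow)
                 if m.upper() in ("TRACE", "PUT", "DELETE", "CONNECT")]
        if risky:
            findings.append("Allow advertises %s (TraceEnable off / LimitExcept)" % ", ".join(risky))

    return findings


# Constructed sample responses (not captured from a real server).
WEAK_RESPONSE = (
    "HTTP/1.1 404 Not Found\r\n"
    "Server: Apache/2.4.41 (Ubuntu)\r\n"
    "ETag: \"2a1f3-1b2-5c8d9e0f1a2b3\"\r\n"
    "Set-Cookie: sid=abc123; Path=/\r\n"
    "Allow: GET,HEAD,POST,OPTIONS,TRACE\r\n"
    "Content-Type: text/html\r\n"
    "\r\n"
    "<address>Apache/2.4.41 (Ubuntu) Server at www.example.test Port 80</address>\r\n"
)

HARDENED_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Apache\r\n"
    "ETag: \"1b2-5c8d9e0f1a2b3\"\r\n"
    "Set-Cookie: sid=abc123; Path=/; Secure; HttpOnly\r\n"
    "Strict-Transport-Security: max-age=63072000; includeSubDomains\r\n"
    "X-Frame-Options: SAMEORIGIN\r\n"
    "X-Content-Type-Options: nosniff\r\n"
    "Allow: GET,HEAD,POST,OPTIONS\r\n"
    "Content-Type: text/html\r\n"
    "\r\n"
    "<html><body>ok</body></html>\r\n"
)

if __name__ == "__main__":
    for label, raw in (("weak", WEAK_RESPONSE), ("hardened", HARDENED_RESPONSE)):
        findings = audit_response(raw)
        print("%s: %d finding(s)" % (label, len(findings)))
        for finding in findings:
            print("  -", finding)
```

The weak sample trips all eight checks and the hardened one none. Note that the ETag test is a heuristic based on Apache's default ETag layout, and that the Allow check only tells you what the server advertises on the path you queried; methods denied by a LimitExcept in one Directory block may still be accepted elsewhere, so run the checker against each distinct location you serve.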