As a brand new installation of Apache has a few features I will never need, my first step after setting it up is to configure it down a bit. Mainly I am a firm believer in a smaller attack surface, but some of these are really good ideas for anyone. I am running my web server on Ubuntu, so these commands are all pretty Ubuntu specific - you may need to tweak them to fit your needs.

Please note: All of these suggestions were found somewhere online - just pulling together in one place, so I remember what to do next time…

1. Hiding the version numbers

Apache likes to tell everyone its version number and the OS it is running on. This is not necessarily a security issue in itself, but if an exploit is available for a particular version - you know someone will be shodanning (is that a verb yet?) for that version long before you get a chance to update yours.

sudo nano /etc/apache2/apache2.conf

# Suppress Apache Version and Server Type
ServerTokens Prod
ServerSignature Off

You will need to restart Apache to have it take effect…

sudo /etc/init.d/apache2 restart

2. Directory Listing

Do you really need the user to see a directory listing whenever they browse to a folder with no index.html or equivalent? Probably not - so let's just remove that option. While I'm here, I go ahead and disable following symlinks as well - why? Because I don't use them, do you? The other directory command I also use is AllowOverride None, which disables the ability to use an .htaccess file to override the main Apache config file. Make sure you are applying these to all directories you are sharing…

sudo nano /etc/apache2/apache2.conf

<Directory /var/www/>
        Options None
        AllowOverride None
        Require all granted
</Directory>

You will need to restart Apache to have it take effect…

sudo /etc/init.d/apache2 restart

3. Disable any unused modules

If you haven't noticed yet, I am not a big fan of running code that I am not using. Therefore my next step is to disable just about every module Apache enables by default that I am not using.

sudo a2dismod autoindex
sudo a2dismod authz_user
sudo a2dismod auth_basic
sudo a2dismod access_compat
sudo a2dismod authn_core
sudo a2dismod authn_file
sudo a2dismod negotiation
sudo a2dismod status

You will need to restart Apache to have it take effect…

sudo /etc/init.d/apache2 restart

My list of modules to disable (above) worked for me, but your mileage will vary on this. Whenever you disable a module in Apache you need to restart the web server and then retest the website to ensure you didn't break any needed functionality.
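Rather than trusting that the edits in sections 1 to 3 took, I audit them after the restart. The script below is an added example, not something from the original post: it checks that ServerTokens Prod and ServerSignature Off are set (Prod reduces the Server header to just "Apache"; Off drops the version footer from server-generated error pages), that the /var/www/ Directory block carries Options None and AllowOverride None, that the modules you meant to disable are gone from the loaded-module list, and that the Server header a client actually sees no longer carries a version. Note that authz_core is deliberately absent from the disable list, because Require all granted comes from it. All of the config text, module listing and HTTP headers in the block are constructed for the demo; on a real host you would point the same functions at /etc/apache2/apache2.conf, the output of apache2ctl -M, and the headers from curl -sI http://localhost/.

```shell
#!/bin/sh
# Added example, not code from the original post. Audits an Apache config,
# a module listing and a captured response for the changes in sections 1-3.
# Every input below is CONSTRUCTED for the demo; on a real host use
# /etc/apache2/apache2.conf, `apache2ctl -M` and `curl -sI http://localhost/`.

# 0 if ServerTokens is Prod and ServerSignature is Off (uncommented lines only).
check_server_tokens() {
    grep -Eiq '^[[:space:]]*ServerTokens[[:space:]]+Prod[[:space:]]*$' "$1" &&
    grep -Eiq '^[[:space:]]*ServerSignature[[:space:]]+Off[[:space:]]*$' "$1"
}

# 0 if the <Directory /var/www/> block sets both Options None and AllowOverride None.
check_directory_block() {
    block=$(sed -n '/^[[:space:]]*<Directory \/var\/www\/>/,/<\/Directory>/p' "$1")
    printf '%s\n' "$block" | grep -Eiq '^[[:space:]]*Options[[:space:]]+None[[:space:]]*$' &&
    printf '%s\n' "$block" | grep -Eiq '^[[:space:]]*AllowOverride[[:space:]]+None[[:space:]]*$'
}

# 0 if none of the named modules ($2..) appear in the `apache2ctl -M` output in $1.
check_modules_disabled() {
    mods=$1
    shift
    for m in "$@"; do
        if printf '%s\n' "$mods" | grep -Eq "^[[:space:]]*${m}_module[[:space:]]"; then
            return 1
        fi
    done
    return 0
}

# 0 if the Server header in the captured response ($1) is exactly "Apache",
# which is what ServerTokens Prod yields; anything longer leaks version or OS.
check_server_header() {
    printf '%s\n' "$1" | tr -d '\r' | grep -Eiq '^Server:[[:space:]]*Apache[[:space:]]*$'
}

# --- constructed sample inputs ---------------------------------------------
HARDENED_CONF=$(mktemp)
DEFAULT_CONF=$(mktemp)
trap 'rm -f "$HARDENED_CONF" "$DEFAULT_CONF"' EXIT

cat > "$HARDENED_CONF" <<'EOF'
# Suppress Apache Version and Server Type
ServerTokens Prod
ServerSignature Off

<Directory /var/www/>
        Options None
        AllowOverride None
        Require all granted
</Directory>
EOF

cat > "$DEFAULT_CONF" <<'EOF'
ServerTokens OS
ServerSignature On

<Directory /var/www/>
        Options Indexes FollowSymLinks
        AllowOverride None
        Require all granted
</Directory>
EOF

# Shaped like `apache2ctl -M` output; authz_core stays because Require needs it.
MODS_HARDENED='Loaded Modules:
 core_module (static)
 mpm_event_module (shared)
 authz_core_module (shared)
 dir_module (shared)
 mime_module (shared)'
MODS_DEFAULT="$MODS_HARDENED
 autoindex_module (shared)
 status_module (shared)"

HDR_HARDENED='HTTP/1.1 200 OK
Server: Apache
Content-Type: text/html'
HDR_DEFAULT='HTTP/1.1 200 OK
Server: Apache/2.4.41 (Ubuntu)
Content-Type: text/html'

# --- run the audit against both sets, printing PASS/FAIL per check ----------
report() { if "$@" >/dev/null 2>&1; then echo "PASS $1"; else echo "FAIL $1"; fi; }

echo "hardened config:"
report check_server_tokens "$HARDENED_CONF"
report check_directory_block "$HARDENED_CONF"
report check_modules_disabled "$MODS_HARDENED" autoindex status negotiation
report check_server_header "$HDR_HARDENED"
echo "default config:"
report check_server_tokens "$DEFAULT_CONF"
report check_directory_block "$DEFAULT_CONF"
report check_modules_disabled "$MODS_DEFAULT" autoindex status negotiation
report check_server_header "$HDR_DEFAULT"
```

The checks are deliberately strict: a commented-out `#ServerTokens Prod` or a Directory block that still lists `Indexes` fails, which is the point after an Ubuntu package upgrade has quietly restored a default.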

4. Installing and configuring ModSecurity

ModSecurity is a web application firewall for your Apache, Nginx, or IIS server. There are many options for web application firewalls, but this one is definitely a good one and is open source. Since I am not actually running a web application, just hosting some HTML pages, this is probably overkill. My thought is that it will help me if a malformed GET request turns out to trigger an exploit in Apache in the future, as ModSecurity reviews GET and POST requests and validates them before Apache handles them. You're probably right, now I'm just getting paranoid.

Installing is pretty simple:

sudo apt-get install libapache2-modsecurity

Configuring is where it gets interesting… I am not an expert in web application firewalls, so I leave it pretty much to the OWASP CRS rules. The latest and greatest of these can always be found over at OWASP. I am not going to go in depth on installation as they have a guide on the GitHub site. There are some differences in Ubuntu land, but if you have been following along so far, you should be ok. I may write a separate guide on this whole process another time…
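For reference, this is the shape of the ModSecurity config I end up with once the CRS is unpacked. It is an added example, not the post's or the CRS project's own file, and the paths are assumptions: on the Ubuntu package the module's security2.conf pulls in /etc/modsecurity/*.conf, so the settings go in /etc/modsecurity/modsecurity.conf (copied from the shipped modsecurity.conf-recommended), and the CRS location depends on where you unpacked the GitHub release. The one setting worth calling out is SecRuleEngine: the recommended file ships in DetectionOnly, which logs matches but blocks nothing, so you can watch the audit log for false positives on your own site before flipping it to On.

```apacheconf
# Added example, not from the post. Assumed location: /etc/modsecurity/modsecurity.conf
# (the Ubuntu package's security2.conf includes /etc/modsecurity/*.conf).

# Shipped default is DetectionOnly: rules match and log but nothing is blocked.
# Run that way first, read the audit log, then switch to On.
#SecRuleEngine DetectionOnly
SecRuleEngine On

# Inspect request bodies (POST data) as well as headers and the request line.
SecRequestBodyAccess On

# Log only transactions that triggered a rule; path assumed for this example.
SecAuditEngine RelevantOnly
SecAuditLog /var/log/apache2/modsec_audit.log

# OWASP CRS: crs-setup.conf must come before the rule files. Paths assumed.
Include /etc/modsecurity/crs/crs-setup.conf
Include /etc/modsecurity/crs/rules/*.conf
```

After changing this, `sudo apache2ctl configtest` before the restart catches a typo or a bad Include path, which otherwise takes the whole server down with it.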

Credits:

Geekflare has a very comprehensive list of hardening tips, as does Tecmint. My only adjustments were as needed to port it over to Ubuntu, where they like to mess with the config files to keep you on your toes. Well, that and I skipped over any I wasn't worried about (my version doesn't have the ETag vuln, doesn't run as root, and isn't hosting a web application).

Disclaimer

This is not meant to be a comprehensive security guide, just what I like to do to my Apache dev server that isn't even internet facing.