How’s it going people? Everyone wants a 100% secure application, but does such a thing exist? The answer is ‘Nope’. That is bad news, but you can still reduce your exposure a great deal by applying security at every layer. I hope you have read my last two articles on PHP security, Article 1 & Article 2, which cover security at the application level; it is worth reading them before proceeding.

Today we are going to look at securing the Apache web server itself. These settings reduce the server's attack surface and stop it leaking information, but they complement application-level security rather than replace it; apply both. Let’s make the world a better place.

Note: once you change the Apache configuration file (/etc/apache2/apache2.conf on Debian/Ubuntu, /etc/httpd/conf/httpd.conf on RHEL/CentOS), run `apachectl configtest` to catch syntax errors and then restart the Apache service so the change takes effect.

1. How to hide Apache version and OS


By default Apache advertises its exact version and the operating system in the Server response header and in the footer of server-generated pages (error documents, directory listings). Open apache2.conf with vim and search for ServerSignature, which is On by default; set it to Off to remove that footer line. Then set ServerTokens Prod, which reduces the Server header to just "Apache" with no version or OS information.
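The two directives as a drop-in file, together with the configtest-then-restart sequence from the note above and a small check you can run against `curl -sI` output to confirm the banner no longer leaks. This is an added example, not code from the original article; it assumes the Debian/Ubuntu layout (conf-available/, a2enconf, systemctl), and the two header samples are constructed, not real captures.

```shell
#!/usr/bin/env sh
# Added example (not from the original article). Renders the two directives
# as a drop-in file and checks a captured response header block for version
# or OS disclosure. Paths assume the Debian/Ubuntu layout.
set -eu

# Drop-in that trims the Server header to "Apache" and removes the footer
# line (version, hostname) from server-generated pages such as 404/500.
render_tokens_conf() {
  cat <<'EOF'
ServerTokens Prod
ServerSignature Off
EOF
}

# Apply it on a Debian/Ubuntu box: write, enable, syntax-check, then restart.
# Not called here; run `apply_tokens_conf` as root once you have reviewed it.
apply_tokens_conf() {
  render_tokens_conf > /etc/apache2/conf-available/hide-version.conf
  a2enconf hide-version
  apachectl configtest        # refuse to restart on a broken config
  systemctl restart apache2
}

# Exit 0 if the headers still leak (Server: Apache/2.4.x or an "(OS)" suffix),
# non-zero if the Server line is bare "Apache" or absent. Feed it `curl -sI URL`.
server_header_leaks() {
  printf '%s\n' "$1" | grep -Eiq '^Server:.*(Apache/[0-9]+|\()'
}

# Constructed samples (not real captures): before and after the change.
LEAKY_HEADERS=$(printf 'HTTP/1.1 200 OK\r\nServer: Apache/2.4.41 (Ubuntu)\r\nContent-Type: text/html\r\n')
CLEAN_HEADERS=$(printf 'HTTP/1.1 200 OK\r\nServer: Apache\r\nContent-Type: text/html\r\n')

# Example run against the constructed samples:
if server_header_leaks "$LEAKY_HEADERS"; then echo "before: version leaks"; fi
if ! server_header_leaks "$CLEAN_HEADERS"; then echo "after: banner is clean"; fi
```

Hiding the banner only stops the cheapest form of reconnaissance; a scanner can still fingerprint the version from behaviour, so this is no substitute for the patching discussed in the next section.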

Set both directives (ServerTokens Prod and ServerSignature Off), restart Apache, and the Server header shrinks to just "Apache" while error pages lose their footer line. Much cleaner. Neither setting fixes a vulnerability; they only stop handing the version to whoever grabs the banner, so keep the server patched as well.

2. Keep up to date

The Apache HTTP Server has a good record for security and a developer community highly concerned about security issues. But it is inevitable that some problems — small or large — will be discovered in software after it is released. For this reason, it is crucial to keep aware of updates to the software. – Apache Docs

3. Disable directory listing

When no DirectoryIndex file (index.php, index.html and so on) exists in a requested directory and the Indexes option is on, Apache (mod_autoindex) lists the directory contents, which exposes backups, config files, upload names and anything else lying around. Turn directory listing off with the Options directive (Options -Indexes) in the relevant <Directory> block of apache2.conf, or disable mod_autoindex entirely if nothing needs it.
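A quick audit for this setting, as an added example that is not part of the original article: it scans an Apache config for Options lines that enable listing (a bare or "+Indexes" token, or "All", which includes Indexes) and prints a corrected <Directory> block. The config text inside it is constructed for illustration and the /var/www path is an assumption.

```shell
#!/usr/bin/env sh
# Added example (not from the original article): find Options lines in an
# Apache config that turn directory listing on, and print the fix.
set -eu

# Print every Options line that enables listing. "-Indexes" and "None" are
# not matched; leading whitespace is fine; commented lines are ignored.
indexes_enabled_lines() {
  printf '%s\n' "$1" \
    | grep -Ei '^[[:space:]]*Options([[:space:]]+[^[:space:]]+)*[[:space:]]+\+?(Indexes|All)([[:space:]]|$)' \
    || true
}

# Number of offending lines (0 means listing is off everywhere in this text).
count_indexes_enabled() {
  indexes_enabled_lines "$1" | grep -c . || true
}

# Hardened block for the document root (path is an assumption; adjust it).
# Once any option uses +/-, all of them on that line must, hence +FollowSymLinks.
render_no_indexes() {
  cat <<'EOF'
<Directory /var/www/>
    Options -Indexes +FollowSymLinks
    AllowOverride None
    Require all granted
</Directory>
EOF
}

# Constructed sample: the Debian default for /var/www plus one hardened subdir.
SAMPLE_CONF='<Directory /var/www/>
    Options Indexes FollowSymLinks
    AllowOverride None
</Directory>
<Directory /var/www/app/uploads>
    Options -Indexes
</Directory>'

# Example run: reports the first block, not the second.
indexes_enabled_lines "$SAMPLE_CONF"
echo "offending lines: $(count_indexes_enabled "$SAMPLE_CONF")"
```

Keep AllowOverride None (or at least exclude Options) where you can; otherwise a stray .htaccess with `Options +Indexes` re-enables listing for that directory regardless of what apache2.conf says.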

4. mod_security and mod_evasive modules


mod_security

ModSecurity is a web application firewall (WAF) module for Apache: with a rule set loaded it inspects requests and responses and blocks or logs common attack patterns such as injection attempts and cross-site scripting. Let’s install mod_security.

Verify that the mod_security module was loaded; it appears as security2_module in the output of `apachectl -M`.

Then you have to configure it as described in the linked documentation. Start with SecRuleEngine DetectionOnly, watch the audit log for false positives on your own application, and only then switch to SecRuleEngine On. Read more on mod_security.


Apache mod_security base rules list

mod_evasive

mod_evasive is an Apache module that takes evasive action during an HTTP DoS, DDoS or brute-force attack: it counts requests per client IP, and once a client exceeds the configured per-page or per-site threshold within a short interval it answers that client with 403 for a blocking period. Let’s install mod_evasive.

Let’s create a log directory for mod_evasive (this is what the DOSLogDir directive points at).

Add the below configuration to the /etc/apache2/mods-available/mod-evasive.conf file. One caveat: mod_evasive keys on the client IP it sees, so behind a load balancer or CDN every request appears to come from the proxy and legitimate traffic will trip the thresholds; put the counting at the edge or restore the real client IP first.
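To make the thresholds concrete, here is an added example (not the article's own configuration) that renders a mod_evasive configuration and then replays constructed access-log lines through the same counting rule the module applies: a client is blocked once its requests for one page exceed DOSPageCount, or its requests for the whole site exceed DOSSiteCount, within the interval. The log lines are constructed and all fall inside a single one-second interval, so the simulation does not need to track time; the e-mail address and the module name in the IfModule guard are assumptions to check against your package.

```shell
#!/usr/bin/env sh
# Added example (not from the original article): a mod_evasive config and a
# simulation of its per-page / per-site thresholds over sample log lines.
set -eu

# Render the configuration. Values are the mod_evasive documentation defaults
# except the e-mail address, which is an assumption you must replace.
# Apache does not allow trailing comments on directive lines, hence none here.
render_evasive_conf() {
  cat <<'EOF'
<IfModule mod_evasive20.c>
    DOSHashTableSize    3097
    DOSPageCount        2
    DOSSiteCount        50
    DOSPageInterval     1
    DOSSiteInterval     1
    DOSBlockingPeriod   10
    DOSLogDir           /var/log/mod_evasive
    DOSEmailNotify      admin@example.com
</IfModule>
EOF
}

# evasive_offenders PAGE_COUNT SITE_COUNT LOG_TEXT
# Prints "IP page:/uri" and/or "IP site" for each client that exceeds a
# threshold. Assumes common/combined log format (field 1 = IP, field 7 = URI)
# and that all lines fall within one interval.
evasive_offenders() {
  printf '%s\n' "$3" | awk -v pc="$1" -v sc="$2" '
    { page[$1 SUBSEP $7]++; site[$1]++ }
    END {
      for (k in page) {
        split(k, p, SUBSEP)
        if (page[k] > pc) out[p[1]] = out[p[1]] " page:" p[2]
      }
      for (ip in site) if (site[ip] > sc) out[ip] = out[ip] " site"
      for (ip in out) print ip out[ip]
    }'
}

# Constructed sample: one client hammering /login, one browsing normally.
SAMPLE_LOG='203.0.113.9 - - [10/Oct/2023:13:55:36 +0000] "GET /login HTTP/1.1" 200 512
203.0.113.9 - - [10/Oct/2023:13:55:36 +0000] "GET /login HTTP/1.1" 200 512
203.0.113.9 - - [10/Oct/2023:13:55:36 +0000] "GET /login HTTP/1.1" 200 512
198.51.100.4 - - [10/Oct/2023:13:55:36 +0000] "GET / HTTP/1.1" 200 1024
198.51.100.4 - - [10/Oct/2023:13:55:36 +0000] "GET /about HTTP/1.1" 200 800'

# Example run with the defaults above (page 2, site 50): only 203.0.113.9 trips.
evasive_offenders 2 50 "$SAMPLE_LOG"
```

Tune DOSPageCount with your own traffic in mind: pages that pull many sub-requests from the same origin, or clients that legitimately poll, will exceed a count of 2 per second quickly, and the blocking period then hits real users.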

Read more here on mod_evasive.

5. Disable unnecessary modules

Below is the list of modules that are enabled by default but often not needed. Every loaded module is code reachable from the network, so disable what you do not use. On RHEL-style layouts you disable a module by putting a “#” at the beginning of its LoadModule line in httpd.conf; on Debian/Ubuntu use `a2dismod <name>`, which removes the symlink under mods-enabled/. Check what is actually loaded with `apachectl -M` before and after, and keep anything your application or other directives depend on. Read more here and here.
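The same loaded-modules output answers both the "is mod_security loaded?" check from the previous section and the "what can I turn off?" question here, so one added example serves both. It is not code from the original article: it parses `apachectl -M` style text (a constructed sample is embedded), reports whether a named module is present, and lists which loaded modules appear on a review list. That review list is an assumption for the example, not the article's list; treat it as a starting point and remove anything your site needs.

```shell
#!/usr/bin/env sh
# Added example (not from the original article): parse `apachectl -M` output,
# check for a module, and flag loaded modules from a review list.
set -eu

# Constructed sample of `apachectl -M` output (not a real capture).
SAMPLE_MODULES='Loaded Modules:
 core_module (static)
 mpm_event_module (shared)
 autoindex_module (shared)
 status_module (shared)
 security2_module (shared)
 rewrite_module (shared)'

# Print loaded module names without the _module suffix, one per line.
loaded_modules() {
  printf '%s\n' "$1" | awk '/_module/ { sub(/_module$/, "", $1); print $1 }'
}

# module_loaded NAME MODULES_TEXT: exit 0 if NAME (e.g. security2) is loaded.
module_loaded() {
  loaded_modules "$2" | grep -qx "$1"
}

# Modules to review on a plain PHP site. This list is an assumption for the
# example (directory listing, server status/info, per-user dirs, CGI).
REVIEW_LIST='autoindex status info userdir cgi'

# Print the loaded modules that are on the review list.
candidates_to_disable() {
  for m in $REVIEW_LIST; do
    if module_loaded "$m" "$1"; then echo "$m"; fi
  done
}

# Debian/Ubuntu: disable the given modules, then syntax-check and restart.
# Not called here; run as root after you have reviewed the candidates.
disable_modules() {
  for m in "$@"; do a2dismod "$m"; done
  apachectl configtest && systemctl restart apache2
}

# Example run against the constructed sample; live: apachectl -M 2>/dev/null.
if module_loaded security2 "$SAMPLE_MODULES"; then echo "mod_security loaded"; fi
echo "review these:"; candidates_to_disable "$SAMPLE_MODULES"
```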

6. Apache with SSL

The Apache HTTP Server module mod_ssl provides an interface to the OpenSSL library, which provides Strong Encryption using the Secure Sockets Layer and Transport Layer Security protocols. – Apache SSL

There are plenty of articles written on this topic, so I’m not going to rewrite them. Refer to this article to get SSL on Apache. Once it is in place, redirect plain HTTP to HTTPS and allow only current TLS versions; an HTTPS listener next to an open HTTP one protects nobody who never gets redirected.

7. Apache logging

Apache logging tells you what is happening on the server, and the access and error logs are what you will be reading during an incident, so configure them before you need them.

In order to effectively manage a web server, it is necessary to get feedback about the activity and performance of the server as well as any problems that may be occurring. The Apache HTTP Server provides very comprehensive and flexible logging capabilities. – Apache Logs

Apache log levels, from least to most verbose, are emerg, alert, crit, error, warn, notice, info, debug and trace1 to trace8. warn is the default and a sensible production setting; debug and trace levels produce large logs and belong in troubleshooting sessions, not in production.

Apache Log Levels (image)

Okay, now let’s configure logs in your virtual hosts, so each site writes its own error and access log instead of everything landing in one global file. If you don’t know much about virtual hosts, it is time to read this article.
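An added example (not the article's own virtual-host configuration) showing a virtual host with its own ErrorLog, CustomLog and LogLevel, plus an audit that walks every <VirtualHost> block in a config and reports any that lacks one of the two log directives. The hostnames, paths and the config text it checks are constructed for illustration; `${APACHE_LOG_DIR}` is the variable the Debian/Ubuntu envvars file defines.

```shell
#!/usr/bin/env sh
# Added example (not from the original article): per-vhost logging and an
# audit for <VirtualHost> blocks that forgot ErrorLog or CustomLog.
set -eu

# A virtual host with dedicated logs (names and paths are assumptions).
render_vhost_logging() {
  cat <<'EOF'
<VirtualHost *:80>
    ServerName example.com
    DocumentRoot /var/www/example
    LogLevel warn
    ErrorLog ${APACHE_LOG_DIR}/example.com-error.log
    CustomLog ${APACHE_LOG_DIR}/example.com-access.log combined
</VirtualHost>
EOF
}

# For each <VirtualHost> block in CONFIG text, print "<ServerName> missing: ..."
# when it lacks ErrorLog or CustomLog. A host without its own logs writes
# into the global log (or, for access logs, nowhere), and its events get lost.
vhosts_missing_logs() {
  printf '%s\n' "$1" | awk '
    /^[[:space:]]*<VirtualHost/ { inv=1; name="(unnamed)"; e=0; c=0; next }
    inv && /^[[:space:]]*ServerName[[:space:]]/ { name=$2 }
    inv && /^[[:space:]]*ErrorLog[[:space:]]/   { e=1 }
    inv && /^[[:space:]]*CustomLog[[:space:]]/  { c=1 }
    /^[[:space:]]*<\/VirtualHost>/ {
      miss=""
      if (!e) miss = miss " ErrorLog"
      if (!c) miss = miss " CustomLog"
      if (miss != "") print name " missing:" miss
      inv=0
    }'
}

# Constructed sample: one complete host and one that forgot its access log.
SAMPLE_VHOSTS='<VirtualHost *:80>
    ServerName example.com
    ErrorLog ${APACHE_LOG_DIR}/example.com-error.log
    CustomLog ${APACHE_LOG_DIR}/example.com-access.log combined
</VirtualHost>
<VirtualHost *:80>
    ServerName shop.example.com
    DocumentRoot /var/www/shop
    ErrorLog ${APACHE_LOG_DIR}/shop-error.log
</VirtualHost>'

# Example run; live: vhosts_missing_logs "$(cat /etc/apache2/sites-enabled/*)".
vhosts_missing_logs "$SAMPLE_VHOSTS"
```

Ship the per-host logs off the box (syslog, a log collector) as well: logs that live only on the web server are the first thing an attacker with a shell cleans up.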

These are the most used configurations to secure an Apache web server. If you have any questions, let me know in the comments below. Your feedback is highly appreciated.
