10 Tips To Ensure Apache Server Security

Apache server security: 10 tips to secure installation

(http://www.acunetix.com/blog/articles/10-tips-secure-apache-installation/)
POSTED ON OCTOBER 6, 2014 (HTTP://WWW.ACUNETIX.COM/BLOG/ARTICLES/10-TIPS-SECURE-APACHE-INSTALLATION/) BY
GLENN DARMANIN (HTTP://WWW.ACUNETIX.COM/BLOG/AUTHOR/GLENNDARMANIN/)

Apache is one of the most popular web servers. As of September 2014, it is used to host 55.7% of the
top 1 million websites (http://w3techs.com/technologies/cross/web_server/ranking). It is also often
described as one of the most secure web servers. In this article, I shall describe some configuration
changes that will harden your Apache’s configuration.

Ensure that Apache server-info is disabled


If the <Location /server-info> directive (http://httpd.apache.org/docs/2.4/mod/mod_info.html) is
enabled in the httpd.conf configuration file, Apache displays information about its configuration
whenever the /server-info page is requested, e.g. from http://www.example.com/server-info.
This can include sensitive information about server settings such as the server version,
system paths, database names, library information and so on. In the screenshot below we can
see that the Apache /server-info page lists the server version, which also includes the OpenSSL version.
From this information an attacker could deduce that this server is making use of a version of
OpenSSL which is vulnerable to the Heartbleed Bug
(http://www.acunetix.com/blog/releases/acunetix-vulnerability-scanner-identify-heartbleed-bug/) and
thus could now also exploit this vulnerability.

(http://www.acunetix.com/wp-content/uploads/2014/10/Server_Info.png)

Figure 1 – Part of Apache /server-info, which clearly lists the server version, OpenSSL version, and PHP version, among other information.

This can be disabled either by commenting out the LoadModule line for the mod_info module in the
httpd.conf Apache configuration file, as shown below:

#LoadModule info_module modules/mod_info.so

Or by commenting out the <Location /server-info> directive in the httpd.conf Apache configuration
file, as shown below. Note that the Order, Deny and Allow lines are Apache 2.2 access-control syntax;
on Apache 2.4 they only work with mod_access_compat loaded, and the native equivalent is the Require
directive.

#<Location /server-info>
# SetHandler server-info
# Order deny,allow
# Deny from all
# Allow from .your_domain.com
#</Location>

Ensure that Apache server-status is disabled


When enabled, the <Location /server-status> directive lists information about the server’s
performance, such as server uptime, server load, current HTTP requests, and client IP addresses. An
attacker may make use of this information to craft an attack against the web server.

(http://www.acunetix.com/wp-content/uploads/2014/10/Server_Status.png)

Figure 2 – The server-status page, accessible from http://your.host.example.com/server-status, showing various information with regards to the server’s performance.

Disable the ServerSignature directive


The ServerSignature directive
(http://httpd.apache.org/docs/current/mod/core.html#serversignature) adds a footer to
server-generated documents (such as error pages) which includes information about your Apache
configuration, such as the Apache version and the server's OS. To prevent Apache from displaying this
sensitive information, the ServerSignature directive in your Apache configuration needs to be disabled
as shown below:

ServerSignature Off

(http://www.acunetix.com/wp-content/uploads/2014/10/Server_Signature.png)

Figure 3 – Leaving the Apache ServerSignature directive enabled displays a footer with information about your Apache configuration.

Set the ServerTokens directive to Prod


The ServerTokens directive controls what information about the server is sent back in the Server
response header field. A number of syntaxes can be used with this directive, as listed in the Apache
ServerTokens documentation (http://httpd.apache.org/docs/current/mod/core.html#servertokens).
The ServerTokens directive should be set to Prod in order to instruct Apache to return only
‘Apache’ in the server response headers. This can be done by including the below directive in your
httpd.conf Apache configuration file:

ServerTokens Prod

Disable Directory Listing


Directory listing displays a list of the directory contents which would include all the files from that
website. If this is enabled, an attacker can simply discover and view any file. This could potentially
lead to the attacker decompiling and reverse engineering an application in order to obtain the
application’s source code. The attacker can then analyze the source code for possible security flaws or
to obtain more information about an application, such as database connection strings, passwords to
other systems etc. Directory listing can be disabled by setting the Options directive
(http://httpd.apache.org/docs/current/mod/core.html#options) in the Apache httpd.conf file:

<Directory /your/website/directory>
Options -Indexes
</Directory>

(http://www.acunetix.com/wp-content/uploads/2014/10/Dir_Listing.png)

Figure 4 – Apache directory listing.

Enable only the modules that are required


A default installation of Apache may include a number of pre-installed and enabled modules which
you might not need. To add insult to injury, some web server admins tend to take the path of least
resistance and enable all the remaining modules in httpd.conf, so as to ensure that everything
works without a hitch. This, however, also opens up the web server to any security issues that might
exist, or be discovered in the future for the modules that are enabled.

The Apache module documentation (http://httpd.apache.org/docs/2.4/mod/) lists and explains all the
modules available within Apache. Research the modules that you have enabled, and ensure that
these are really required for the functionality of the website. Unnecessary modules should be
disabled by adding a # character in front of the LoadModule line.

(http://www.acunetix.com/wp-content/uploads/2014/10/Modules.png)

Figure 5 – A section of the httpd.conf Apache configuration file showing the majority of modules being disabled, including the mod_status.so module.

Make use of an appropriate user and group


By default Apache will run under the daemon user and group, however it is best practice to run
Apache in a non-privileged account. Furthermore, if two processes, such as Apache and MySQL for
example, are running under the same user and group, issues in one process might lead to exploits in
the other process. To change Apache’s user and group the User and Group directives in the Apache
httpd.conf configuration file need to be changed:

(http://www.acunetix.com/wp-content/uploads/2014/10/User_Group.png)

Figure 6 – An excerpt of the httpd.conf configuration file showing the user and group Apache runs as set to ‘apache’.

Restrict unwanted services


You may want to disable certain services, such as CGI execution and symbolic links, if these are not
needed. You can disable these services with the Options directive from the httpd.conf
configuration file and may also disable these services for a particular directory only. The below
example shows us what you need to include in your httpd.conf configuration file to disable CGI
execution, symbolic links, and server side includes.

<Directory /your/website/directory>
Options -ExecCGI -FollowSymLinks -Includes
</Directory>
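The tips above (server-info, server-status, ServerSignature, ServerTokens, directory listing, unneeded modules, the User and Group directives, and the Options flags) can all be checked mechanically against a configuration file. The following audit script is an added example and is not code from the article or from the Apache project; it parses a minimal httpd.conf syntax (LoadModule, single-argument directives, <Location> and <Directory> containers with Options) and reports one finding per tip that is not met. The two configurations embedded in it are constructed for the example, one that fails every check and one that passes them all. It does not model Options inherited from parent <Directory> blocks or values set in included files.

```python
"""Audit an httpd.conf for the hardening settings discussed above.

Added example, not code from the article or from the Apache project. The
two configurations below are constructed: one fails each check, one passes.
"""
import re

# Options the article recommends removing with "Options -Name".
RISKY_OPTIONS = {"Indexes", "ExecCGI", "FollowSymLinks", "Includes"}
# "Options All" enables every option except MultiViews (per the Options docs).
ALL_OPTIONS = RISKY_OPTIONS | {"SymLinksIfOwnerMatch", "IncludesNOEXEC"}

WEAK_CONF = """\
LoadModule info_module modules/mod_info.so
LoadModule status_module modules/mod_status.so
User daemon
Group daemon
ServerSignature On
ServerTokens Full
<Location /server-status>
    SetHandler server-status
</Location>
<Directory "/var/www/html">
    Options Indexes FollowSymLinks ExecCGI
</Directory>
"""

HARDENED_CONF = """\
#LoadModule info_module modules/mod_info.so
#LoadModule status_module modules/mod_status.so
User apache
Group apache
ServerSignature Off
ServerTokens Prod
#<Location /server-status>
#    SetHandler server-status
#</Location>
<Directory "/var/www/html">
    Options -Indexes -FollowSymLinks -ExecCGI -Includes
</Directory>
"""


def active_lines(conf):
    """Non-empty lines that are not comments. httpd treats a line as a comment
    only when its first non-blank character is '#'."""
    for raw in conf.splitlines():
        line = raw.strip()
        if line and not line.startswith("#"):
            yield line


def first_groups(conf, pattern):
    """Set of the first capture group of `pattern` over every active line."""
    return {m.group(1) for line in active_lines(conf) if (m := re.match(pattern, line, re.I))}


def loaded_modules(conf):
    return first_groups(conf, r"LoadModule\s+(\S+)")


def open_locations(conf):
    return first_groups(conf, r"<Location\s+\"?([^\s\">]+)")


def directive_value(conf, name):
    """Last active value of a single-argument directive (the last one wins in httpd)."""
    value = None
    for line in active_lines(conf):
        if m := re.match(rf"{name}\s+(\S+)", line, re.I):
            value = m.group(1).strip('"')
    return value


def directory_options(conf):
    """Map each <Directory> path to the Options left enabled inside it. An absolute
    list (no +/-) replaces the set; a relative list (+name/-name) adjusts it."""
    result, current = {}, None
    for line in active_lines(conf):
        if m := re.match(r"<Directory\s+\"?([^\">]+?)\"?\s*>", line, re.I):
            current = m.group(1)
            result.setdefault(current, set())
        elif re.match(r"</Directory>", line, re.I):
            current = None
        elif current and (m := re.match(r"Options\s+(.+)$", line, re.I)):
            tokens, enabled = m.group(1).split(), result[current]
            if not all(t[0] in "+-" for t in tokens):
                enabled.clear()
            for tok in tokens:
                name = tok.lstrip("+-")
                names = ALL_OPTIONS if name == "All" else {name} - {"None"}
                if tok.startswith("-"):
                    enabled -= names
                else:
                    enabled |= names
    return result


def audit(conf):
    """One human-readable finding per hardening tip that the configuration does not meet."""
    findings, mods = [], loaded_modules(conf)
    if "info_module" in mods:
        findings.append("mod_info is loaded: /server-info can reveal the full server configuration")
    if "status_module" in mods or "/server-status" in open_locations(conf):
        findings.append("server-status is enabled: uptime, load, requests and client IPs are exposed")
    if (directive_value(conf, "ServerSignature") or "Off").lower() != "off":
        findings.append("ServerSignature is not Off: version details appear in error-page footers")
    if (directive_value(conf, "ServerTokens") or "Full").lower() != "prod":
        findings.append("ServerTokens is not Prod: the Server header leaks version and module details")
    for name in ("User", "Group"):
        value = directive_value(conf, name)
        if value is None or value in ("daemon", "root"):
            findings.append(f"{name} is {value or 'unset'}: run httpd under a dedicated unprivileged account")
    for path, opts in directory_options(conf).items():
        if risky := sorted(opts & RISKY_OPTIONS):
            findings.append(f"{path}: Options {' '.join(risky)} enabled; disable with -" + " -".join(risky))
    return findings


if __name__ == "__main__":
    for label, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(f"{label}: {audit(conf) or 'no findings'}")
```

Run against the weak configuration the script reports seven findings, one per tip, and none against the hardened one. The defaults assumed when a directive is absent (ServerSignature Off, ServerTokens Full) are Apache's documented defaults, which is why a missing ServerTokens still produces a finding while a missing ServerSignature does not.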

Make use of ModSecurity


mod_security (http://www.modsecurity.org) is an open-source module that works as a web
application firewall. Its functionality includes request filtering, server identity masking, and null byte
attack prevention, and it also allows real-time traffic monitoring. It is therefore recommended to
follow the ModSecurity manual
(https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual) to install the mod_security
module and strengthen your security options.

Updates
You should always keep up to date with the latest versions of Apache
(https://httpd.apache.org/docs/), as new updates will contain new fixes and patches that will address
past security issues and also introduce new security measures. The best way to keep up to date about
new versions of Apache is to subscribe to the Apache Server Announcements
(http://httpd.apache.org/lists.html#http-announce) mailing list at announce-[email protected].

Enable logging
Apache logging provides detailed information about the client requests made to your web server, so
enabling it will prove useful when investigating the cause of particular issues. To enable logging, the
mod_log_config module
(http://httpd.apache.org/docs/current/mod/mod_log_config.html) needs to be loaded in the
Apache httpd.conf file. This module provides the TransferLog, LogFormat, and CustomLog directives,
which are used respectively to create a log file, to define a custom log format, and to create and
format a log file in one step. As seen below, the LogFormat directive defines a custom logging
format – in this case the referrer and browser of each request are logged along with the default
logging fields. The CustomLog directive then instructs Apache to write the access log using this
format.

LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" detailed
CustomLog logs/access.log detailed
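A log is only useful if something reads it. The parser below is an added example, not code from the article or from Apache: it matches lines written with the "detailed" LogFormat above (one regex group per format field), splits the request line into method and path, builds a per-client histogram of response codes, and picks out requests for the /server-status and /server-info pages that the earlier tips disable, so that an administrator can confirm those pages now answer with 403 or 404 rather than 200. The four log lines embedded in it are constructed for the example and use documentation IP ranges.

```python
"""Parse access-log lines written with the article's "detailed" LogFormat.

Added example, not code from the article or from Apache; the log lines
below are constructed and use documentation IP ranges.
"""
import re
from collections import Counter, defaultdict

# One named group per field of:
#   %h %l %u %t "%r" %>s %b "%{Referer}i" "%{User-Agent}i"
LOG_RE = re.compile(
    r'^(?P<host>\S+) (?P<ident>\S+) (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<request>[^"]*)" (?P<status>\d{3}) (?P<bytes>\d+|-) '
    r'"(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)

# Constructed sample: four requests, two of them for pages the article disables.
SAMPLE_LOG = """\
203.0.113.7 - - [06/Oct/2014:10:15:32 +0000] "GET /index.html HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
203.0.113.7 - - [06/Oct/2014:10:15:40 +0000] "GET /server-status HTTP/1.1" 403 199 "-" "curl/7.38.0"
198.51.100.9 - - [06/Oct/2014:10:16:01 +0000] "GET /server-info HTTP/1.1" 404 209 "-" "python-requests/2.4"
203.0.113.7 - - [06/Oct/2014:10:16:05 +0000] "GET /images/ HTTP/1.1" 200 1832 "http://www.example.com/" "Mozilla/5.0"
"""

# Pages that the server-info and server-status tips say should be disabled.
SENSITIVE_PATHS = {"/server-status", "/server-info"}


def parse_line(line):
    """Return a dict of fields, or None when the line does not match the format.
    %b is '-' when no body was sent; %r is split into method and path."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["bytes"] = 0 if rec["bytes"] == "-" else int(rec["bytes"])
    parts = rec["request"].split(" ")
    rec["method"], rec["path"] = (parts[0], parts[1]) if len(parts) >= 2 else ("", rec["request"])
    rec["path"] = rec["path"].split("?", 1)[0]  # drop any query string
    return rec


def parse_log(text):
    """Parse every line, skipping ones that do not match (e.g. a truncated last line)."""
    return [rec for rec in map(parse_line, text.splitlines()) if rec]


def status_by_host(records):
    """Per-client histogram of response codes: a client collecting 403s and 404s
    across many paths is the usual first sign of probing."""
    hist = defaultdict(Counter)
    for rec in records:
        hist[rec["host"]][rec["status"]] += 1
    return hist


def sensitive_page_requests(records):
    """Requests for /server-status or /server-info, whatever the response code.
    A 403 or 404 shows the hardening took effect; a 200 shows it did not."""
    return [rec for rec in records if rec["path"].rstrip("/") in SENSITIVE_PATHS]


if __name__ == "__main__":
    records = parse_log(SAMPLE_LOG)
    for host, codes in status_by_host(records).items():
        print(host, dict(codes))
    for rec in sensitive_page_requests(records):
        print(f"{rec['host']} requested {rec['path']} -> {rec['status']} ({rec['agent']})")
```

Pointing `parse_log` at the contents of logs/access.log instead of the embedded sample turns this into a small check you can run after applying the configuration changes above: every entry returned by `sensitive_page_requests` should carry a 403 or 404 status.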

© Acunetix, 2016 (http://www.acunetix.com)