16 Apache Web Server Security and Hardening Tips
Apache web server is one of the most popular and widely used web servers for hosting files and websites. It’s easy to install and configure to meet your hosting needs. However, the default settings are not secure to offer the much-needed protection that your site needs.
In this guide, we look at some of the Apache server hardening tips and tricks that you can implement to strengthen the security of your web server.
1. How to Hide Apache Version and OS Information
By default, the Apache web server displays its version in case you browse the wrong URL of a website. Below is an example of an error page indicating that the page cannot be found on the site. The last line indicates the Apache version, the host OS, the IP address, and the port it is listening on.
It’s not never good idea to display your web server’s information as this can be a good gift to hackers in their reconnaissance mission. To add a layer of security and make it harder for hackers, it’s recommended to hide the web server information.
To do this, open the default Apache configuration file on Debian-based distributions.
$ sudo vim /etc/apache2/apache2.conf
For RHEL-based systems such as RHEL, Fedora, CentOS, Rocky, and AlmaLinux.
$ sudo vim /etc/httpd/conf/httpd.conf
Add the following lines at the end of the file.
ServerTokens Prod ServerSignature Off
Save the changes and restart the Apache web server.
$ sudo systemctl restart apache2 [On Debian, Ubuntu and Mint] $ sudo systemctl restart httpd [On RHEL/CentOS/Fedora and Rocky/AlmaLinux]
Now reload the site and, this time around, the web server information will not be displayed.
2. Disable Directory Listing in Apache
By default, Apache allows directory listing, and visitors might see whatever files or directories you might have on your Document Root directory.
To demonstrate this, we will create a directory called test.
$ sudo mkdir -p /var/www/html/test
Next, we will navigate into the directory and create a few files.
$ cd /var/www/html/test $ sudo touch app.py main.py
Now, if we access the URL, http://localhost/test
we will be able to view the directory listing.
To disable directory listing, head over to Apache’s main configuration file and search for the ‘Directory‘ attribute. Set the ‘Options‘ parameter to '-Indexes'
as shown.
<Directory /opt/apache/htdocs> Options -Indexes </Directory>
Reload Apache, and this time around, when you visit the URL, the directories will no longer be displayed.
3. Regularly Update Apache
It’s always recommended to keep all your applications up to date, as the latest applications come with bug fixes and security patches that address underlying vulnerabilities present in older software versions.
As such, regularly upgrading your applications to their latest versions is recommended.
$ sudo apt update && sudo apt upgrade [On Debian, Ubuntu and Mint] $ sudo dnf upgrade [On RHEL/CentOS/Fedora and Rocky/AlmaLinux]
4. Use HTTPS Encryption on Apache
Apache, by default, uses HTTP protocol which is a weak and insecure protocol that is prone to eavesdropping. To improve your site’s security and, more so, improve your Google SEO rankings, consider encrypting your site using an SSL certificate.
By so doing, it switches the default HTTP protocol to HTTPS, thereby making it harder for anyone to intercept and decipher communication being sent back and forth from the server.
Check out how to secure the Apache web server using Let’s Encrypt SSL on Linux.
5. Enable HTTP/2 on Apache
In 2015, HTTP/2 was released, which is a new version of the HTTP protocol that seeks to address or resolve multiple problems that the creators of HTTP/1.1 did not foresee.
While HTTP/1.1 is still widely in use, it is associated with performance issues associated with the use of multiple TCP connections to process multiple requests from the browser, which leads to high resource overhead on the client side, leading to degraded network performance.
As applications grew in complexity and functionality, HTTP/2 was created to solve the shortcomings of HTTP/1.1 which include long HTTP headers, slow web page loading speeds, and general performance degradation.
HTTP/2 provides more protection and privacy than its predecessor. Equally important, is enhanced performance through the use of multiplexed streams of data. With HTTP/2 a single TCP connection ensures effective bandwidth utilization, even when transmitting multiple streams of data.
Check out how to enable HTTP/2 on the Apache web server using:
6. Restrict Access to Sensitive Directories in Apache
Another security measure you might take is to limit access to directories that might contain sensitive information such as user data, logs, and configuration files. Using the “Allow” and “Deny” attributes, we can restrict access to, for example, the root directory as shown.
<Directory /> Options None Order deny,allow Deny from all </Directory>
Let’s look at these options in closer detail.
- “None” – This restricts users from enabling any optional features.
- Order “deny”, “allow” – The “Deny” directive takes precedence, followed by the “allow” directive.
- Deny from all – Restricts everyone from accessing the root directory.
Save the changes and exit the file. Then restart Apache for the changes to come into effect.
7. Disable the ServerSignature Directive in Apache
The ServerSignature directive in the Apache configuration file appends a footer to server-generated documents that bear information about your web server’s configuration such as the version and the OS on which it is running. Exposing crucial details about your web server to malicious actors will significantly increase the chances of an attack.
To prevent exposure of such information, you need to disable this directive in the Apache configuration file:
ServerSignature Off
Save the changes and once again restart Apache for the changes to come into effect.
$ sudo systemctl restart apache2
8. Set the ‘ServerTokens’ Directive to ‘Prod’
The ‘ServerTokens‘ directive controls what information the server sends including Apache version (major and minor version), OS, and the type of web server running.
The least amount of information that you would want to expose to the public is that the web server is Apache. Anything else would only expose your server to potential attacks. Therefore, it’s recommended to set the ‘ServerTokens‘ directive in the Apache configuration file to ‘prod‘.
ServerTokens Off
As always save the changes and be sure to restart Apache.
9. Secure Apache with Fail2ban
Fail2ban is an open-source intrusion prevention application that protects Linux systems from external threats including DoS and brute-force attacks. It works by constantly monitoring systems logs for nefarious activity and banning hosts that match patterns that mimic attack behavior.
Fail2ban can be configured to protect Apache from DoS attacks by constantly monitoring Apache logs for failed login attempts and temporarily banning offending IPs.
Check out how to install Fail2ban on Linux using:
10. Disable Unnecessary Modules
Apache modules are simply programs that are loaded to extend the functionality of the web server Functions extended by modules include basic authentication, content caching, encryption, security, etc.
It’s always recommended to disable all those modules that are not in use currently to minimize the chances of falling victim to an attack.
To view all enabled modules, run the command
$ apache2ctl -M
To check if a specific module is enabled, for example, the rewrite module, run the command.
$ apache2ctl -M | grep rewrite
To disable the module, run the command:
$ sudo a2dismod rewrite
11. Use mod_security and mod_evasive Modules to Secure Apache
You can enable the mod_security and mod_evasive modules to secure Apache against brute-force attacks or DDoS attacks.
- The mod_security module acts like a web application firewall (WAF) and blocks suspicious and unwanted traffic to your site.
- The mod_evasive module safeguards your server from brute force and denial of service attacks (DoS).
Read more on how to protect Apache using mod_security and mod_evasive modules.
12. Restricted Unwanted Services in Apache
To further secure Apache, consider disabling certain services such as symbolic links and CGI execution if not currently required. By default, Apache follows symlinks, we can turn off this feature as well as the -Includes
feature and CGI in one line.
To do this, add the line '-ExecCGI -FollowSymLinks -Includes'
for the ‘Options’ directive in the ‘Directory‘ section.
<Directory /your/website/directory> Options -ExecCGI -FollowSymLinks -Includes </Directory>
This can also be achieved at a directory level. For example, here, we are turning off Includes and Cgi file executions for the “/var/www/html/mydomain1” directory.
<Directory "/var/www/html/mydomain1"> Options -Includes -ExecCGI </Directory>
Save the changes and restart Apache.
13. Limit File Upload Size in Apache
Another way of securing your web server is to limit the total size of the HTTP request body sent to the web server from a client. You can set it in the context of server, per-directory, per-file, or per-location.
For instance, if you want to allow file upload to a specific directory, say /var/www/domain.com/wp-uploads directory, and restrict the size of the uploaded file to 4M = 4194304Bytes, add the following directive to your Apache configuration file or .htaccess file.
<Directory "/var/www/domain.com/wp-uploads"> LimitRequestBody 4194304 </Directory>
Save the changes and remember to restart Apache.
You can set it in the context of server, per-directory, per-file, or per-location. The directive wards off abnormal client request behavior which sometimes can be a form of denial-of-service (DoS) attack.
14. Enable Logging in Apache
Logging provides all the details about client requests and any other information pertaining to the performance of your web server. This provides useful information in case something goes awry. Enabling Apache logs, especially in virtual host files allows you to pinpoint an issue in case something goes wrong with the web server.
To enable logging, you need to include the mod_log_config module, which provides two main logging directives.
- ErrorLog – Specifies the path of the error log file.
- CustomLog – Creates and formats a log file.
You can use these attributes in a virtual host file in the virtual host section to enable logging.
<VirtualHost 172.16.25.125:443> ServerName example.com DocumentRoot /var/www/html/example/ ErrorLog ${APACHE_LOG_DIR}/error.log CustomLog ${APACHE_LOG_DIR}/access.log combined </VirtualHost>
The {APACHE_LOG_DIR}
directive in Debian systems is defined as /var/log/apache2 path.
15. Run Apache as a Separate User and Group
Running Apache as a separate user and group is a common security practice. By doing so, you can isolate the web server process from other system processes and minimize potential damage if the web server is compromised.
First, you’ll want to create a new user and group specifically for Apache.
$ sudo groupadd apachegroup $ sudo useradd -g apachegroup apacheuser
Next, you’ll need to edit the Apache configuration file to specify the new user and group.
User apacheuser Group apachegroup
Since you’re changing the user and group that Apache runs as you might need to update the ownership of web directories and files to ensure that Apache can still read them.
$ sudo chown -R apacheuser:apachegroup /var/www/html
After making these changes, restart Apache to apply them:
$ sudo systemctl restart httpd # For RHEL/CentOS $ sudo systemctl restart apache2 # For Debian/Ubuntu
16. Protect DDOS Attacks and Hardening
Well, it’s true that you can’t fully protect your website from DDoS attacks. However, here are some guidelines that can help you mitigate and manage them.
- TimeOut – This directive allows you to specify the duration the server will wait for certain events to complete before returning an error. The default value is 300 seconds. For sites susceptible to DDoS attacks, it’s advisable to keep this value low. However, the appropriate setting largely depends on the nature of requests your website receives. Note: A low timeout might cause issues with some CGI scripts.
- MaxClients – This directive sets the limit on the number of connections that can be served simultaneously. Any new connections beyond this limit will be queued. It’s available in both the Prefork and Worker MPMs. The default value is 256.
- KeepAliveTimeout – This directive specifies the duration the server will wait for a subsequent request before closing the connection. The default value is 5 seconds.
- LimitRequestFields – This directive sets a limit on the number of HTTP request header fields accepted by clients. The default value is 100. If DDoS attacks are occurring due to an excessive number of HTTP request headers, it’s recommended to reduce this value.
- LimitRequestFieldSize – This directive sets a size limit for the HTTP request header.
Conclusion
These are some of the Apache hardening tips that you can implement on your web server to provide an extra layer of protection and keep intrusions at bay.