Web Server Security (Apache or HTTPD) Part 1
Securing apache web server is important to get a good reputation for the hosting service. After setting up the apache web server it is very important to get the security check and minimum necessary security configurations for both side benefits. Here we will discuss few of the important issues in this article. The important basic security topics of apache web server are given below.
- Configure apache, so that the version of the apache keeps hidden.
- How to disable directory listing in apache
- How to disable unnecessary modules for apache.
- Run server using separate group and user.
- Restrict access of directories using allow and deny.
- Install two security modules (mod_security & mod_evasive) to secure Apache web server.
- How to disable followsymlinks
- Disable server side includes and CGI execution.
- Limit request size.
- How to disable ETag.
- Secure server from XSS attack.
- Secure server from Click Jacking attack.
- Allow browsing only within the document root.
Configure Apache, so that the version of the Apache keeps hidden
So as our first requirement we need to configure the Apache server, so that a usual client can not find out the Apache version. For that we need to add two lines in /ect/httpd/conf/httpd.conf file. So open this file using vim.
Now add these two below lines to get our goal.
Now save and exit the file and restart apache server. To restart Apache web server we need to run the below commands.
#systemctl restart httpd.service
How to disable directory listing in Apache
Next point we need to make sure that how we can disable directory listing! To do so we need to work on the same previous file and we need to find out the following part from the configuration file.
Once this section is found we need to put three lines in between the above tags to disable directory listing. The following lines we need to put in between these tags.
Require all granted
Now the final outcome of this will be like below.
Require all granted
Now save the configuration file and restart the httpd service. To do so we have to run the restart command again.
How to disable unnecessary modules for apache
Next we have to disable unnecessary modules of apache web server. To do so we have to change few lines in /etc/httpd/conf.modules.d/00-base.conf file. So, run the below command on terminal.
Now we will see few links like below.
LoadModule info_module modules/mod_info.so
Once we get this file and the lines like this we should find few common modules and put “#” tag infront of those lines. These modules names are given below.
Once these lines are comment out then we should save the file and restart the httpd service again.
Run server using separate group and user
Usually a new server is managed by the super user or by root. But as we all know the primary user for any server is the root. So any attacker would consider the root as the primary user for the web server. So we should change the user and the group of the server to make a server a little secure. For that we need to follow the below procedure.
First create a group using the following command.
Now create a user for web server using the following command.
#adduser -d /var/www/ -g webtest -s /bin/nologin webtest
Once the above user and groups are created, now we have to put these in configuration file. So let’s open and edit the configuration file. So open /etc/httpd/conf/httpd.conf file and find the user and group section. Than edit those two lines.
User webtestGroup webtest Now save the file and restart httpd service.
Very helpful post