Web servers play a key role in the implementation of most web applications. Apache is one of the most widely used web servers, so ensuring its security is vital. A default or improper configuration makes the server highly prone to hacking and other cyber attacks, while proper hardening of the Apache server protects it from damaging cyber threats.
Learn to host your own website with Apache, a solid, well-known, and easy-to-configure web server. Apache is the most commonly used web server on Linux systems. Web servers serve web pages requested by client computers; clients typically request and view web pages using web browser applications such as Firefox, Opera, Chromium, or Internet Explorer.
How to secure an Apache server on Linux:
Around the globe, roughly 350 million web servers run Apache, and most of them run it on some form of Linux. As far as cyber security is concerned, Apache and Linux have been relatively secure in the past: attacks were initiated via PHP and SQL rather than through gaps in Apache or Linux themselves. Today, however, attacks on Linux systems are mainly due to malicious Apache modules, weak authentication and gaps in commonly used applications such as cPanel, Plesk, Joomla, Drupal and WordPress, in addition to PHP and SQL.
Some of the high-profile cyber threats that involve Linux Apache machines include DDoS attacks, Darkleech and Chapro (Linux Apache malware that affected nearly 20,000 servers in the past), the WordPress brute-force botnet and Linux/Cdorked.
To avoid becoming a victim of such cyber attacks, consider the steps below.
1. Access: Any organization that uses an internet-connected Linux Apache web server needs to be fully aware of its functionality, location, administration and the security measures that protect it. In the event of an attack, proper recovery measures should also be in place to prevent further damage.
2. Maintaining a well-structured policy: Well-structured policies need to be implemented for the security and maintenance of Linux Apache systems. The security measures include restricting access to certain services to selected IP addresses, implementing two-factor authentication to counter brute-force attacks, and running anti-malware scans on the servers periodically.
A proper team needs to be established in any organization to monitor and implement such policies. The service providers and employees in charge of managing the web server and its contents must be fully aware of the controls and the measures that protect the systems.
3. Audit and test: Make sure that the organization is aware of the latest cyber threats and ensure that the firm's responsive measures match the threat.
Securing the Apache installation:
The following steps list the configuration changes that need to be performed for a secure Apache installation.
1. Ensure an appropriate user and group is used:
Apache by default runs under the daemon user and group. To play it safe, however, it is best to run Apache under its own non-privileged account. Also, if two processes such as Apache and MySQL run under the same user and group, issues in one process might lead to unwanted issues in the other. Apache's user and group can be modified by changing the User and Group directives in the Apache configuration file.
2. Keep the Apache server-info disabled:
The <Location /server-info> directive in the configuration file is enabled by default. It lists details of the Apache configuration when the /server-info page is accessed. These details might include sensitive information about server settings such as the server version, system paths, database names, library information and so on, which could provide valuable input to an attacker crafting an attack. So, always keep it disabled. This can be done by
- commenting out the mod_info module from httpd.conf (the configuration file), or
- commenting out the <Location /server-info> directive from httpd.conf (the configuration file).
3. Keep the Apache server-status disabled:
If the Apache server-status is enabled, the <Location /server-status> directive displays details about the server's performance such as server uptime, server load, current HTTP requests and client IP addresses. This information might prove vital to an attacker crafting an attack against the web server. So, always ensure that this status is disabled.
4. Keep the ServerSignature directive disabled:
Leaving the ServerSignature directive enabled displays Apache configuration details as a footer; the details include the Apache version and the OS name. To prevent Apache from broadcasting this sensitive information, set the ServerSignature directive in the Apache configuration file to Off.
5. Change the ServerTokens directive to Prod:
The ServerTokens directive decides exactly what details about the server are sent in the Server response header field. Multiple values, as listed in the Apache ServerTokens documentation, can be used with this directive. Changing ServerTokens to Prod instructs Apache to return only 'Apache' in the Server response header. To change it, include the directive below in the Apache configuration file.
ServerTokens Prod
6. Keep TRACE HTTP requests disabled:
The default, TraceEnable On, permits TRACE requests; per the HTTP specification no request body may accompany such a request. TRACE enables cross-site tracing issues and can potentially help an attacker steal cookie details. Disabling it causes the core server and mod_proxy to return a 405 (Method Not Allowed) error to the client. To disable it, set TraceEnable Off in the configuration file.
7. Keep only the required modules enabled:
The default installation of Apache includes many pre-installed and enabled modules that are not always required. In most cases all the modules are enabled to ensure that the server works without trouble, but enabling every module might pave the way for security threats. All the modules are described in the Apache module documentation. A careful study is required to understand exactly which modules the application needs in order to function properly; the rest need to be disabled, which is done by placing a # in front of the corresponding LoadModule line.
8. Keep directory listing disabled:
Directory listing displays the contents of a directory, revealing all the files of that website. Leaving it enabled can help an attacker easily discover and view any file, which could further lead to decompiling and reverse engineering the application to recover its source code. Analyzing the source code can reveal security flaws and extract more crucial details about the application such as database connection strings, passwords to other systems, etc. To disable directory listing, create a new entry with an Options directive for the specific directory in the Apache configuration file.
Steps to prevent DDoS attacks:
To reduce the effects of DDoS attacks, modify the following directives.
LimitRequestFields: The value of this directive should be minimized according to requirements. It limits the number of HTTP request header fields accepted from a client; the default value is 100. It can be lowered if an attack occurs as a result of many HTTP request headers.
LimitRequestFieldSize: This directive permits setting a size limit on each HTTP request header field.
Timeout: This directive sets the amount of time the server waits for certain events to complete before it fails the request. The default value is 300 seconds. This value should be set to a minimum on websites that are prone to DDoS attacks; it is mostly chosen based on the type of requests a particular website receives.
KeepAliveTimeout: This directive specifies how long the server waits for a subsequent request before closing the connection. The default value is 5 seconds.
MaxClients: This value needs to be configured depending on the website's traffic and the number of connections that need to be served at a time. The default value is 256. Once the limit is reached, new connections wait in a queue.
By default Apache has no limit on the total size of an HTTP request body. The size of a request body can be limited with the LimitRequestBody directive, which accepts a value anywhere from 0 to 2147483647 (2 GB) and should be set according to the website's requirements. For example, if a website allows uploads, the upload size for a specific directory can be limited: if user_uploads is the directory that contains the files uploaded by users, it can be restricted to 500K.
9. Use Allow and Deny to restrict access to directories:
Access to directories can be permitted or restricted as needed using the Allow and Deny options in the configuration file. The following options can be used:
Options None: This option disables all optional features for the directory.
Order deny,allow: This sets the order in which the Deny and Allow directives are processed. Here, Deny is evaluated first and Allow next.
Deny from all: Requests from everyone to access the root directory are denied, so nobody will be able to access it.
10. Disable Apache's following of symbolic links:
Apache follows symlinks by default. This feature can be turned off by removing FollowSymLinks from the Options directive (Options -FollowSymLinks). This entry needs to be made in the main configuration file.
If a particular user or website requires symbolic links (FollowSymLinks), it can be enabled by simply including a rule in that website's .htaccess file. Also, AllowOverride All needs to be present in the configuration file for the rules in .htaccess to take effect.
11. Turn off server-side includes and CGI execution:
Disable server-side includes (mod_include) and CGI execution if they are not required. The main configuration file needs to be modified to disable these features, and they can be disabled for a particular directory. The values below can also be turned on or off with the Options directive.
Options All:
This is the default value. It enables all options at once. It is used when there is no need to specify a particular value explicitly in the Apache conf file or .htaccess file.
Options IncludesNOEXEC:
This enables server-side includes but without permission to execute commands or CGI files.
Options MultiViews:
This permits content-negotiated multiviews via the mod_negotiation module.
Options SymLinksIfOwnerMatch:
This is the same as FollowSymLinks, but it works only when the link and the target it points to have the same owner.
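As an added example (not code from the original article), the following Python script audits an httpd.conf for the settings covered in steps 1 to 11 and in the DDoS directives above. It parses a constructed sample configuration that applies those settings (the Order/Deny lines use the Apache 2.2-style syntax shown in step 9) and reports any checked setting left at its weak default.

```python
import re
from collections import defaultdict

# Constructed sample httpd.conf fragment applying the hardening steps above (not a real server's file)
SAMPLE_CONF = """\
User apache
Group apache
ServerTokens Prod
ServerSignature Off
TraceEnable Off
#LoadModule info_module modules/mod_info.so
#LoadModule status_module modules/mod_status.so
Timeout 60
<Directory "/var/www/html">
    Options -Indexes -FollowSymLinks -Includes -ExecCGI
    Order deny,allow
    Deny from all
</Directory>
"""

def parse_directives(text):
    """Map lower-cased directive name -> its argument strings; comments and <section> tags are skipped."""
    found = defaultdict(list)
    for line in text.splitlines():
        m = re.match(r"\s*([A-Za-z]\w*)\s*(.*)", line)  # a leading '#' or '<' never matches
        if m:
            found[m.group(1).lower()].append(m.group(2).strip())
    return found

def audit(text):
    """Return a list of findings; an empty list means every checked setting is hardened."""
    d = parse_directives(text)
    last = lambda name: d[name][-1] if d[name] else ""  # Apache honours the last occurrence
    findings = []
    for name, want in (("servertokens", "Prod"), ("serversignature", "Off"), ("traceenable", "Off")):
        if last(name).lower() != want.lower():
            findings.append(f"{name} should be {want}, got '{last(name) or 'default'}'")
    for who in ("user", "group"):
        if last(who) in ("", "root", "daemon"):
            findings.append(f"{who} should be a dedicated unprivileged account")
    for mod in ("info_module", "status_module"):
        if any(args.split()[:1] == [mod] for args in d["loadmodule"]):
            findings.append(f"{mod} is loaded, exposing /server-info or /server-status")
    opts = last("options").split()
    for opt in ("Indexes", "FollowSymLinks", "Includes", "ExecCGI"):
        if opts != ["None"] and "-" + opt not in opts:
            findings.append(f"Options does not disable {opt}")
    if not last("timeout").isdigit() or int(last("timeout")) >= 300:
        findings.append("Timeout left at the 300 second default")
    return findings
```

Run audit() on the text of a real httpd.conf (including any files it Includes) to get the list of findings; it only checks the directives discussed on this page.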
Installing certain modules to strengthen Apache security:
ModSecurity is an open-source module that works as a web application firewall. It includes multiple functions such as filtering, server identity masking and null-byte attack prevention, and it also allows real-time traffic monitoring. So the mod_security module should be installed to reinforce the security process.
The mod_evasive module detects DDoS attacks and prevents the huge damage that results from such attacks. It examines each request as it arrives and detects a DDoS attack using the methods below:
- if multiple requests for the same page arrive several times per second;
- if more than 50 concurrent requests are made, or attempted, against any child process;
- if an IP is still trying to make new requests while it is temporarily blacklisted.
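As an added illustration (not mod_evasive's own code), the Python below re-implements the three triggers just listed as a detector and replays constructed access-log lines through it; the default thresholds mirror mod_evasive's DOSPageCount, DOSSiteCount, DOSPageInterval/DOSSiteInterval and DOSBlockingPeriod directives, which the article does not cover.

```python
import re
from datetime import datetime
# Constructed access-log lines in Apache common log format (not taken from any real server)
SAMPLE_LOG = """\
203.0.113.7 - - [10/Oct/2020:13:55:36 +0000] "GET /index.html HTTP/1.1" 200 512
203.0.113.7 - - [10/Oct/2020:13:55:36 +0000] "GET /index.html HTTP/1.1" 200 512
203.0.113.7 - - [10/Oct/2020:13:55:36 +0000] "GET /index.html HTTP/1.1" 200 512
198.51.100.2 - - [10/Oct/2020:13:55:37 +0000] "GET /about.html HTTP/1.1" 200 300
203.0.113.7 - - [10/Oct/2020:13:55:40 +0000] "GET /login HTTP/1.1" 403 0
203.0.113.7 - - [10/Oct/2020:13:55:55 +0000] "GET /login HTTP/1.1" 403 0
"""
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "\S+ (\S+) [^"]*"')
def parse_line(line):  # -> (epoch seconds, client IP, request path), or None if the line does not parse
    m = LOG_RE.match(line)
    if not m:
        return None
    return datetime.strptime(m.group(2), "%d/%b/%Y:%H:%M:%S %z").timestamp(), m.group(1), m.group(3)
class EvasiveDetector:
    """Illustrative re-implementation of the three triggers above (not mod_evasive's own code); the
    thresholds mirror its DOSPageCount, DOSSiteCount, DOSPageInterval/DOSSiteInterval and DOSBlockingPeriod."""
    def __init__(self, page_count=2, site_count=50, interval=1, block_period=10):
        self.page_count, self.site_count = page_count, site_count
        self.interval, self.block_period = interval, block_period
        self.page_hits = {}      # (ip, path) -> (window start, hits in window)
        self.site_hits = {}      # ip -> (window start, hits in window)
        self.blocked_until = {}  # ip -> time at which the temporary blacklisting expires
    def _bump(self, table, key, now):
        start, hits = table.get(key, (now, 0))
        if now - start > self.interval:   # window expired: start counting afresh
            start, hits = now, 0
        table[key] = (start, hits + 1)
        return hits + 1
    def observe(self, now, ip, path):  # True -> refuse with 403, False -> serve the request
        if now < self.blocked_until.get(ip, 0):
            self.blocked_until[ip] = now + self.block_period  # trigger 3: still requesting while blacklisted
            return True
        page = self._bump(self.page_hits, (ip, path), now)  # trigger 1: same page too often per interval
        site = self._bump(self.site_hits, ip, now)          # trigger 2: too many requests overall per interval
        if page > self.page_count or site > self.site_count:
            self.blocked_until[ip] = now + self.block_period
            return True
        return False

def replay(log_text, **thresholds):  # -> (ip, path) pairs the detector would have blocked
    det, blocked = EvasiveDetector(**thresholds), []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and det.observe(*rec):
            blocked.append(rec[1:])
    return blocked
```

Replaying a real access log with replay() shows which requests the chosen thresholds would have refused, which is a useful way to tune them before deploying the module.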
Updates:
Apache should always be kept updated to the latest version. New releases include fixes and patches that resolve security issues found in the past and also introduce more security features. The current Apache version can be checked with the httpd -v command, and the server can be updated with the distribution's package manager, for example yum update httpd on RPM-based systems.
Enable logging:
Apache logging records details of the client requests made to the web server. Such logging proves useful for investigating the cause of particular issues. Logging can be enabled by including the mod_log_config module in the Apache configuration file. This module provides the TransferLog, LogFormat and CustomLog directives, which are used to generate a log file, specify a custom format, and create and format a log file in one step:
TransferLog: creates a log file.
LogFormat: specifies a custom format.
CustomLog: creates and formats a log file in one step.
Obtain SSL certificates:
Secure all crucial communications over the internet in encrypted form using an SSL certificate. For example, on a website where people log in with their credentials, or an e-commerce site where people enter their bank and credit card details to purchase products, the web server by default transmits these details in plain text. Using an SSL certificate on every website directs Apache to transmit such details in encrypted form.
Hope you have some idea about how to secure an Apache server now. Let me ask you one thing: how is your server performing? Is it fast enough to satisfy your demands? If you want a much faster server, try ApacheBooster.
The Apache HTTP Server Project is an effort to develop and maintain an open-source HTTP server for modern operating systems including UNIX and Windows. The goal of this project is to provide a secure, efficient and extensible server that provides HTTP services in sync with the current HTTP standards.
The Apache HTTP Server ('httpd') was launched in 1995 and it has been the most popular web server on the Internet since April 1996. It celebrated its 25th birthday as a project in February 2020.
The Apache HTTP Server is a project of The Apache Software Foundation.
The Apache Software Foundation and the Apache HTTP Server Project are pleased to announce the release of version 2.4.46 of the Apache HTTP Server ('httpd').
This latest release from the 2.4.x stable branch represents the best available version of Apache HTTP Server.
Apache HTTP Server version 2.4.43 or newer is required in order to operate a TLS 1.3 web server with OpenSSL 1.1.1.
As previously announced, the Apache HTTP Server Project has discontinued all development and patch review of the 2.2.x series of releases.
The Apache HTTP Server Project had long committed to provide maintenance releases of the 2.2.x flavor through June of 2017. The final release 2.2.34 was published in July 2017, and no further evaluation of bug reports or security risks will be considered or published for 2.2.x releases.
We have updated our download page in an effort to better utilize our mirrors. We hope that by making it easier to use our mirrors, we will be able to provide a better download experience.
Please ensure that you verify your downloads using PGP or MD5 signatures.