Web servers play a key role in the implementation of most of the web applications. Apache is one of the most widely used web servers and so the need to ensure its security is vital. A default or improper configuration of the server makes it highly prone to hacking and other cyber attacks. A proper and secure hardening of the Apache server enables to protect it from damaging cyber threats.
How to secure Apache server Linux:
Around the globe, there are roughly about 350 million web servers that run Apache. Most of these servers execute Apache on some form of Linux. As far as cyber-security is concerned, Apache and Linux have been relatively secure in the past. The attacks were initiated via PHP, SQL and not due to the gaps in Apache or Linux. But today attacks in Linux systems are mainly due to malicious Apache modules, weak authentication and gaps in mostly used applications such as C Panel, Plesk, Joomla, Drupal, WordPress apart from PHP and SQL.
Some of the high-profile cyber threats that involve the Linux Apache machines include DDOS attacks, Dark leech Chapro (A piece of Linux Apache malware that nearly affected 20,000 servers in the past), WordPress Brute force Botnet and Linux/Corked.
To prevent being a victim of such cyber attacks consider the below steps.
- Access: Any organization that uses an internet-connected Linux Apache web-server needs to be fully aware of its functionality, location, administration and security measures to protect the servers. In the event of an attack, proper recovery measures should also be in place to prevent further damages.
- Maintaining a well-structured policy: Well-structured policies need to be implemented for the security and maintenance of Linux Apache systems. The security measures include the restriction of access to certain services to selected IP addresses. Implementing a two-factor authentication to counter-attack brute force attacks. Also, scanning of the anti-malware software needs to be performed on the servers on a periodic basis.
A proper team needs to be established in any organization for the monitoring and implementation of such policies. The service providers and employees in charge of the management of the web server and its contents must be fully aware of the controls and the measures to protect the systems.
3. Audit and Test: Make sure that the organization is aware of the latest cyber threats and ensure that the firm’s responsive measures match the threat.
Securing Apache Installation:
The following steps mention the list of configuration changes that need to be performed for a secure apache installation.
1. Ensure appropriate user and group is used:
Apache by default runs under the daemon user and group. However, to play it safe it is best to execute Apache in a non-privileged account. Also, if two processes such as Apache and MySql are executing under the same user and group, issues in one process might lead to unwanted issues in the other process too. The Apache’s user and the group can be modified by changing the User and Group directives in the Apache configuration file.
2. Retain the Apache server-info disabled:
The <location / server-info> directive in the configuration file is by default enabled. This lists details of the Apache configuration when /sever-info page is accessed. These details might include sensitive information about server settings such as the server version, system paths, database names, library information and so on. These details might provide valuable inputs to any hacker to craft an attack. So, always maintain this status as disabled. This can be done by
- Commenting out mod_info module from the httpd.conf (configuration file) or
- Commenting out the <location/server-status> directive from the httpd.conf (configuration file).
3. Retain the Apache server-status disabled.
If the Apache server-status is enabled, the <Location /server-status> directive displays details about the server’s performance such as server uptime, server load, current HTTP requests and client IP addresses. This information might prove vital to a hacker to craft an attack against the webserver. So, always ensure that this status is disabled.
4. Keep the ServerSignature Directive disabled:
Retaining the ServerSignature directive enabled displays Apache configuration details as a footer. The details include the version of Apache and OS server name. In order to prevent Apache from broadcasting this sensitive information, the ServerSignature directive in the Apache configuration file needs to be disabled.
5. Change the ServerToken directives to prod:
The ServerToken directive decides exactly what details about the server needs to be transferred or displayed in the server response header field. Multiple syntaxes as listed in the Apache ServerTokens documentation can be included along with this directive. Changing the ServerTokens directive to Prod instructs Apache to return only ‘Apache’ in the server response headers. To change, it includes the below-mentioned directive in the Apache configuration file.
6. Retain Trace Http Request disabled:
The default TraceEnable On allows Trace. It does not permit any request body to process a request. It permits cross-site tracking issues and potentially helps a hacker to steal the cookie details. Disabling this option causes the core server and mod_proxy to return a 405 error to the client. This directive can be displayed by modifying the configuration file TraceEnable Off.
7. Retain only the required modules enabled:
The default installation of Apache includes multiple numbers of pre-installed and enabled modules that are not always required. In most cases, all the modules are enabled to ensure that the server works without any trouble. Such enabling of all modules might pave the way for security threats. The details of all the modules are listed in the Apache documentation module. A careful study of the module is required to clearly understand the requirement of the exact modules for the proper functioning of the application. The rest of the modules need to be deleted. This can be done by including# in front of the LoadModule line.
8. Keep the directory listing disabled:
Directory listing includes a list of directory contents that provide details of all the files from that website. Enabling this directive can assist a hacker to easily discover and view any file. This could further lead to further decompiling and reverse engineering an application to generate the application’s source code. Analyzing the source code can lead to security flaws and abstract more crucial inputs about the application such as database connection strings, passwords to other systems, etc. To disable the directive listing, a new entry is created with an Options directive for a specific directory in the Apache configuration file.
Steps to prevent DDOS attacks:
To reduce the effects of DDOS attacks, modify the following directories.
LimitRequestFields: The value of this field needs to be minimized as per the requirements. This regulates the number of client requests that get accepted. The default value is 100. This can be lowered if an attack occurs as a result of many Http request headers.
LimitRequestFieldSize: This directive permits the setting of a size limit on the HTTP request header.
Timeout: This directive permits to set the amount of time the server needs to wait for certain events to complete before it fails. The default value is 300 secs. This value should be set to a minimum on those websites that are prone to DDOS attacks. This value is set mostly based on the type of requests that are raised on a particular website.
KeepAliveTimeout: This directive is used to specify the time the server needs to wait for a subsequent request before terminating the connection. The default value is 5 secs.
MaxClients: This value needs to be configured depending on the website’s traffic and based on the number of connections that needs to be served at a time. The default value is 256. Modifying this value would enable new connections to wait in a queue when the maximum limit is reached.
By default Apache has no limit on the total size of any HTTP request. The size of an Apache directive can be limited using “LimitRequestBody” with the directive tag. This value can be set anywhere from 0 to 2147483647(2GB). This value can be set based on the requirements of a website. For example, if a website allows uploads, the uploading size for a specific directory can be limited. User_uploads is the directory that contains the files uploaded by users. It can be restricted to size 500K.
9. Use of Allow and Deny to Restrict access to directories:
Access to directories can be permitted or restricted as per need using Allow and Deny options in the configuration file. The following options can be used:
Options “None”: This option restricts users to enable any optional features.
Order deny, allow: This is the field in which the Deny and Allow will be processed. Here first, it will ‘deny’ and it will ‘allow’ next.
Deny from all: Request from everyone to access the root directory gets denied and nobody will be able to access it.
10. Disable Apache’s following of Symbolic links:
Apache follows symlinks by default. This feature can be turned off by using the Options directive with FollowSymLinks. This modification entry needs to be made in the main configuration file.
If a particular user or a website requires symbolic links (FollowSymLinks), it can be enabled by simply including a rule in the “.htacesss” file from that website. Also, “AllowOveride All” needs to be present in the configuration file to enable rewrite rules.
11. Turn off Server-side includes and CGI Execution:
Disable the server-side includes (mod_include) and CGI execution if not required. The main configuration file needs to be modified for disabling these features. These can be disabled for a particular directory. The below-given values can also be turned On or Off with the Options directive.
This is the default value. It enables all options at once. It is used when there is no need to specify a particular value explicitly in the Apache conf file or .htaccess file.
Options Includes NOEXEC:
By default this enables the server-side includes without the execution permission to a command or CGI files.
This permits content negotiated multi-views with mod_negotiation module.
It is the same as FollowSymLinks. But it works only when the owner is the same between the link and the original directory to which it is linked.
Installation of certain modules to strengthen Apache Security:
An open-source module that works as a web application firewall is the ModSecurity. This module includes multiple functionalities like filtering, server identity masking and null byte attack prevention. It also allows the monitoring of real-time traffic. So the mod_security module needs to be installed to reinforce the security process.
The module Mod_evasive detects DDOS attacks and prevents the huge damages that occur as a result of such attacks. Mod_evasive considers one request to process at a time and processes it well. This module detects a DDOS attack by considering the below methods.
- If multiple requests are raised for the same page several times per second.
- If any child process raises or tries to raise more than 50 concurrent requests
- If an IP is still trying to raise new requests when the IP is temporarily blacklisted.
Apache should always be kept updated to the latest version. New updates include new fixes and patches that would solve possible security concerns that existed in the past and also introduce more security features. The current Apache version can be checked using an httpd-v command. It can be updated using an update httpd.
Apache logging includes details that provide information regarding client requests raised on the webserver. Such logging proves useful for investigating the cause of particular issues. Logging can be enabled by including the mod_log_config module in the Apache configuration file. This module includes TransferLog, LogFormat and CustomLog directives that are used to generate a log file. It also helps to specify a custom format, creating and formatting a log file in one step.
TransferLog: Creates a Logfile.
LogFormat: Specify a custom format.
CustomLog: Creating and formatting a log file.
Obtain SSL certificates:
Secure all crucial communications in an encrypted format on the internet using an SSL certificate. For example, in case of a website where people login by mentioning their login credentials or an E-Commerce site where people mention their bank and credit card details to purchase products, the webserver by default displays these details in plain format. The use of an SSL certificate in all websites directs Apache to display such details in an encrypted format.
Hope you have some idea about how to secure Apache server now. Let me ask you one thing, how is your server performing? Is it fast enough to satisfy your search demands? If you want a way faster server, try ApacheBooster! Learn more about it here.