How to Secure an Apache Web Server
In this article, we discuss how to set up better security mechanisms in your Apache web server to mitigate cyberattacks and hackers.
Join the DZone community and get the full member experience.Join For Free
Web-based applications wholly depend on web servers, hence if you possess a server with a default setup or that's misconfigured, you are more likely to be a victim of hacking. It is the responsibility of a website administrator to perform a regular security scan for the website to detect online threats. As the saying goes, “prevention is better than a cure”; it is always wise to take action before a hacker gets access to your server.
There is a wide range of web servers. Out of all of them, Apache is the most popular and a majority of websites use Apache. Due to its widespread use, Apache is more vulnerable to malicious attacks. Proper hardening enables us to secure Apache servers from cyber threats.
Let’s explore the ways to harden an Apache web server.
How to Run Apache
A separate Apache web server should be run for both a user and a group. By default, it runs its process in nobody or daemon. For achieving better isolation, the web server should be configured to run on a non-privileged account. It is possible to instruct Apache to run as a specific user/group by configuring the user/group. When you do this, the file configuration of Apache changes, subsequently restarting the service.
Disable the Displaying of Web Server Information
By default, Apache error pages display web server and Apache module information. Exposing such information offers a privilege to hackers. In order to prevent this, a few changes should be made in Apache's configuration file.
- The value of server tokens should be set to “prod,” which in turn, in the event of every page request, Apache will be returned as a product in the server response header.
- Set the option ServerSignature to “Off.”
It is better to forbid the creation of .htaccess files as they are configured in the directory level and can override the security settings.
Turn Off Directory Listing Display
If the corresponding index page does not exist, Apache displays all the files in a directory. This should be turned off as there is a chance it can display confidential information to unauthorized users. To do this, initially create a new entry with an options directive for the particular directory in Apache’s configuration file.
How to Prevent DDoS Attacks
To minimize the effects of a DDoS attack, tweak the following directories:
LimitRequestFields should be lowered based on your requirements. This limits the number of HTTP requests accepted from clients.
TimeOut should be set low as the web server requires more time to execute certain web requests.
MaxClients should be configured considering the website’s traffic and the number of connections to be served at a time. This enables new connections to wait in a queue when the connection limit is reached.
Install Certain Modules to Strengthen Apache Security
Modules such as
mod_evasive should be installed to strengthen Apache security.
mod_evasivedetects DDoS attacks and prevents extensive damage caused due to DDoS attacks.
mod_security is a firewall built for web applications to prevent brute force attacks. This module monitors the traffic on a real-time basis.
Keep Apache Updated
Set the option ServerSignature to “Off.” The Apache development team constantly works to overcome cyberattacks by releasing updated versions with advanced security options.
The current Apache version can be checked with the command.
To update and install the latest Apache version, use the following commands:
yum update httpd
apt-get install apache
Disable Unnecessary Modules
To mitigate the chances of being a victim of a cyber attack, disable the modules that are not in use. Below are a few of the modules that can be disabled which are enabled by default.
The ways to harden the Apache web server mentioned above are the basic hardening efforts to mitigate the vulnerabilities of cyber attacks. If you are looking for an in-depth server hardening to secure your web servers contact a server management services company offering in-depth security services for your servers.
Opinions expressed by DZone contributors are their own.