How to secure your Apache Web Server?

Answer

Securing your web server is very important: it means allowing others to see only the intended information, protecting your data, and restricting access.

These are common steps that enhance your web server's security.

1) Hiding Apache version and OS information:

Apache displays its version and the name of the operating system

 

A hacker can use this information to launch an attack using the publicly available vulnerabilities in the particular version of the server or OS.

In order to prevent the Apache web server from displaying this information, we have to modify the “server signature” option available in the Apache configuration file. By default, it is “on”; we need to set it to “off”.

vim /etc/httpd/conf/httpd.conf

ServerSignature Off
ServerTokens Prod

We have also set “ServerTokens Prod”, which tells the web server to return only “Apache” and suppress the OS and the major and minor version.

After modifying the configuration file, you have to restart/reload your web server to make it effective.

service httpd restart

2) Disable Directory Listing

If your document root directory does not have an index file, by default your web server will show all the content of the document root directory.

 

This feature can be turned off for a specific directory through the “Options” directive available in the Apache configuration file.

<Directory /var/www/html>
    Options -Indexes
</Directory>

 

3) Disabling unnecessary modules

 

It is good practice to disable all modules that are not in use. You can list the modules enabled in your Apache configuration with:

[root@amsterdam ~]# httpd -M
perl_module (shared)
php5_module (shared)
proxy_ajp_module (shared)
python_module (shared)
ssl_module (shared)

Many of the listed modules can be disabled, such as mod_imap, mod_include, mod_info, mod_userdir and mod_autoindex, as they are hardly used by any production web servers. To disable a module, comment out its LoadModule line in the configuration file:

vi /etc/httpd/conf/httpd.conf

#LoadModule auth_digest_module modules/mod_auth_digest.so

Once you have commented out the module, save the file.

Restart the Apache service with the following command.

/etc/init.d/httpd restart

4) Restricting Access to files outside the web root directory

If you want to make sure that files outside the web root directory are not accessible, you have to make sure that the directory is restricted with the “Allow” and “Deny” options in your web server configuration file.

<Directory />
    Options None
    AllowOverride None
    Order deny,allow
    Deny from all
</Directory>

Once you restrict access outside the web root directory, you will not be able to access any file located in any other folder on your web server; you will get a 404 return code.
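The four steps above can be checked mechanically against a configuration file. The following Python audit is an added example, not part of the original answer: the names `parse`, `audit` and `UNNEEDED` and both sample configurations are constructed for illustration, the document root defaults to the `/var/www/html` path used above, and the Apache 2.4 form `Require all denied` is accepted alongside the `Deny from all` syntax shown on this page.

```python
import re
# The mod_* names the page lists as rarely needed, as LoadModule identifiers.
UNNEEDED = {m + "_module" for m in "imap include info userdir autoindex".split()}

def parse(conf):
    """Return (global directives, {directory path: directives}), active lines only."""
    top, dirs, cur = [], {}, None
    lines = (l.strip() for l in conf.splitlines())
    for line in (l for l in lines if l and not l.startswith("#")):
        m = re.match(r'<(/?)Directory\b\s*"?([^">]*)"?\s*>$', line, re.I)
        if m:  # entering or leaving a <Directory> section
            cur = None if m.group(1) else dirs.setdefault(m.group(2).strip(), [])
        else:
            parts = line.lower().split()
            (top if cur is None else cur).append((parts[0], " ".join(parts[1:])))
    return top, dirs

def audit(conf, docroot="/var/www/html"):
    """Findings for the four steps above (2.4 'Require all denied' also accepted)."""
    top, dirs = parse(conf)
    glob, out = dict(top), []  # dict(): a later global directive wins
    if glob.get("serversignature") != "off":
        out.append("ServerSignature is not Off")
    if glob.get("servertokens") not in ("prod", "productonly"):
        out.append("ServerTokens is not Prod")
    # Conservative: the docroot block itself must set -Indexes or None.
    opts = {w for n, a in dirs.get(docroot, []) if n == "options" for w in a.split()}
    if not opts & {"-indexes", "none"}:
        out.append("directory listing not disabled for " + docroot)
    out += ["unneeded module loaded: " + a.split(" ")[0] for n, a in top
            if n == "loadmodule" and a.split(" ")[0] in UNNEEDED]
    if not {("deny", "from all"), ("require", "all denied")} & set(dirs.get("/", [])):
        out.append("<Directory /> does not deny access")
    return out

# Constructed sample configurations, not taken from a real server.
WEAK = """ServerSignature On
LoadModule info_module modules/mod_info.so
<Directory /var/www/html>
    Options Indexes FollowSymLinks
</Directory>"""
HARDENED = """ServerSignature Off
ServerTokens Prod
#LoadModule info_module modules/mod_info.so
<Directory />
    Deny from all
</Directory>
<Directory /var/www/html>
    Options -Indexes
</Directory>"""
```

`audit(WEAK)` returns five findings and `audit(HARDENED)` returns an empty list. The audit reads a single file and does not follow Include directives, so run it over each included file as well.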
