Securing your web server is very important: it means allowing others to see only the intended information, protecting your data and restricting access.
These are common measures that enhance your web server's security.
1) Hiding Apache version and OS information:
By default Apache displays its version and the name of the operating system.
A hacker can use this information to launch an attack using the publicly available vulnerabilities in that particular version of the server or OS.
To prevent the Apache web server from displaying this information, we have to modify
the “ServerSignature” option in the Apache configuration file. By default it is “On”; we need to set it to “Off”.
```
vim /etc/httpd/conf/httpd.conf
```
```
ServerSignature Off
ServerTokens Prod
```
We have also set “ServerTokens Prod”, which tells the web server to return only “Apache” and suppress the OS and major/minor version information.
After modifying the configuration file, you have to restart or reload your web server for the change to take effect.
```
service httpd restart
```
2) Disable Directory Listing
If your document root directory does not have an index file, by default your web server will show the entire content of the document root directory.
This feature can be turned off for a specific directory through the “Options” directive available in the Apache configuration file.
```
<Directory /var/www/html>
    Options -Indexes
</Directory>
```
3) Disabling unnecessary modules
It is good practice to disable all modules that are not in use. You can see the list of enabled modules with the following command:
```
[root@amsterdam ~]# httpd -M
 perl_module (shared)
 php5_module (shared)
 proxy_ajp_module (shared)
 python_module (shared)
 ssl_module (shared)
```
Many of the listed modules can be disabled, such as mod_imap, mod_include, mod_info, mod_userdir and mod_autoindex, as they are hardly used by any production web server. To disable a module, comment out its LoadModule line in the configuration file:
```
vi /etc/httpd/conf/httpd.conf
#LoadModule auth_digest_module modules/mod_auth_digest.so
```
Once you have commented out the module, save the file.
Restart the Apache service with the following command.
```
/etc/init.d/httpd restart
```
4) Restricting Access to files outside the web root directory
If you want to make sure that files outside the web root directory are not accessible, you have to restrict the root directory with the “Allow” and “Deny” options in your web server configuration file.
```
<Directory />
    Options None
    AllowOverride None
    Order deny,allow
    Deny from all
</Directory>
```
Once you restrict access outside the web root directory, you will not be able to access any file located in any other folder on your web server; you will get a 404 return code.
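As an added example (not part of the original post), a small Python checker that reads an httpd.conf and reports which of the four hardening items above are still at their weak defaults. The configuration text is a constructed sample, not taken from a real server:

```python
import re

# Constructed httpd.conf fragment (not from a real server); it has the weak
# defaults this page tells you to change.
WEAK_CONF = """\
ServerTokens OS
ServerSignature On
LoadModule info_module modules/mod_info.so
LoadModule userdir_module modules/mod_userdir.so
<Directory />
    Options FollowSymLinks
    AllowOverride None
</Directory>
<Directory /var/www/html>
    Options Indexes FollowSymLinks
</Directory>
"""

# Modules the page calls "hardly used by any production web server".
RARELY_NEEDED = {"imap_module", "include_module", "info_module",
                 "userdir_module", "autoindex_module"}

def audit_httpd_conf(text):
    """Return a list of findings for the four hardening items on this page;
    an empty list means the configuration passes all of them."""
    findings = []
    def directive(name, scope=text):
        m = re.search(r'^\s*' + name + r'\s+(.*?)\s*$', scope, re.M | re.I)
        return m.group(1).lower() if m else None
    if directive("ServerSignature") != "off":
        findings.append("ServerSignature not Off: version shown on error pages")
    if directive("ServerTokens") != "prod":
        findings.append("ServerTokens not Prod: OS/version sent in Server header")
    # Commented-out LoadModule lines start with '#', so ^\s*LoadModule skips them.
    for mod in re.findall(r'^\s*LoadModule\s+(\S+)', text, re.M):
        if mod in RARELY_NEEDED:
            findings.append(f"unneeded module loaded: {mod}")
    blocks = re.findall(r'<Directory\s+"?([^">\s]+)"?\s*>(.*?)</Directory>',
                        text, re.S | re.I)
    for path, body in blocks:
        opts = directive("Options", body) or ""
        # "Indexes" or "+Indexes" enables listing; "-Indexes" removes it.
        if re.search(r'(?<!-)\bindexes\b', opts):
            findings.append(f"directory listing enabled for {path}")
        if path == "/" and not re.search(
                r'^\s*(Deny from all|Require all denied)\s*$', body, re.M | re.I):
            findings.append("<Directory /> does not deny access by default")
    return findings
```

Run it against the sample and it reports six findings; after applying the four changes from this page the same function returns an empty list.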