NuHarbor Security
NuHarbor Security Blog
December 29, 2015

Securing Apache On Ubuntu/Debian

Justin Fimlaid

By: Hunter Gregal


So you have an Apache2 webserver completely configured and installed on an Ubuntu/Debian machine. Perhaps you are using a MySQL backend along with PHP support (see How To Install LAMP Server On Ubuntu). But what happens when malicious attackers or bots begin to stress your server? As the savvy administrator or tech connoisseur that you are, you decide to take your Apache webserver's security into your own hands.

Below are just a few quick steps to enhance the security of an Apache installation.

Enable SSL/HTTPS

If you are not yet supporting SSL encryption on your webserver, you should be. Follow the steps below to enable HTTPS using self-signed certificates.

Enable the SSL Module:
sudo a2enmod ssl

Restart the Apache service:
sudo service apache2 restart

Create Directory for SSL:
sudo mkdir /etc/apache2/ssl

Generate SSL Key and Certificate (expires after 365 days):
sudo openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout /etc/apache2/ssl/apache_host.key -out /etc/apache2/ssl/apache_host.crt

*During the certificate setup, make sure that "Common Name (e.g. server FQDN or YOUR name)" is set correctly. You may use either your server's domain name or its public IP address. If the name in the certificate does not match the FQDN that clients use to reach the server, certificate validation will fail.

Edit Apache Configuration:
sudo nano /etc/apache2/sites-available/default-ssl.conf

Edit ServerAdmin Directive to Match Your Domain:
ServerAdmin admin@mydomain.com

Add ServerName Line Below ServerAdmin:
ServerName mydomain.com

Edit SSLCertificateFile directive:
SSLCertificateFile /etc/apache2/ssl/apache_host.crt

Edit SSLCertificateKeyFile directive:
SSLCertificateKeyFile /etc/apache2/ssl/apache_host.key

Activate the SSL Virtual Host:
sudo a2ensite default-ssl.conf

Restart Apache Service:
sudo service apache2 restart
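As an added example (not from the original post), the POSIX shell script below checks that the certificate and key paths an SSL virtual host points at actually exist and that the private key is not readable by group or others; a mistyped path such as /etc/apache/ssl instead of /etc/apache2/ssl keeps Apache from starting. The file layout it builds is constructed for the demo, and it assumes paths without spaces.

```shell
#!/bin/sh
# Added example (not from the post): check that the certificate and key paths
# named in an SSL virtual host exist and that the key is not group/world-readable.

# check_ssl_paths CONF -> prints one line per problem; returns 0 when clean.
# Assumes paths without spaces, as in the post.
check_ssl_paths() {
    conf="$1"; problems=0
    crt=$(awk '$1 == "SSLCertificateFile"    { print $2; exit }' "$conf")
    key=$(awk '$1 == "SSLCertificateKeyFile" { print $2; exit }' "$conf")
    for f in "$crt" "$key"; do
        if [ -z "$f" ]; then
            echo "directive missing in $conf"; problems=$((problems + 1))
        elif [ ! -f "$f" ]; then
            echo "referenced file does not exist: $f"; problems=$((problems + 1))
        fi
    done
    # Private key readable by group or others: flag it (POSIX find, octal -perm tests).
    if [ -f "$key" ] && [ -n "$(find "$key" \( -perm -040 -o -perm -004 \))" ]; then
        echo "key $key is readable by group/others; chmod 600 it"
        problems=$((problems + 1))
    fi
    [ "$problems" -eq 0 ]
}

# build_demo_tree DIR -> writes a good and a bad vhost fragment under DIR,
# using constructed files that mirror the paths used in the post.
build_demo_tree() {
    mkdir -p "$1/etc/apache2/ssl"
    : > "$1/etc/apache2/ssl/apache_host.crt"
    : > "$1/etc/apache2/ssl/apache_host.key"
    chmod 600 "$1/etc/apache2/ssl/apache_host.key"
    printf 'SSLCertificateFile %s\nSSLCertificateKeyFile %s\n' \
        "$1/etc/apache2/ssl/apache_host.crt" "$1/etc/apache2/ssl/apache_host.key" \
        > "$1/good.conf"
    # Bad fragment: certificate path mistyped as /etc/apache/ssl (missing "2").
    printf 'SSLCertificateFile %s\nSSLCertificateKeyFile %s\n' \
        "$1/etc/apache/ssl/apache_host.crt" "$1/etc/apache2/ssl/apache_host.key" \
        > "$1/bad.conf"
}

demo=$(mktemp -d)
build_demo_tree "$demo"
check_ssl_paths "$demo/good.conf" && echo "good.conf: ok"
check_ssl_paths "$demo/bad.conf" || echo "bad.conf: rejected"
rm -rf "$demo"
```

Run it against /etc/apache2/sites-enabled/default-ssl.conf after editing the directives above to confirm both files are where the config says they are.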

Disable Directory Indexing

It is a good idea to disable directory listing on your webserver to prevent an attacker from gaining too much information about the files and directories available.

Add the Following to /etc/apache2/apache2.conf:
Options -Indexes

Place the directive inside a <Directory> block to restrict it to a specific directory, or at server level to cover your webserver's whole document root.

Restart Apache Service:
sudo service apache2 restart

Disable Following of Symbolic Links

You may not need Apache to follow symbolic links. If you are not using them, consider disabling the feature altogether so that a stray symbolic link cannot expose private locations on the filesystem to web users.

Add the Following to /etc/apache2/apache2.conf:
Options -FollowSymLinks

Place the directive inside a <Directory> block to restrict it to a specific directory, or at server level to cover your webserver's whole document root.

Restart Apache Service:
sudo service apache2 restart

Hide Apache Version and OS Identity

By default, Apache error pages list the version of Apache you are running along with your operating system, and the Server response header carries the same details. To enhance security it is a good idea to keep this information private.

Modify /etc/apache2/apache2.conf:
# remove the version/OS footer from server-generated pages
ServerSignature Off
# reduce the Server response header to just "Apache"
ServerTokens Prod

Restart Apache Service:
sudo service apache2 restart

Limit Request Size

You may wish to limit the size of the body a client may send in an HTTP request. This can help mitigate certain denial of service attacks that rely on very large uploads or POST bodies.

Add the Following to /etc/apache2/apache2.conf:
LimitRequestBody 614400

Place the directive inside a <Directory> block to restrict it to a specific directory, or at server level to cover your whole webserver. Adjust the value to suit your needs; the example above sets the limit to 600 kilobytes (614400 bytes), and requests with a larger body are rejected with a 413 response.

Restart Apache Service:
sudo service apache2 restart
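An added example, not part of the post: a small shell audit that reads an apache2.conf and reports which of the hardening directives from the indexing, symlink, version-hiding and request-size sections above are missing. The sample fragment is constructed and deliberately contains the easy-to-make misspelling "ServiceSignature", which Apache would not recognise; the audit assumes the `-Indexes`/`-FollowSymLinks` form used in the post.

```shell
#!/bin/sh
# Added example (not from the post): audit an apache2.conf for the hardening
# directives covered above and report what is missing.

# audit_apache_conf CONF -> prints "ok:"/"missing:" per item, returns the
# number of missing items (0 means every directive was found).
audit_apache_conf() {
    # Drop comments and normalise whitespace so matching ignores indentation.
    cleaned=$(sed -e 's/#.*$//' -e 's/[[:space:]]\{1,\}/ /g' -e 's/^ //' -e 's/ $//' "$1")
    missing=0
    check() {   # check LABEL REGEX (case-insensitive, as Apache directives are)
        if printf '%s\n' "$cleaned" | grep -Eiq "$2"; then
            echo "ok: $1"
        else
            echo "missing: $1"; missing=$((missing + 1))
        fi
    }
    check "ServerSignature Off"     '^ServerSignature Off$'
    check "ServerTokens Prod"       '^ServerTokens Prod$'
    check "Options -Indexes"        '^Options .*-Indexes( |$)'
    check "Options -FollowSymLinks" '^Options .*-FollowSymLinks( |$)'
    check "LimitRequestBody"        '^LimitRequestBody [0-9]+$'
    return "$missing"
}

# Constructed fragment: carries the "ServiceSignature" misspelling and no
# LimitRequestBody, so two items should be reported missing.
sample=$(mktemp)
cat > "$sample" <<'EOF'
ServiceSignature Off
ServerTokens Prod
<Directory /var/www/>
    Options -Indexes -FollowSymLinks
</Directory>
EOF
audit_apache_conf "$sample" || echo "$? directive(s) still to fix"
rm -f "$sample"
```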

Install mod_security

mod_security is an Apache module that works as a web application firewall: it inspects requests and responses against a rule set, logs what it sees, and can block attacks such as brute force attempts.

Install mod_security:
sudo apt-get install libapache2-mod-security2

Copy the recommended configuration file (it ships with SecRuleEngine set to DetectionOnly, so rule matches are logged but not blocked until you change that setting to On):
sudo cp /etc/modsecurity/modsecurity.conf-recommended /etc/modsecurity/modsecurity.conf

Enable mod_security:
sudo a2enmod security2

Restart Apache Service:
sudo service apache2 restart

Install mod_evasive

mod_evasive is an Apache module that rate-limits clients by IP address and is very effective at blunting HTTP-level DoS and DDoS attacks.

Install mod_evasive:
sudo apt-get install libapache2-mod-evasive

Enable mod_evasive:
sudo a2enmod evasive

Append the Following to /etc/apache2/apache2.conf:
# optional directive (default value is 1024)
DOSHashTableSize 1024

# required directives (if any one of them is unset, the module may not work correctly)
# DOSPageCount / DOSSiteCount: hits on the same page / on the whole site allowed
# within the matching interval (seconds) before the client is blocked
DOSPageCount 10
DOSSiteCount 150
DOSPageInterval 1
DOSSiteInterval 1
# seconds a blocked client keeps receiving 403 responses
DOSBlockingPeriod 10

Restart Apache Service:
sudo service apache2 restart

Monitor Logs

Do not be afraid to monitor your logs! Proper log monitoring is essential to catching any strange activity or errors on your webserver.

Default Apache Logs Locations:
/var/log/apache2/access.log
/var/log/apache2/error.log
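An added example tying the mod_evasive thresholds above to log monitoring (not from the post): it replays access.log lines through a simplified version of the DOSPageCount/DOSPageInterval rule so you can see which clients the module would have blocked. The log lines are constructed in Apache's combined format, and the timing model is an approximation of the module's behaviour.

```shell
#!/bin/sh
# Added example (not from the post): replay the mod_evasive page-count rule over an
# access.log. Simplified model of the module: a hit on the same page within
# DOSPageInterval seconds of the previous hit bumps a counter, otherwise the counter
# resets; exceeding DOSPageCount flags the client/page pair.

# flag_clients LOG PAGECOUNT INTERVAL -> prints "ip uri hits" once per flagged pair.
# Timestamps become seconds within the month (fine for windows of a few seconds;
# month boundaries are ignored).
flag_clients() {
    awk -v pagecount="$2" -v interval="$3" '
    {
        ip = $1; uri = $7
        # $4 looks like [29/Dec/2015:10:00:01 -> day, mon, year, H, M, S
        split(substr($4, 2), d, "[/:]")
        t = d[1] * 86400 + d[4] * 3600 + d[5] * 60 + d[6]
        key = ip SUBSEP uri
        if ((key in last) && t - last[key] <= interval) cnt[key]++
        else cnt[key] = 1
        last[key] = t
        if (cnt[key] > pagecount && !(key in flagged)) {
            flagged[key] = 1
            print ip, uri, cnt[key]
        }
    }' "$1"
}

# write_sample_log FILE -> constructed combined-format lines: 10.0.0.5 hammers
# /login twelve times in two seconds; 192.0.2.7 browses normally.
write_sample_log() {
    : > "$1"
    i=1
    while [ "$i" -le 12 ]; do
        printf '10.0.0.5 - - [29/Dec/2015:10:00:0%d +0000] "POST /login HTTP/1.1" 401 512 "-" "curl/7.47"\n' \
            $((i / 6)) >> "$1"
        i=$((i + 1))
    done
    printf '192.0.2.7 - - [29/Dec/2015:10:00:01 +0000] "GET /index.html HTTP/1.1" 200 2048 "-" "Mozilla/5.0"\n' >> "$1"
    printf '192.0.2.7 - - [29/Dec/2015:10:00:05 +0000] "GET /about HTTP/1.1" 200 1024 "-" "Mozilla/5.0"\n' >> "$1"
}

log=$(mktemp)
write_sample_log "$log"
flag_clients "$log" 10 1    # same thresholds as DOSPageCount 10 / DOSPageInterval 1
rm -f "$log"
```

Point `flag_clients` at /var/log/apache2/access.log with your own thresholds to see whether the values you chose for mod_evasive would catch the bursts you actually see.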

Stay Up-To-Date

Last but not least, keep your Apache server up-to-date! This is key to ensuring that your server has the latest vulnerability patches.

Update apache:
sudo apt-get update && sudo apt-get install apache2

Have any other tips or recommendations for keeping an Apache server secure? Share them in the comment section below!

Justin (he/him) is the founder and CEO of NuHarbor Security, where he continues to advance modern integrated cybersecurity services. He has over 20 years of cybersecurity experience, much of it earned while leading security efforts for multinational corporations, most recently serving as global CISO at Keurig Green Mountain Coffee. Justin serves multiple local organizations in the public interest, including his board membership at Champlain College.
