By: Hunter Gregal
So you have an Apache2 web server fully installed and configured on an Ubuntu/Debian machine. Perhaps you are using a MySQL backend along with PHP support (How To Install LAMP Server On Ubuntu). But what happens when malicious attackers or bots begin to stress your server? As the savvy administrator or tech connoisseur that you are, you decide to take your Apache web server's security into your own hands.
Below are just a few quick steps to enhance the security of an Apache installation.
Enable SSL/HTTPS
If you are not yet supporting SSL encryption on your webserver, you should be. Follow the steps below to enable HTTPS using self-signed certificates.
Enable the SSL Module:
sudo a2enmod ssl
Restart the Apache service:
sudo service apache2 restart
Create Directory for SSL:
sudo mkdir /etc/apache2/ssl
Generate SSL Key and Certificate (expires after 365 days):
sudo openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout /etc/apache2/ssl/apache_host.key -out /etc/apache2/ssl/apache_host.crt
*During the SSL setup, be sure that "Common Name (e.g. server FQDN or YOUR name)" is set correctly. You may use either your server's domain name or its public IP address. If the name in the certificate does not match the host name clients use to reach the server, the TLS hostname check will fail and browsers will warn about the certificate.
Edit Apache Configuration:
sudo nano /etc/apache2/sites-available/default-ssl.conf
Edit ServerAdmin Directive to Match Your Domain:
ServerAdmin admin@mydomain.com
Add ServerName Line Below ServerAdmin:
ServerName mydomain.com
Edit SSLCertificateFile directive:
SSLCertificateFile /etc/apache2/ssl/apache_host.crt
Edit SSLCertificateKeyFile directive:
SSLCertificateKeyFile /etc/apache2/ssl/apache_host.key
Activate the SSL Virtual Host:
sudo a2ensite default-ssl.conf
Restart Apache Service:
sudo service apache2 restart
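The openssl command above prompts interactively, and a typo in the Common Name only shows up later as a browser warning. The script below is an added example (not part of the original post) that generates the same kind of self-signed key and certificate non-interactively, sets both the Common Name and a Subject Alternative Name to the host that will serve it, and then checks that the certificate actually carries that name before Apache is pointed at it. It assumes OpenSSL 1.1.1 or newer (for -addext); the host name www.example.com and the script file name make_cert.sh are placeholders.

```shell
#!/bin/sh
# Added example, not code from the original post. Generates a self-signed
# certificate for HOST with CN and SAN set, then verifies the name is present.
# Assumes OpenSSL >= 1.1.1 (needed for -addext). HOST/OUT_DIR are placeholders.

# make_cert HOST OUT_DIR [DAYS] -> writes OUT_DIR/apache_host.key and .crt
make_cert() {
    host="$1"; out_dir="$2"; days="${3:-365}"
    # An IP address needs an "IP:" SAN entry; anything else is a DNS name.
    case "$host" in
        *[!0-9.]*) san="DNS:$host" ;;
        *)         san="IP:$host" ;;
    esac
    mkdir -p "$out_dir"
    openssl req -x509 -nodes -days "$days" -newkey rsa:2048 \
        -subj "/CN=$host" \
        -addext "subjectAltName=$san" \
        -keyout "$out_dir/apache_host.key" \
        -out "$out_dir/apache_host.crt" 2>/dev/null
}

# cert_matches_host CRT HOST -> exit 0 if HOST appears as the CN or as a SAN entry
cert_matches_host() {
    crt="$1"; host="$2"
    subject=$(openssl x509 -in "$crt" -noout -subject)
    # The SAN line follows the "Subject Alternative Name" header in -text output.
    san=$(openssl x509 -in "$crt" -noout -text | grep -A1 'Subject Alternative Name')
    case "$subject" in *"CN = $host"*|*"CN=$host"*) return 0 ;; esac
    case "$san" in *"DNS:$host"*|*"IP Address:$host"*) return 0 ;; esac
    return 1
}

# cert_expires_within CRT SECONDS -> exit 0 if the certificate expires within SECONDS
cert_expires_within() {
    ! openssl x509 -in "$1" -noout -checkend "$2" >/dev/null
}

main() {
    host="${1:-www.example.com}"        # placeholder: your real FQDN or public IP
    dir="${2:-/etc/apache2/ssl}"        # directory created in the step above
    make_cert "$host" "$dir" 365
    if cert_matches_host "$dir/apache_host.crt" "$host"; then
        echo "certificate CN/SAN matches $host"
    else
        echo "WARNING: certificate does not name $host; clients will reject it" >&2
        return 1
    fi
    openssl x509 -in "$dir/apache_host.crt" -noout -dates
    # Warn 30 days ahead so the 365-day certificate is renewed before it lapses.
    if cert_expires_within "$dir/apache_host.crt" $((30 * 86400)); then
        echo "WARNING: certificate expires within 30 days" >&2
    fi
}

# Only run main when executed as make_cert.sh (placeholder name), not when sourced.
case "${0##*/}" in make_cert.sh) main "$@" ;; esac
```

Save it as make_cert.sh and run `sudo sh make_cert.sh mydomain.com /etc/apache2/ssl`. The cert_expires_within check is worth dropping into cron, since a self-signed certificate generated with -days 365 silently starts failing a year later.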
Disable Directory Indexing
It is a good idea to disable directory listing on your webserver to prevent an attacker from gaining too much information about the files and directories available.
Add the Following to /etc/apache2/apache2.conf:
Options -Indexes
You can place this inside a <Directory> block to affect one directory, or at the server level to cover your web root.
Restart Apache Service:
sudo service apache2 restart
Disable Following of Symbolic Links
You may not require Apache to follow symbolic links. If you are not using symbolic links, consider disabling the feature altogether. This ensures that no accidentally created symbolic link can expose private locations on the filesystem to users.
Add the Following to /etc/apache2/apache2.conf:
Options -FollowSymLinks
You can place this inside a <Directory> block to affect one directory, or at the server level to cover your web root.
Restart Apache Service:
sudo service apache2 restart
Hide Apache Version and OS Identity
By default, Apache error pages and the Server response header reveal the version of Apache you are running along with your operating system. To enhance security it is a good idea to keep this information private: ServerSignature Off removes the footer from server-generated pages, and ServerTokens Prod reduces the Server header to just "Apache".
Modify /etc/apache2/apache2.conf:
ServerSignature Off
ServerTokens Prod
Restart Apache Service:
sudo service apache2 restart
Limit Request Size
You may wish to limit the total size of a client HTTP request body. This can help mitigate certain Denial of Service attacks.
Add the Following to /etc/apache2/apache2.conf:
LimitRequestBody 614400
You can place this inside a <Directory> block to affect one directory, or at the server level to cover your web root. Change the request body size to suit your needs; the example above sets the limit to 600 Kilobytes.
Restart Apache Service:
sudo service apache2 restart
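A quick way to confirm that the directives from the last four sections actually took effect is to audit the configuration file rather than trust memory. The script below is an added example (not part of the original post): it checks a configuration file for ServerSignature Off, ServerTokens Prod, Options -Indexes, Options -FollowSymLinks and a LimitRequestBody value, skipping commented-out lines so that a "# ServerTokens Prod" left in by a previous edit does not count as set. The sample configurations it writes are constructed for the demonstration, not taken from a real server. On Debian/Ubuntu, note that ServerTokens and ServerSignature are usually set in /etc/apache2/conf-available/security.conf, so audit that file as well as apache2.conf.

```shell
#!/bin/sh
# Added example, not code from the original post: audit an Apache config
# file for the hardening directives discussed above.

# has_directive FILE REGEX -> exit 0 if an uncommented line matches REGEX
has_directive() {
    grep -v '^[[:space:]]*#' "$1" | grep -Eiq "$2"
}

# check FILE LABEL REGEX -> prints "OK      LABEL" or "MISSING LABEL"
check() {
    if has_directive "$1" "$3"; then printf 'OK      %s\n' "$2"
    else printf 'MISSING %s\n' "$2"; fi
}

# audit_conf FILE -> one result line per hardening directive
audit_conf() {
    conf="$1"
    check "$conf" "ServerSignature Off"     '^[[:space:]]*ServerSignature[[:space:]]+Off'
    check "$conf" "ServerTokens Prod"       '^[[:space:]]*ServerTokens[[:space:]]+(Prod|ProductOnly)'
    # "Options None" disables Indexes and FollowSymLinks as well, so accept it too.
    check "$conf" "Options -Indexes"        '^[[:space:]]*Options[[:space:]]+(None|.*-Indexes)'
    check "$conf" "Options -FollowSymLinks" '^[[:space:]]*Options[[:space:]]+(None|.*-FollowSymLinks)'
    check "$conf" "LimitRequestBody set"    '^[[:space:]]*LimitRequestBody[[:space:]]+[0-9]+'
}

# count_missing FILE -> number of directives not found
count_missing() {
    audit_conf "$1" | grep -c '^MISSING' || true
}

# write_sample_conf FILE weak|hardened -> constructed sample configs for a demo run
write_sample_conf() {
    if [ "$2" = "hardened" ]; then
        cat > "$1" <<'EOF'
ServerSignature Off
ServerTokens Prod
LimitRequestBody 614400
<Directory /var/www/>
    Options -Indexes -FollowSymLinks
    AllowOverride None
</Directory>
EOF
    else
        cat > "$1" <<'EOF'
# ServerSignature Off        <- commented out, so it must not count as set
ServerTokens OS
LimitRequestBody 614400
<Directory /var/www/>
    Options Indexes FollowSymLinks
    AllowOverride None
</Directory>
EOF
    fi
}

main() {
    conf="${1:-/etc/apache2/apache2.conf}"
    audit_conf "$conf"
    missing=$(count_missing "$conf")
    echo "$missing hardening directive(s) missing in $conf"
    [ "$missing" -eq 0 ]
}

# Only run main when executed as audit_apache.sh (placeholder name), not when sourced.
case "${0##*/}" in audit_apache.sh) main "$@" ;; esac
```

Run it as `sh audit_apache.sh /etc/apache2/apache2.conf` (and again against conf-available/security.conf); a non-zero exit status means at least one directive is missing, which makes it easy to wire into a deployment check.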
Install mod_security
mod_security is an Apache module that acts as a web application firewall (WAF): it inspects requests against a rule set, monitors and logs suspicious traffic, and can block brute force and injection attempts.
Install mod_security:
sudo apt-get install libapache2-mod-security2
Copy Configuration File:
sudo cp /etc/modsecurity/modsecurity.conf-recommended /etc/modsecurity/modsecurity.conf
Enable mod_security:
sudo a2enmod security2
Restart Apache Service:
sudo service apache2 restart
Install mod_evasive
mod_evasive is an Apache module that helps protect against DoS/DDoS attacks by tracking requests per client IP and temporarily blocking clients that exceed the configured request thresholds.
Install mod_evasive:
sudo apt-get install libapache2-mod-evasive
Enable mod_evasive:
sudo a2enmod evasive
Append the Following to /etc/apache2/apache2.conf:
# optional directive (default value is 1024)
DOSHashTableSize 1024
# obligatory directives (if even one of them is not set, malfunctioning is possible)
DOSPageCount 10
DOSSiteCount 150
DOSPageInterval 1
DOSSiteInterval 1
DOSBlockingPeriod 10
Restart Apache Service:
sudo service apache2 restart
Monitor Logs
Do not be afraid to monitor your logs! Proper log monitoring is essential to catching any strange activity or errors on your webserver.
Default Apache Log Locations:
/var/log/apache2/access.log
/var/log/apache2/error.log
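Knowing where the logs live is half the job; the other half is pulling something useful out of them. The script below is an added example (not part of the original post) that reads an access.log in the default combined format and reports the busiest client IPs, the number of 4xx/5xx responses, and any client that exceeded a request-per-second threshold. That last check applies offline the same idea mod_evasive enforces live with DOSSiteCount and DOSSiteInterval, so it is a useful way to tune those values against your real traffic before enabling the module. The log lines it writes are constructed for the demonstration and use documentation-only IP ranges; the script file name apache_log_check.sh is a placeholder.

```shell
#!/bin/sh
# Added example, not code from the original post: summarise an Apache
# access.log (combined format) for quick monitoring.
# Field layout per line: $1 client IP, $4 "[dd/Mon/yyyy:HH:MM:SS", $9 status code.

# requests_per_client LOG -> "count ip" lines, busiest client first
requests_per_client() {
    awk '{ n[$1]++ } END { for (ip in n) print n[ip], ip }' "$1" | sort -rn
}

# error_count LOG -> number of responses with a 4xx or 5xx status
error_count() {
    awk '$9 ~ /^[45][0-9][0-9]$/ { c++ } END { print c + 0 }' "$1"
}

# burst_clients LOG LIMIT -> IPs that sent more than LIMIT requests within one second
# (the same per-client, per-interval counting mod_evasive does with DOSSiteCount
# and a DOSSiteInterval of 1)
burst_clients() {
    awk -v limit="$2" '
        { ts = substr($4, 2); key = $1 "|" ts; n[key]++ }
        END {
            for (k in n) if (n[k] > limit) { split(k, p, "|"); flagged[p[1]] = 1 }
            for (ip in flagged) print ip
        }' "$1" | sort
}

# write_sample_log FILE -> constructed access.log lines for a demo run
write_sample_log() {
    cat > "$1" <<'EOF'
203.0.113.5 - - [10/Oct/2020:13:55:36 +0000] "GET /wp-login.php HTTP/1.1" 404 512 "-" "curl/7.68.0"
203.0.113.5 - - [10/Oct/2020:13:55:36 +0000] "GET /admin/ HTTP/1.1" 404 512 "-" "curl/7.68.0"
203.0.113.5 - - [10/Oct/2020:13:55:36 +0000] "GET /phpmyadmin/ HTTP/1.1" 404 512 "-" "curl/7.68.0"
203.0.113.5 - - [10/Oct/2020:13:55:36 +0000] "GET / HTTP/1.1" 200 2326 "-" "curl/7.68.0"
203.0.113.5 - - [10/Oct/2020:13:55:36 +0000] "GET /.env HTTP/1.1" 404 512 "-" "curl/7.68.0"
203.0.113.5 - - [10/Oct/2020:13:55:36 +0000] "GET /backup.zip HTTP/1.1" 404 512 "-" "curl/7.68.0"
198.51.100.7 - - [10/Oct/2020:13:55:37 +0000] "GET / HTTP/1.1" 200 2326 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Oct/2020:13:55:39 +0000] "GET /missing HTTP/1.1" 404 196 "-" "Mozilla/5.0"
192.0.2.9 - - [10/Oct/2020:13:56:01 +0000] "POST /api HTTP/1.1" 500 0 "-" "python-requests/2.25"
EOF
}

main() {
    log="${1:-/var/log/apache2/access.log}"
    limit="${2:-10}"                     # requests per second before a client is flagged
    echo "Top clients:";                 requests_per_client "$log" | head -5
    echo "4xx/5xx responses: $(error_count "$log")"
    echo "Clients exceeding $limit requests in one second:"
    burst_clients "$log" "$limit"
}

# Only run main when executed as apache_log_check.sh (placeholder name), not when sourced.
case "${0##*/}" in apache_log_check.sh) main "$@" ;; esac
```

Run it as `sh apache_log_check.sh /var/log/apache2/access.log 10`. If burst_clients flags legitimate crawlers or your own monitoring at the threshold you intend to use for DOSSiteCount, raise the value or whitelist those addresses before enabling mod_evasive, otherwise it will block them too.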
Stay Up-To-Date
Last but not least, keep your Apache server up to date! This is key to ensuring that your server has the latest vulnerability patches.
Update apache:
sudo apt-get update && sudo apt-get install apache2
Have any other tips or recommendations for keeping an Apache server secure? Share them in the comment section below!
Justin (he/him) is the founder and CEO of NuHarbor Security, where he continues to advance modern integrated cybersecurity services. He has over 20 years of cybersecurity experience, much of it earned while leading security efforts for multinational corporations, most recently serving as global CISO at Keurig Green Mountain Coffee. Justin serves multiple local organizations in the public interest, including his board membership at Champlain College.