By: Hunter Gregal

So you have an Apache2 web server fully installed and configured on an Ubuntu/Debian machine. Perhaps you are using a MySQL backend along with PHP support (How To Install LAMP Server On Ubuntu). But what happens when malicious attackers or bots begin to stress your server? As the savvy administrator or tech connoisseur that you are, you decide to take your Apache web server’s security into your own hands.

Below are just a few quick steps to enhance the security of an Apache installation.

Enable SSL/HTTPS

If you are not yet serving your site over SSL/TLS, you should be. Follow the steps below to enable HTTPS with a self-signed certificate. A self-signed certificate encrypts the connection but is not trusted by browsers, which will warn visitors until you replace it with one issued by a certificate authority.

Enable the SSL Module:
sudo a2enmod ssl

Restart the Apache service:
sudo service apache2 restart

Create Directory for SSL:
sudo mkdir /etc/apache2/ssl

Generate SSL Key and Certificate (expires after 365 days):
sudo openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout /etc/apache2/ssl/apache_host.key -out /etc/apache2/ssl/apache_host.crt

*During certificate generation, be sure that “Common Name (e.g. server FQDN or YOUR name)” is set properly. You may use either your server’s domain name or its public IP address. If the certificate does not match the FQDN that serves it, the SSL check will fail. Note that current browsers match the hostname against the Subject Alternative Name extension rather than the Common Name, so they will still flag a certificate generated this way until a SAN is added (OpenSSL 1.1.1 and later accept one on the command line via -addext "subjectAltName=DNS:mydomain.com").

Edit Apache Configuration:
sudo nano /etc/apache2/sites-available/default-ssl.conf

Edit ServerAdmin Directive to Match Your Domain:
ServerAdmin [email protected]

Add ServerName Line Below ServerAdmin:
ServerName mydomain.com

Edit SSLCertificateFile directive:
SSLCertificateFile /etc/apache2/ssl/apache_host.crt

Edit SSLCertificateKeyFile directive:
SSLCertificateKeyFile /etc/apache2/ssl/apache_host.key

Activate the SSL Virtual Host:
sudo a2ensite default-ssl.conf

Restart Apache Service:
sudo service apache2 restart

Disable Directory Indexing

It is a good idea to disable directory listing on your webserver to prevent an attacker from gaining too much information about the files and directories available.

Add the Following to /etc/apache2/apache2.conf:

<Directory /var/www>
	Options -Indexes
</Directory>

You can specify a specific directory or your webserver’s root.

Restart Apache Service:
sudo service apache2 restart

Disable Following of Symbolic Links

You may not need Apache to follow symbolic links. If you are not using them, consider disabling the feature altogether, so that a stray symbolic link under the document root cannot expose private locations on the filesystem to users.

Add the Following to /etc/apache2/apache2.conf:

<Directory /var/www>
	Options -FollowSymLinks
</Directory>

You can specify a specific directory or your webserver’s root.

Restart Apache Service:
sudo service apache2 restart

Hide Apache Version and OS Identity

By default, Apache’s error pages (and its Server response header) reveal the version of Apache you are running along with your operating system. To enhance security it is a good idea to keep this information private.

Modify /etc/apache2/apache2.conf (on Debian and Ubuntu the same two directives are also set in /etc/apache2/conf-available/security.conf, so make sure the values there agree):
ServerSignature Off
ServerTokens Prod

Restart Apache Service:
sudo service apache2 restart

Limit Request Size

You may wish to limit the size of the body a client may send in an HTTP request. This helps mitigate certain denial-of-service attacks, at the cost of capping legitimate POST and upload sizes.

Add the Following to /etc/apache2/apache2.conf:

<Directory /var/www>
	LimitRequestBody 614400
</Directory>

You can specify a specific directory or your webserver’s root. Adjust the size to suit your needs; the above example sets the limit to 600 kilobytes (614400 bytes). The default of 0 means no limit, so a site that accepts uploads needs a value large enough for them.

Restart Apache Service:
sudo service apache2 restart
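The four settings above (Options -Indexes, Options -FollowSymLinks, ServerSignature/ServerTokens and LimitRequestBody) are easy to apply to one Directory block and forget in another. The following Python script is an added example, not part of the original post, that parses an apache2.conf fragment and reports which of those hardening steps are missing. It assumes a constructed sample config, a simplified reading of Apache syntax (whole-line comments, non-nested Directory sections), and Debian’s stock Options for /var/www as the baseline for the relative +/- form; run it over every file Apache includes, not just apache2.conf, since conf-available/security.conf can override the global directives.

```python
import re
import sys

# Constructed sample apache2.conf fragment (not from a real host): the global
# directives still leak version info, one Directory block is hardened as
# described above, and one was left at permissive settings.
SAMPLE_CONF = """\
ServerTokens OS
ServerSignature On

<Directory /var/www>
    Options -Indexes -FollowSymLinks
    LimitRequestBody 614400
</Directory>

<Directory "/var/www/uploads">
    Options Indexes FollowSymLinks
</Directory>
"""

# Assumed baseline for the relative "+Flag/-Flag" form of Options: what a stock
# Debian install enables for /var/www. The true baseline depends on enclosing
# sections, so this is a heuristic.
DEBIAN_DEFAULT_OPTIONS = {"indexes", "followsymlinks"}
# "Options All" means every option except MultiViews.
ALL_OPTIONS = {"execcgi", "followsymlinks", "includes", "includesnoexec",
               "indexes", "symlinksifownermatch"}

_DIRECTORY_OPEN = re.compile(r'^<Directory\s+"?([^"\s>]+)"?\s*>$', re.IGNORECASE)


def parse_conf(text):
    """Split config text into (global directives, {directory path: directives})."""
    global_directives, sections, current = {}, {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        opened = _DIRECTORY_OPEN.match(line)
        if opened:
            current = opened.group(1)
            sections.setdefault(current, {})
        elif line.lower() == "</directory>":
            current = None
        else:
            # Directive names are case-insensitive in Apache, so store them lower-cased.
            name, _, value = line.partition(" ")
            target = sections[current] if current is not None else global_directives
            target[name.lower()] = value.strip()
    return global_directives, sections


def effective_options(value, baseline=DEBIAN_DEFAULT_OPTIONS):
    """Resolve an Options line to the set of flags left enabled.

    Absolute form ("Options Indexes FollowSymLinks") replaces the baseline,
    relative form ("Options -Indexes +ExecCGI") adjusts it; Apache rejects a
    mix of both, and so does this function.
    """
    tokens = value.split()
    if not tokens:
        return set(baseline)
    relative = [t[0] in "+-" for t in tokens]
    if any(relative) and not all(relative):
        raise ValueError(f"mixed absolute and relative Options: {value!r}")
    if not any(relative):
        enabled = {t.lower() for t in tokens}
        if "none" in enabled:
            return set()
        return (enabled - {"all"}) | ALL_OPTIONS if "all" in enabled else enabled
    enabled = set(baseline)
    for token in tokens:
        (enabled.add if token[0] == "+" else enabled.discard)(token[1:].lower())
    return enabled


def audit(text, max_body=614400):
    """Return one finding per departure from the hardening steps above."""
    findings = []
    global_directives, sections = parse_conf(text)
    # ServerTokens defaults to Full; only Prod trims the Server header to "Apache".
    if global_directives.get("servertokens", "Full").lower() != "prod":
        findings.append("global: ServerTokens is not Prod")
    # ServerSignature On appends the version/OS footer to server-generated pages.
    if global_directives.get("serversignature", "Off").lower() != "off":
        findings.append("global: ServerSignature is not Off")
    for path, directives in sections.items():
        enabled = effective_options(directives.get("options", ""))
        if "indexes" in enabled:
            findings.append(f"{path}: directory indexing (Indexes) enabled")
        if "followsymlinks" in enabled:
            findings.append(f"{path}: FollowSymLinks enabled")
        # LimitRequestBody 0 is Apache's default and means "no limit".
        body = int(directives.get("limitrequestbody", "0"))
        if body == 0 or body > max_body:
            size = "unset (unlimited)" if body == 0 else str(body)
            findings.append(f"{path}: LimitRequestBody {size}, expected at most {max_body}")
    return findings


if __name__ == "__main__":
    # Usage: python3 audit_apache.py [/etc/apache2/apache2.conf]
    conf = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_CONF
    for finding in audit(conf) or ["no findings"]:
        print(finding)
```

Against the embedded sample it reports the two global leaks and three problems in the /var/www/uploads block while passing the hardened /var/www block. A misspelled directive (such as ServiceSignature) is not caught here; `apache2ctl configtest` is the check for that, and it should be run before every restart.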

Install mod_security

mod_security is a web application firewall (WAF) module for Apache: it inspects requests against a rule set, logs what matches, and can block attacks such as injection attempts and brute-force logins.

Install mod_security:
sudo apt-get install libapache2-mod-security2

Copy the Recommended Configuration File (it ships with SecRuleEngine DetectionOnly, which logs rule matches without blocking anything; switch it to On once you have reviewed the audit log for false positives):
sudo cp /etc/modsecurity/modsecurity.conf-recommended /etc/modsecurity/modsecurity.conf

Enable mod_security:
sudo a2enmod security2

Restart Apache Service:
sudo service apache2 restart

Install mod_evasive

mod_evasive is an Apache module that detects HTTP floods: it counts how often a single client requests the same page, or the site as a whole, within a short interval and temporarily blocks clients that exceed the thresholds, which helps protect against DoS/DDoS attacks and brute-force attempts.

Install mod_evasive:
sudo apt-get install libapache2-mod-evasive

Enable mod_evasive:
sudo a2enmod evasive

Append the Following to /etc/apache2/apache2.conf:

<IfModule evasive20_module>
    # The module registers itself as evasive20_module (check with apache2ctl -M).
    # An <IfModule> test naming a module Apache does not know is skipped silently,
    # so a wrong name here means none of these directives ever take effect.

    # Optional tuning knob: size of the hash table used to track clients
    DOSHashTableSize    1024

    # Required: if any of these is missing the module may misbehave
    # Requests for the same page from one IP within DOSPageInterval seconds before blocking
    DOSPageCount        10
    # Requests for any page from one IP within DOSSiteInterval seconds before blocking
    DOSSiteCount        150
    DOSPageInterval     1
    DOSSiteInterval     1
    # Seconds a blocked client keeps receiving 403 Forbidden responses
    DOSBlockingPeriod   10
</IfModule>

Restart Apache Service:
sudo service apache2 restart

Monitor Logs

Do not be afraid to monitor your logs! Proper log monitoring is essential to catching any strange activity or errors on your webserver.

Default Apache Logs Locations:
/var/log/apache2/access.log
/var/log/apache2/error.log
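To see what the DOSPageCount/DOSSiteCount thresholds in the mod_evasive section actually mean, and to look for the same pattern in access.log after the fact, the following Python script is an added example (not part of the original post and not mod_evasive’s own code). It replays combined-format access log lines through a per-client sliding window using those thresholds. The log lines and IP addresses are constructed for the example; mod_evasive counts on the fly inside the request cycle, so this is an approximation of the idea rather than a reimplementation.

```python
import re
import sys
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Thresholds copied from the mod_evasive block above: more than DOS_PAGE_COUNT
# requests for the same URI, or more than DOS_SITE_COUNT requests for anything,
# from one IP within the matching interval (seconds) gets that IP blocked.
DOS_PAGE_COUNT, DOS_PAGE_INTERVAL = 10, 1
DOS_SITE_COUNT, DOS_SITE_INTERVAL = 150, 1

# Apache "combined" LogFormat: %h %l %u %t "%r" %>s %O "%{Referer}i" "%{User-Agent}i"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<uri>\S+) [^"]*" (?P<status>\d{3}) \S+'
)


def parse_line(line):
    """Return (ip, timestamp, path, status) for a combined-format line, or None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    when = datetime.strptime(m["time"], "%d/%b/%Y:%H:%M:%S %z")
    # mod_evasive keys its page counter on the URI without the query string.
    return m["ip"], when, m["uri"].split("?", 1)[0], int(m["status"])


def find_floods(lines, page_count=DOS_PAGE_COUNT, page_interval=DOS_PAGE_INTERVAL,
                site_count=DOS_SITE_COUNT, site_interval=DOS_SITE_INTERVAL):
    """Replay log lines through a sliding window per (ip, path) and per ip.

    Returns one dict mapping (ip, path) to the first time the page threshold was
    exceeded and (ip, "*") to the first time the site threshold was exceeded.
    Unparseable lines are skipped.
    """
    events = sorted((e for e in map(parse_line, lines) if e), key=lambda e: e[1])
    windows = defaultdict(deque)
    flagged = {}
    for ip, when, path, _status in events:
        for key, limit, interval in (((ip, path), page_count, page_interval),
                                     ((ip, "*"), site_count, site_interval)):
            window = windows[key]
            window.append(when)
            # Drop requests that fell out of the interval ending at `when`.
            while when - window[0] > timedelta(seconds=interval):
                window.popleft()
            if len(window) > limit and key not in flagged:
                flagged[key] = when
    return flagged


def make_line(ip, second, path, status=200):
    """Build a constructed combined-format log line (fixed date, second 0-59)."""
    return (f'{ip} - - [12/Mar/2015:10:15:{second:02d} +0000] '
            f'"GET {path} HTTP/1.1" {status} 512 "-" "Mozilla/5.0"')


# Constructed sample access log: three ordinary requests from one client and
# twelve hits on /login within a single second from another.
SAMPLE_LOG = [
    make_line("198.51.100.5", 0, "/"),
    make_line("198.51.100.5", 1, "/about.html"),
    make_line("198.51.100.5", 3, "/contact.html"),
] + [make_line("203.0.113.7", 4, f"/login?attempt={i}", 401) for i in range(12)]


if __name__ == "__main__":
    # Usage: python3 evasive_replay.py [/var/log/apache2/access.log]
    source = open(sys.argv[1]).read().splitlines() if len(sys.argv) > 1 else SAMPLE_LOG
    for (ip, scope), when in sorted(find_floods(source).items(), key=lambda kv: kv[1]):
        what = "site-wide" if scope == "*" else scope
        print(f"{when:%Y-%m-%d %H:%M:%S} {ip} exceeded the threshold for {what}")
```

With the sample data the client hammering /login trips the page threshold (the eleventh request in the same second) while staying far below the site threshold; the same twelve requests spread over twelve seconds trip nothing. Running this over a real access.log before enabling mod_evasive shows whether the chosen DOSPageCount would also catch legitimate traffic such as pages that load many assets at once.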

Stay Up-To-Date

Last but not least, keep your Apache server up-to-date! This is key to ensuring that your server has the latest vulnerability patches.

Update Apache (apt-get install upgrades an already installed package when a newer version is available; sudo apt-get upgrade brings the rest of the system along too):
sudo apt-get update && sudo apt-get install apache2

Have any other tips or recommendations for keeping an Apache server secure? Share them in the comment section below!