You are on page 1of 18


Linux Services



Contact Us



Linux Distro’s

Open Source

Web Servers


Free Linux eBooks

Linux Commands

Select Language

Pow ered by



Mark Shuttleworth has announced the codename as "Trusty Tahr" for Ubuntu 14.04 LTS

Write For Us! and Earn $$$s

13 Apache Web Server Security and Hardening Tips
By Tarunika Shrivastava Under: Apache On: October 15, 2013 ► Linux Mint ► Security ► Apachen ► Web Servers









Quiz 3: Take "Test Yourself" Online Exam and Get Famous We all are very familiar with Apache web server, it is a very popular web server to host your web files or your website on the web. Here are some links which can help you to configure Apache web server on your Linux box.

Enter Your Email Address :)

Before you apply these changes in your web server. It also shows the information about Apache modules installed in your .2. CentOS and Fedora 106 Comments Install Apache 2.Apache Security and Hardening Tips SPONSOR Install Apache Web Server Setup Your Website in Your Linux Box Here in this tutorial.4/5.5. you should have some basics of the Apache server.9 & Fedora 19-12 105 Comments Install Cacti (Network Monitoring) on RHEL/CentOS 6.5. MySQL 5. Document root Directory: /var/www/html or /var/www Main Configuration file: /etc/httpd/conf/httpd.3/5. I’ll cover some main tips to secure your web server. How to hide Apache Version and OS Identity from Errors When you install Apache with source or any other package installers like yum.conf (Debian/Ubuntu).15.7.8 and Fedora 17-12 102 Comments POPULAR LATEST COMMENTS TAGS Advertise Here 1.conf (RHEL/CentOS/Fedora) and /etc/apache/apache2.4 on RHEL/CentOS 6.3 Released – Install in RHEL. it displays the version of your Apache web server installed on your server with the Operating system name of your server in Errors. Default HTTP Port: 80 TCP Default HTTPS Port: 443 TCP Test your Configuration file settings and syntax: httpd -t Access Log files of Web Server: /var/log/httpd/access_log Error Log files of Web Server: /var/log/httpd/error_log Wine 1.34 & PHP 5.

Open configuration file with vim editor and search for “ ServerSignature“. # vim /etc/httpd/conf/httpd. We need to Off these server signature and the second line “ ServerTokens Prod ” tells Apache to return only Apache as product in the server response header on the every page request.4 Step by Step Installation Guide with Screenshots 88 Comments CentOS 6. It also shows the information about Apache modules installed in your server.conf (RHEL/CentOS/Fedora) # vim /etc/apache/apache2.3 Step by Step Installation Guide with Screenshots 84 Comments Google Chrome 29 Released – Install on RHEL/CentOS 6 and Fedora 19/15 69 Comments :: ADVERTISE :: Show Apache Version In above picture. It suppress the OS. its by default On. This can be a major security threat to your web server as well as your Linux box too. To prevent Apache to not to display these information to the world. you can see that Apache is showing its version with the OS installed in your server.conf (Debian/Ubuntu) .your server in Errors. CentOS 6. major and minor version info. we need to make some changes in Apache main configuration file.

Please see the image below. Disable Directory Listing By default Apache list all the content of Document root directory in the absence of index file. .ServerSignature Off ServerTokens Prod # service httpd restart (RHEL/CentOS/Fedora) # service apache2 restart (Debian/Ubuntu) :: DOWNLOAD FREE LINUX EBOOKS :: Introduction to Linux – A Hands on Guide The GNU/Linux Advanced Administration Securing & Optimizing Linux: The Hacking Solution Linux Command Line Cheat Sheet A Newbie’s Getting Started Guide to Linux Create Your Own Linux System from Scratch Linux Shell Scripting Cookbook – Second Edition Linux Bible – The Complete Tutorial Resource :: FOLLOW US :: Hide Apache Version 2.

<Directory /var/www/html> Options -Indexes </Directory> .conf file. Tutorials & Guides Follow + 847 +1 Apache Directory Listing We can turn off directory listing by using Options directive in configuration file for a specific directory.TecMint. For that we need to make an entry in httpd.conf or Tecmint: Linux Howtos.

Hide Apache Directory Listing 3.15 (Unix) Server built: Aug 13 2013 17:29:28 You can update your version with the following command. .2. So It is always recommended to use the latest version of Apache as your web server. Keep updating Apache Regularly Apache developer community is continuously working on security issues and releasing its updated version with new security options. To check Apache version: You can check your current version with httpd -v command. # httpd -v Server version: Apache/2.

So it’s recommended to disable all those modules that are not in use LoadModule log_config_module modules/mod_log_config. LoadModule env_module modules/ LoadModule authz_host_module modules/ LoadModule ldap_module modules/ LoadModule authn_file_module modules/mod_authn_file. # grep LoadModule /etc/httpd/conf/ LoadModule auth_basic_module modules/mod_auth_basic. you can insert a “ #” at the beginning of that line and restart the LoadModule authz_user_module modules/ LoadModule include_module modules/mod_include.# yum update httpd # apt-get install apache2 It is also recommended to keep your Kernel and OS updated to the latest stable releases if you are not running any specific application which works only on specific OS or Kernel. You can list all the compiled modules of web server.conf # have to place corresponding `LoadModule' lines at this location so the # LoadModule foo_module modules/ LoadModule authz_default_module modules/mod_authz_default. 4. .so LoadModule authn_dbm_module modules/mod_authn_dbm. mod_userdir. Disable Unnecessary Modules It’s always good to minor the chances of being a victim of any web .so LoadModule authnz_ldap_module modules/mod_authnz_ldap. using following LoadModule authz_owner_module modules/ LoadModule authn_alias_module modules/ LoadModule authn_anon_module modules/ LoadModule authz_dbm_module modules/mod_authz_dbm. Above is the list of modules that are enabled by default but often not needed: LoadModule logio_module modules/mod_logio. To disable the particular LoadModule auth_digest_module modules/mod_auth_digest. LoadModule ext_filter_module modules/ LoadModule authn_default_module modules/ LoadModule authz_groupfile_module modules/mod_authz_groupfile. mod_include.

For example: httpweb. Use Allow and Deny to Restrict access to Directories We can restrict access to directories with “ Allow” and “ Deny” options in httpd. Create Apache User and Group # groupadd http-web # useradd -d /var/www/ -g http-web -s /bin/nologin http-web Now you need to tell Apache to run with this new user and to do so. For security reasons it is recommended to run Apache in its own non-privileged account.conf with vim editor and search for keyword “ User” and “ Group” and there you will need to specify the username and groupname to use. Run Apache as separate User and Group With a default installation Apache runs its process with user nobody or daemon. Here in this example. User http-web Group http-web 6. for that by setting the following in the httpd. <Directory /> Options None Order deny.conf and restart the service.conf file. we need to make an entry in /etc/httpd/conf/httpd. we’ll be securing root directory. Open /etc/httpd/conf/httpd.allow Deny from all </Directory> Options “None” – This option will not allow users to enable any optional features. .conf file.5.

. 7. This feature of mod_evasive enables it to handle the HTTP brute force and Dos or DDos attack. allow – This is the order in which the “ Deny” and “ Allow” directives will be processed. Here it will “ deny” first and “ allow” next.d/apache2 force-reload Install mod_security on RHEL/CentOS/Fedora/ # yum install mod_security # /etc/init. It prevents DDOS attacks from doing as much damage. It also helps us to protect our websites or web server from brute force attacks. it takes one request to process and processes it very well. Install mod_security on Ubuntu/Debian $ sudo apt-get install libapache2-mod-security $ sudo a2enmod mod-security $ sudo /etc/init. nobody will be able to access root directory. Deny from all – This will deny request from everybody to the root directory.d/httpd restart Mod_evasive mod_evasive works very efficiently. You can simply install mod_security on your server with the help of your default package installers. This module detects attacks with three methods. Use mod_security and mod_evasive Modules to Secure Apache These two modules “ mod_security” and “ mod_evasive” are very popular modules of Apache in terms of security. Mod_security Where mod_security works as a firewall for our web applications and allows us to monitor traffic on a real time basis.Order deny.

Disable Apache’s following of Symbolic Links By default Apache follows symlinks. Here. Protect Apache using Mod_Security and Mod_evasive 8. Turn off Server Side Includes and CGI Execution We can turn off server side includes (mod_include) and CGI execution if not needed and to do so we need to modify main configuration file. we can turn off this feature with FollowSymLinks with Options directive. mod_evasive can be installed directly from the source. we can simply write a rule in “ . we have an Installation and setup guide of these modules which will help you to set up these Apache modules in your Linux box.htaccess” file from that website. And to do so we need to make the following entry in main configuration file. If any child process trying to make more than 50 concurrent requests.If so many requests come to a same page in a few times per second. 9.htaccess” file “ AllowOverride All” should be present in the main configuration globally. If any IP still trying to make new requests when its temporarily blacklisted. Options -Includes Options -ExecCGI . if any particular user or website need FollowSymLinks enable. Options -FollowSymLinks And. # Enable symbolic links Options +FollowSymLinks Note: To enable rewrite rules inside “ .

Limit Request Size By default Apache has no limit on the total size of the HTTP request i. We are putting a limit of 500K for this. But. <Directory "/var/www/myweb1/user_uploads"> LimitRequestBody 512000 </Directory> 11. Protect DDOS attacks and Hardening . Options SymLinksIfOwnerMatch – It’s similar to FollowSymLinks.We can do this for a particular directory too with Directory tag. Here In this example. Options MultiViews – Allows content negotiated multiviews with mod_negotiation module. If you don’t want specify any values explicitly in Apache conf file or . This is the default value. You can set this limit according to your site needs. Options All – To enable All options at once. unlimited and when you allow large requests on a web server its possible that you could be a victim of Denial of service attacks. Suppose you have a site where you allows uploads and you want to limit the upload size for a particular directory. We can Limit the requests size of an Apache directive “ LimitRequestBody” with the directory tag.htaccess. 10. <Directory "/var/www/html/web1"> Options -Includes -ExecCGI </Directory> Here are some other values with can be turned On or off with Options directive. this will follow only when the owner is the same between the link and the original directory to which it is linked. You can set the value in bytes from 0 (unlimited) to 2147483647 (2GB) that are allowed in a request body.e. Here in this example. we are turning off Includes and Cgi file executions for “ /var/www/html/web1” directory. user_uploads is a directory which contains files uploaded by users. Options IncludesNOEXEC – This option allows server side includes without the execute permission to a command or cgi files.

It is recommended to lower this value if DDos attacks are occurring as a result of so many http request headers. such as the commands entered by users that have interacted with your Web server.11. Here are some directives which can help you to have a control on it. because it provides more information. here is the my website virtual host configuration with logging enabled. LimitRequestFieldSize : It helps us to set a size limit on the HTTP Request header. MaxClients : This directive allows you to set the limit on connections that will be served simultaneously. Its default value is 300 secs. Enable Apache Logging Apache allows you to logging independently of your OS logging. CustomLog : Creating and formatting a log file. KeepAliveTimeout : Its the amount of time the server will wait for a subsequent request before closing the . It’s good to keep this value low on those sites which are subject to DDOS attacks. LimitRequestFields : It helps us to set a limit on the number of HTTP request’s header fields that will be accepted from the clients. This value totally depends on kind of request you are getting on your website. It is available with Prefork and Worker both MPM . To do so you need to include the mod_log_config module. it’s true that you cannot completely protect your web site from DDos attacks. Note: It could pose problems with come CGI scripts. TimeOut : This directive allows you to set the amount of time the server will wait for certain events to complete before it fails. Default value is 5 secs. TransferLog: Creating a log file. <VirtualHost *:80> DocumentRoot /var/www/html/example. You can also use them for a particular website it you are doing Virtual hosting and for that you need to specify it in the virtual host section. Every new connection will be queued up after this limit. 12. It is wise to enable Apache logging. LogFormat : Specifying a custom format. Its default value is 100. For example. There are three main loggingrelated directives available with Apache. Protect DDOS attacks and Hardening Well. The default value of it is 256.

key -out exmaple.125:443> SSLEngine on SSLCertificateFile /etc/pki/tls/certs/example. Now you need to add this in Apache ErrorDocument 404 / DocumentRoot /var/www/html/example/ ErrorLog /var/log/httpd/example.ServerName www. Securing Apache with SSL Certificates DirectoryIndex index. Open main configuration file with vim editor and add the following lines and restart the service. Apache sends all this information in encrypted text.csr # openssl x509 -req -days 365 -in example.key SSLCertificateChainFile /etc/pki/tls/certs/sf_bundle.key -out example.16.crt ServerAdmin ravi.php ServerAlias example. you can secure your all the communication in an encrypted manner over the Internet with SSL index.html -signkey ServerName You can purchase SSl certificates from So many different SSL providers like namecheap.crt Once your certificate has been created and signed. # openssl genrsa -des3 -out common .key 1024 # openssl req -new -key example.Commerce website where people provides their bank details or Debit/ Credit card details to purchase products. <VirtualHost but not the least SSL SSLCertificateKeyFile /etc/pki/tls/certs/ CustomLog /var/log/httpd/ If you are running a very small web business and do not willing to purchase an SSL certificate you can still assign a Self signed certificate to your website.php ErrorLog /var/log/httpd/example. by default your web server send these details in plain – text format but when you use SSL certificates to your websites. Suppose you have a website in which people login by proving their Login credentials or you have an Apache uses the mod_ssl module to support SSL combined </VirtualHost> 13.com_error_log CustomLog /var/log/httpd/example.

These are few security tips that you can use to secure your Apache web server installation. Please submit your orders by Clicking Here. see the official online documentation of Apache HTTP Server.2. MySQL 5. I am working as System Engineer with a Web Hosting Company. and you will be able to see the new selfsigned certificate. Bio Latest Posts Tarunika Shrivastava I am a linux server admin and love to play with Linux and all other distributions of it.5. still you may find difficulties and want us to help you out. We offer wide range of Linux and Web Hosting Solutions at fair minimum rates. type https://example.9 & Fedora 19-12 .4 on RHEL/CentOS 6.15. World Cup Latest News Show News Runnings Check Your To Check News of the world Show Google Chrome Certificate World Cup « PREVIOUS POST NEXT POST » Install Apache 2. ► Apache SSL ► Web Servers ► HTTP Server ► Server SSL Linux Services & Free WordPress Setup Our post is simply ‘DIY’ aka ‘Do It Yourself .</VirtualHost> Open up your browser.5.34 & PHP For more useful security tips and ideas.

15. R EP LY .conf should be edited as rarely as possible on a debian system.9 & Fedora 19-12 Creating Your Own Webserver and Hosting A Website from Your Linux Box Install mod_pagespeed (Website Optimizer) for Apache in RHEL. 2013 at 12:05 am A few points: http. MySQL 5. Becareful with LimitRequestFields since some apps require a lot of fields (learned this the hard way) #13 Payment card industry standards (PCI-DSS) now require a minimum key size of 2048 R EP LY Tarunika Shrivastava October 17.34 & PHP 5. If what you use takes a small amount of memory it can be larger but some web stores and some poorly written software I’ve come across can run a system out of memory with 256. 2013 at 2:45 am Hi Mack. Nice Suggestions and tips.d/ exists for a reason.2.Related Post(s): Install Mod_GeoIP for Apache in RHEL/CentOS 6.4/5. Thanks.8 GoAccess (A Real-Time Apache and Nginx) Web Server Log Analyzer Install Apache 2. #8 Turning off symlinks will break many web apps and some php libraries.4 on RHEL/CentOS 6.5. /etc/conf. #11 Maxrequests depends on what you are running.3/5.5. CentOS and Fedora Install Apache CouchDB on RHEL/CentOS 6/5 7 Responses Gerhard Mack October 16.

. how we do this ? R EP LY daeny October 16. 2013 at 4:32 pm How to redirect Port in Apache httpd service.2/mod/mod_proxy. then it will automatically goes to another port. one will need to do: # systemctl restart httpd in order to restart apache and there is no such # apt-get update apache2 you would do ‘apt-get install apache2′ so if it is installed and there is update available it will update the package. since ‘systemd’ is used as default init system. when a client connect to the server default port 2013 at 9:10 pm Check mod_proxy. 2013 at 10:41 am thanks R EP LY Abhishek October 16.html R EP LY RoseHosting.nobita October 16.apache. http://httpd. 2013 at 7:11 pm In October 16.

2013 at 1:15 am #1 – you can find the apache2 security settings on ubuntu and debian in the config file: /etc/apache2/conf. that’s reverse proxying as far as I can understand your question.d/security ServerSignature Off ServerTokens Prod R EP LY Leave a Reply Name (Required) Mail (will not be published) (Required) Website Submit Comment .@Abhishek. R EP LY nf October 17.

tutorials. Website migration and Custom is a website that publishes practical and useful out-of-the-box articles for aspirant like you and me. making us a one-stop destination for all your possible hosting needs at fair minimum rates. Spread your messages or products to an engaged readers by advertising with us. Submit Order :: ADVERTISE :: TecMint. We seek to present exceptional. WordPress hosting. .com is visited by tens of thousands of Linux users and has a excellent reputation in the search engine ranking. Joomla Hosting. Most of the traffic comes from Google organic search (80%). and resources that the modern web professional will appreciate.:: ABOUT :: TecMint. CMS hosting. remarkable tips. Know More :: OUR SERVICES :: We offer wide range of Linux Web Hosting and Management Services includes Linux hosting. Advertise Now Home | Privacy Policy | Copyright Policy © 2012-2013 All Rights Reserved.