Apache Server Security Best Practices

Dhairya Sharma · Published in Bobble Engineering · 7 min read · Oct 16, 2021

Apache HTTP Server is free, open-source, cross-platform web server software. It is used by around 30.9% of all websites whose web server is known, and attackers actively look for misconfigured and poorly maintained Apache servers to exploit.

Before exposing your server to the internet, make sure you have eliminated the misconfigurations and mistakes listed below.

1. Keep Apache Version up to Date

Vulnerabilities are discovered in software after it is released, so it is very important to keep your Apache version up to date.

Subscribe to the Apache HTTP Server Announcements List to be notified of every new security update.

2. Hiding Server Version and Banner

Exposing the server version and the operating system it runs on makes it easier for an attacker to pick attacks that match that exact software, so it is highly recommended to hide both.

Before hiding them we need to understand ServerSignature and ServerTokens.

ServerSignature: controls the footer line that Apache appends to pages it generates itself (error pages, for example). When it is On, the footer shows the ServerName of the serving virtual host and the server version inside an <address> element; how much version detail appears is controlled by ServerTokens.

That footer exposes valuable information about the installation.

We can set the following values of ServerSignature in the apache2.conf file.

  • ServerSignature On adds the <address> footer with the version details to server-generated pages.
  • ServerSignature Off omits the <address> footer entirely.

ServerTokens: configures the Server HTTP response header.

We can set the following values of ServerTokens in the apache2.conf file.

  • ServerTokens Full: the server sends Server: Apache/2.4.46 (Debian) followed by the versions of compiled-in modules
  • ServerTokens Prod[uctOnly]: the server sends Server: Apache
  • ServerTokens Major: the server sends Server: Apache/2
  • ServerTokens Minor: the server sends Server: Apache/2.4
  • ServerTokens Min[imal]: the server sends Server: Apache/2.4.46
  • ServerTokens OS: the server sends Server: Apache/2.4.46 (Debian)

Hiding the version and banner

Set the following values of ServerSignature and ServerTokens in apache2.conf:

ServerSignature Off
ServerTokens Prod

  • Restart the Apache server.
  • Result: error pages no longer carry the <address> footer and the response header is reduced to Server: Apache.
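To verify the change without reading the configuration, look at what the server actually sends. The following Python script is an added example, not code from the original post: it splits a raw HTTP response into headers and body, maps the Server header back to the ServerTokens level that produces it, and reports whether the ServerSignature footer is still present. The two responses are constructed to look like a default Apache 404 before and after the change; they were not captured from a real host.

```python
import re

# Constructed sample responses (not captured from a real host): a default
# Apache 404 before the change, and the same page after ServerSignature Off
# and ServerTokens Prod.
RAW_404_BEFORE = (
    "HTTP/1.1 404 Not Found\r\n"
    "Date: Sat, 16 Oct 2021 10:00:00 GMT\r\n"
    "Server: Apache/2.4.46 (Debian)\r\n"
    "Content-Type: text/html; charset=iso-8859-1\r\n"
    "\r\n"
    "<html><head><title>404 Not Found</title></head><body>\n"
    "<h1>Not Found</h1>\n"
    "<p>The requested URL was not found on this server.</p>\n"
    "<hr>\n"
    "<address>Apache/2.4.46 (Debian) Server at localhost Port 80</address>\n"
    "</body></html>\n"
)

RAW_404_AFTER = (
    "HTTP/1.1 404 Not Found\r\n"
    "Date: Sat, 16 Oct 2021 10:00:00 GMT\r\n"
    "Server: Apache\r\n"
    "Content-Type: text/html; charset=iso-8859-1\r\n"
    "\r\n"
    "<html><head><title>404 Not Found</title></head><body>\n"
    "<h1>Not Found</h1>\n"
    "<p>The requested URL was not found on this server.</p>\n"
    "</body></html>\n"
)

# The Server header as Apache formats it:
#   Apache[/major[.minor[.patch]]][ (OS)][ compiled-in module info]
SERVER_RE = re.compile(
    r"^Apache(?:/(\d+)(?:\.(\d+))?(?:\.(\d+))?)?(\s*\([^)]*\))?(.*)$"
)


def split_response(raw):
    """Split a raw HTTP response into (status line, lowercase header dict, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers, body


def server_tokens_level(server_value):
    """Map a Server header value back to the ServerTokens level that produces it."""
    m = SERVER_RE.match(server_value.strip())
    if not m:
        return "unknown"          # not Apache, or a rewritten banner
    major, minor, patch, os_part, extra = m.groups()
    if extra.strip():
        return "Full"             # OS plus module versions, e.g. "(Debian) PHP/7.4"
    if os_part:
        return "OS"
    if patch is not None:
        return "Min"
    if minor is not None:
        return "Minor"
    if major is not None:
        return "Major"
    return "Prod"


def audit_error_page(raw):
    """Report what an error response leaks and whether it meets the
    ServerSignature Off / ServerTokens Prod target."""
    _, headers, body = split_response(raw)
    level = server_tokens_level(headers.get("server", ""))
    signature = "<address>" in body.lower()
    return {
        "server_tokens": level,
        "signature_exposed": signature,
        "ok": level == "Prod" and not signature,
    }


if __name__ == "__main__":
    for label, raw in (("before", RAW_404_BEFORE), ("after", RAW_404_AFTER)):
        print(label, audit_error_page(raw))
```

On a real host, feed it the output of `curl -si http://localhost/does-not-exist`: a request for a missing page is the easiest way to trigger a server-generated error page and see both the header and the footer at once.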

3. ServerRoot Directories Permissions

In most cases Apache is started by the root user and then switches to the account named by the User directive; that account is the one that answers the server's requests.

Make sure that user has only the permissions its operation requires. It must not be able to write any server file that root executes, and it must not be able to write to the log files.
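One way to check that rule mechanically is to walk the server root and list everything the worker account could modify. The script below is an added example, not part of the original post: it judges writability from mode bits and ownership for a given uid/gid, and builds a constructed miniature server tree in a temporary directory with two deliberate mistakes (a world-writable cache file and a world-writable upload directory) so it runs stand-alone. The uid/gid 33 are a hypothetical value for the worker user; look up the real one with `id www-data` and the User/Group directives in apache2.conf.

```python
import os
import stat
import tempfile

# Hypothetical identity for the worker user; replace with the real uid/gid
# from `id www-data` (or whatever the User/Group directives name).
APACHE_UID = 33
APACHE_GID = 33


def writable_by(path, uid, gid):
    """True if a process running as uid/gid could write `path`, judged from
    the mode bits and ownership alone. Root bypasses mode bits and POSIX ACLs
    can widen access, so a False here is necessary, not sufficient."""
    st = os.lstat(path)
    mode = st.st_mode
    if st.st_uid == uid and mode & stat.S_IWUSR:
        return True
    if st.st_gid == gid and mode & stat.S_IWGRP:
        return True
    return bool(mode & stat.S_IWOTH)


def find_writable(root, uid, gid):
    """Walk `root` and return the relative paths (files and directories) that
    the given uid/gid could modify. Symlinks are judged by their own mode
    and not followed."""
    hits = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for p in [dirpath] + [os.path.join(dirpath, f) for f in filenames]:
            if writable_by(p, uid, gid):
                hits.append(os.path.relpath(p, root))
    return sorted(hits)


def build_demo_tree():
    """Create a constructed miniature of a server root in a temp directory:
    config, document root and logs with sane modes, plus two mistakes."""
    root = tempfile.mkdtemp(prefix="apache-perms-demo-")
    layout = {
        "conf/apache2.conf": 0o644,
        "htdocs/index.html": 0o644,
        "logs/access.log": 0o644,
        "tmp/cache": 0o666,          # mistake: anyone can overwrite this
    }
    for rel, mode in layout.items():
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), mode=0o755, exist_ok=True)
        with open(full, "w") as fh:
            fh.write("demo\n")
        os.chmod(full, mode)
    uploads = os.path.join(root, "uploads")
    os.mkdir(uploads)
    os.chmod(uploads, 0o777)         # mistake: anyone can add files here
    return root


def own_identity():
    """uid/gid of the process running this script (owner of the demo files)."""
    return os.getuid(), os.getgid()


def foreign_identity():
    """A uid/gid that owns none of the demo files, standing in for the worker."""
    return os.getuid() + 1, os.getgid() + 1


if __name__ == "__main__":
    demo_root = build_demo_tree()
    # The demo files are owned by whoever runs this script, so check them as
    # a different user: only the world-writable mistakes should be reported.
    print(find_writable(demo_root, *foreign_identity()))
```

Run it against a real installation as `find_writable("/etc/apache2", APACHE_UID, APACHE_GID)` and again over the document root, module directory and log directory; anything it prints is a file the worker could alter.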

4. Adding a Firewall

A firewall helps in mitigating a few attacks and thus adds a security layer.

ModSecurity is an open-source Web Application Firewall (WAF). It provides protection against generic classes of vulnerabilities using the OWASP ModSecurity Core Rule Set (CRS).

Here is a link to the blog on how to configure ModSecurity with Apache.

5. Protection Against DDoS, DoS, and Bruteforce

Every server is vulnerable to denial of service, which stops legitimate clients from getting the server's resources.

Luckily there is the mod_evasive module for the Apache server.

Here is a link to the blog for setting up the mod_evasive module.

There are also some Apache configuration settings that help mitigate these problems.

6. Disable Directory Listing

With directory listing enabled, a visitor can see all the files and folders under a directory.

Here all the files and folders under the hello directory are listed.

This exposes every file, including the ones we don't want to expose.

To disable indexing of files and folders, open the apache2.conf file, find the <Directory> block for the path and change its Options directive to None or -Indexes:

Options -Indexes

Restart Apache.

Now visit http://localhost/hello again; the listing is no longer shown.

7. ETag Header

The ETag header is used for efficient caching of server resources by the client. The server sends a hash-like value in ETag; the client caches it and sends it back when it requests the same resource again, and if the value has not changed the cached copy can be used.

The problem is that the ETag can reveal information about the server that should stay secret. Apache can base the ETag value on the file's inode number, which is internal information and should not be exposed; collecting many inode numbers can be used to learn about the underlying file system.

To prevent this:

  • Open the apache2.conf file and set FileETag None
  • Restart the Apache server

8. Server Side Include

SSI (Server Side Includes) are directives that add dynamic content to HTML pages; the server evaluates them before the page is sent.

If user input reaches an SSI directive without proper validation or sanitization, it can result in remote execution of arbitrary commands.

e.g. if an SSI page embeds user input without validating and sanitizing it, the user can supply the following directive to execute shell commands:

<!--#exec cmd="whoami" -->

You can disable Server Side Includes for a directory:

<Directory /var/www/html/hello>
    Options -Indexes -Includes
</Directory>

  • Restart the Apache server
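Sections 6, 7 and 8 all come down to three settings in apache2.conf, and they are easy to miss in a large configuration. The linter below is an added example, not code from the original post: it scans a configuration text for <Directory> blocks whose Options leave Indexes or Includes enabled and for a FileETag that is missing or includes INode. The two configuration fragments are constructed, one with the weak settings and one with the corrected ones, so the script runs offline.

```python
import re

# Constructed apache2.conf fragments (not from the original post): the weak
# settings this section warns about, and the corrected form beside them.
WEAK_CONF = """\
FileETag INode MTime Size
<Directory /var/www/html/hello>
    Options Indexes FollowSymLinks Includes
    AllowOverride None
    Require all granted
</Directory>
<Directory /var/www/html/app>
    Options All
</Directory>
"""

HARDENED_CONF = """\
FileETag None
<Directory /var/www/html/hello>
    Options -Indexes -Includes
    AllowOverride None
    Require all granted
</Directory>
<Directory /var/www/html/app>
    Options None
</Directory>
"""

# The two Options these sections are about: Indexes (directory listing) and
# Includes (server-side includes, which allow <!--#exec -->).
RISKY = {"Indexes", "Includes"}

DIRECTORY_RE = re.compile(r"<Directory\s+([^>]+)>(.*?)</Directory>", re.S | re.I)
OPTIONS_RE = re.compile(r"^[ \t]*Options[ \t]+(.+)$", re.M | re.I)
ETAG_RE = re.compile(r"^[ \t]*FileETag[ \t]+(.+)$", re.M | re.I)


def risky_options(options_args):
    """Return the risky Options an `Options ...` line leaves enabled.
    Apache semantics: a bare list replaces the set; +name/-name adjust the
    inherited set; All means everything except MultiViews; None clears it.
    Inheritance from parent <Directory> blocks is not modelled, so a bare
    '-Indexes' counts as safe and '+Indexes' as enabled."""
    enabled = set()
    for tok in options_args.split():
        if tok.startswith("-"):
            enabled.discard(tok[1:])
            continue
        name = tok.lstrip("+")
        if name == "All":
            enabled |= RISKY
        elif name == "None":
            enabled.clear()
        elif name in RISKY:
            enabled.add(name)
    return enabled


def lint_config(text):
    """Return (scope, finding) pairs for listing, SSI and ETag exposure."""
    findings = []
    for block in DIRECTORY_RE.finditer(text):
        path, body = block.group(1).strip(), block.group(2)
        for opts in OPTIONS_RE.finditer(body):
            for name in sorted(risky_options(opts.group(1))):
                findings.append((path, f"Options enables {name}"))
    etag = ETAG_RE.search(text)
    if etag is None:
        # Apache 2.4 defaults to 'MTime Size'; releases before 2.3.15 included INode.
        findings.append(("(global)", "FileETag not set explicitly; set 'FileETag None'"))
    elif "inode" in etag.group(1).lower():
        findings.append(("(global)", "FileETag includes INode"))
    return findings


if __name__ == "__main__":
    for label, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(label, lint_config(conf))
```

Because a child <Directory> inherits Options from its parent, the linter treats `+Indexes` as an exposure and a bare `-Indexes` as safe; when in doubt, `Options None` followed by only the options you need is the form that does not depend on what the parent block set.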

9. Security Headers

First we will learn how to set headers in Apache 2.

  • Enable the required Apache modules:

a2enmod rewrite
a2enmod headers

  • Add a Header directive to the website's Apache configuration file:

Header set Test "This is a test"

  • The VirtualHost file after the change:

<VirtualHost *:80>
    ServerAdmin webmaster@localhost
    DocumentRoot /var/www/html
    ErrorLog ${APACHE_LOG_DIR}/error.log
    CustomLog ${APACHE_LOG_DIR}/access.log combined
    Header set Test "This is a test"
</VirtualHost>

  • Restart Apache: sudo systemctl restart apache2

Setting Security Headers

  • HTTP Strict Transport Security (HSTS)

HSTS tells the browser to reach the site only over HTTPS for the given number of seconds; any plain-HTTP URL for the site is upgraded before a request is sent. It protects against man-in-the-middle downgrade attacks. Browsers only honour the header on an HTTPS response.

Header set Strict-Transport-Security "max-age=<time-in-sec>; includeSubDomains"

  • Content-Security-Policy (CSP)

It adds a layer of security that helps detect and mitigate certain types of attacks, including Cross-Site Scripting and data injection attacks, by telling the browser which sources of scripts, styles and other content the page may load.

It is recommended to start with the strictest policy and then relax it according to your needs.

Header always set Content-Security-Policy "default-src 'self'"

  • X-XSS-Protection

Defends against some reflected XSS attacks using the browser's built-in filter. This filter is deprecated: Chromium-based browsers have removed it and Firefox never implemented it, so the Content-Security-Policy above is the control to rely on.

X-XSS-Protection: 0 disables the filter entirely.

X-XSS-Protection: 1 enables the filter; the browser sanitizes the page by removing the suspicious script.

X-XSS-Protection: 1; mode=block enables the filter and blocks rendering of the whole page when an attack is detected.

Header set X-XSS-Protection "1;mode=block"

  • X-Frame-Options

The X-Frame-Options header defends your website against clickjacking by controlling whether your pages may be embedded in frames on other sites.

DENY: the page may not be framed at all.

SAMEORIGIN: the page may be framed only by pages from the same origin.

ALLOW-FROM: allows framing only from a specific URL. This value is obsolete and ignored by modern browsers; use the Content-Security-Policy frame-ancestors directive for that case.

Header always set X-Frame-Options "SAMEORIGIN"

  • X-Content-Type-Options

The X-Content-Type-Options header, also called "browser sniffing protection", tells the browser to honour the MIME type declared in the Content-Type header instead of guessing the type from the content.

Header always set X-Content-Type-Options "nosniff"

  • Referrer-Policy

The Referrer-Policy header controls how much of the current page's address the browser puts in the Referer header when it requests another page or resource. With strict-origin only the origin (scheme, host and port) is sent, and nothing is sent when going from HTTPS to HTTP.

Header always set Referrer-Policy "strict-origin"

  • Permissions-Policy

Permissions-Policy is a newer header that lets the site control which browser APIs and features its pages may use.

Header always set Permissions-Policy "geolocation=(),midi=(),sync-xhr=(),microphone=(),camera=(),magnetometer=(),gyroscope=(),fullscreen=(self),payment=()"
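After restarting, check that every header actually arrives with a sane value rather than trusting the configuration. The script below is an added example and not code from the original post: it parses a raw HTTP response and reports each security header from this section that is missing or weak (HSTS max-age under a chosen one-year policy or without includeSubDomains, a CSP with no default-src fallback, an X-Frame-Options value other than DENY/SAMEORIGIN, a Referrer-Policy that can leak the full URL). The responses it checks are constructed, one with Apache's defaults and one carrying the headers above; the one-year HSTS threshold is this example's own policy choice.

```python
import re

# Constructed responses (not captured from a real server): one with Apache's
# defaults and one after the Header directives from this section.
RAW_DEFAULT = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Apache\r\n"
    "Content-Type: text/html\r\n"
    "\r\n"
)
RAW_HARDENED = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Apache\r\n"
    "Content-Type: text/html\r\n"
    "Strict-Transport-Security: max-age=31536000; includeSubDomains\r\n"
    "Content-Security-Policy: default-src 'self'\r\n"
    "X-Frame-Options: SAMEORIGIN\r\n"
    "X-Content-Type-Options: nosniff\r\n"
    "Referrer-Policy: strict-origin\r\n"
    "Permissions-Policy: geolocation=(), camera=(), microphone=()\r\n"
    "\r\n"
)

HSTS_MIN_AGE = 31536000   # one year; a policy choice for this example
SAFE_REFERRER = {"no-referrer", "same-origin", "strict-origin",
                 "strict-origin-when-cross-origin"}


def parse_headers(raw):
    """Lowercase header-name -> value dict from a raw HTTP response."""
    head = raw.split("\r\n\r\n", 1)[0]
    headers = {}
    for line in head.split("\r\n")[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return headers


def check_hsts(value):
    m = re.search(r"max-age=(\d+)", value, re.I)
    if not m:
        return "missing max-age"
    if int(m.group(1)) < HSTS_MIN_AGE:
        return "max-age below policy (%d)" % HSTS_MIN_AGE
    if "includesubdomains" not in value.lower():
        return "missing includeSubDomains"
    return None


def check_xfo(value):
    if value.strip().upper() in {"DENY", "SAMEORIGIN"}:
        return None
    return "use DENY or SAMEORIGIN (ALLOW-FROM is obsolete; use CSP frame-ancestors)"


# Each check returns None when the value is acceptable, otherwise a short reason.
CHECKS = {
    "strict-transport-security": check_hsts,
    "content-security-policy": lambda v: None if "default-src" in v else "no default-src fallback",
    "x-frame-options": check_xfo,
    "x-content-type-options": lambda v: None if v.strip().lower() == "nosniff" else "must be nosniff",
    "referrer-policy": lambda v: (None if v.strip().lower() in SAFE_REFERRER
                                  else "prefer strict-origin or strict-origin-when-cross-origin"),
    "permissions-policy": lambda v: None if "=" in v else "no feature restricted",
}


def audit(raw):
    """Return {header: problem} for every expected header that is missing or weak."""
    headers = parse_headers(raw)
    problems = {}
    for name, check in CHECKS.items():
        if name not in headers:
            problems[name] = "missing"
        else:
            reason = check(headers[name])
            if reason:
                problems[name] = reason
    return problems


if __name__ == "__main__":
    print("default :", audit(RAW_DEFAULT))
    print("hardened:", audit(RAW_HARDENED))
```

Feed it `curl -si https://your-site/` output, and check an error page (a URL that returns 404) as well as the home page: `Header set` only applies to successful responses, while `Header always set` also covers the error responses Apache generates itself, which is why most of the directives above use `always`.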

10. Delete Unused Modules

Unused, unmaintained or outdated modules left on your Apache server enlarge its attack surface. First find out which modules are actually active; you can list all the modules Apache has loaded with:

sudo apachectl -M

Note the modules you don't use and run the following command to disable each of them:

sudo a2dismod <module-name>

e.g. sudo a2dismod security2   # disables the ModSecurity module in Apache

  • Restart apache to load the new configuration.

11. Turn on Logs

Logs show you what is actually hitting the server. They let you analyze which kinds of attacks are thrown against it and whether the necessary protections are in place. For example, to see the last five requests that were answered with a 404:

sudo grep -i 404 /var/log/apache2/access.log | tail -n 5
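A grep is a good start, but the questions you actually want answered ("which client is collecting 404s?", "who is hammering one page?") need the log parsed. The script below is an added example, not code from the original post; it serves this section and the denial-of-service section above. It parses lines in Apache's combined log format, counts 404s per client address, and flags any address that requested the same path more than a threshold number of times within an interval, which is the per-page check that mod_evasive performs in-process (its DOSPageCount/DOSPageInterval settings), done here offline over a log. The log lines are constructed, not real traffic, and the thresholds are this example's own.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime

# Combined log format: ip ident user [time] "request" status size "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)
TIME_FMT = "%d/%b/%Y:%H:%M:%S %z"

# Constructed access.log lines (not real traffic): normal browsing from one
# address, a scanner collecting 404s from another, and a third hammering one page.
SAMPLE_LOG = "\n".join(
    [
        '203.0.113.5 - - [16/Oct/2021:10:00:01 +0000] "GET / HTTP/1.1" 200 1024 "-" "Mozilla/5.0"',
        '203.0.113.5 - - [16/Oct/2021:10:00:02 +0000] "GET /about HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
        '198.51.100.7 - - [16/Oct/2021:10:00:02 +0000] "GET /admin/ HTTP/1.1" 404 196 "-" "curl/7.68.0"',
        '198.51.100.7 - - [16/Oct/2021:10:00:03 +0000] "GET /old/ HTTP/1.1" 404 196 "-" "curl/7.68.0"',
        '198.51.100.7 - - [16/Oct/2021:10:00:03 +0000] "GET /test/ HTTP/1.1" 404 196 "-" "curl/7.68.0"',
    ]
    + ['192.0.2.9 - - [16/Oct/2021:10:00:05 +0000] "GET /login HTTP/1.1" 200 300 "-" "python-requests/2.25"'] * 12
)


def parse_line(line):
    """Return a dict with ip, time (datetime), method, path, status, size; None if unparsable."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["time"] = datetime.strptime(rec["time"], TIME_FMT)
    return rec


def status_by_ip(lines, status="404"):
    """Count responses with the given status per client address."""
    counts = Counter()
    for rec in filter(None, map(parse_line, lines)):
        if rec["status"] == status:
            counts[rec["ip"]] += 1
    return counts


def burst_sources(lines, page_count=10, page_interval=1):
    """Addresses that requested the same path more than page_count times
    within page_interval seconds (thresholds are this example's own)."""
    times = defaultdict(list)
    for rec in filter(None, map(parse_line, lines)):
        times[(rec["ip"], rec["path"])].append(rec["time"])
    flagged = set()
    for (ip, _path), ts in times.items():
        ts.sort()
        # page_count + 1 requests inside one interval means "more than page_count"
        for i in range(len(ts) - page_count):
            if (ts[i + page_count] - ts[i]).total_seconds() <= page_interval:
                flagged.add(ip)
                break
    return flagged


if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    print("404s by client:", status_by_ip(lines))
    print("burst sources:", burst_sources(lines))
```

On a real server, replace SAMPLE_LOG with the contents of /var/log/apache2/access.log; the combined format is the one the CustomLog line in the VirtualHost example above produces.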
