Tuesday, 12 June 2018

Tutorials :: Apache Installation & Hardening | Linuxlearners


Apache Installation & Hardening:
Apache Installation:
yum install update
yum install httpd
chkconfig httpd on
service httpd start —-→ to start apache
service httpd stop —-→ to stop apache
service httpd restart —-→ to restart apache
service httpd status —-→ to see the status whether the apache is running or not
Apache Hardening
1. Hide the Apache Version number, and other sensitive information.
> vim /etc/httpd/conf/httpd.conf
Search and Edit this command
ServerSignature Off (search for “ServerSignature“, it’s by default On. We need to Off these )
ServerTokens Prod ( “ServerTokens Prod” tells Apache to return only Apache as product in the server )
2. Make sure apache is running under its own user account and group
We can turn off directory listing by using Options directive in configuration file for a specific directory.
<Directory /var/www/html>
Options -Indexes
3. Keep updating Apache Regularly
To check Apache version ( it shows current version of Apache)
httpd -v
yum update httpd (update apache)
4. Disable Unnecessary Modules (recommended)
Disable all those unnecessary modules that not in use currently.
Otherwise you can insert a “#” at the beginning of that line to disable the unnecessary modules and restart the service.
5. Run Apache as separate User and Group
With a default installation Apache runs its process with user nobody or daemon. For security reasons it is recommended to run Apache in its own non-privileged account.For example: http-web.
Add a user and Group
groupadd http-web
useradd -d /var/www/ -g http-web -s /bin/nologin http-web
vim /etc/httpd/conf/httpd.conf
search for keyword “User” and “Group” and there you will need to specify the username and groupname to
user http-web
group http-web
6. Use Allow and Deny to Restrict access to Directories
We can restrict access to directories with “Allow” and “Deny” options in httpd.conf file.
<Directory />
Options None
Order deny,allow
Deny from all
Options “None” – This option will not allow users to enable any optional features.
Order deny, allow – This is the order in which the “Deny” and “Allow” directives will be processed. Here it will “deny” first and “allow” next.
Deny from all – This will deny request from everybody to the root directory, nobody will be able to access root directory.
7. Install mod_evasive Modules &  mod_security for Secure Apache
Where mod_security works as a firewall for our web applications and allows us to monitor traffic on a real time basis.It also helps us to protect our websites or web server from brute force attacks. You can simply install mod_security on your server
yum install mod_security
etc/init.d/httpd restart
8. Disable Apache’s following of Symbolic Links
Default Apache follows symlinks, So we can Switch off this feature with FollowSymLinks by using options directive.
If we want enable a particular user or website need to FollowSymLinks , simply write a rule in “.htaccess” file from that website.
> Enable symbolic links
Options +FollowSymLinks
9. Disable server side includes
We can also done with Options directive inside a Directory tag. Set Options any like None or -Includes
<Directory /var/www/html>
Options -Includes
10. Turn off CGI execution
If we are not using CGI turn it off with the Options directive inside a Directory tag.
Set Options to either None or -ExecCGI
<Directory /var/www/html>
Options -ExecCGI
11. Limit Request Size
By Default , Apache has no limit on the total size of the HTTP request i.e. unlimited and also allow large requests on a web server so there is a victim of attack
<Directory “/var/www/myweb1/user_uploads”>
LimitRequestBody 512000
12. Protect DDOS attacks and Hardening
We Can’t completely protect your website from DDos attacks. So we use some directives to have a control on it.
TimeOut : This directive allows you to set the amount of time the server will wait for certain events to complete before it fails. Its default value is 300 secs.
MaxClients directive : It allows you to set the limit on connections it will be served simultaneously. Every new connection will be queued within this limit.
> It is available with Prefork and Worker both MPM. The default value of it is 256.
KeepAliveTimeout : It set the amount of time to wait that subsequent request before close the connection by Default value is 5 secs.
LimitRequestFields : It set a limit on the number of HTTP request’s . Its default value is 100.
LimitRequestFieldSize : It set a size limit on the HTTP Request’s.
13. Enable Apache Logging
Its important for the apache server over all control , because it will give more information about commands entered by users
There are three main logging-related directives available with Apache.
TransferLog : Creating a log file.
LogFormat : Specifying a custom format.
CustomLog : Creating and formatting a log file.
You can also use them for a particular website
<VirtualHost *:80>
DocumentRoot /var/www/html/
ServerName www.example.com
DirectoryIndex index.htm index.html index.php
ServerAlias example.com
ErrorDocument 404 /story.php
ErrorLog /var/log/httpd/example.com_error_log
CustomLog /var/log/httpd/example.com_access_log combined
14. Turn off support for .htaccess files
We can do this in directory tag
AllowOverride None
in a directory
If having a requires to Overrides ensure that they cannot be downloaded other than “.htaccess”. For example we could change it to .httpdoverride, and block all files that start with .ht from being downloaded as follows:
Here the “AccessFileName .htaccess has been changed to AccessFileName .httpdoverride”
AccessFileName .httpdoverride
<Files ~ “^\.ht”>
Order allow,deny
Deny from all
Satisfy All
15. Limiting large requests
We can restrict the upload limits , Apache have like that directives to allow to limit the size of a request, this can also be useful
By using LimitRequestBody directive to allow us to file uploads of no larger than 1MB
> vi /etc/httpd/conf/httpd.conf
> LimitRequestBody 1048576
Some other directives to look at are LimitRequestFields, LimitRequestFieldSize and LimitRequestLine.
16. Restricting Access by IP
To restrict particular IP address access from enforce this apache configuration is possible
For eg, Allow only 1**.** network
Order Deny,Allow
Deny from all
Allow from 1**.** .0.0/16
Or by IP:
Order Deny,Allow
Deny from all
Allow from
17. Must Root user only has read access to Apache’s config and binaries
This can be done by
eg., apache installation is located at /usr/local/apache as
> chown -R root:root /usr/local/apache
> chmod -R o-rwx /usr/local/apache