Developers June 29, 2020

Apache web server hardening tips

Rejah

Since most of us leave the web server to the default configuration, it can often leak sensitive data.

By applying numerous configuration tweaks we can make Apache withstand malicious attacks up to a limit. I've listed some of the most common misconfigurations and hardening techniques below:

Hide Server Version Banner

The default Apache configuration will expose the server version. This information might help an attacker gain a greater understanding of the systems in use and potentially develop further attacks targeted at the specific version of the server.

Alter Server Banner

Change server details to misdirect an attacker.

Disable Directory Listing

In Apache's default configuration, if your web server root directory doesn't contain an index.html, users can see all files and subdirectories listed in the web root.

Make use of mod_security

mod_security works as a firewall for web applications. It can also be used for real-time web application monitoring and logging. You can install mod_security from your default package installer.

Make use of mod_evasive

mod_evasive provides effective actions against Distributed Denial of Service (DDoS/DoS) attacks or brute-force attacks. Its capabilities also extend to working with ipchains, firewalls, routers, and more. mod_evasive reports events via email and syslog facilities.

Hide ETag Header

The ETag header involves quite a significant number of sensitive details regarding your server. It's interesting that for PCI compliance it is required to hide the ETag header.

Disable CGI and SSI

SSIs are directives present in web applications, used to feed an HTML page with dynamic content. They are also capable of opening your website up to a certain number of security issues if left unchecked. The same applies to CGI scripts. Disabling both helps prevent hackers from injecting malicious scripts into your code.

Setting the HTTP Limits

Setting up some HTTP limits can defend against DDoS (Distributed Denial of Service) attacks; it is really easy if you know the sort of actions to look out for.

Enable XSS Protection Header

Cross-site scripting (XSS) is a common vulnerability found in web applications. The X-XSS-Protection header can prevent some level of XSS attacks.

We happened to publish a blog recently listing out the ways to rectify these as well. So, if you're using an Apache web server, feel free to check out the blog here.

Let me know your thoughts on this :)
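As an added illustration (not part of the original post), here is a small audit script that checks an HTTP response for several of the findings listed above: a version-bearing Server banner, a ServerSignature footer, a directory listing, an exposed ETag and a missing X-XSS-Protection header. Each finding is paired with the Apache directive that addresses it. The sample response is constructed, not captured from a real server, and the hostname example.test is a placeholder.

```python
"""Audit a raw HTTP/1.1 response for common Apache hardening gaps."""
import re

# Constructed sample: roughly what a default Apache install returns for a
# directory with no index file. Not captured from a real server.
SAMPLE_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Date: Mon, 29 Jun 2020 10:00:00 GMT\r\n"
    b"Server: Apache/2.4.41 (Ubuntu)\r\n"
    b"ETag: \"2c3e-5a9f1e2b3c4d5\"\r\n"
    b"Content-Type: text/html;charset=UTF-8\r\n"
    b"\r\n"
    b"<html><head><title>Index of /uploads</title></head>"
    b"<body><h1>Index of /uploads</h1><address>Apache/2.4.41 (Ubuntu) "
    b"Server at example.test Port 80</address></body></html>"
)


def parse_response(raw: bytes):
    """Split a raw response into (status_line, headers, body).
    Header names are lower-cased; a repeated header keeps its last value."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers, body.decode("latin-1", "replace")


def audit(raw: bytes):
    """Return a list of (finding, apache_directive_that_fixes_it) tuples."""
    _, headers, body = parse_response(raw)
    low = body.lower()
    findings = []
    # "Apache/2.4.41": a slash followed by a digit means the version leaked.
    if re.search(r"/\d", headers.get("server", "")):
        findings.append(("server version in banner", "ServerTokens Prod"))
    # Default error/index pages carry an <address>... Server at ...</address> footer.
    if "<address>" in low and "server at" in low:
        findings.append(("server signature in generated pages", "ServerSignature Off"))
    if re.search(r"<title>index of /", low):
        findings.append(("directory listing enabled", "Options -Indexes"))
    if "etag" in headers:
        findings.append(("ETag header exposed", "FileETag None"))
    # Header directive requires mod_headers to be loaded.
    if headers.get("x-xss-protection", "").split(";")[0].strip() != "1":
        findings.append(("X-XSS-Protection missing",
                         'Header set X-XSS-Protection "1; mode=block"'))
    return findings
```

Run it against a captured response and every tuple returned names one of the tweaks above together with the directive to add to the server or virtual host configuration.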

    These are some great tips that I haven't thought about. Thanks for this!

      Glad you found it useful, @RichTheDeveloper :)