Since most of us leave the web server to the default configuration, it can often leak sensitive data.
By applying a number of configuration tweaks we can make Apache withstand malicious attacks up to a limit. I've listed some of the most common misconfigurations and hardening techniques below:
The default Apache configuration will expose the server version. This information might help an attacker gain a greater understanding of the systems in use and potentially develop further attacks targeted at the specific version of the server.
Change server details to misdirect an attacker.
In Apache's default configuration, if your web server root directory doesn't contain an index.html, a visitor can see a listing of every file and subdirectory in the web root.
mod_security works as a firewall for web applications. It can also be used for real-time web application monitoring and logging. You can install mod_security from your default package installer.
mod_evasive provides effective countermeasures against Distributed Denial of Service (DDoS/DoS) and brute-force attacks. It can also work together with ipchains, firewalls, routers, and more, and it reports events via email and syslog.
The ETag header can reveal a significant amount of sensitive detail about your server. It's interesting that PCI compliance requires the ETag header to be hidden.
SSIs are directives embedded in web pages that feed an HTML page with dynamic content. Left unchecked, they can open your website up to a number of security issues, and the same applies to CGI scripts. Restricting both where they aren't needed prevents hackers from injecting malicious scripts into your code.
Setting up some HTTP limits can defend against DDoS (Distributed Denial of Service) attacks, and it is quite easy once you know which kinds of requests to look out for.
Cross-site scripting (XSS) is a common vulnerability found in web applications. The X-XSS-Protection header can prevent some XSS attacks.
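As an added example (not from the original post), here is one consolidated config fragment that applies the points above. It assumes Apache 2.4 with mod_headers enabled, a web root of /var/www/html, and that mod_evasive is installed; the limit values are illustrative and should be tuned for your application.

```apache
# Added example: consolidated hardening fragment for the points discussed above.
# Assumed: Apache 2.4, mod_headers enabled, web root /var/www/html.
# Put it in httpd.conf or a file under conf-enabled/ (path depends on your distro).

# 1. Version disclosure: send only "Apache" in the Server header and drop the
#    version footer from error pages and directory listings.
ServerTokens Prod
ServerSignature Off

# 2. Directory listing, SSI and CGI: never auto-index a directory that lacks
#    index.html, and keep SSI/CGI off unless a specific directory re-enables them.
<Directory "/var/www/html">
    Options -Indexes -Includes -ExecCGI
    AllowOverride None
    Require all granted
</Directory>

# 3. ETag: stop emitting the header (it otherwise encodes file metadata).
FileETag None

# 4. Request limits against slow, oversized or header-heavy requests
#    (illustrative values; tune per application).
Timeout 60
KeepAliveTimeout 5
LimitRequestBody 1048576
LimitRequestFields 50
LimitRequestFieldSize 8190
LimitRequestLine 4094

# 5. mod_evasive thresholds (assumed module identifier for the 2.4 build;
#    older packages use mod_evasive20.c). Blocks a client that requests the
#    same page more than 5 times, or any page more than 50 times, per interval.
<IfModule mod_evasive24.c>
    DOSHashTableSize    3097
    DOSPageCount        5
    DOSSiteCount        50
    DOSPageInterval     1
    DOSSiteInterval     1
    DOSBlockingPeriod   60
</IfModule>

# 6. Browser-side XSS filter hint.
Header always set X-XSS-Protection "1; mode=block"
```

Run `apachectl configtest` after adding it, then confirm with `curl -sI http://localhost/` that the Server header shows only "Apache", no ETag is present and X-XSS-Protection appears.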
We happened to publish a blog recently listing out the ways to rectify these as well. So, if you're using an Apache web server, feel free to check out the blog here.
Let me know your thoughts on this :)