Apache Hardening Guide

TL;DR

This guide provides essential steps to secure your Apache web server against common attacks. It covers disabling unnecessary modules, configuring access controls, updating software, and monitoring logs.

1. Disable Unnecessary Modules

Apache comes with many modules enabled by default, even if you don’t need them. Disabling unused modules reduces the attack surface.

  1. Identify unused modules: Run apachectl -M to list the loaded modules, or check your Apache configuration files (usually in /etc/apache2/mods-enabled/).
  2. Disable modules: For each module you want to disable, either remove its symbolic link from mods-enabled (the link points into mods-available), or comment out the corresponding LoadModule line in your Apache configuration file (e.g., httpd.conf or apache2.conf).
  3. Restart Apache: After making changes, restart Apache for them to take effect.
    sudo systemctl restart apache2

2. Configure Access Controls

Restrict access to sensitive directories and files using .htaccess files or within your main Apache configuration.

  1. Limit directory access: Use the <Directory> block in your configuration file to control who can access specific directories. For example, to allow only local access:
    <Directory /var/www/html/sensitive-data>
      Require local
    </Directory>
  2. Protect files with passwords: Use .htaccess and the AuthName, AuthType, AuthUserFile, and Require valid-user directives to password-protect specific files or directories.
    AuthName "Restricted Area"
    AuthType Basic
    AuthUserFile /etc/apache2/.htpasswd
    Require valid-user
  3. Create .htpasswd file: Use the htpasswd command to create and manage user accounts for password protection.
    sudo htpasswd -c /etc/apache2/.htpasswd username

    (omit `-c` when adding additional users; `-c` creates the file and overwrites an existing one)

3. Keep Software Updated

Regularly update Apache and all related software to patch security vulnerabilities.

  1. Update Apache: Use your system’s package manager.
    • Debian/Ubuntu:
      sudo apt update && sudo apt upgrade apache2
    • CentOS/RHEL:
      sudo yum update httpd
  2. Check for security updates: Subscribe to security mailing lists or use vulnerability scanners to stay informed about new vulnerabilities.

4. Configure Logging

Enable and configure Apache logs to monitor server activity and detect potential attacks.

  1. Ensure logging is enabled: Check your Apache configuration file for the CustomLog directive.
    CustomLog ${APACHE_LOG_DIR}/access.log combined
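  2. Review logs regularly: Use tools like tail -f /var/log/apache2/access.log and tail -f /var/log/apache2/error.log to monitor logs in real time. Consider using log analysis tools for more advanced monitoring.
  3. Rotate logs: Configure log rotation to prevent logs from growing too large. The rotation policy lives in /etc/logrotate.d/apache2; the command below forces an immediate rotation with that policy, which is a quick way to confirm it works.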
    sudo logrotate -f /etc/logrotate.d/apache2
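
The following added example, not part of the original guide, parses access.log lines in the combined format configured above and flags clients with repeated 401 responses against a password-protected area such as the one set up in section 2. The log lines are constructed, and the function names and the threshold of 3 are assumptions.

```python
import re
from collections import defaultdict

# Apache "combined" format: %h %l %u %t "%r" %>s %b "%{Referer}i" "%{User-Agent}i"
# Quoted fields may contain backslash-escaped quotes (\"), so allow them.
Q = r'"((?:[^"\\]|\\.)*)"'
COMBINED = re.compile(
    r'(\S+) \S+ (\S+) \[([^\]]+)\] ' + Q + r' (\d{3}) (\S+) ' + Q + ' ' + Q + '$')

# Constructed sample lines using documentation IP ranges; not real traffic.
SAMPLE_LOG = [
    '192.0.2.10 - - [10/Oct/2024:13:55:01 +0000] "GET /sensitive-data/ HTTP/1.1" 401 381 "-" "Mozilla/5.0"',
    '192.0.2.10 - alice [10/Oct/2024:13:55:09 +0000] "GET /sensitive-data/ HTTP/1.1" 200 1042 "-" "Mozilla/5.0"',
    '198.51.100.7 - admin [10/Oct/2024:14:02:11 +0000] "GET /sensitive-data/ HTTP/1.1" 401 381 "-" "curl/8.5.0"',
    '198.51.100.7 - root [10/Oct/2024:14:02:11 +0000] "GET /sensitive-data/ HTTP/1.1" 401 381 "-" "curl/8.5.0"',
    '198.51.100.7 - test [10/Oct/2024:14:02:12 +0000] "GET /sensitive-data/ HTTP/1.1" 401 381 "-" "curl/8.5.0"',
    '198.51.100.7 - admin [10/Oct/2024:14:02:12 +0000] "GET /sensitive-data/ HTTP/1.1" 401 381 "-" "a \\"quoted\\" agent"',
    'truncated line without the expected fields',
]

def parse(line):
    """Return (host, user, status), or None if the line is not combined format."""
    m = COMBINED.match(line.rstrip("\n"))
    return (m.group(1), m.group(2), int(m.group(5))) if m else None

def auth_failures(lines, threshold=3):
    """Return (flagged, skipped): clients with >= threshold 401s, and bad-line count."""
    seen = defaultdict(lambda: {"failures": 0, "users": set()})
    skipped = 0
    for line in lines:
        rec = parse(line)
        if rec is None:
            skipped += 1  # count unparsable lines instead of silently dropping them
            continue
        host, user, status = rec
        if status == 401:
            seen[host]["failures"] += 1
            # On a 401, %u is the name the client supplied, not a verified identity.
            if user != "-":
                seen[host]["users"].add(user)
    flagged = {h: {"failures": v["failures"], "tried": sorted(v["users"])}
               for h, v in seen.items() if v["failures"] >= threshold}
    return flagged, skipped

if __name__ == "__main__":
    print(auth_failures(SAMPLE_LOG))
```

A single 401 followed by a 200 from the same client is the normal Basic authentication prompt, which is why the check uses a threshold rather than flagging every 401.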

5. Hide Server Information

Prevent attackers from gathering information about your server by hiding the Apache version and other details.

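  1. Disable ServerSignature: In your Apache configuration file, set ServerSignature Off. This removes the version footer from server-generated pages such as error pages; the Server response header is controlled separately by the ServerTokens directive.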
    ServerSignature Off
  2. Disable mod_status: Unless you specifically need it, disable the mod_status module.

6. Implement a Web Application Firewall (WAF)

A WAF can protect your web applications from common attacks like SQL injection and cross-site scripting.

  1. Choose a WAF: Popular options include ModSecurity used with the OWASP Core Rule Set, and commercial WAFs.
  2. Install and configure the WAF: Follow the documentation for your chosen WAF to install and configure it properly.

7. Run Apache as a Dedicated User

Avoid running Apache as root. Create a dedicated user account with limited privileges.

  1. Create a dedicated user:
    sudo adduser apache
  2. Configure Apache to run as the new user: Modify the User and Group directives in your Apache configuration file.
    User apache
    Group apache

8. Enable cyber security

Ensure you have a robust cyber security plan, including regular vulnerability scans, penetration testing and incident response procedures.
