How to harden Apache Web Server on Centos 7

Apache is the most widely deployed web server on the internet. It suits most situations and gives shared-hosting environments flexibility through the .htaccess file, which lets each user apply custom Apache and PHP directives to their own site. As with all popular software, attackers keep probing it for any loophole left unsealed that would give them access to the server.

Here we look at measures that can be taken on Apache itself to improve the security of the web applications it serves. There are several guides on this subject; ours concentrates on how each step is actually implemented on the server.

1. Update Apache to latest stable version

Performing regular updates is the most basic security measure you can take for any software. Recently, Apache was found to have a vulnerability that allowed XSS attacks on servers set up with proxying enabled; a fix was provided via an update. At the time of writing, the latest upstream release is 2.4.41. Note that the stock httpd package on CentOS 7 reports version 2.4.6 and always will: Red Hat backports security fixes into that package instead of rebasing it, so a package update keeps you patched even though the version string never reaches 2.4.41. Judge patch status by the package changelog, not by the version number, and do not install upstream tarballs over the packaged build unless you are prepared to track upstream releases yourself.

To update the system, run the command below as root

[root@serv0-rawle ~]$ yum update httpd -y

To automate this, schedule the command with cron, or install the yum-cron package, which is the supported way to apply updates unattended on CentOS 7 (enable apply_updates in /etc/yum/yum-cron.conf). Either way, keep an eye on the result: an update of httpd restarts nothing by itself, so a restart of the service is still needed before the new binary serves traffic.

2. Enforce SSL/TLS

Encrypting traffic between the server and its clients (browsers, API consumers) stops anyone on the network path from reading or altering what passes: session cookies, login credentials, card numbers, and the page content itself, which an attacker could otherwise rewrite in transit. It is essential for any site with a login or with sensitive data, and cheap enough today to apply to every site.

How you install a certificate depends on the platform. On CentOS 7 the mod_ssl package provides the module and a default /etc/httpd/conf.d/ssl.conf, and certbot can obtain a Let's Encrypt certificate and configure the vhost for you; we have written guides on installing SSL on various platforms on this blog. "Enforce" also means redirecting every plain-HTTP request to its HTTPS equivalent, which is what the HSTS step below builds on.

3. Enforce HTTP Strict Transport Security (HSTS)

Having a certificate is necessary but not sufficient. Users typically type the bare hostname, so their first request goes out over plain HTTP and relies on a redirect to HTTPS. An attacker positioned on the network path (a hostile Wi-Fi hotspot, a compromised router) can intercept that first request and keep the victim on HTTP, or send them to a look-alike host, while proxying to the real site; the login form then travels over a connection the attacker reads. This is SSL stripping rather than phishing in the e-mail sense, and HSTS is the defence for it.

With HSTS, a browser that has seen the header once rewrites every future http:// URL for the host to https:// before the request leaves the machine, for max-age seconds, and refuses to let the user click through certificate errors. The redirect can no longer be hijacked because it is never requested. The very first visit stays unprotected unless the domain is on the browsers' built-in preload list.

To do this on Apache, put the following in the HTTPS vhost (or in .htaccess, if AllowOverride permits FileInfo there). mod_headers must be loaded, which it is by default on CentOS 7. The header only takes effect when received over HTTPS; browsers ignore it on plain HTTP. max-age is in seconds, and the preload list requires at least 31536000 (one year) together with includeSubDomains and preload, so a shorter value (the original of this guide used 10886400, about 126 days) makes the site ineligible. Think before adding includeSubDomains and preload: once browsers have seen them, every subdomain must serve valid HTTPS for the whole max-age, and getting off the preload list takes months.

# Use HSTS to force secure connections (needs mod_headers; only effective when sent over HTTPS)
Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"

For more details about HSTS, see this article from GlobalSign

4. Disable insecure protocols

Some protocol versions have known weaknesses and should not be accepted by your web server: SSLv2, SSLv3, TLSv1.0 and TLSv1.1.

Use TLSv1.2, which is considered secure. TLSv1.3 is supported by httpd 2.4.36 and later when built against OpenSSL 1.1.1; the stock CentOS 7 packages (httpd 2.4.6, OpenSSL 1.0.2) do not provide it.

To disable everything except TLSv1.2, proceed as follows. The directive used here enables TLSv1.2 alone; add +TLSv1.3 only on a build that supports it, because older mod_ssl rejects the token as an illegal protocol and httpd will refuse to start.

a. As root, open /etc/httpd/conf.d/ssl.conf and search for every instance of the SSLProtocol directive. By default the file contains one, which looks like this:

~]# vim /etc/httpd/conf.d/ssl.conf
#   SSL Protocol support:
# List the enable protocol levels with which clients will be able to
# connect.  Disable SSLv2 access by default:
SSLProtocol all -SSLv2

b. Edit the SSLProtocol line as follows:

#   SSL Protocol support:
# List the enable protocol levels with which clients will be able to
# connect.  Disable SSLv2 access by default:
SSLProtocol -all +TLSv1.2

c. Verify the change as follows:

~]# grep SSLProtocol /etc/httpd/conf.d/ssl.conf
SSLProtocol -all +TLSv1.2

d. Restart the Apache daemon as follows:

~]# systemctl restart httpd

NOTE: The above applies when SSL is provided by mod_ssl, which is what the mod_ssl package on CentOS 7 installs. If you use mod_nss instead, the equivalent directive is NSSProtocol in /etc/httpd/conf.d/nss.conf.

To check which protocols your server actually negotiates, run a test at Qualys SSL Labs (this needs an internet-facing host) or probe it locally with openssl s_client.

NOTE: If your certificate comes from Let's Encrypt via certbot, be aware of /etc/letsencrypt/options-ssl-apache.conf. Certbot adds an Include for it inside each HTTPS vhost, and because a directive inside a <VirtualHost> block wins over the server-level one in /etc/httpd/conf.d/ssl.conf, its SSLProtocol line is the one that takes effect for those vhosts. Either apply step 4 to that file too (certbot may overwrite it on upgrade, so re-check afterwards) or remove the Include from every vhost.
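Step 4 and the certbot note above leave you with more than one file that can set SSLProtocol, and the last directive loaded for a vhost wins. The script below is an added example, not code from the article or from the Apache project: it evaluates an SSLProtocol argument list with mod_ssl's own rules (a bare name replaces the set, + and - add and remove, "all" means SSLv3 plus every TLS version), audits a list of config files for directives that still offer a deprecated version, and probes a running server with openssl s_client. The file paths in the usage comments and the localhost:443 target are assumptions; the two sample config files it can write are constructed for the demo and are not real server configuration.

```bash
#!/bin/bash
# Added example, not from the original article or from Apache. Evaluates
# SSLProtocol directives the way Apache 2.4 mod_ssl does, audits config files,
# and probes a live server. Paths and host below are assumptions.

# Print the protocol versions an SSLProtocol argument list leaves enabled.
# mod_ssl semantics: "all" = SSLv3 + every TLS version (SSLv2 is never offered;
# "-SSLv2" is accepted as a no-op); "+name" adds, "-name" removes; a bare name
# with no prefix REPLACES the whole set (mod_ssl logs a warning when it does).
sslprotocol_enabled() {
    local sslv3=0 tls10=0 tls11=0 tls12=0 tls13=0 tok op name val out=""
    for tok in "$@"; do
        case "$tok" in
            +*) op=add; name=${tok#+} ;;
            -*) op=del; name=${tok#-} ;;
            *)  op=set; name=$tok ;;
        esac
        name=$(printf '%s' "$name" | tr 'A-Z' 'a-z')
        if [ "$op" = set ]; then sslv3=0 tls10=0 tls11=0 tls12=0 tls13=0; fi
        if [ "$op" = del ]; then val=0; else val=1; fi
        case "$name" in
            all)     sslv3=$val tls10=$val tls11=$val tls12=$val tls13=$val ;;
            sslv2)   if [ "$op" != del ]; then echo "SSLv2 is not supported by Apache 2.4" >&2; return 2; fi ;;
            sslv3)   sslv3=$val ;;
            tlsv1)   tls10=$val ;;
            tlsv1.1) tls11=$val ;;
            tlsv1.2) tls12=$val ;;
            tlsv1.3) tls13=$val ;;   # token only known to httpd >= 2.4.36 with OpenSSL 1.1.1
            *) echo "illegal protocol '$tok'" >&2; return 2 ;;
        esac
    done
    if [ "$sslv3" = 1 ]; then out="$out SSLv3"; fi
    if [ "$tls10" = 1 ]; then out="$out TLSv1"; fi
    if [ "$tls11" = 1 ]; then out="$out TLSv1.1"; fi
    if [ "$tls12" = 1 ]; then out="$out TLSv1.2"; fi
    if [ "$tls13" = 1 ]; then out="$out TLSv1.3"; fi
    echo "${out# }"
}

# Return 0 when only TLSv1.2 and/or TLSv1.3 remain, 1 if a deprecated version
# (SSLv3, TLSv1, TLSv1.1) is still offered, 2 on a parse error.
sslprotocol_is_hardened() {
    local enabled
    enabled=$(sslprotocol_enabled "$@") || return 2
    case " $enabled " in
        *" SSLv3 "*|*" TLSv1 "*|*" TLSv1.1 "*) return 1 ;;
        *) return 0 ;;
    esac
}

# Scan config files for active SSLProtocol directives (commented-out ones are
# skipped) and print "file:line: OK|WEAK: <directive> -> <enabled set>".
# Returns 1 if any directive is WEAK. Pass every file that can carry the
# directive: certbot's options-ssl-apache.conf is Included inside the vhost and
# overrides /etc/httpd/conf.d/ssl.conf for that vhost.
audit_sslprotocol() {
    local f report
    report=$(
        for f in "$@"; do
            [ -f "$f" ] || continue
            grep -in '^[[:space:]]*SSLProtocol[[:space:]]' "$f" |
            while IFS=: read -r lineno directive; do
                # drop the directive name, keep its arguments
                args=$(printf '%s\n' "$directive" | awk '{ $1 = ""; sub(/^ +/, ""); print }')
                if sslprotocol_is_hardened $args; then verdict=OK; else verdict=WEAK; fi
                printf '%s:%s: %s: SSLProtocol %s -> %s\n' "$f" "$lineno" "$verdict" "$args" "$(sslprotocol_enabled $args)"
            done
        done
    )
    if [ -n "$report" ]; then printf '%s\n' "$report"; fi
    case "$report" in *": WEAK: "*) return 1 ;; *) return 0 ;; esac
}

# Live probe: try each legacy version against a running server; s_client exits 0
# only when the handshake completes. On CentOS 7's OpenSSL 1.0.2 the -ssl3 option
# is absent if the build disabled SSLv3, which simply shows up as "rejected".
probe_tls_versions() {
    local host=${1:-localhost} port=${2:-443} ver
    for ver in ssl3 tls1 tls1_1 tls1_2; do
        if openssl s_client -connect "$host:$port" -servername "$host" "-$ver" </dev/null >/dev/null 2>&1; then
            echo "$ver: accepted"
        else
            echo "$ver: rejected"
        fi
    done
}

# Constructed sample files for a stand-alone demo (NOT real server config):
# a stock-style ssl.conf and a certbot-style options file already hardened.
write_sample_configs() {
    local dir=$1
    cat > "$dir/ssl.conf" <<'EOF'
#   SSL Protocol support:
#   Disable SSLv2 access by default:
SSLProtocol all -SSLv2
EOF
    cat > "$dir/options-ssl-apache.conf" <<'EOF'
SSLEngine on
SSLProtocol -all +TLSv1.2
EOF
}

# Run with --demo to audit the constructed samples; on a real host call e.g.
#   audit_sslprotocol /etc/httpd/conf.d/ssl.conf /etc/letsencrypt/options-ssl-apache.conf
#   probe_tls_versions www.example.com 443
case "${1:-}" in
    --demo) d=$(mktemp -d); write_sample_configs "$d"; audit_sslprotocol "$d"/*.conf; rm -rf "$d" ;;
esac
```

Source the file and call audit_sslprotocol with every file that may carry the directive; a WEAK line means that file still offers SSLv3, TLSv1 or TLSv1.1, and the column after the arrow shows the resulting set. The bare-name rule is the trap worth knowing: SSLProtocol TLSv1.2 TLSv1.3 enables only TLSv1.3, because the second token replaces the first; write +TLSv1.3 to add it.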

5. Disable directory indexing

The public should not be able to see a listing of the files in a web directory. When a directory has no index file and indexing is on, Apache generates a listing automatically, which exposes backups, upload folders, include files and anything else left lying around under the document root, and under any alias that points outside it.

A quick stop-gap is to drop an empty index.html (or index.php) into each directory that must not be listed; the proper fix is to turn indexing off in the configuration.

To do that, add the following to httpd.conf (or to a .htaccess file, if AllowOverride allows Options there):

<Directory "/var/www">
    # no auto-generated listing when a directory has no index file
    Options -Indexes
    AllowOverride All
    # Apache 2.4 access control; the 2.2-style "Order allow,deny" with no Allow line denies every request
    Require all granted
</Directory>

The block above turns off listings for /var/www and every directory below it. Two cautions. First, the original of this guide used "Order allow,deny" on its own, which on 2.4 (via mod_access_compat) rejects every request because no Allow directive matches; use Require as shown. Second, AllowOverride All lets a .htaccess file set Options +Indexes again; on a shared host, grant only the override types users actually need (for example AllowOverride AuthConfig FileInfo Limit) so Options cannot be changed from .htaccess.

7. Disable HTTP dangerous methods/modules

Some HTTP methods serve no purpose on a production site and give attackers something to work with. TRACE echoes the full request back to the client, headers included; combined with a client-side flaw that lets script issue a TRACE, it has been used to read cookies marked HttpOnly (cross-site tracing). TRACK is the IIS equivalent; Apache does not implement it, but the rewrite rule further down blocks it as well. Disable both.

To disable TRACE and TRACK methods, proceed as follows:

a.Open the Apache config file using your favourite editor

[root@serv0-rawle ~]$ vim /etc/httpd/conf/httpd.conf

b. Add the line below

TraceEnable Off

TraceEnable is also valid inside a <VirtualHost> block, so you can set it per vhost the same way. If you prefer to do it with mod_rewrite (loaded by default on CentOS 7), add the following to the vhost config; it answers TRACE and TRACK with 403 Forbidden:

RewriteEngine On
RewriteCond %{REQUEST_METHOD} ^(TRACE|TRACK)$
RewriteRule .* - [F]

c. Verify the Apache config and Restart

[root@serv0-rawle ~]$ apachectl configtest
Syntax OK
[root@serv0-rawle ~]$ systemctl restart httpd

Every loaded module is attack surface. Candidates to drop on a typical site are userdir (serves ~user home directories), include (server-side includes), autoindex (the directory listings from section 5), and mod_status and mod_info if you do not use them. On CentOS 7 modules are loaded from the LoadModule lines in /etc/httpd/conf.modules.d/, so comment out the line for each module you do not need, run the config test and restart; if a site breaks, the module was in use.

8. Install and configure Mod Security and Mod Evasive

ModSecurity is an open-source web application firewall (WAF) that runs as an Apache module; with the OWASP Core Rule Set (the mod_security_crs package) it blocks common injection, XSS and scanner traffic before it reaches the application. mod_evasive rate-limits clients that hammer the same page or site and is a partial defence against brute force and small-scale (D)DoS; it does nothing against a volumetric flood, which has to be absorbed upstream. Both are packaged in EPEL, so enable that repository (the epel-release package) before installing.

To install them, proceed as follows:

a. Run the command below to install Mod Security and Mod Evasive

[root@serv0-rawle ~]$ yum install -y mod_security mod_security_crs mod_evasive

b. Access mod security config file using editor

[root@serv0-rawle ~]$ vim /etc/httpd/conf.d/mod_security.conf

Set SecRuleEngine as follows. On a site that has not run behind a WAF before, start with DetectionOnly instead: the Core Rule Set produces false positives on legitimate application traffic, and that mode logs matches to the audit log without blocking. Switch to On once you have tuned or excluded the offending rules.

SecRuleEngine On

c. Access mod evasive config file

[root@serv0-rawle ~]$ vim /etc/httpd/conf.d/mod_evasive.conf

Check that the config file already begins with the line below. The EPEL package ships it that way, and adding a second copy only triggers a "module already loaded" warning; add it only if it is missing. The same file carries the thresholds that decide when a client is blocked (DOSPageCount, DOSSiteCount, DOSPageInterval, DOSSiteInterval, DOSBlockingPeriod). The defaults are low enough to trip on a page that loads many assets, so tune them, and exempt your own monitoring and load balancers with DOSWhitelist.

LoadModule evasive20_module modules/mod_evasive24.so

d. Test Apache and Restart

[root@serv0-rawle ~]$ apachectl configtest
Syntax OK
[root@serv0-rawle ~]$ systemctl restart httpd
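After the restart you want proof that both modules actually bite. The script below is an added example, not code from the article or from the ModSecurity or mod_evasive projects: it sends a textbook XSS probe that the Core Rule Set should reject, fires a burst of requests to see mod_evasive start answering 403, and summarises which rules fired from ModSecurity's audit log. The target URL http://localhost/ and the audit log path /var/log/httpd/modsec_audit.log are assumptions (the latter is the EPEL package default); the sample audit-log lines it carries are constructed for the demo, with arbitrary rule ids.

```bash
#!/bin/bash
# Added example, not from the original article or the modules' own tooling.
# Smoke-test mod_security (with the CRS) and mod_evasive after the restart.
# Assumptions: the site answers on http://localhost/ and the audit log is
# /var/log/httpd/modsec_audit.log (EPEL default); change as needed.

# mod_security: send a textbook XSS probe in a query parameter. With
# SecRuleEngine On the CRS answers 403; in DetectionOnly mode you get the
# normal page and only the audit log records the match. Prints the status code.
waf_probe() {
    local url=${1:-http://localhost/}
    curl -s -o /dev/null -w '%{http_code}' --get \
        --data-urlencode 'q=<script>alert(1)</script>' "$url"
}

# Tally status codes read one per line on stdin: prints "code count" per code.
tally_status_codes() {
    sort | uniq -c | awk '{ print $2, $1 }'
}

# mod_evasive: fire N requests at one URI as fast as curl can and tally the
# answers. Once the client passes DOSPageCount hits on that URI within
# DOSPageInterval seconds, the rest come back 403 for DOSBlockingPeriod seconds.
burst_probe() {
    local url=${1:-http://localhost/} n=${2:-50} i
    for i in $(seq "$n"); do
        curl -s -o /dev/null -w '%{http_code}\n' "$url"
    done | tally_status_codes
}

# Summarise which rules fired from mod_security audit-log lines on stdin.
# Matching lines carry [id "NNNNNN"] and [msg "..."]; prints
# "hits id message", most frequent first.
modsec_rule_hits() {
    sed -n 's/.*\[id "\([0-9]*\)"\].*\[msg "\([^"]*\)"\].*/\1 \2/p' |
    sort | uniq -c | sort -rn |
    awk '{ hits = $1; $1 = ""; sub(/^ +/, ""); print hits, $0 }'
}

# Constructed sample audit-log lines for a stand-alone run (ids, file names
# and messages are illustrative only, not real CRS rules).
sample_audit_log() {
    cat <<'EOF'
Message: Access denied with code 403 (phase 2). Pattern match "..." at ARGS:q. [file "/etc/httpd/modsecurity.d/local_rules.conf"] [line "12"] [id "900001"] [msg "XSS probe in query string"] [severity "CRITICAL"]
Message: Warning. Pattern match "..." at REQUEST_HEADERS:User-Agent. [file "/etc/httpd/modsecurity.d/local_rules.conf"] [line "4"] [id "900002"] [msg "Scanner user agent"] [severity "WARNING"]
Message: Access denied with code 403 (phase 2). Pattern match "..." at ARGS:q. [file "/etc/httpd/modsecurity.d/local_rules.conf"] [line "12"] [id "900001"] [msg "XSS probe in query string"] [severity "CRITICAL"]
EOF
}

# Usage against a real server:
#   waf_probe http://localhost/; echo          # expect 403 with SecRuleEngine On
#   burst_probe http://localhost/ 50           # expect a mix of 200 and 403
#   modsec_rule_hits < /var/log/httpd/modsec_audit.log
```

Read the burst tally together with your DOS* thresholds: if all 50 requests come back 200, either the page count threshold is higher than the burst or the client address is whitelisted. A WAF probe that returns 200 while the audit log shows the rule means you are still in DetectionOnly mode.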

9. Restrict Apache Version display

You can use curl to view the Apache version as follows:

[root@serv0-rawle ~]$ curl -I http://localhost
HTTP/1.1 302 Found
Date: Tue, 17 Dec 2019 06:42:21 GMT
Server: Apache/2.4.41 (Unix) OpenSSL/1.1.1d mod_perl/2.0.8-dev Perl/v5.16.3
Location: http://localhost/dashboard/
Content-Type: text/html; charset=UTF-8

Everything after "Apache/" is a gift to an attacker: exact httpd and OpenSSL versions, the OS and the loaded modules narrow the search for a working exploit. Hiding it fixes nothing by itself, so treat it as hygiene that complements the updates in section 1, not as a substitute for them. ServerTokens Prod trims the header to "Apache"; Apache offers no directive to remove the header entirely.

To hide this, proceed as follows:

a. Access Apache config files using your favourite editor

[root@serv0-rawle ~]$ vim /etc/httpd/conf/httpd.conf

b. Find the ServerSignature and ServerTokens directives and set them as follows

ServerSignature Off
ServerTokens Prod

c. Restart Apache

[root@serv0-rawle mwabini]# systemctl restart httpd

d. Test the new response

[root@serv0-rawle mwabini]# curl -I http://localhost
HTTP/1.1 302 Found
Date: Tue, 17 Dec 2019 06:49:19 GMT
Server: Apache
Location: http://localhost/dashboard/
Content-Type: text/html; charset=UTF-8
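The curl checks above cover one header at a time. The script below is an added example, not code from the article: it audits a captured response (the raw output of curl -I, read from stdin) for the three things sections 3, 7 and 9 change, namely a preload-eligible Strict-Transport-Security header, a Server header reduced to "Apache", and a TRACE request that is refused, and wraps the checks in a live run against a server. The hostname in audit_live is an assumption; the before/after responses used in the usage note are the ones printed in this section plus a constructed hardened reply.

```bash
#!/bin/bash
# Added example, not from the original article: check the response headers the
# sections above change (HSTS, Server, TRACE) from a captured "curl -I" response,
# plus a live wrapper. The hostname is an assumption; point it at your own server.

# Print the value of one header (name matched case-insensitively) from raw
# response headers on stdin; empty output if the header is absent.
header_value() {
    grep -i "^$1:" | head -n1 | cut -d: -f2- | tr -d '\r' |
    sed 's/^[[:space:]]*//; s/[[:space:]]*$//'
}

# Check a Strict-Transport-Security value against what the preload list needs:
# max-age of at least 31536000 (one year), includeSubDomains and preload.
# Prints one finding per line; returns 1 if anything is missing or too short.
check_hsts() {
    local value=$1 lower max_age rc=0
    if [ -z "$value" ]; then
        echo "HSTS: header missing"
        return 1
    fi
    lower=$(printf '%s' "$value" | tr 'A-Z' 'a-z' | tr -d ' ')
    max_age=$(printf '%s' "$lower" | tr ';' '\n' | sed -n 's/^max-age=//p' | head -n1)
    case "$max_age" in
        '')       echo "HSTS: max-age missing"; rc=1 ;;
        *[!0-9]*) echo "HSTS: max-age is not a number ($max_age)"; rc=1 ;;
        *) if [ "$max_age" -lt 31536000 ]; then
               echo "HSTS: max-age $max_age is under one year (31536000), not preload-eligible"; rc=1
           fi ;;
    esac
    case "$lower" in *includesubdomains*) ;; *) echo "HSTS: includeSubDomains missing"; rc=1 ;; esac
    case "$lower" in *preload*) ;; *) echo "HSTS: preload directive missing"; rc=1 ;; esac
    if [ "$rc" -eq 0 ]; then echo "HSTS: ok ($value)"; fi
    return "$rc"
}

# With "ServerTokens Prod" the Server header is exactly "Apache"; anything with a
# version, OS or module list is a leak. An absent header means a proxy or another
# module stripped it, which is fine.
check_server_header() {
    case "$1" in
        '')     echo "Server: header absent"; return 0 ;;
        Apache) echo "Server: ok ($1)"; return 0 ;;
        *)      echo "Server: leaks details ($1)"; return 1 ;;
    esac
}

# Run both checks over raw response headers on stdin; returns 1 on any finding.
audit_response() {
    local raw rc=0
    raw=$(cat)
    check_hsts "$(printf '%s\n' "$raw" | header_value Strict-Transport-Security)" || rc=1
    check_server_header "$(printf '%s\n' "$raw" | header_value Server)" || rc=1
    return "$rc"
}

# A TRACE request must not get 200: "TraceEnable Off" answers 405, the
# RewriteRule variant answers 403, and Apache's default handler answers an
# unimplemented method such as TRACK with 501.
trace_blocked() {
    case "$1" in 403|405|501) return 0 ;; *) return 1 ;; esac
}

# Live run against a server (hostname assumed): headers over HTTPS, then TRACE.
audit_live() {
    local host=${1:-localhost} code
    curl -sI "https://$host/" | audit_response
    code=$(curl -s -o /dev/null -w '%{http_code}' -X TRACE "https://$host/")
    if trace_blocked "$code"; then echo "TRACE: blocked ($code)"; else echo "TRACE: still enabled ($code)"; fi
}
```

Feeding it the "before" response printed above yields two findings (no HSTS header, a Server header full of version details); a hardened reply whose Server header is just "Apache" and whose HSTS value is "max-age=31536000; includeSubDomains; preload" passes clean. Note that the HSTS header is only expected on the HTTPS response, which is why audit_live fetches over https://.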

10. Harden against DDOS attacks

Several core directives bound how long one client can occupy a worker, which blunts slow-request and connection-exhaustion attacks to a degree: Timeout (how long Apache waits for I/O on a connection), KeepAliveTimeout (how long an idle keep-alive connection stays open; keep it to a few seconds), MaxRequestWorkers (called MaxClients before 2.4; the ceiling on simultaneous connections the MPM will serve, sized to your RAM so the box does not swap), LimitRequestFields and LimitRequestFieldSize (the number and size of request headers accepted), and LimitRequestBody (the largest request body accepted). Against slow-header attacks such as Slowloris, mod_reqtimeout's RequestReadTimeout directive caps how long a client may take to send its headers and body. None of this stops a volumetric flood; that has to be filtered upstream, at the network edge or by a CDN.

If we’ve missed anything, let us know via the comments section below.
