Tips to secure Apache web server on CentOS / RHEL / Oracle Linux
Below are some of the best practices verified by the Apstia Security and Performance Team to secure and fine-tune an Apache server.
(A) Hide the Apache version
After installing Apache, the first exposure to deal with is the server information it publishes: once the exact server version is known, an attacker can pick the method that fits it. Hide this information whenever you install a server. The commands below hide your Apache server's identity.
sed -i 's/^ServerTokens OS$/ServerTokens Prod/' /etc/httpd/conf/httpd.conf
sed -i 's/^ServerSignature On$/ServerSignature Off/' /etc/httpd/conf/httpd.conf
If ServerTokens or ServerSignature is not present in your httpd.conf file, add it with the commands below.
echo 'ServerTokens Prod' >> /etc/httpd/conf/httpd.conf
echo 'ServerSignature Off' >> /etc/httpd/conf/httpd.conf
(B) Always use a canonical name for your virtual hosts
Many sites map a variety of hostnames to the same content. For example, apstia.com, www.apstia.com and www.apstia.in may all refer to the same site. It is best to make sure that, regardless of the name clients use to access the site, they are redirected to a single, canonical hostname, preferably without "www.". This makes the site easier to maintain and ensures that there is only one version of the site in proxy caches and search engines. With UseCanonicalName On, Apache always uses the ServerName of your primary domain for the virtual host, even when you also have several ServerAlias names pointing at it. Enable it with the command below:
echo 'UseCanonicalName On' >> /etc/httpd/conf/httpd.conf
(C) Always disable tracing of your Apache server's requests.
Disabling TRACE and TRACK on Apache, which PCI scanners report under findings such as "Web Server HTTP TRACE / TRACK Method Support" and "Cross-Site Tracing Vulnerability", is surprisingly easy. The important thing to understand is that if you run Apache and this finding shows up in a scan, you can be sure that TRACK is not the problem; TRACE is.
HTTP TRACK is Microsoft's IIS equivalent of TRACE, and Apache does not implement it at all. Neither method has a legitimate use on a production server; only attackers, worms and vulnerability scanners send them.
echo 'TraceEnable Off' >> /etc/httpd/conf/httpd.conf
(D) Turn off directory listing
In Apache, indexing is a default behaviour: when a directory has no default index file such as index.php or index.html, Apache displays a listing of its contents. In a production environment this directory browsing is not recommended, as it leaks information that helps attackers work out how a website or web application is organised and so enlarges the attack surface. The fix is below.
You need to add the following line to every Directory block, whether in httpd.conf or in a virtual host configuration file:
Options -Indexes
Example (replace /path/to/docroot with your document root):
<Directory "/path/to/docroot">
    Options -Indexes
    AllowOverride None
    Require all granted
</Directory>
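As an added example (not from the article or from Apstia), the shell script below checks a httpd.conf for the settings from sections A to D without restarting anything: it reads the last uncommented value of ServerTokens, ServerSignature, UseCanonicalName and TraceEnable, falling back to the Apache defaults when a directive is absent, and flags any Options line that still enables Indexes (directly, with +Indexes, or through All). It runs against two constructed sample configs written to temporary files; on a real server point audit_httpd_conf at /etc/httpd/conf/httpd.conf and at each file under conf.d.

```sh
#!/bin/sh
# Added example, not part of the original article: audit an httpd.conf fragment for
# the settings from sections A to D before restarting httpd. Apache keeps the last
# uncommented occurrence of a directive in a given context, so the audit reads the
# last value it sees; a directive that never appears gets the Apache default
# (ServerTokens Full, ServerSignature Off, UseCanonicalName Off, TraceEnable On).

# Print the value of the last uncommented occurrence of a directive, or the default.
effective_value() {
    awk -v d="$2" -v def="$3" '
        tolower($1) == tolower(d) { v = $2 }
        END { print (v == "" ? def : v) }' "$1"
}

# Exit 0 if any uncommented Options line turns on Indexes (Indexes, +Indexes or All).
indexes_enabled() {
    awk 'tolower($1) == "options" {
             for (i = 2; i <= NF; i++)
                 if ($i == "Indexes" || $i == "+Indexes" || $i == "All" || $i == "+All") found = 1
         }
         END { exit (found ? 0 : 1) }' "$1"
}

# Print one line per finding; a compliant file produces no output.
audit_httpd_conf() {
    conf=$1
    v=$(effective_value "$conf" ServerTokens Full)
    [ "$v" = "Prod" ] || echo "ServerTokens is $v, want Prod"
    v=$(effective_value "$conf" ServerSignature Off)
    [ "$v" = "Off" ] || echo "ServerSignature is $v, want Off"
    v=$(effective_value "$conf" UseCanonicalName Off)
    [ "$v" = "On" ] || echo "UseCanonicalName is $v, want On"
    v=$(effective_value "$conf" TraceEnable On)
    [ "$v" = "Off" ] || echo "TraceEnable is $v, want Off"
    indexes_enabled "$conf" && echo "an Options line enables Indexes, want -Indexes"
    return 0
}

# Constructed sample configs (not taken from any real server).
WEAK_CONF=$(mktemp)
HARDENED_CONF=$(mktemp)
trap 'rm -f "$WEAK_CONF" "$HARDENED_CONF"' EXIT
cat > "$WEAK_CONF" <<'EOF'
ServerTokens OS
ServerSignature On
#TraceEnable Off
<Directory "/var/www/html">
    Options Indexes FollowSymLinks
    AllowOverride None
    Require all granted
</Directory>
EOF
cat > "$HARDENED_CONF" <<'EOF'
ServerTokens Prod
ServerSignature Off
UseCanonicalName On
TraceEnable Off
<Directory "/var/www/html">
    Options -Indexes
    AllowOverride None
    Require all granted
</Directory>
EOF

echo "== weak config =="
audit_httpd_conf "$WEAK_CONF"
echo "== hardened config (no output means clean) =="
audit_httpd_conf "$HARDENED_CONF"
```

The audit is deliberately flat: it does not model Directory or VirtualHost scoping, so a -Indexes in one block and a bare Indexes in another are both simply reported and left for you to resolve.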
(E) Disable unnecessary modules
The Apstia Security and Performance teams, after analysing almost 5000 servers, found that most customers do not disable the modules that were installed by default, and often are not even aware of which modules are in use and which are not. This is both a security concern and a performance issue. It is always good to reduce the chance of becoming the victim of a web attack.
From that analysis we have identified some modules that are not used in most cases, but we suggest going through every module on your Apache server, disabling them one by one and checking that your application or website still works properly.
Risk :- Your website / application may not function as expected, but once you have settled on the modules you need and disabled the rest you should be good to go.
sed -i \
  -e 's~^\(LoadModule .*\)$~#\1~' \
  -e 's~^#LoadModule mime_module ~LoadModule mime_module ~' \
  -e 's~^#LoadModule log_config_module ~LoadModule log_config_module ~' \
  -e 's~^#LoadModule setenvif_module ~LoadModule setenvif_module ~' \
  -e 's~^#LoadModule status_module ~LoadModule status_module ~' \
  -e 's~^#LoadModule authz_host_module ~LoadModule authz_host_module ~' \
  -e 's~^#LoadModule authz_core_module ~LoadModule authz_core_module ~' \
  -e 's~^#LoadModule unixd_module ~LoadModule unixd_module ~' \
  -e 's~^#LoadModule headers_module ~LoadModule headers_module ~' \
  -e 's~^#LoadModule dir_module ~LoadModule dir_module ~' \
  -e 's~^#LoadModule alias_module ~LoadModule alias_module ~' \
  -e 's~^#LoadModule expires_module ~LoadModule expires_module ~' \
  -e 's~^#LoadModule deflate_module ~LoadModule deflate_module ~' \
  /etc/httpd/conf.modules.d/00-base.conf
Note :- The first expression comments out every LoadModule line in 00-base.conf and the following ones re-enable the modules to keep. unixd_module, authz_core_module and headers_module are kept as well: httpd 2.4 will not start without mod_unixd (User and Group directives) and mod_authz_core (Require directives), and the Header directives used in sections J and L need mod_headers. Run apachectl configtest before restarting httpd.
mv /etc/httpd/conf.modules.d/00-dav.conf /etc/httpd/conf.modules.d/00-dav.conf.bk
mv /etc/httpd/conf.modules.d/00-lua.conf /etc/httpd/conf.modules.d/00-lua.conf.bk
You can also list all modules currently loaded on your server with the command below.
apachectl -M
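An added example (not from the article) that complements apachectl -M: the script parses that listing, reports every dynamically loaded module that is not on an allowlist, and shows which file under conf.modules.d loads a given module so you know what to comment out or rename. The allowlist, the apachectl -M output and the conf.modules.d directory used here are all constructed; on a real server run apachectl -M | review_modules and loaded_from dav_module /etc/httpd/conf.modules.d.

```sh
#!/bin/sh
# Added example, not part of the original article: compare the modules httpd has
# actually loaded (the `apachectl -M` listing) against an allowlist, and locate the
# conf.modules.d file that loads any module you decide to drop.

# Allowlist: the modules the sed command above keeps, plus unixd_module and
# authz_core_module (httpd 2.4 needs them for User/Group and Require),
# headers_module (the Header directives in sections J and L), and the MPM and
# systemd modules that CentOS loads from 00-mpm.conf and 00-systemd.conf.
ALLOWED_MODULES="mime_module log_config_module setenvif_module status_module
authz_host_module authz_core_module unixd_module headers_module dir_module
alias_module expires_module deflate_module mpm_prefork_module systemd_module"

# Read `apachectl -M` output on stdin and print each dynamically loaded module
# that is not on the allowlist. Static modules are compiled in and cannot be
# removed by editing LoadModule lines, so they are skipped.
review_modules() {
    awk -v allowed="$ALLOWED_MODULES" '
        BEGIN { n = split(allowed, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        /^ *[a-z0-9_]+_module \((shared|static)\)/ {
            if ($2 == "(static)") next
            if (!($1 in ok)) print $1
        }'
}

# Print the conf.modules.d file whose uncommented LoadModule line loads a module,
# so you know which file to edit or rename.
loaded_from() {
    grep -El "^[[:space:]]*LoadModule[[:space:]]+$1[[:space:]]" "$2"/*.conf \
        || echo "$1: no LoadModule line found under $2"
}

# Constructed `apachectl -M` output (not captured from a real server).
SAMPLE_APACHECTL_M='Loaded Modules:
 core_module (static)
 so_module (static)
 http_module (static)
 mpm_prefork_module (shared)
 unixd_module (shared)
 authz_core_module (shared)
 authz_host_module (shared)
 mime_module (shared)
 log_config_module (shared)
 dir_module (shared)
 alias_module (shared)
 dav_module (shared)
 dav_fs_module (shared)
 lua_module (shared)
 userdir_module (shared)
 cgi_module (shared)'

# Constructed conf.modules.d directory with two files.
MODDIR=$(mktemp -d)
trap 'rm -rf "$MODDIR"' EXIT
cat > "$MODDIR/00-base.conf" <<'EOF'
LoadModule mime_module modules/mod_mime.so
#LoadModule userdir_module modules/mod_userdir.so
EOF
cat > "$MODDIR/00-dav.conf" <<'EOF'
LoadModule dav_module modules/mod_dav.so
LoadModule dav_fs_module modules/mod_dav_fs.so
EOF

echo "== modules to review =="
printf '%s\n' "$SAMPLE_APACHECTL_M" | review_modules
echo "== where dav_module comes from =="
loaded_from dav_module "$MODDIR"
```

The listing is what matters, not the config files: a module loaded by a file you forgot about (conf.d, a third-party package) still shows up in apachectl -M and therefore in the review output.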
(F) Disable Apache language-based content negotiation (MultiViews)
To remove it, use the command below:
sed -i \
  -e 's~^LanguagePriority \(.*\)$~#LanguagePriority \1~' \
  -e 's~^ForceLanguagePriority \(.*\)$~#ForceLanguagePriority \1~' \
  -e 's~^AddLanguage \(.*\)$~#AddLanguage \1~' \
  /etc/httpd/conf/httpd.conf
Alternatively, add the line below to httpd.conf and to your virtual host files.
Options -MultiViews
Or you can disable the negotiation module altogether if the server is for your own use rather than shared hosting.
(G) Turn off Server-Side Includes (SSI) execution
Server Side Includes (SSI) were introduced by Apache to let you include files in your web pages. They are mainly used to process dynamic content and to reuse HTML code. For example, you can create a navigation bar or footer for your website, place it in a separate file and include it in all your web pages. But this can also open the server to attack.
For example, an SSI directive can execute a command that lists the contents of the current directory, and equally one that deletes every file and directory in the current working directory, without any console or SSH access.
To disable Server-Side Includes, follow the same method used for directory indexing and add -Includes at the end of the Options line, for example:
Options -Indexes -Includes
(H) Turn off Common Gateway Interface (CGI) execution
CGI (Common Gateway Interface) defines a way for a web server to interact with external content-generating programs, which are often referred to as CGI programs or CGI scripts. It is a simple way to put dynamic content on your web site, using whatever programming language you are most familiar with. It also brings a potential security risk.
Example: suppose our website is written in PHP and an attacker wants to execute a Perl script on the server. As Perl is installed by default on Linux servers, that script can be executed easily if CGI execution is allowed.
We can prevent execution of such programs by disabling CGI with the same method used for Server-Side Includes, adding -ExecCGI at the end of the Options line:
Options -Indexes -Includes -ExecCGI
(I) Limit request size
The LimitRequestBody directive restricts the total size of the HTTP request body sent by the client. It takes a number of bytes from 0 (meaning unlimited) to 2147483647 (2 GB). You can set it in server, per-directory, per-file or per-location context.
By default Apache does not restrict the HTTP request body size, which lets an attacker send very large amounts of data to the server.
You can limit the request body size with the LimitRequestBody directive inside a Directory block. This helps protect the web server from denial-of-service (DoS) attacks. Add the line below to the Directory section of httpd.conf or of your virtual host file:
LimitRequestBody 5242880
Note :- LimitRequestBody takes bytes, so convert your desired limit to bytes (5242880 bytes is 5 MB).
(J) Secure Apache from clickjacking attacks
Clickjacking is an interface-based attack in which a user is tricked into clicking actionable content on a hidden site by clicking on some other content on a fraudulent (decoy) site.
Below is one example:
A web user visits a decoy site (perhaps through a link in an e-mail) and clicks a button to win a prize. Unknowingly, they have been deceived by an attacker into clicking a different, hidden button, and this results in a payment from an account on another website; that account is the clickjacking target. The technique relies on embedding an invisible, actionable web page (or several pages) containing a button or hidden link, say inside an iframe, which is overlaid on the decoy page content the user expects to see. This attack differs from a CSRF attack in that the user is required to perform an action such as a button click, whereas a CSRF attack relies on forging a whole request without the user's knowledge or involvement.
Figure legend: green = original website, red = fraudulent (decoy) website.
Method to prevent this
Add the line below at the end of httpd.conf (it needs mod_headers, which CentOS loads from conf.modules.d/00-base.conf):
Header always set X-Frame-Options "SAMEORIGIN"
(K) Disable ETag
The ETag response header lets browsers make conditional requests and perform cache validation efficiently. On the other hand, it poses a security concern if it leaks information through your code, and it can contribute to cache-poisoning attacks against your website. So it is better to disable ETag if your website does not need it.
Add the following line in httpd.conf at the end:
FileETag None
(L) Secure Apache from XSS attacks
Cross-site Scripting (XSS) attacks are a type of injection in which malicious scripts are injected into otherwise benign and trusted websites. XSS attacks occur when an attacker uses a web application to send malicious code, generally in the form of a browser-side script, to a different end user. Flaws that allow these attacks to succeed are quite widespread and occur anywhere a web application uses input from a user in the output it generates without validating or encoding it.
XSS can be used to send a malicious script to an unsuspecting user's browser. The end user's browser has no way to know that the script should not be trusted, and will execute it. The malicious script can access session tokens, cookies or other sensitive information retained by the browser and used with that site. These scripts can even rewrite the content of the HTML page.
Add the following lines at the end of httpd.conf to mitigate this. Note that current browsers no longer implement the X-XSS-Protection filter, so that header is harmless legacy; the HttpOnly and Secure cookie flags are the part that still matters.
Header set X-XSS-Protection "1; mode=block"
Header edit Set-Cookie ^(.*)$ $1;HttpOnly;Secure
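An added example (not from the article) that checks the result of sections A, J, K and L from the outside: given captured response headers, such as the output of curl -sI against your own host, it reports a Server header that still shows a version, an ETag, a missing X-Frame-Options or X-XSS-Protection header, and Set-Cookie values without HttpOnly or Secure. It also reproduces with sed what the Header edit Set-Cookie line above does to each cookie, so the before and after can be compared. The response below is constructed, not captured from any real host.

```sh
#!/bin/sh
# Added example, not part of the original article: audit a captured HTTP response
# (for example the output of `curl -sI https://your-host/`) for the headers that
# sections A, J, K and L configure, and show what the Set-Cookie rewrite does.

# Read raw response headers on stdin and print one finding per line.
audit_response_headers() {
    tr -d '\r' | awk '
        NR == 1 { next }                         # status line
        {
            idx = index($0, ":"); if (idx == 0) next
            name = tolower(substr($0, 1, idx - 1))
            value = substr($0, idx + 1); sub(/^[ \t]+/, "", value)
            seen[name] = 1
            if (name == "server" && value ~ /[0-9]/)
                print "Server header reveals a version: " value " (set ServerTokens Prod)"
            if (name == "etag")
                print "ETag present: " value " (set FileETag None)"
            if (name == "set-cookie") {
                lv = tolower(value)
                if (lv !~ /(^|; *)httponly *(;|$)/) print "cookie without HttpOnly: " value
                if (lv !~ /(^|; *)secure *(;|$)/)   print "cookie without Secure: " value
            }
        }
        END {
            if (!("x-frame-options" in seen))  print "X-Frame-Options missing (clickjacking not mitigated)"
            if (!("x-xss-protection" in seen)) print "X-XSS-Protection missing"
        }'
}

# Reproduce, on a captured response, the rewrite that
#   Header edit Set-Cookie ^(.*)$ $1;HttpOnly;Secure
# performs on the server: every Set-Cookie value gets ";HttpOnly;Secure" appended,
# including cookies that already carry the flags (harmless duplicate attributes).
apply_cookie_flags() {
    tr -d '\r' | sed -E 's/^(Set-Cookie: .*)$/\1;HttpOnly;Secure/'
}

# Constructed response (not captured from a real host).
SAMPLE_RESPONSE='HTTP/1.1 200 OK
Date: Mon, 01 Jan 2024 00:00:00 GMT
Server: Apache/2.4.6 (CentOS)
ETag: "2d-5a1c8f8e3b2c0"
Set-Cookie: PHPSESSID=constructedvalue; path=/
Set-Cookie: lang=en; path=/; HttpOnly; Secure
Content-Type: text/html; charset=UTF-8'

echo "== findings on the captured response =="
printf '%s\n' "$SAMPLE_RESPONSE" | audit_response_headers
echo "== findings after the Set-Cookie rewrite =="
printf '%s\n' "$SAMPLE_RESPONSE" | apply_cookie_flags | audit_response_headers
```

The Server check treats any digit in the header value as a version leak, so "Apache/2.4.6 (CentOS)" is reported while the "Apache" that ServerTokens Prod produces is not.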
(M) Disable SSLv2 and SSLv3
Both Secure Sockets Layer (SSL) and Transport Layer Security (TLS) are cryptographic protocols that provide communication security over a network, for example when an end user connects to a server. A "handshake" is performed at the beginning of a TLS or SSL connection. During the handshake the client and server agree on ciphers and hash algorithms supported by both parties, and the server presents its digital certificate to the connecting client.
TLS is the successor of SSL. Over the years vulnerabilities have been, and continue to be, identified in the older SSL and TLS protocols. For this reason you should disable SSLv2, SSLv3, TLS 1.0 and TLS 1.1 in your server configuration, leaving only TLS 1.2 and 1.3 enabled.
To disable all the older SSL and TLS versions, set the line below in httpd.conf or ssl.conf. TLSv1.3 requires httpd built against OpenSSL 1.1.1 or newer; on older builds leave out +TLSv1.3, otherwise httpd rejects the directive as an illegal protocol.
SSLProtocol -all +TLSv1.2 +TLSv1.3
(N) Disable null and weak SSL/TLS ciphers
An SSL cipher is the encryption algorithm two computers agree on over the network to turn plaintext into ciphertext.
How well the data is actually protected depends on your server's cipher configuration together with a strong protocol.
It is therefore very important to configure the cipher suite and to enable only TLS 1.2 and TLS 1.3 (see section M), which are stronger and not known to be vulnerable.
To disable the older and weaker ciphers, set the following at the end of httpd.conf or ssl.conf:
SSLCipherSuite HIGH:!aNULL:!eNULL:!EXP:!LOW:!MD5:!RC4:!3DES
Note :- The widely copied string ALL:!aNULL:!ADH:!eNULL:!LOW:!EXP:RC4+RSA:+HIGH:+MEDIUM still allows RC4 and 3DES, both considered broken, so they are excluded explicitly here. You can see exactly which ciphers a string expands to with openssl ciphers -v 'HIGH:!aNULL:!eNULL:!EXP:!LOW:!MD5:!RC4:!3DES' on the server.
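An added example (not from the article) for sections M and N: the script evaluates an SSLProtocol argument list the way mod_ssl reads it (left to right, with +, - and bare words meaning different things) and runs a static check over an SSLCipherSuite string for weak aliases that are either enabled explicitly or never excluded. The expansion of all is an assumption stated in the code; the authoritative check remains openssl ciphers -v on the server itself.

```sh
#!/bin/sh
# Added example, not part of the original article: evaluate the SSLProtocol and
# SSLCipherSuite values from sections M and N statically, before restarting httpd.

# Assumption: "all" expands to these protocols. The real set depends on the OpenSSL
# build httpd links against (SSLv2 is gone from current builds, TLSv1.3 needs
# OpenSSL 1.1.1 or newer), so treat the result as a reading aid.
ALL_PROTOCOLS="SSLv3 TLSv1 TLSv1.1 TLSv1.2 TLSv1.3"

# Print the protocol set an SSLProtocol argument list enables. mod_ssl walks the
# words left to right: "+X" adds X, "-X" removes X, and a bare word replaces the
# whole set, which is why "all -SSLv3" and "-all +TLSv1.2" read so differently.
effective_protocols() {
    printf '%s\n' "$*" | awk -v all="$ALL_PROTOCOLS" '
        function set_all(v,  k) { for (k = 1; k in a; k++) on[a[k]] = v }
        function canon(w,  k) { for (k = 1; k in a; k++) if (tolower(a[k]) == tolower(w)) return a[k]; return "" }
        BEGIN { split(all, a, " ") }
        {
            for (i = 1; i <= NF; i++) {
                w = $i; act = substr(w, 1, 1)
                if (act == "+" || act == "-") w = substr(w, 2)
                else { act = "="; set_all(0) }            # bare word: start from an empty set
                if (tolower(w) == "all") set_all(act != "-")
                else if ((c = canon(w)) != "") on[c] = (act != "-")
                else print "unknown protocol token: " $i > "/dev/stderr"
            }
        }
        END {
            out = ""
            for (k = 1; k in a; k++) if (on[a[k]]) out = out (out == "" ? "" : " ") a[k]
            print out
        }'
}

# Print the enabled protocols that section M says to switch off (anything below TLS 1.2).
weak_protocols_enabled() {
    out=""
    for p in $(effective_protocols "$@"); do
        case $p in TLSv1.2|TLSv1.3) ;; *) out="$out${out:+ }$p" ;; esac
    done
    printf '%s\n' "$out"
}

# OpenSSL cipher-string aliases that should never survive in a production list.
WEAK_CIPHER_ALIASES="RC4 3DES MD5 EXP LOW aNULL eNULL"

# Static check of an SSLCipherSuite string: a weak alias is reported if a token
# enables it explicitly (alone or inside a "+"-joined group such as RC4+RSA) or if
# nothing excludes it with "!alias". This is a heuristic over the tokens; the
# authoritative expansion is `openssl ciphers -v 'STRING'` on the server itself.
cipher_string_issues() {
    printf '%s\n' "$1" | awk -F: -v weak="$WEAK_CIPHER_ALIASES" '
        BEGIN { nw = split(weak, w, " ") }
        {
            for (i = 1; i <= NF; i++) {
                tok = $i; first = substr(tok, 1, 1)
                if (first == "!") { excluded[substr(tok, 2)] = 1; continue }
                if (first == "-") continue             # removed, but may be re-added later
                if (first == "+") tok = substr(tok, 2) # "+" only reorders
                np = split(tok, parts, "[+]")
                for (j = 1; j <= np; j++) explicit[parts[j]] = $i
            }
        }
        END {
            for (k = 1; k <= nw; k++) {
                if (w[k] in explicit) print w[k] " explicitly allowed by token " explicit[w[k]]
                else if (!(w[k] in excluded)) print w[k] " not excluded (add !" w[k] ")"
            }
        }'
}

echo "SSLProtocol -all +TLSv1.2 +TLSv1.3 enables: $(effective_protocols -all +TLSv1.2 +TLSv1.3)"
echo "SSLProtocol all -SSLv3 still allows: $(weak_protocols_enabled all -SSLv3)"
echo "== issues in the legacy cipher string =="
cipher_string_issues 'ALL:!aNULL:!ADH:!eNULL:!LOW:!EXP:RC4+RSA:+HIGH:+MEDIUM'
echo "== issues in the hardened cipher string (none expected) =="
cipher_string_issues 'HIGH:!aNULL:!eNULL:!EXP:!LOW:!MD5:!RC4:!3DES'
```

The cipher check only looks at the string's tokens; it does not know, for example, that !LOW already removes single DES, which is why DES is deliberately not on its list, and it cannot tell which of the surviving suites your OpenSSL build actually offers.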
(O) Always stay updated
With technology moving as fast as it does, it is very important to keep the server updated frequently; otherwise an unpatched vulnerability can turn into a major security issue.