
Apache Web Server Security and Hardening Tips
Written by Alex

Introduction

Apache is the most widely used web server in the world, and that popularity also makes it one of the most frequently attacked. This article collects Apache web server security and hardening tips.
Because the web server is a critical part of the system, securing it is our responsibility. We will also cover Apache security headers.
Below are the steps to secure the web server.

Apache Web Security and Hardening Tips

Hide Apache Version and OS Identity from Errors.

When you install Apache from a package manager such as yum, the error pages display the Apache version installed on your server together with the name of the operating system. The response headers also reveal which Apache modules are installed.

This tells an attacker exactly which version-specific weaknesses to try against your server, so the Apache version should be hidden from the outside world.

[Image: Apache error page showing the Apache version and the server OS]

In the picture above, Apache shows its version together with the OS installed on the server. This is a major security threat to your web server and your OS.

To stop Apache from displaying this information to the world, we need to make a few changes in the Apache configuration file.

# vim /etc/httpd/conf/httpd.conf  (RHEL/CentOS/Fedora)
# vim /etc/apache2/apache2.conf  (Debian/Ubuntu)

Add the following directives to the config file.

ServerSignature Off
ServerTokens Prod

Now restart the Apache service with the commands below.

# service httpd restart  (RHEL/CentOS/Fedora)
# service apache2 restart  (Debian/Ubuntu)

Disable Directory Listing

By default Apache lists all the contents of the document root directory. For example, see the image below.

[Image: Apache directory listing of the document root]

We can turn off directory listing with the Options directive in the configuration file. For that, we need to add an entry to httpd.conf or apache2.conf.

# vi /etc/httpd/conf/httpd.conf

Add the following settings to the configuration file:

<Directory /var/www/html>
Options -Indexes
</Directory>
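The two settings above are easy to lose track of in a large httpd.conf. The following Python script is an example added here (not Apache tooling and not part of the original article): it audits a configuration for ServerTokens, ServerSignature and per-directory Indexes, reading a constructed sample configuration.

```python
import re

# Constructed sample httpd.conf with the weak settings this article warns about:
# version disclosure left on and a Directory block that still lists its files.
SAMPLE_CONF = """
ServerTokens OS
ServerSignature On
<Directory /var/www/html>
    Options Indexes FollowSymLinks
</Directory>
<Directory "/var/www/secure">
    Options -Indexes +FollowSymLinks
</Directory>
"""

def audit_httpd_conf(text):
    """Return findings for version disclosure and directory listing."""
    findings = []
    server_tokens = server_signature = None
    current_dir = None                                # Directory block we are inside
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):          # skip blanks and comments
            continue
        m = re.match(r'<Directory\s+"?([^">]+)"?\s*>', line, re.IGNORECASE)
        if m:
            current_dir = m.group(1).strip()
            continue
        if line.lower().startswith("</directory>"):
            current_dir = None
            continue
        parts = line.split()
        directive, args = parts[0].lower(), parts[1:]
        if directive == "servertokens" and args:
            server_tokens = args[0]
        elif directive == "serversignature" and args:
            server_signature = args[0]
        elif directive == "options" and current_dir:
            # "Indexes", "+Indexes" or "All" enables listing; "-Indexes" removes it.
            if any(a.lower() in ("indexes", "+indexes", "all") for a in args):
                findings.append(f"{current_dir}: directory listing enabled "
                                f"(Options {' '.join(args)})")
    # ServerTokens defaults to Full when unset; ServerSignature defaults to Off.
    if (server_tokens or "Full").lower() != "prod":
        findings.append(f"ServerTokens is {server_tokens or 'unset (Full)'}; "
                        "set ServerTokens Prod")
    if server_signature and server_signature.lower() != "off":
        findings.append(f"ServerSignature is {server_signature}; set ServerSignature Off")
    return findings
```

Run it against a real httpd.conf by passing the file contents to audit_httpd_conf; an empty list means both hardening settings are in place.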

Apache Web Security and Hardening Tips (Implement Apache security headers)

  • X-XSS-Protection: To improve the security of your site against some types of XSS (cross-site scripting) attacks, it is recommended that you add the following header. In Apache HTTP Server, add this configuration:

Header set X-XSS-Protection "1; mode=block"

In Nginx, add this configuration:

add_header X-XSS-Protection "1; mode=block";
  • X-Frame-Options: Use the X-Frame-Options header to prevent clickjacking on your website. By sending this header, you instruct the browser not to embed your web page in a frame/iframe. Browser support has some limitations, so check before implementing it.

Use one of the following X-Frame-Options values:

SAMEORIGIN   Framing the content is only allowed from the same site origin.
DENY         Prevents any domain from embedding your content in a frame/iframe.
ALLOW-FROM   Allows framing the content only on a particular URL.

For Apache, use the configuration below.

Header set X-Frame-Options "SAMEORIGIN"

For Nginx, use the configuration below.

add_header X-Frame-Options "SAMEORIGIN";

  • X-Content-Type-Options: This header prevents certain versions of Internet Explorer from 'sniffing' the MIME type of a page. Internet Explorer would interpret a response served as 'Content-Type: text/plain' as HTML when it contains HTML tags, which introduces cross-site scripting risks when dealing with user-provided content. X-Content-Type-Options accepts only one value, 'nosniff', which prevents the browser from trying to sniff the MIME type.

For Apache, use the configuration below.

Header set X-Content-Type-Options "nosniff"

For Nginx, use the configuration below.

add_header X-Content-Type-Options nosniff;
  • Strict-Transport-Security: HTTP Strict Transport Security (often abbreviated HSTS) is a security feature that tells browsers to communicate with the site only over HTTPS, never over plain HTTP.

For Apache, use the configuration below.

Header always set Strict-Transport-Security "max-age=63072000; includeSubDomains"

For Nginx, use the configuration below.

add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
  • Content-Security-Policy: Content Security Policy (CSP) is one of the strongest defences available, helping protect the website against cross-site scripting (XSS), clickjacking and code injection attacks.

For Apache, use the configuration below.

Header set Content-Security-Policy "default-src 'self';"

For Nginx, use the configuration below.

add_header Content-Security-Policy "img-src *";
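To verify that the headers above actually reach the client, here is a Python example added to this article (not from the original post, Apache or Nginx) that parses a captured HTTP response and reports headers that are missing or misconfigured. The response text is constructed and deliberately contains a misspelt CSP header name and a short HSTS max-age.

```python
# Constructed HTTP response whose headers carry mistakes that are easy to make in
# the configuration lines above (misspelt CSP header name, short HSTS max-age).
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Apache\r\n"
    "Content-Secure-Policy: default-src 'self';\r\n"
    "X-Content-Type-Options: NOSNIFF\r\n"
    "X-Frame-Options: SAMEORIGIN\r\n"
    "Strict-Transport-Security: max-age=3600; includeSubDomains\r\n"
    "Content-Type: text/html\r\n"
    "\r\n"
    "<html></html>"
)

def parse_headers(raw):
    """Map lower-cased header names to values from a raw HTTP response."""
    head = raw.split("\r\n\r\n", 1)[0]
    headers = {}
    for line in head.split("\r\n")[1:]:              # [0] is the status line
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return headers

def hsts_max_age(value):
    """Return the max-age of an HSTS header value, or None if absent/invalid."""
    for directive in value.split(";"):
        name, _, val = directive.strip().partition("=")
        if name.strip().lower() == "max-age" and val.strip().isdigit():
            return int(val.strip())
    return None

def audit_security_headers(raw):
    """Return findings for the headers discussed above; [] means all look right."""
    h = parse_headers(raw)
    findings = []
    if "content-security-policy" not in h:
        hint = " (found misspelt Content-Secure-Policy)" if "content-secure-policy" in h else ""
        findings.append("Content-Security-Policy missing" + hint)
    if h.get("x-content-type-options", "").lower() != "nosniff":  # token is case-insensitive
        findings.append("X-Content-Type-Options missing or not 'nosniff'")
    if h.get("x-frame-options", "").upper() not in ("DENY", "SAMEORIGIN"):
        findings.append("X-Frame-Options missing or not DENY/SAMEORIGIN")
    age = hsts_max_age(h.get("strict-transport-security", ""))
    if age is None:
        findings.append("Strict-Transport-Security missing or without max-age")
    elif age < 31536000:                             # one year, as in the Nginx line above
        findings.append(f"Strict-Transport-Security max-age {age} is below one year")
    return findings
```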

Apache Web Security and Hardening Tips (SSL certificate configuration with Let's Encrypt)

SSL certificates are used on web servers to encrypt the traffic between the Apache web server and the client, providing extra security for users accessing your application. Let's Encrypt provides trusted certificates for free.


1. Download the Let's Encrypt client. First, add the EPEL repository.

# sudo yum install epel-release

2. Now that you have access to the extra repository, install all of the required packages with the command below.

# sudo yum install httpd mod_ssl python-certbot-apache

You should now have all of the packages you need to secure your site.
Before requesting a certificate, make sure Apache is running on the server and is accessible from the outside world.
To make sure Apache is up and running, type the command below.

# sudo systemctl restart httpd
3. Requesting an SSL Certificate from Let's Encrypt

If you need a single certificate that is valid for multiple domains and subdomains, you can add additional -d parameters to the command. The first domain name in the list of parameters is the base domain that Let's Encrypt uses to create the certificate.

For that reason we recommend putting the bare top-level domain name first in the list, followed by any additional subdomains or aliases, for instance:

# certbot --apache -d example.com -d www.example.com

You will be guided step by step through customizing your certificate. You will be asked for an email address for lost key recovery and notices. If you did not specify your domain on the command line, you will be prompted for it as well.

If your virtual host file does not contain the domain name in the ServerName directive, you will be asked to select the virtual host file. The default ssl.conf file should work.
You will also be able to choose between allowing both HTTP and HTTPS traffic or redirecting all HTTP requests to HTTPS.

For better security, choose the Secure (redirect) option unless you have a specific need to allow unencrypted connections.
When the installation is finished, you should see a message similar to this.

[Image: certbot completion message]

The generated certificate files are available under your base domain in the /etc/letsencrypt/live directory.

4. Implement SSL Ciphers:

Apache can be configured to use specific SSL cipher suites. For better security, set the Apache SSL settings to use the highest-grade ciphers. It would be common practice to set the server to prefer the RC4-SHA cipher, both for speed and as a fix against the BEAST attack. I will show you how to configure this in Apache.

On Red Hat / CentOS, edit this file:

# sudo vi /etc/httpd/conf.d/ssl.conf

Put in the following configuration, save the file, and then restart the Apache service.

In Conclusion

You now know how to secure and harden the Apache web server, including the Apache security headers, from the topics above.

We hope you liked this article and found it useful. To learn more about Linux and AWS tips and tricks, please bookmark this website. We publish new articles daily at WWW.BPMTECHGURU.IN, and every post on this website has been practically tested and works. If you have any problem, please drop a comment and we will try to resolve it.
