The Apache web server is an extremely stable and secure piece of software. With Apache powering close to 70 percent of the web sites on the Internet today, it has been well tested. It has become clear over the last decade that no software is 100% secure. Fortunately, there are several simple steps you can take to make your Apache installation more secure.
Keep Current
The single biggest cause of security breaches is software that was out of date. As bugs and exploits are found in the Apache web server, patches are released to correct them. The single biggest step you can take to securing your Apache server is to install the patches or upgrade to the latest release of Apache.
Security By Obscurity
The default Apache installation options cause the server to add a signature that shows what version of Apache you are running, what operating system it is running on and even what modules you are using in your Apache configuration. Providing this information makes it easier to exploit your system since hackers will have a great deal of information about the types and versions of your software and can easily search for vulnerabilities. While security by obscurity is not enough by itself, it is a good way to improve the security of your server. To disable Apache’s signature and reduce the information included in the HTTP header, add the following options to your default httpd.conf file:
ServerSignature Off
ServerTokens Prod
Run Under the Right User and Group
The default installation of Apache has the web server to run under the user nobody and the group nobody. While this is definitely better than some older configurations that ran the server as root, it can still be problematic. This is because on some systems the nobody user and group are used by several systems. If one of these other systems is comprised, the attackers would also have access to your Apache server and files. Likewise, if Apache were comprised, the attackers could do added damage to other subsystems. Using a separate user and group for Apache is recommended. You can set these in httpd.conf using the following:
User apache
Group apache
Control Directory and File Access
Apache has access controls that can be used to tighten your security. In particular, you want to block access to access to any files outside of your web root. This prevents users from downloading system files or reading configuration files for your web application if your server were to be mis-configured. Accomplishing this takes two steps. The first is to add the following to your default httpd.conf file:
Order Deny,Allow
Deny from All
Options None
This configuration effectively block access to all files on your file system. The next step is to selectively enable access to the files in your web root directory. If you are running multiple virtual hosts, you will need to include this in each virtual host configuration. For this example, lets say that your web root is /home/user/web. To enable access to the files in the web root, add this to your configuration:
Order Allow,Deny
Allow from All
Turn Off Unneeded Modules
This especially applies when it comes to Apache modules. You should disable any modules that you do not need and are not specifically using. There is always a risk that the default configuration for an unused module will allow something that you did not intend. The easiest solution is to disable the module. If you are using DSO modules, simply remove or comment out the LoadModule line in httpd.conf for any modules that you are not using.check modules using the command
httpd -l
protect .htaccess
However, .htaccess can also create other security problems. Depending on what options are enabled in Apache, .htaccess can override a number of Apache’s configuration settings.
You need to set this within a directory block. For example if your web root was /home/user/web, you would use the following in your Apache configuration:
AllowOverride None
Control Permissions on Configuration Files
control configuration files using there ownership in root control
Don’t Allow Writing in Executable Directories
Dont allow wrinting permission for executable directories may be the hackers manages to write a file into this directory
or change 444 permission to the configuration files.
Disable FollowSymLinks
Symbolic links can expose files and directories on your file system that you did not intend to expose. Apache supports FollowSymLinks as a setting for Options. When this option is set, Apache will allow a user to follow a symbolic link to a file that is outside of the web root. You can stop this behavior by using:
Options None
within a Directory block. Or if you are enabling other options you can use:
Options -FollowSymLinks
Keep Current
The single biggest cause of security breaches is software that was out of date. As bugs and exploits are found in the Apache web server, patches are released to correct them. The single biggest step you can take to securing your Apache server is to install the patches or upgrade to the latest release of Apache.
Security By Obscurity
The default Apache installation options cause the server to add a signature that shows what version of Apache you are running, what operating system it is running on and even what modules you are using in your Apache configuration. Providing this information makes it easier to exploit your system since hackers will have a great deal of information about the types and versions of your software and can easily search for vulnerabilities. While security by obscurity is not enough by itself, it is a good way to improve the security of your server. To disable Apache’s signature and reduce the information included in the HTTP header, add the following options to your default httpd.conf file:
ServerSignature Off
ServerTokens Prod
Run Under the Right User and Group
The default installation of Apache has the web server to run under the user nobody and the group nobody. While this is definitely better than some older configurations that ran the server as root, it can still be problematic. This is because on some systems the nobody user and group are used by several systems. If one of these other systems is comprised, the attackers would also have access to your Apache server and files. Likewise, if Apache were comprised, the attackers could do added damage to other subsystems. Using a separate user and group for Apache is recommended. You can set these in httpd.conf using the following:
User apache
Group apache
Control Directory and File Access
Apache has access controls that can be used to tighten your security. In particular, you want to block access to access to any files outside of your web root. This prevents users from downloading system files or reading configuration files for your web application if your server were to be mis-configured. Accomplishing this takes two steps. The first is to add the following to your default httpd.conf file:
Order Deny,Allow
Deny from All
Options None
This configuration effectively block access to all files on your file system. The next step is to selectively enable access to the files in your web root directory. If you are running multiple virtual hosts, you will need to include this in each virtual host configuration. For this example, lets say that your web root is /home/user/web. To enable access to the files in the web root, add this to your configuration:
Order Allow,Deny
Allow from All
Turn Off Unneeded Modules
This especially applies when it comes to Apache modules. You should disable any modules that you do not need and are not specifically using. There is always a risk that the default configuration for an unused module will allow something that you did not intend. The easiest solution is to disable the module. If you are using DSO modules, simply remove or comment out the LoadModule line in httpd.conf for any modules that you are not using.check modules using the command
httpd -l
protect .htaccess
However, .htaccess can also create other security problems. Depending on what options are enabled in Apache, .htaccess can override a number of Apache’s configuration settings.
You need to set this within a directory block. For example if your web root was /home/user/web, you would use the following in your Apache configuration:
Control Permissions on Configuration Files
control configuration files using there ownership in root control
Don’t Allow Writing in Executable Directories
Dont allow wrinting permission for executable directories may be the hackers manages to write a file into this directory
or change 444 permission to the configuration files.
Disable FollowSymLinks
Symbolic links can expose files and directories on your file system that you did not intend to expose. Apache supports FollowSymLinks as a setting for Options. When this option is set, Apache will allow a user to follow a symbolic link to a file that is outside of the web root. You can stop this behavior by using:
Options None
within a Directory block. Or if you are enabling other options you can use:
Options -FollowSymLinks