Apache is the most widely used web server on the internet on Linux machines. For better and more reliable performance you need to protect your web server from hackers. Here I am going to write down some steps that can help you protect your web server from hackers. “I am writing this article from some references and Apache security tips.”
Steps to secure the Apache web server
1-Update your Apache at regular intervals
You should update your Linux system at regular intervals. If you installed Apache from source, make sure the upgrade is not going to break any modules or dependencies your web site has. And if you update Apache, make sure PHP (if used) is updated as well. New holes and security risks are found all the time, so you have to be ready for that.
2-Turn off unwanted services
There are some Apache services you don’t want to use. All of these services can be disabled or turned off in the httpd.conf file. Some of these services are:
Directory browsing.
Server side Includes.
CGI execution.
Symbolic links.
3-Use the right user:group
One of the first things to ensure is that Apache does not run as root, because if Apache is cracked then an attacker could get control of the root account. One of the biggest offenders is the root user, and this can cause some serious issues. Or say both Apache and MySQL are run by the same user/group: if there is a hole in either one, it can lead to an attack on the other. The best scenario is to make sure Apache is run as the user and group apache. To make this change, open the httpd.conf file and check the lines that read:
    User
    Group
Change these entries to:
    User apache
    Group apache
If you get any errors indicating the group or user do not exist, you’ll have to create them.
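As an added example (not the article's own code), the following POSIX shell script reads the User and Group directives from an httpd.conf and refuses root or a shared account such as mysql, which is the mistake the step above describes. The config path, the account name apache and the list of disallowed accounts are assumptions; the account-creation commands are left commented because they need root.

```shell
#!/bin/sh
# Added example: verify that Apache is configured to run as a dedicated,
# unprivileged user and group. Assumes the config file is passed as $1.

# Print the value of the first uncommented directive named $1 in file $2.
conf_value() {
    awk -v d="$1" '$1 == d { print $2; exit }' "$2"
}

# Return 0 if both User and Group name an acceptable account, 1 otherwise.
# "root" and "mysql" are the constructed examples of accounts Apache must
# not share; extend the list for your own environment.
check_run_user() {
    conf="$1"
    u=$(conf_value User "$conf")
    g=$(conf_value Group "$conf")
    if [ -z "$u" ] || [ -z "$g" ]; then
        echo "User/Group directive missing in $conf"
        return 1
    fi
    case "$u" in
        root|mysql) echo "User $u is not allowed"; return 1 ;;
    esac
    case "$g" in
        root|mysql) echo "Group $g is not allowed"; return 1 ;;
    esac
    echo "Apache will run as $u:$g"
    return 0
}

# Create the apache account if it does not exist yet (requires root, so it
# is commented out; the checks above are safe to run as any user).
# getent group apache >/dev/null || groupadd -r apache
# id apache >/dev/null 2>&1 || useradd -r -g apache -s /sbin/nologin -d /var/www apache

# Demo on a constructed two-line config, not a real server's file.
demo=$(mktemp)
printf 'User apache\nGroup apache\n' > "$demo"
check_run_user "$demo" || true
rm -f "$demo"
```

Run it against the real file with `sh check_user.sh /etc/httpd/conf/httpd.conf` (path assumed); a non-zero exit means the directives need fixing before you restart Apache.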
4-Disable unused modules
Apache has a ton of modules. To get an idea of how many modules your installation is loading, issue the command (as the root user) grep -n LoadModule httpd.conf from within your Apache configuration directory. This command will show you every module Apache is loading, along with the line number it falls on. To disable the modules you don’t need, simply comment them out with a single # character at the beginning of the module’s line.
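The grep command above only lists the modules; as an added example (not from the article), the script below lists the active LoadModule lines of a config file, comments out a named module, and counts what is left, so you can compare before and after. The module names and the sample config are constructed; which modules your site actually needs is for you to decide.

```shell
#!/bin/sh
# Added example: audit and disable Apache modules in an httpd.conf.
# Works on whatever file you pass in, so try it on a copy first.

# List the module names from every active (uncommented) LoadModule line.
# Fields on such a line: LoadModule <module_name> <path>
list_loaded_modules() {
    awk '$1 == "LoadModule" { print $2 }' "$1"
}

# Count the modules still loaded; handy for a before/after comparison.
count_loaded_modules() {
    list_loaded_modules "$1" | wc -l | tr -d ' '
}

# Comment out the LoadModule line for one module. $1 = module name
# (e.g. autoindex_module), $2 = config file. Returns 1 if it was not loaded.
disable_module() {
    mod="$1"; conf="$2"
    if ! awk -v m="$mod" '$1 == "LoadModule" && $2 == m { found = 1 } END { exit !found }' "$conf"; then
        echo "$mod is not loaded in $conf"
        return 1
    fi
    # Prefix only lines that start with LoadModule and name exactly this module.
    tmp="$conf.tmp.$$"
    awk -v m="$mod" '$1 == "LoadModule" && $2 == m { print "#" $0; next } { print }' "$conf" > "$tmp" &&
        mv "$tmp" "$conf"
    echo "disabled $mod in $conf"
}

# Demo on a constructed config fragment (not a real server's file).
demo_conf=$(mktemp)
cat > "$demo_conf" <<'EOF'
LoadModule authz_core_module modules/mod_authz_core.so
LoadModule autoindex_module modules/mod_autoindex.so
#LoadModule status_module modules/mod_status.so
LoadModule include_module modules/mod_include.so
LoadModule cgi_module modules/mod_cgi.so
EOF
echo "before: $(count_loaded_modules "$demo_conf") modules"
list_loaded_modules "$demo_conf"
disable_module autoindex_module "$demo_conf" || true   # directory listings
disable_module cgi_module "$demo_conf" || true         # CGI execution
disable_module status_module "$demo_conf" || true      # already commented out
echo "after: $(count_loaded_modules "$demo_conf") modules"
rm -f "$demo_conf"
```

After disabling modules on the real file, run `apachectl configtest` before restarting: a directive that depends on a module you just removed will fail there rather than at startup.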
5-Do not allow browsing outside the document root
Never allow browsing outside the document root unless you have a specific need to allow it. Disable this feature. First, you’ll need to edit the document root Directory entry like so:
    Order Deny,Allow
    Deny from all
    Options None
    AllowOverride None
Now, if you need to add options to any directory within the document root, you will have to add a new Directory entry for each one.
6-Limit request size
Limit your request size, because a DDOS attack is always possible if you allow large requests. The size of your request limit will depend upon your web site’s traffic needs. By default, LimitRequestBody is set to unlimited.
7-Immunize httpd.conf
Hiding your httpd.conf file is one of the best security measures. If a person can’t see it, he can’t change it. To immunize the httpd.conf file, set the immutable bit with the following command:
chattr +i /path/to/httpd.conf
where /path/to/httpd.conf is the path to your Apache configuration file. Now it will be very difficult for anyone to make any changes to httpd.conf.
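Two things a practitioner wants to know about the immutable bit: it does not hide the file, it stops every process, root included, from modifying, deleting or renaming it until chattr -i is run, so your own edits need that step too. As an added example (not the article's own code), the script below checks whether a file carries the i attribute via lsattr and wraps the edit-and-re-lock workflow; lsattr and chattr come from e2fsprogs, setting or clearing the bit needs root, and the editor and config path are assumptions.

```shell
#!/bin/sh
# Added example: verify and manage the immutable bit on httpd.conf.

# Return 0 if the file is immutable, 1 if it is not, and 2 if that cannot be
# determined (lsattr missing, file missing, or a filesystem without attributes).
is_immutable() {
    f="$1"
    command -v lsattr >/dev/null 2>&1 || return 2
    # lsattr -d prints "<flags> <path>"; keep only the flags field.
    attrs=$(lsattr -d "$f" 2>/dev/null | awk '{ print $1 }')
    [ -n "$attrs" ] || return 2
    case "$attrs" in
        *i*) return 0 ;;
        *)   return 1 ;;
    esac
}

# Human-readable report built on the return code above.
report_immutable() {
    is_immutable "$1"
    case $? in
        0) echo "$1: immutable (chattr -i needed before editing)" ;;
        1) echo "$1: NOT immutable" ;;
        *) echo "$1: cannot determine (lsattr unavailable or file missing)" ;;
    esac
}

# Edit workflow: lift the bit, edit, test the config, and only re-lock when
# the configuration parses. Requires root; never run it on a live server
# without a backup of the file. $1 = config path (assumed /path/to/httpd.conf).
edit_immutable_conf() {
    conf="$1"
    chattr -i "$conf" || return 1
    "${EDITOR:-vi}" "$conf"
    if apachectl configtest; then
        chattr +i "$conf"
    else
        echo "configtest failed; $conf left writable so you can fix it" >&2
        return 1
    fi
}

# Demo on a constructed temporary file, which is never immutable.
demo=$(mktemp)
report_immutable "$demo"
rm -f "$demo"
```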
8-Restrict access
You can restrict access to your internal network by adding the following inside a Directory tag in your httpd.conf file:
    Order Deny,Allow
    Deny from all
    Allow from 192.168.1.0/16
where 192.168.1.0/16 is the configuration matching your internal network. As with all modifications to the httpd.conf file, make sure you restart Apache so the changes take effect.
9-Hide Apache’s version number
This is also one of the good defences. By hiding it, you keep hackers from knowing how to quickly hack your web server. To hide Apache’s version number, add the following in your document root Directory tag:
    ServerSignature Off
    ServerTokens Prod
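Steps 2, 5, 6, 8 and 9 all end up in the same httpd.conf, so here they are as one hardened fragment. This is an added example, not the article's configuration: the document root path, the admin subdirectory, the 1 MiB body limit and the use of 192.168.1.0/16 as the internal range are assumptions. Two caveats from the Apache documentation are folded in: ServerTokens is only valid at server-config level, not inside a Directory block (ServerSignature may go in either), and the Order/Deny/Allow directives the article uses are Apache 2.2 syntax that 2.4 accepts only through mod_access_compat, so the 2.4 Require form is shown with the 2.2 equivalent commented beside it.

```apache
# Added example: hardened httpd.conf fragment combining steps 2, 5, 6, 8 and 9.

# Step 9: hide version details. ServerTokens must sit at server-config level.
ServerTokens Prod
ServerSignature Off

# Step 6: refuse request bodies larger than 1 MiB (1048576 bytes, assumed).
# 0 means unlimited; size this to the largest upload your site must accept.
LimitRequestBody 1048576

# Step 5: lock down the filesystem root so nothing outside the document
# root can ever be served, and ignore .htaccess overrides.
<Directory />
    Options None
    AllowOverride None
    # Apache 2.4:
    Require all denied
    # Apache 2.2 equivalent:
    # Order Deny,Allow
    # Deny from all
</Directory>

# Step 2: re-open only the document root (path assumed), with directory
# listings, server-side includes, CGI execution and symlink following
# explicitly turned off. Relative "-" syntax keeps the parent's restrictions.
<Directory "/var/www/html">
    Options -Indexes -Includes -ExecCGI -FollowSymLinks
    AllowOverride None
    Require all granted
</Directory>

# Step 8: an administrative area (assumed path) reachable only from the
# internal network, using the article's 192.168.1.0/16 range.
<Directory "/var/www/html/admin">
    # Apache 2.4:
    Require ip 192.168.1.0/16
    # Apache 2.2 equivalent:
    # Order Deny,Allow
    # Deny from all
    # Allow from 192.168.1.0/16
</Directory>
```

Check the result with `apachectl configtest` before restarting; a directive placed in the wrong context (for instance ServerTokens inside a Directory block) is reported there as a syntax error rather than silently ignored.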