How to Secure Your Apache Server

Apache is a popular, open-source web server available for both Linux and Windows systems. It can be configured for a diverse range of use cases, from static HTML pages to dynamic PHP (HyperText Preprocessor) web applications. Apache provides a secure and robust platform on which to deploy your web applications. However, it is still important to install the latest security patches and to configure the server properly to establish a secure environment for those applications.
In this article, you will find some tips and tricks to strengthen your Apache web server configuration and improve its general security.

Non-Privileged User Account

The purpose of a non-root, unprivileged user account is to deny a process access to parts of the system it does not need. For an Apache web server, this means the server should run in a restricted environment with only the permissions it requires. By default, Apache runs with the privileges of the daemon account. You can create a separate non-root user account for it so that a security vulnerability in the server exposes as little of the system as possible.

Furthermore, if apache2 and MySQL run under the same user credentials, a compromise of one service's process will also affect the other. To change the user and group the web server runs as, go to /etc/apache2, open the file envvars, set the user and group to a new non-privileged account (created as a system account with no login shell), say, “apache,” and save the file.

ubuntu@ubuntu~:$ sudo vim /etc/apache2/envvars
...snip...
# no spaces around "=": envvars is sourced by the shell
export APACHE_RUN_USER=apache
export APACHE_RUN_GROUP=apache
...snip...

You can also use the following command to change the ownership of the installation directory to the new non-root user.

ubuntu@ubuntu~:$ sudo chown -R apache:apache /etc/apache2
Issue the following command to apply the changes:
ubuntu@ubuntu~:$ sudo service apache2 restart

Keep Apache Up to Date

Apache is known for providing a secure platform with an attentive developer community, and it rarely suffers from serious security bugs. Nevertheless, it is normal for issues to be discovered after software is released. Hence, it is essential to keep the web server up to date to get the latest security fixes. It is also advised to follow the Apache Server Announcement Lists to keep yourself informed about new announcements, releases, and security updates from the Apache development community.

To update Apache using apt, run the following:

ubuntu@ubuntu~:$ sudo apt-get update
ubuntu@ubuntu~:$ sudo apt-get upgrade

Disable Server Signature

The default configuration of an Apache server exposes a lot of details about the server and its settings. For example, with the ServerSignature and ServerTokens directives in /etc/apache2/apache2.conf left at their defaults, Apache adds a footer line to server-generated pages and a detailed Server header to every HTTP response, both of which expose potentially sensitive information. This information includes server setting details, such as the server version and hosting OS, that can help an attacker with reconnaissance. You can disable this disclosure by editing the apache2.conf file with vim/nano and adding the following directives:

ubuntu@ubuntu~:$ sudo vim /etc/apache2/apache2.conf
...snip...
ServerSignature Off
...snip...
ServerTokens Prod
...snip...

Restart Apache to update the changes.

Disable Server Directory Listings

Directory listings display all content saved in the root folder or its sub-directories. These files can include sensitive information not intended for public display, such as PHP scripts, configuration files, files containing passwords, logs, etc.
To disallow directory listings, change the Apache server configuration by editing the apache2.conf file as follows:

ubuntu@ubuntu~:$ sudo vim /etc/apache2/apache2.conf
...snip...
<Directory /var/www>
    Options -Indexes
</Directory>
...snip...

OR

...snip...
<Directory /var/www/your_website>
    Options -Indexes
</Directory>
...snip...

You can also add this directive in the .htaccess file of your main website directory.

Protect System Settings

The .htaccess file is a convenient and powerful feature that allows configuration outside the main apache2.conf file. However, where a user can upload files to the server, an attacker can exploit this to upload his or her own “.htaccess” file with malicious configuration. So, if you are not using this feature, you can disable it through the AccessFileName directive, i.e.:

ubuntu@ubuntu~:$ sudo vim /etc/apache2/apache2.conf
...snip...
#AccessFileName .htaccess
...snip...

OR

Disable .htaccess files except in specifically enabled directories by editing apache2.conf and setting the AllowOverride directive to None:

ubuntu@ubuntu~:$ sudo vim /etc/apache2/apache2.conf
...snip...
<Directory />
    AllowOverride None
</Directory>
...snip...

Secure Directories with Authentication

You can protect all or some of the directories with user credentials created with the htpasswd utility. Use the following command to create a .htpasswd file that stores the password hash for the credentials assigned to, say, a user named dev:

ubuntu@ubuntu~:$ sudo htpasswd -c /etc/apache2/.htpasswd dev

The above command asks for the new password and a confirmation. You can cat the .htpasswd file to check the hash stored for the user. Use -c only when creating the file, since it overwrites an existing one; omit it when adding further users.

Now, enable authentication for the your_website directory you need to protect by adding the following directives to its .htaccess file:

ubuntu@ubuntu~:$ sudo nano /var/www/your_website/.htaccess
...snip...
AuthType Basic
AuthName "Restricted Area"
AuthUserFile /etc/apache2/.htpasswd
Require valid-user
...snip...

Remember to adjust the AuthUserFile path to match yours; the AuthName string is the realm shown to the user in the login prompt. For the .htaccess file to take effect, the directory must permit authentication overrides (AllowOverride AuthConfig or All) in apache2.conf.

Run Necessary Modules

The default Apache configuration enables modules that you may not even need. These pre-installed modules open doors for Apache security issues that either already exist or may be discovered in the future. Before disabling any of them, you first need to understand which modules are required for the smooth functioning of your web server. For this purpose, check the Apache module documentation, which covers all available modules.

Next, use the following command to figure out which modules are running on your server.

ubuntu@ubuntu~:$ sudo ls /etc/apache2/mods-enabled

Apache comes with the a2dismod command to disable a module. It stops the module from being loaded and warns you when disabling a module whose removal can negatively impact your server.

ubuntu@ubuntu~:$ sudo a2dismod module_name

You can also disable a module by commenting out its LoadModule line.

Prevent Slowloris and DoS Attacks

The default installation of an Apache server lets it wait too long for a client to finish sending its request, which exposes the server to Slowloris and other DoS attacks. The apache2.conf configuration file provides a directive that you can use to lower the timeout value to a few seconds to mitigate these types of attacks, i.e.:

ubuntu@ubuntu~:$ sudo vim /etc/apache2/apache2.conf
Timeout 60

Besides, newer Apache releases ship with a handy module, mod_reqtimeout, whose RequestReadTimeout directive protects the server from clients that send request headers or bodies too slowly. This directive has a few tricky settings, so read the related information on its documentation page.

Disable Unnecessary HTTP Requests

Oversized HTTP/HTTPS requests can also degrade server performance or be used for a DoS attack. You can limit the size of the request bodies accepted per directory by setting LimitRequestBody, for instance to less than 100K. To create such a directive for the folder /var/www/your_website, add LimitRequestBody below AllowOverride All, i.e.:

...snip...
<Directory /var/www/your_website>
    Options -Indexes
    AllowOverride All
    LimitRequestBody 995367
</Directory>
...snip...

Note: Remember to restart Apache after the applied changes to update it accordingly.
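The settings from the sections above (run user, ServerTokens and ServerSignature, Options -Indexes under /var/www, AllowOverride None at the root, and the Timeout value) can be checked mechanically. The script below is an added example, not code from the article or from the Apache project: it audits an apache2.conf-style file and an envvars file, prints one line per missing setting, and exits non-zero if anything fails. The file paths are parameters, and the weak configuration the demo builds is constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the article): audit an Apache config file and
# envvars file for the hardening settings discussed above. Prints one
# line per finding and returns non-zero when any check fails.

# Print the body of the first <Directory "$2"> block in file "$1".
dir_block() {
    awk -v d="$2" '
        tolower($0) ~ "^[ \t]*<directory[ \t]+\"?" d "\"?[ \t]*>" { inb = 1; next }
        inb && tolower($0) ~ "^[ \t]*</directory>" { exit }
        inb { print }' "$1"
}

audit_apache() {
    conf="$1"; envvars="$2"; fail=0
    # Non-privileged run user: unset or root is a finding.
    run_user=$(sed -n 's/^export APACHE_RUN_USER=[[:space:]]*//p' "$envvars" | tail -n 1)
    case "$run_user" in
        ""|root) echo "FAIL: APACHE_RUN_USER is '${run_user:-unset}'"; fail=1 ;;
    esac
    # Version disclosure in the Server header and in server-generated pages.
    grep -Eiq '^[[:space:]]*ServerTokens[[:space:]]+Prod' "$conf" \
        || { echo "FAIL: ServerTokens is not Prod"; fail=1; }
    grep -Eiq '^[[:space:]]*ServerSignature[[:space:]]+Off' "$conf" \
        || { echo "FAIL: ServerSignature is not Off"; fail=1; }
    # Directory listings under the web root; .htaccess overrides at the filesystem root.
    dir_block "$conf" /var/www | grep -Eiq '^[[:space:]]*Options[[:space:]].*-Indexes' \
        || { echo "FAIL: Options -Indexes missing for /var/www"; fail=1; }
    dir_block "$conf" / | grep -Eiq '^[[:space:]]*AllowOverride[[:space:]]+None' \
        || { echo "FAIL: AllowOverride None missing for /"; fail=1; }
    # Connection timeout for slow clients (60 s is the article's value).
    timeout=$(sed -nE 's/^[[:space:]]*Timeout[[:space:]]+([0-9]+).*/\1/p' "$conf" | tail -n 1)
    [ -n "$timeout" ] && [ "$timeout" -le 60 ] \
        || { echo "FAIL: Timeout is '${timeout:-unset}', want 60 or lower"; fail=1; }
    return "$fail"
}

# Stand-alone demo on a constructed, deliberately weak configuration.
demo_audit() {
    tmp=$(mktemp -d); rc=0
    printf 'export APACHE_RUN_USER=apache\n' > "$tmp/envvars"
    printf 'ServerTokens Full\nTimeout 300\n<Directory /var/www>\n  Options Indexes\n</Directory>\n' \
        > "$tmp/apache2.conf"
    audit_apache "$tmp/apache2.conf" "$tmp/envvars" || rc=$?   # prints 5 FAIL lines
    rm -rf "$tmp"; return "$rc"
}

if demo_audit; then echo "all checks passed"; else echo "hardening gaps found"; fi
```

Directives placed in included files (sites-enabled, conf-enabled) are only seen if you point the script at a merged configuration, and the checks are literal pattern matches, not Apache's own merge logic.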

Conclusion

The default installation of the Apache server can supply plenty of sensitive information to aid attackers. There are also plenty of other ways (not listed above) to secure the Apache web server. Continue researching and keep yourself updated about new directives and modules to secure your server further.

About the author

Usama Azad

A security enthusiast who loves the Terminal and Open Source. My areas of expertise are Python, Linux (Debian), Bash, penetration testing, and firewalls. I was born and raised in Wazirabad, Pakistan, and am currently doing my undergraduate degree at the National University of Science and Technology (NUST). On Twitter I go by @UsamaAzad14.