In this article, you will find some tips and tricks to strengthen your Apache Web Server configuration and improve its overall security.
Non-Privileged User Account
The purpose of a non-root or unprivileged user account is to restrict the user from unnecessary access to certain tasks within a system. In the context of an Apache web server, this means that it should run in a restricted environment with only the necessary permissions. By default, Apache runs with daemon account privileges. Creating a separate non-root user account limits the damage if a security vulnerability in the web server is exploited.
Furthermore, if apache2 and MySQL run under the same user credentials, any issue in the process of one service will have an impact on the other. To change the user and group privileges for the web server, go to /etc/apache2, open the file envvars, set the user and group to a new non-privileged account, say, "apache," and save the file.
...snip...
export APACHE_RUN_USER=apache
export APACHE_RUN_GROUP=apache
...snip...
You can also use the following command to change the ownership of the installation directory to the new non-root user.
Then restart Apache to apply the changes:
ubuntu@ubuntu~:$ sudo service apache2 restart
Keep Apache Up to Date
Apache is known for providing a secure platform with a highly engaged developer community, and it rarely suffers from security bugs. Nevertheless, it is normal for issues to be discovered after the software is released. Hence, it is essential to keep the web server up to date to benefit from the latest security fixes. It is also advisable to follow the Apache Server Announcement Lists to stay informed about new announcements, releases, and security updates from the Apache development community.
To update Apache using apt, type the following:
ubuntu@ubuntu~:$ sudo apt-get upgrade
Disable Server Signature
The default configuration of an Apache server exposes a lot of details about the server and its settings. For example, the ServerSignature and ServerTokens directives in the /etc/apache2/apache2.conf file add an additional header to the HTTP response that exposes potentially sensitive information. This information includes server setting details, such as the server version and hosting OS, that can help an attacker with reconnaissance. You can disable this by editing the apache2.conf file with vim or nano and adding the following directives:
...snip...
ServerSignature Off
...snip...
ServerTokens Prod
...snip...
Restart Apache to update the changes.
Disable Server Directory Listings
Directory listings display all content saved in the root folder or its sub-directories. These files can include sensitive information not intended for public display, such as PHP scripts, configuration files, files containing passwords, logs, etc.
To disallow directory listings, change the Apache server configuration file by editing the apache2.conf file as:
...snip...
<Directory /var/www>
Options -Indexes
</Directory>
...snip...
OR
<Directory /var/www/your_website>
Options -Indexes
</Directory>
...snip...
You can also add this directive in the .htaccess file of your main website directory.
Protect System Settings
The .htaccess file is a convenient and powerful feature that allows configuration outside the main apache2.conf file. However, in cases where a user can upload files to the server, an attacker can exploit this to upload his or her own ".htaccess" file with malicious configuration. So, if you are not using this feature, you can disable the .htaccess directive, i.e.:
...snip...
#AccessFileName .htaccess
...snip...
OR
Disable the .htaccess file except in specifically enabled directories by editing the apache2.conf file and setting the AllowOverride directive to None:
...snip...
<Directory />
AllowOverride None
</Directory>
...snip...
Secure Directories with Authentication
You can create user credentials to protect all or some of the directories using the htpasswd utility. Go to your server folder and use the following command to create a .htpasswd file to store password hashes for the credentials assigned to, say, a user named dev.
The above command will ask for the new password and its confirmation. You can run cat .htpasswd to check the hash stored for the user credentials.
Now, protect the your_website directory by adding the following directives to its .htaccess file to enable authentication:
...snip...
AuthType Basic
AuthName "Add the Dialog Prompt"
AuthUserFile /etc/apache2/user_name/domain_name/.htpasswd
Require valid-user
...snip...
Remember to adjust the AuthUserFile path to match your own setup.
Run Necessary Modules
The default Apache configuration includes enabled modules that you may not even need. These pre-installed modules open doors for Apache security issues that either already exist or can exist in the future. To disable all these modules, you first need to understand which modules are required for the smooth functioning of your web server. For this purpose, check out the apache module documentation that covers all available modules.
Next, use the following command to figure out which modules are running on your server.
Apache comes with the a2dismod command to disable a module. It prevents the module from being loaded and warns you if disabling it could negatively affect your server.
You can also disable a module by commenting out its LoadModule line.
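To turn the "which modules do I actually need" question into a repeatable check, here is an added example (not code from the original article): it compares the modules listed by the real apache2ctl -M command against an allow-list and prints the a2dismod commands for everything else. The allow-list for a plain PHP site and the sample apache2ctl -M output are assumptions constructed for the example.

```shell
# Added example, not from the original article: compare the modules Apache
# has loaded against an allow-list of the ones a site actually needs, and
# print the a2dismod commands for the rest. Input is in the format printed
# by "apache2ctl -M" (one " name_module (shared|static)" per line). The
# allow-list below is an assumption for a plain PHP site, and the sample
# output further down is constructed.
NEEDED_MODULES="core_module so_module mpm_prefork_module authz_core_module dir_module mime_module log_config_module php7_module"

# list_unneeded_modules <file with apache2ctl -M output>
# Prints the a2dismod name (module name without "_module") of every shared
# module that is not on the allow-list. Static modules are compiled in and
# cannot be disabled with a2dismod, so they are skipped.
list_unneeded_modules() {
    grep -E '^[[:space:]]*[a-z0-9_]+_module \(shared\)' "$1" | awk '{ print $1 }' |
    while read -r mod; do
        case " $NEEDED_MODULES " in
            *" $mod "*) ;;                        # required: keep it loaded
            *) printf '%s\n' "${mod%_module}" ;;
        esac
    done
}

# Constructed sample of "apache2ctl -M" output
SAMPLE="$(mktemp)"
cat > "$SAMPLE" <<'EOF'
Loaded Modules:
 core_module (static)
 so_module (static)
 mpm_prefork_module (shared)
 authz_core_module (shared)
 autoindex_module (shared)
 dir_module (shared)
 mime_module (shared)
 log_config_module (shared)
 status_module (shared)
 php7_module (shared)
EOF

# Prints the commands to review before running them, here for autoindex and status
for m in $(list_unneeded_modules "$SAMPLE"); do
    echo "sudo a2dismod $m"
done
rm -f "$SAMPLE"
```

On a real server, replace the constructed sample with `apache2ctl -M > modules.txt` and review each printed command before running it, since the allow-list must reflect what your site actually uses.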
Prevent Slowloris and DoS Attacks
The default installation of an Apache server makes it wait too long for requests from clients, which exposes the server to Slowloris and DoS attacks. The apache2.conf configuration file provides a directive that you can use to lower the timeout value to a few seconds to prevent these types of attacks, i.e.:
Timeout 60
In addition, newer Apache versions ship with the handy mod_reqtimeout module, which provides the RequestReadTimeout directive to protect the server from illegitimate requests. This directive has a few tricky configuration options, so read the related information on its documentation page before using it.
Disable Unnecessary HTTP Requests
Unlimited HTTP/HTTPS request sizes can also degrade server performance or enable a DoS attack. You can limit the size of request bodies per directory with the LimitRequestBody directive, for example to less than 100K. For instance, to set the limit for the folder /var/www/your_website, add the LimitRequestBody directive below AllowOverride All, i.e.:
<Directory /var/www/your_website>
Options -Indexes
AllowOverride All
LimitRequestBody 995367
</Directory>
...snip...
Note: Remember to restart Apache after the applied changes to update it accordingly.
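To verify that a configuration really carries the settings from the server-signature, directory-listing, timeout and request-body sections above, here is an added example (not code from the original article) that audits an apache2.conf file and prints each directive still missing or at a weak value. The 60-second Timeout ceiling is the value used in this article; the sample configuration is constructed.

```shell
# Added example, not from the original article: audit an apache2.conf for
# the directives discussed above (ServerSignature, ServerTokens, Options
# Indexes, Timeout, LimitRequestBody). Apache treats only whole lines that
# start with "#" as comments and directive names are case-insensitive, so
# both are handled before comparing. The 60-second Timeout ceiling is the
# article's value; the sample config is constructed.

# audit_apache_conf <conf-file>: prints one line per finding, returns 1 if any
audit_apache_conf() {
    findings="$(sed '/^[[:space:]]*#/d' "$1" | awk '
        { d = tolower($1) }
        d == "serversignature"  { sig = tolower($2) }
        d == "servertokens"     { tok = tolower($2) }
        d == "timeout"          { tmo = $2 + 0 }
        d == "limitrequestbody" { lrb = 1 }
        d == "options" {
            # Indexes, +Indexes and All each turn directory listings on
            for (i = 2; i <= NF; i++) {
                o = tolower($i)
                if (o == "indexes" || o == "+indexes" || o == "all") idx = 1
            }
        }
        END {
            if (sig != "off")         print "ServerSignature is not Off"
            if (tok != "prod")        print "ServerTokens is not Prod"
            if (idx)                  print "an Options line still enables Indexes"
            if (tmo <= 0 || tmo > 60) print "Timeout is missing or above 60 seconds"
            if (!lrb)                 print "no LimitRequestBody is set"
        }')"
    [ -z "$findings" ] && return 0
    printf '%s\n' "$findings"
    return 1
}

# Constructed sample: a default-looking config with the weaknesses left in
WEAK="$(mktemp)"
cat > "$WEAK" <<'EOF'
ServerTokens OS
ServerSignature On
Timeout 300
<Directory /var/www/>
    Options Indexes FollowSymLinks
    AllowOverride None
</Directory>
EOF
audit_apache_conf "$WEAK" || echo "-> fix the findings above, then restart apache2"
rm -f "$WEAK"
```

Run it against /etc/apache2/apache2.conf on a real server; because it reads one file, directives placed in included files under sites-enabled or conf-enabled must be checked separately.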
Conclusion
The default installation of the Apache server can supply plenty of sensitive information to aid attackers. At the same time, there are plenty of other ways (not listed above) to secure the Apache web server as well. Continue researching and keep yourself updated about new directives and modules to secure your server further.