10 measures of Apache security

1. Keep Apache updated
Running Apache on Linux does not mean you can skip updates. New vulnerabilities and security risks appear all the time. Apply patches regularly to fix those vulnerabilities and security bugs. If you installed Apache with your distribution's package manager, updating is very easy. If you installed from source, make sure the update process does not alter your modules or their components. In addition, if you use PHP, update it at the same time as you update Apache.

2. Run Apache as a dedicated user and group

Apache is often installed to run as a particular user or group. One of the most common mistakes is running it as the root user (which has the same rights as an administrator), which leads to some very serious problems. Or suppose both Apache and MySQL are run by the same user or group: if one of them has a vulnerability, the other may suffer the consequences. The best way to avoid this situation is to make sure Apache runs as its own dedicated user and group. To do this, open the httpd.conf file and check the lines of the form:
User
Group
Then change these entries to:
User apache
Group apache
If an error occurs after the change, the declared user or group does not exist and you need to create it.

3. Turn off unnecessary services

There are several services or features you will want to disable or block. All of them can be turned off in the httpd.conf file. The services and features in question are:
  1. Directory browsing: Disable this in a Directory block (usually the one for the document root) by using the Options directive and setting it to '-Indexes'.
  2. Server-side includes: This is another feature that can be disabled in the Directory block by using the Options directive and setting it to '-Includes'.
  3. CGI execution: If the website does not use CGI, disable it by using the Options directive and setting it to '-ExecCGI' in the Directory block.
  4. Symbolic links: Disable these in a Directory block with '-FollowSymLinks'.
  5. None: You can turn off all options (instead of the individual settings above) by using 'None' with the Options directive.

4. Remove unused modules

Apache includes a lot of modules. To see which modules are being loaded, run the command grep -n LoadModule httpd.conf from within the Apache configuration directory. This command shows every module that Apache loads, along with the line number of each entry. To disable an unnecessary module, simply add the '#' character to the beginning of that module's line.

5. Limit access

Suppose you have an intranet that contains a lot of important company information and you don't want people outside your private network to reach it. To do that, limit access to your local network by adding the following lines to the Directory block in the httpd.conf file:
Order Deny,Allow
Deny from all
Allow from 192.168.1.0/16
Here 192.168.1.0/16 is your intranet address. After making changes in the httpd.conf file, you need to restart Apache to apply them.
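
How these three directives combine for individual client addresses, as an added example that is not part of the original article: a simplified Python model of the Order/Deny/Allow evaluation rules. The function names are assumptions made for illustration and the client addresses are constructed.

```python
import ipaddress

def to_network(spec):
    """Turn 'all' or a CIDR string into a network object."""
    if spec.lower() == "all":
        return ipaddress.ip_network("0.0.0.0/0")
    # strict=False drops host bits: 192.168.1.0/16 becomes 192.168.0.0/16.
    return ipaddress.ip_network(spec, strict=False)

def is_allowed(order, deny, allow, client_ip):
    """Simplified model of Order/Deny/Allow for one IPv4 client address."""
    ip = ipaddress.ip_address(client_ip)
    denied = any(ip in to_network(d) for d in deny)
    allowed = any(ip in to_network(a) for a in allow)
    order = order.lower()
    if order == "deny,allow":   # default allow; an Allow match overrides Deny
        return allowed or not denied
    if order == "allow,deny":   # default deny; a Deny match overrides Allow
        return allowed and not denied
    raise ValueError("Order must be 'Deny,Allow' or 'Allow,Deny'")

# The rule set from this section, checked against constructed client addresses.
DENY, ALLOW = ["all"], ["192.168.1.0/16"]

def check_clients(order):
    clients = ["192.168.1.20", "192.168.77.5", "203.0.113.9"]
    return {c: is_allowed(order, DENY, ALLOW, c) for c in clients}
```

With Deny,Allow the /16 mask admits every 192.168.x.x client, not only 192.168.1.x, and rejects the outside address; with the keywords swapped to Allow,Deny the same Deny from all line rejects all three clients.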

6. Limit requests

A denial-of-service (DoS) attack is always possible when Apache accepts a large volume of requests. Apache has a directive, LimitRequestBody, which is placed in the Directory block. The limit to set depends on the needs of the website. By default, LimitRequestBody is unlimited.

7. Use mod_security module

One of Apache's most important modules is mod_security. This module handles many tasks, including filtering, regular expression filtering, URL encoding and server address hiding. Installing mod_security is also quite complicated. You must first add two directives, for unique_id and security2, to the module section of the Apache configuration. Then run the command:
service apache2 configtest
When you receive the message Syntax OK, you have installed it successfully.

8. Do not allow browsing outside the document root

Allowing browsing outside the document root can cause problems. If you do not need it, it is best to turn it off. First, edit the Directory block for the root directory as follows:

Order Deny,Allow
Deny from all
Options None
AllowOverride None

Then, if you need to add options for any directory inside the document root, add a new Directory block for each directory.

9. Hide the Apache version number

One of the best precautions is to hide as much information about your service as possible. One piece of information to hide is the Apache version number. Doing so makes it harder for unwanted users to get into your web server quickly. You only need to add the following lines in the Directory block of the document root:

ServerSignature Off
ServerTokens Prod

10. Hide the httpd.conf configuration file

One of the best security measures is to hide the httpd.conf file, because this file contains a lot of configuration information and settings. If people cannot see it, they cannot change its contents, and your settings will stay the same. To hide the httpd.conf file, simply use the following command:
chattr +i /path/to/httpd.conf
Here /path/to/httpd.conf is the path to the Apache configuration file.
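
The settings from measures 2, 3, 6 and 9 can be checked mechanically. The following is an added example, not part of the original article: a small Python audit that reads configuration text and lists which of those settings are missing. The function names and the sample configuration are constructed for illustration.

```python
import re
# Constructed sample configuration for this example (not from the article).
SAMPLE_CONF = """\
User root
Group apache
ServerTokens Full
ServerSignature On
<Directory "/var/www/html">
    Options Indexes FollowSymLinks
</Directory>
<Directory "/var/www/html/upload">
    Options None
    LimitRequestBody 1048576
</Directory>
"""
RISKY_OPTIONS = {"indexes", "includes", "execcgi", "followsymlinks", "all"}

def parse(conf_text):
    """Split directives into global ones and per-<Directory> ones."""
    top, dirs, current = {}, {}, None
    for line in map(str.strip, conf_text.splitlines()):
        opened = re.match(r'<Directory\s+"?([^">]+)"?\s*>', line, re.I)
        if opened:
            current = dirs.setdefault(opened.group(1), {})
        elif line.lower().startswith("</directory"):
            current = None
        elif line and line[0] not in "#<":
            name, _, value = line.partition(" ")
            (top if current is None else current)[name.lower()] = value.strip()
    return top, dirs

def audit(conf_text):
    """Findings for measures 2, 3, 6, 9. No inheritance; LimitRequestBody 0 = unlimited."""
    top, dirs = parse(conf_text)
    findings = []
    for key in ("user", "group"):
        if top.get(key, "root").lower() in ("root", "#0"):
            findings.append(f"{key.capitalize()} is unset or root")
    if top.get("servertokens", "").lower() != "prod":
        findings.append("ServerTokens is not Prod")
    if top.get("serversignature", "off").lower() != "off":
        findings.append("ServerSignature is not Off")
    for path, d in dirs.items():
        enabled = {o.lstrip("+").lower() for o in d.get("options", "").split()
                   if not o.startswith("-")}
        findings += [f"{path}: Options enables {o}" for o in sorted(enabled & RISKY_OPTIONS)]
        if int(d.get("limitrequestbody", top.get("limitrequestbody", "0"))) == 0:
            findings.append(f"{path}: LimitRequestBody is unlimited")
    return findings
```

Calling audit(SAMPLE_CONF) reports six findings for the sample; a configuration that applies the measures returns an empty list.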