If you administer servers or network services, security should be one of your priorities. It keeps your services stable and protects any sensitive data they hold. If the server can be reached from the internet, security matters even more. Linux and web servers such as Apache or Nginx are quite secure by default, but as with any application, some configuration changes can raise the level of security without compromising performance. So, in this post, I will show you some security tips for the Apache web server. You can apply them on any Linux distribution; I will use Ubuntu 18.04 as the example.
Some security tips for Apache Web server
1.- Keep the system upgraded
As the days go by, the Linux distribution development team releases security patches. These patches include updates of very sensitive elements of the system such as the kernel or system libraries.
Similarly, Apache and Nginx benefit from these updates. So it is a good idea to do this frequently.
So, if you are using Debian, Ubuntu, Linux Mint or derivatives:
:~$ sudo apt update
:~$ sudo apt upgrade
For CentOS 7 and RHEL 7:
:~$ su
:~# yum update
Or, for OpenSUSE and SUSE:
:~$ sudo zypper up
So this is the first security tip for Apache.
2.- Disable unnecessary modules
This security tip for Apache is quite important, because disabling loaded modules that we are not using will also improve the performance of the application.
In addition, with fewer modules loaded, the chances of Apache being compromised are reduced.
First, list the loaded modules with the following command:
:~$ apachectl -M
Loaded Modules:
 core_module (static)
 so_module (static)
 watchdog_module (static)
 http_module (static)
 ....
Verify which ones you do not require for your server and disable them one by one with the following command:
:~$ sudo a2dismod [module]
To check that you have not disabled an important module, run the following command:
:~$ apachectl configtest
Finally, restart Apache.
:~$ sudo systemctl restart apache2
Be careful when disabling important Apache modules. If you do it right, you will have a safer and faster Apache.
3.- Hide the Apache version and the system
The less information we give the visitor, the better. Therefore, it is a good idea to hide the version of Apache the server runs and, of course, the operating system it runs on.
To do so, change the following directives in the /etc/apache2/conf-enabled/security.conf file.
:~$ sudo nano /etc/apache2/conf-enabled/security.conf
....
ServerSignature Off
ServerTokens Prod
....
Of course, next, restart Apache.
4.- Disable access to directories
Applications are hosted in directories. However, visitors may be able to see the contents of those directories and, beyond that, retrieve data from them. This needs to be changed.
First, open the file /etc/apache2/apache2.conf and, in the directory section for /var/www/, add the following:
:~$ sudo nano /etc/apache2/apache2.conf
....
<Directory /var/www/>
    Options -Indexes -FollowSymLinks
    AllowOverride None
    Require all granted
</Directory>
....
Here we take the opportunity to make Apache not follow symbolic links.
Now we will protect the directories. In that same section, add the following directives:
Order deny,allow
Deny from all
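That is how the section should end up. On Apache 2.4, which Ubuntu 18.04 ships, Order and Deny are legacy directives provided by mod_access_compat, and the Apache documentation discourages mixing them with Require.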
Again, after that, restart Apache.
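To confirm that the settings from tips 3 and 4 are actually in place, a small audit can be run over the configuration file. The following is an added example, not part of the original post; the function names and the sample configuration are constructed for illustration, and it reads a single file without following Include lines.

```sh
# Added example, not from the original post: audit one config file for the
# directives from tips 3 and 4. Include lines are not followed (simplification).

# directive_value NAME FILE: last uncommented value of NAME, lowercased.
directive_value() {
    awk -v name="$1" 'tolower($1) == tolower(name) { v = tolower($2) }
        END { print v }' "$2"
}

# dir_options PATH FILE: lowercased Options arguments inside <Directory PATH>.
dir_options() {
    awk -v path="$1" '
        tolower($1) == "<directory" { p = $2; gsub(/[">]/, "", p)
                                      inside = (p == path); next }
        tolower($1) == "</directory>" { inside = 0; next }
        inside && tolower($1) == "options" { $1 = ""; print tolower($0) }
    ' "$2"
}

# audit_conf FILE: print one finding per line; return 0 only if there are none.
# For Options, only the explicit -Name form used in the post is recognised.
audit_conf() {
    conf=$1; bad=0
    [ "$(directive_value ServerSignature "$conf")" = "off" ] ||
        { echo "ServerSignature is not Off"; bad=1; }
    case "$(directive_value ServerTokens "$conf")" in
        prod|productonly) ;;
        *) echo "ServerTokens is not Prod"; bad=1 ;;
    esac
    opts=" $(dir_options /var/www/ "$conf" | tr '\n' ' ') "
    for opt in indexes followsymlinks; do
        case "$opts" in
            *" -$opt "*) ;;
            *) echo "/var/www/ lacks Options -$opt"; bad=1 ;;
        esac
    done
    return "$bad"
}

# Constructed sample resembling a configuration before the changes above.
sample=$(mktemp)
cat > "$sample" <<'EOF'
ServerTokens OS
ServerSignature On
<Directory /var/www/>
    Options Indexes FollowSymLinks
</Directory>
EOF
audit_conf "$sample" || echo "findings listed above"
rm -f "$sample"
```

On a real server, the directives live in two files, so run audit_conf against a concatenation of /etc/apache2/apache2.conf and /etc/apache2/conf-enabled/security.conf.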
5.- Last security tip for Apache: Use the modules mod_security and mod_evasive
These modules are available from the Ubuntu repositories. The first one works as a kind of firewall for our applications. It also helps to prevent brute force attacks against the service.
To install it, run this command:
:~$ sudo apt install libapache2-mod-security2
The second module, called evasive, specializes in brute force attacks. It can eliminate forced or very frequent requests that may raise suspicion of an attack. As you can see, it is very useful for increasing security.
Install it using this command:
:~$ sudo apt install libapache2-mod-evasive
Next, restart Apache.
And that is it.