This guide walks through securing and hardening an Apache web server on Ubuntu 20.04. Let’s see how to secure the apache2 server on Ubuntu; you need to harden the Apache web server to protect the host it runs on.
A default Apache installation leaves a number of known weaknesses exposed. We need to address them and secure the server as much as we can, and we’ve tried to cover the commonly known ones here. Before you start:
- You must have the latest Apache server installed.
- You must know how to inspect the website on the browser.
- We need to have a backup copy of the apache2.conf and security.conf files.
How To Secure and Hardening Apache Web Server On Ubuntu 20.04
First of all, you should be aware of how to inspect a website in the browser. I will show you how to do that.
1. Hide Apache Version and Operating System:
Open your website in the browser and then press “Ctrl+Shift+I”. This will open the “Inspect” window (the browser’s developer tools).
In the response headers shown in the right-hand tab you can see that the server is Apache 2.4 and the OS is Ubuntu. To hide this information, we need to add these two directives to the /etc/apache2/conf-enabled/security.conf file.
ServerTokens Prod
ServerSignature Off
After adding these two directives, save the file and reload the Apache service.
sudo systemctl reload apache2
2. Disable the Directory Listing:
Now we need to disable directory listing, for example in the wp-includes folder. By default, directory listing in the webroot is enabled, so we need to disable it.
Apache is also configured to follow symlinks by default, which is not recommended. Disable both by replacing the existing Options line with the one below.
Options -Indexes -FollowSymLinks
Then reload the Apache service and check the URL again; you will get a Forbidden (permission denied) response. The URL to check depends on your WordPress webroot path.
3. Secure Apache using mod_security and mod_evasive modules:
mod_security: this acts as a web application firewall (WAF) in front of your web application or website, and you can configure it on Ubuntu 20.04. Install it with the command below and reload the Apache service.
sudo apt install libapache2-mod-security2
sudo systemctl reload apache2
mod_evasive: this helps protect against DDoS and HTTP brute-force attacks. It detects when too many requests per second arrive from one client and temporarily blocks that IP address if the requests keep coming.
sudo apt install libapache2-mod-evasive
sudo systemctl reload apache2
4. Disable Trace HTTP Request:
By default, HTTP TRACE is enabled, which allows cross-site tracing; an attacker can use this method to steal cookie information. When the TRACE method is disabled, mod_proxy and the core server return a “405 Method Not Allowed” error to the client.
Disable it using the parameter below in the /etc/apache2/conf-enabled/security.conf file and reload the Apache service.
5. Hiding the ETag: this header can reveal details about the served file and needs to be disabled. Add the parameter below to the /etc/apache2/conf-enabled/security.conf file (for example with vim) and reload the service.
6. Secure Apache from XSS attacks: make sure the XSS protection header is enabled on your Ubuntu Apache server by adding the header below to the /etc/apache2/conf-enabled/security.conf file and reloading the Apache service.
Before applying this header, you need to enable mod_headers in Apache with the command below, then add the header to the security.conf file.
a2enmod headers
systemctl restart apache2
Header set X-XSS-Protection "1; mode=block"
To check that it is enabled, open the browser’s Network tab, look at the response headers and find “X-XSS-Protection”, as shown in the figure below.
7. Set the “HttpOnly” and “Secure” flags to secure cookies:
You can protect the cookies your Apache server sets against cross-site scripting attacks by using the “HttpOnly” and “Secure” flags. Add the line below to the /etc/apache2/conf-enabled/security.conf file and reload the Apache service.
For Apache 2.4, use the line below.
Header edit Set-Cookie ^(.*)$ $1;HttpOnly;Secure
For Apache versions lower than 2.4, use the line below.
Header set Set-Cookie HttpOnly;Secure
8. Turn off Server Side Includes and CGI execution: it is recommended to disable SSI and CGI when they are not required. Add the following lines to the /etc/apache2/apache2.conf file and reload the service.
<Directory /var/www/>
    Options -Indexes -FollowSymLinks -Includes -ExecCGI
    AllowOverride None
    Require all granted
</Directory>
For a particular directory, for example /var/www/html/directory, add the directive below to that directory’s block.
Options -Includes -ExecCGI
9. Protect from Clickjacking Attack:
This is also known as a UI redress attack: the attacker tricks a user into clicking something the attacker has chosen, so that the click performs a malicious action. To protect against such an attack, add the header below to the /etc/apache2/conf-enabled/security.conf file and save the file.
Header always append X-Frame-Options "SAMEORIGIN"
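Once the steps above are applied, it is worth verifying them from the outside by auditing the response headers the server now sends. The POSIX shell script below is an added example, not part of the original post: it checks a captured header block for the Server banner, ETag, X-XSS-Protection, Set-Cookie flags and X-Frame-Options from steps 1, 5, 6, 7 and 9. The two header blocks embedded in it are constructed samples, and the host name in the usage comment is a placeholder.

```shell
# Added example, not from the original post: audit a captured HTTP response
# header block against steps 1, 5, 6, 7 and 9. Both header blocks below are
# constructed samples, not real server output.
# Constructed response from a default Apache/Ubuntu install.
BEFORE='HTTP/1.1 200 OK
Server: Apache/2.4.41 (Ubuntu)
ETag: "2d-5c1f9c3b2a0c0"
Set-Cookie: PHPSESSID=abc123; path=/
Content-Type: text/html'
# Constructed response after the security.conf changes above.
AFTER='HTTP/1.1 200 OK
Server: Apache
Set-Cookie: PHPSESSID=abc123; path=/;HttpOnly;Secure
X-XSS-Protection: 1; mode=block
X-Frame-Options: SAMEORIGIN
Content-Type: text/html'
# audit_headers: read a header block on stdin, print one "FAIL ..." line per
# hardening gap found and return the number of gaps (0 means clean).
audit_headers() {
    hdrs=$(tr -d '\r')
    fails=0
    # Step 1: ServerTokens Prod leaves only "Server: Apache"; more leaks version/OS.
    if printf '%s\n' "$hdrs" | grep -i '^Server:' | grep -Eiq 'apache/[0-9]|ubuntu'; then
        echo 'FAIL Server header reveals version or OS (step 1)'; fails=$((fails+1))
    fi
    # Step 5: no ETag header should be sent at all.
    if printf '%s\n' "$hdrs" | grep -iq '^ETag:'; then
        echo 'FAIL ETag header present (step 5)'; fails=$((fails+1))
    fi
    # Step 6: X-XSS-Protection must be exactly "1; mode=block".
    if ! printf '%s\n' "$hdrs" | grep -Eiq '^X-XSS-Protection:[[:space:]]*1;[[:space:]]*mode=block$'; then
        echo 'FAIL X-XSS-Protection missing or not "1; mode=block" (step 6)'; fails=$((fails+1))
    fi
    # Step 7: every Set-Cookie must carry both the HttpOnly and the Secure flag.
    cookies=$(printf '%s\n' "$hdrs" | grep -i '^Set-Cookie:' || true)
    if [ -n "$cookies" ] && { printf '%s\n' "$cookies" | grep -Eiv ';[[:space:]]*httponly' | grep -q . \
         || printf '%s\n' "$cookies" | grep -Eiv ';[[:space:]]*secure' | grep -q .; }; then
        echo 'FAIL a Set-Cookie lacks HttpOnly or Secure (step 7)'; fails=$((fails+1))
    fi
    # Step 9: X-Frame-Options must be SAMEORIGIN (DENY is also acceptable).
    if ! printf '%s\n' "$hdrs" | grep -Eiq '^X-Frame-Options:[[:space:]]*(sameorigin|deny)$'; then
        echo 'FAIL X-Frame-Options missing (step 9)'; fails=$((fails+1))
    fi
    return $fails
}
# Usage on a live host (placeholder name): curl -sI https://your-site.example/ | audit_headers
printf '%s\n' "$BEFORE" | audit_headers || echo "$? gap(s) before hardening"
printf '%s\n' "$AFTER" | audit_headers && echo "after hardening: clean"
```

Note that current Chrome, Edge and Firefox ignore X-XSS-Protection, so that check confirms the configuration was applied rather than an active browser-side defence.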
That’s it.