
This is a checklist of Apache web server security and hardening settings. They are applied on the server itself and are considered best practice. A WAF can also be configured in front of the applications, but the settings below belong at the server level.

How To Secure Apache Web With Server Hardening In Linux:

Note: after any of these changes you must restart or reload the Apache service.


Hide Apache Version

We can hide the Apache version and operating system with the parameters below in httpd.conf, then restart or reload the service.

ServerSignature off
ServerTokens Prod

ServerSignature Off removes the version information from the pages Apache generates itself.

ServerTokens Prod reduces the Server header to the product name only.

Secure the Server Using the mod_security and mod_evasive Modules

yum install mod_security


mod_security works as a firewall for the web application: it monitors traffic in real time and also protects against brute-force attacks.

mod_evasive protects against DoS attacks.

Disable Directory Listing

Let's create a test directory under the document root.

cd /var/www/html/
mkdir testing


Now access this directory using the link below.

http://192.168.185.139/testing/

[screenshot: the directory listing returned for /testing/]

We will block this listing in httpd.conf with the change below.

vim /etc/httpd/conf/httpd.conf

Change the line inside the <Directory "/var/www/html"> block, as shown:

[screenshot: the edited <Directory "/var/www/html"> block]

Reload the server and check the link again.

[screenshot: the /testing/ link after the change]

Protection from Changing Files

Any user who can write a .htaccess file can override the server configuration. To prevent this, disable overrides.


Change AllowOverride to None:

AllowOverride None

Settings for HTTP Request Methods

HTTP/1.1 supports request methods such as GET, POST, DELETE, HEAD, TRACE, CONNECT, PUT and OPTIONS; most of them are not required unless your web application uses them.

Apache allows all of these methods by default. We will limit them by adding the following code to the directory section.

<LimitExcept GET HEAD POST DELETE>
    # Apache 2.2 syntax; on 2.4 this needs mod_access_compat, or use "Require all denied"
    deny from all
</LimitExcept>

This allows only these four methods; the rest are denied.
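The three directory-level settings above (no listing, no .htaccess overrides, limited request methods) as one drop-in file, written as an added example rather than code from the original article. It assumes Apache 2.4 on CentOS/RHEL, where httpd.conf includes /etc/httpd/conf.d/*.conf, so the file name hardening.conf and the Require syntax (the 2.4 form of "deny from all") are assumptions; the document root and output path are parameters.

```shell
#!/bin/sh
# Added example, not code from the original article: write the three directory-level
# settings (no listing, no .htaccess overrides, limited methods) as one drop-in file.
# Assumes Apache 2.4 on CentOS/RHEL, where httpd.conf includes /etc/httpd/conf.d/*.conf,
# so "Require" is used instead of the 2.2 "deny from all".

# write_dir_hardening DOCROOT OUTFILE -> writes the fragment and prints OUTFILE
write_dir_hardening() {
    docroot="${1:-/var/www/html}"
    out="${2:-$(mktemp -d)/hardening.conf}"   # temporary file unless a path is given
    cat > "$out" <<EOF
# hide version and OS in the Server header and on generated pages
ServerTokens Prod
ServerSignature Off

<Directory "$docroot">
    # no directory listing when the directory has no index file
    Options -Indexes
    # .htaccess files cannot override anything set here
    AllowOverride None
    Require all granted
    # only these four methods; TRACE, PUT, OPTIONS, CONNECT, ... are refused
    <LimitExcept GET HEAD POST DELETE>
        Require all denied
    </LimitExcept>
</Directory>
EOF
    printf '%s\n' "$out"
}

# has_directive FILE NAME VALUE -> 0 if a line "NAME VALUE" is present
has_directive() {
    grep -Eiq "^[[:space:]]*$2[[:space:]]+$3([[:space:]]|$)" "$1"
}

# demo against a temporary file; on a real server pass /etc/httpd/conf.d/hardening.conf,
# then run "apachectl configtest" and "systemctl reload httpd"
f=$(write_dir_hardening /var/www/html)
if has_directive "$f" Options '-Indexes' && has_directive "$f" AllowOverride None; then
    echo "wrote $f"
fi
```

Copy the generated file into /etc/httpd/conf.d/, run apachectl configtest, then reload. The LimitExcept block only governs the directory it sits in; paths served from elsewhere need their own block.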

Disable Trace HTTP Request

By default, the TRACE method is enabled in Apache. It enables Cross-Site Tracing attacks, through which an attacker can steal cookie information. Disable it with the parameter below.

TraceEnable off


Set-Cookie with the HttpOnly and Secure Flags

You might have heard of Cross-Site Scripting attacks. We will protect cookies with the header directive below. Without it, someone can manipulate web application sessions and steal cookies.

Make sure the mod_headers module (mod_headers.so) is enabled.

Header edit Set-Cookie ^(.*)$ $1;HttpOnly;Secure 

Clickjacking Attack

Clickjacking is a well-known web application vulnerability.

Make sure the mod_headers module (mod_headers.so) is enabled and put the code below in httpd.conf.

Header always append X-Frame-Options SAMEORIGIN


X-XSS Protection

It's a response header, supported by many browsers, that stops a page from loading when a reflected Cross-Site Scripting (XSS) attack is detected.

Header set X-XSS-Protection "1; mode=block"
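An added example (not from the article) that checks a captured response for the headers covered in the three sections above and for the ServerTokens setting: pipe in the output of curl -sD - -o /dev/null https://host/ or a saved response. The sample response inside it is constructed.

```shell
#!/bin/sh
# Added example, not code from the original article: audit a captured HTTP
# response for the header settings above (ServerTokens, Set-Cookie flags,
# X-Frame-Options, X-XSS-Protection). Feed it the output of
# `curl -sD - -o /dev/null https://host/`; the sample response is constructed.

# audit_headers < response -> one line per check; returns 1 if any check fails
audit_headers() {
    hdrs=$(tr -d '\r' | tr '[:upper:]' '[:lower:]')   # CRLF -> LF, lower-case for matching
    rc=0
    check() {  # check LABEL PATTERN -> ok when some header line matches PATTERN
        if printf '%s\n' "$hdrs" | grep -Eq "$2"; then echo "ok    $1"
        else echo "FAIL  $1"; rc=1; fi
    }
    # ServerTokens Prod shrinks the header to "Server: Apache"; digits mean a version leaked
    if printf '%s\n' "$hdrs" | grep -Eq '^server:.*[0-9]+\.[0-9]+'; then
        echo "FAIL  Server header leaks a version"; rc=1
    else echo "ok    Server header hides version"; fi

    check "X-Frame-Options is SAMEORIGIN or DENY"  '^x-frame-options: *(sameorigin|deny)$'
    check "X-XSS-Protection is 1; mode=block"      '^x-xss-protection: *1; *mode=block$'

    # every Set-Cookie header must carry both HttpOnly and Secure
    if printf '%s\n' "$hdrs" | grep -q '^set-cookie:'; then
        if printf '%s\n' "$hdrs" | grep '^set-cookie:' | grep -Evq 'httponly.*secure|secure.*httponly'; then
            echo "FAIL  a Set-Cookie header lacks HttpOnly or Secure"; rc=1
        else echo "ok    all Set-Cookie headers have HttpOnly and Secure"; fi
    else echo "skip  no Set-Cookie here; fetch a page that starts a session"; fi
    return $rc
}

# sample_response -> constructed reply from a server with the directives above applied
sample_response() {
    printf 'HTTP/1.1 200 OK\r\nServer: Apache\r\n'
    printf 'Set-Cookie: SESSID=constructed; Path=/; HttpOnly; Secure\r\n'
    printf 'X-Frame-Options: SAMEORIGIN\r\nX-XSS-Protection: 1; mode=block\r\n'
    printf 'Content-Type: text/html\r\n\r\n<html></html>\n'
}

if sample_response | audit_headers; then echo "-> all checks pass"; else echo "-> fix the FAIL lines"; fi
```

One thing the check catches: with Header always append X-Frame-Options SAMEORIGIN, an application that already sends the header ends up with "SAMEORIGIN, SAMEORIGIN", which browsers reject, so the X-Frame-Options line is reported as FAIL; Header always set avoids the duplication.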

Disable SSL V2 & V3

SSL v2 and v3 have many security flaws and are not recommended. Modern browsers do not require them. We can disable them with the line below in the Apache configuration file.

SSLProtocol -ALL -SSLv3 +TLSv1.2 -SSLv2

Disable HTTP 1.0 Protocol

Ensure the mod_rewrite module is enabled. HTTP/1.0 has security-related weaknesses such as session hijacking, so we can refuse it and let the rewrite condition accept only HTTP/1.1.

RewriteEngine On
RewriteCond %{THE_REQUEST} !HTTP/1.1$
RewriteRule .* - [F]


Timeout value

By default, the Apache Timeout value is 300 seconds. Lower it so a slow or idle connection holds a worker for less time.

Timeout 60

Disable Unwanted Modules

The modules below are enabled by default and can be disabled because they are not normally required. You can disable other unwanted modules on the server the same way.

mod_autoindex
mod_info
mod_include
mod_userdir
mod_imap

Limit Request Size

By default, Apache places no limit on the total size of HTTP request bodies, including in directories where users upload files, which exposes the server to denial-of-service attacks. Add the parameter below to httpd.conf; the value can be set between 0 and 2 GB.

<Directory "/var/www/html/testing/upload">
 LimitRequestBody 630000
</Directory>

Enable Logging

Apache lets you configure logging to suit your requirements. Suppose multiple websites run on a single server and we need to check the logs for one of them. We can define the log files and format in that virtual host with the directives below.

ErrorLog /var/log/httpd/test.com_error_log
CustomLog /var/log/httpd/test.com_access_log combined

Secure Apache with SSL Certificates

Secure each website with an SSL certificate. Certificates can be applied per site, or one certificate can cover all sites, depending on your requirements.

Make sure the mod_ssl module is installed and enabled before working with the SSL configuration.


Disable Server Side Includes and CGI Execution

We can disable server-side includes (mod_include) and CGI script execution if they are not needed on the Apache server.

Options -Includes -ExecCGI

We can also do this for a particular website or directory with the code below.

<Directory "/var/www/html/testing/upload">
Options -Includes -ExecCGI
</Directory>

Disable ETag

We can disable the ETag header when it is not required. It lets an attacker obtain sensitive information such as the inode number and the multipart MIME boundary. Put the line below in httpd.conf.

FileETag None

Run Apache with a non-privileged user

By default, Apache runs as the nobody or daemon user. We can run Apache as a different, dedicated user instead.

Create a dedicated user and group:

groupadd apache
useradd -g apache -s /sbin/nologin apache   # primary group apache, no login shell

Now change the ownership of the directory where Apache is installed:

chown -R apache:apache directory_path

Make the changes in the Apache configuration file httpd.conf and define the user and group if they are not already there.

User apache
Group apache

Turn Off Hostname Lookups

HostnameLookups Off
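Before reloading, the server-wide directives from this checklist can be audited read-only. The script below is an added example, not code from the article; its two sample configurations are constructed, and on CentOS the real file is /etc/httpd/conf/httpd.conf. It also decodes the SSLProtocol token list (+/- applied in order, a bare token replacing the list) so that both the page's form and "all -SSLv3" are recognised.

```shell
#!/bin/sh
# Added example, not code from the original article: read-only audit of an httpd.conf
# against the server-wide directives in this checklist. The sample configurations are
# constructed; on CentOS the real file is /etc/httpd/conf/httpd.conf.

# directive FILE NAME -> value of the last NAME line (comments stripped, name matched
# case-insensitively as Apache does); empty when absent
directive() {
    sed 's/#.*//' "$1" | awk -v n="$2" '
        tolower($1) == tolower(n) { $1 = ""; sub(/^ +/, ""); v = $0 }
        END { print v }'
}

# ssl_ok VALUE -> 0 when the SSLProtocol value leaves SSLv2/SSLv3 off and at least one
# TLS version on (+/- tokens apply in order, a bare token replaces the list, and "all"
# means SSLv3 plus TLSv1/1.1/1.2)
ssl_ok() {
    printf '%s\n' "$1" | awk '{
        split("", en)
        for (i = 1; i <= NF; i++) {
            t = tolower($i); op = substr(t, 1, 1)
            if (op == "+" || op == "-") { t = substr(t, 2) } else { op = "+"; split("", en) }
            if (t == "all") { en["sslv3"] = en["tlsv1"] = en["tlsv1.1"] = en["tlsv1.2"] = (op == "+") }
            else { en[t] = (op == "+") }
        }
        if (en["sslv2"] + en["sslv3"] > 0) exit 1
        if (en["tlsv1"] + en["tlsv1.1"] + en["tlsv1.2"] + en["tlsv1.3"] == 0) exit 1
        exit 0 }'
}

# audit_httpd_conf FILE -> one line per check; returns 1 if any check fails
audit_httpd_conf() {
    f="$1"; rc=0
    expect() {  # expect NAME WANT -> the directive's value must equal WANT (case-insensitive)
        v=$(directive "$f" "$1")
        if [ "$(printf '%s' "$v" | tr '[:upper:]' '[:lower:]')" = \
             "$(printf '%s' "$2" | tr '[:upper:]' '[:lower:]')" ]; then echo "ok    $1 $2"
        else echo "FAIL  $1 is '${v:-unset}', want $2"; rc=1; fi
    }
    expect ServerTokens Prod;  expect ServerSignature Off;  expect TraceEnable Off
    expect FileETag None;      expect HostnameLookups Off;  expect AllowOverride None
    t=$(directive "$f" Timeout)
    if [ -n "$t" ] && [ "$t" -le 60 ] 2>/dev/null; then echo "ok    Timeout $t"
    else echo "FAIL  Timeout is '${t:-unset}', want 60 or less"; rc=1; fi
    b=$(directive "$f" LimitRequestBody)
    if [ -n "$b" ] && [ "$b" -gt 0 ] 2>/dev/null; then echo "ok    LimitRequestBody $b"
    else echo "FAIL  LimitRequestBody is '${b:-unset}' (0 or unset means unlimited)"; rc=1; fi
    for d in User Group; do   # worker processes must never run as root
        v=$(directive "$f" "$d")
        case "$v" in ''|root) echo "FAIL  $d is '${v:-unset}'"; rc=1 ;; *) echo "ok    $d $v" ;; esac
    done
    if ssl_ok "$(directive "$f" SSLProtocol)"; then echo "ok    SSLProtocol"
    else echo "FAIL  SSLProtocol is unset or still allows SSLv2/SSLv3"; rc=1; fi
    return $rc
}

# sample_conf hardened|default -> constructed httpd.conf fragment on stdout
sample_conf() {
    if [ "$1" = hardened ]; then cat <<'EOF'
ServerTokens Prod
ServerSignature Off
TraceEnable off
FileETag None
HostnameLookups Off
Timeout 60
User apache
Group apache
SSLProtocol -ALL -SSLv3 +TLSv1.2 -SSLv2
AllowOverride None
LimitRequestBody 630000
EOF
    else cat <<'EOF'
ServerTokens OS
ServerSignature On
Timeout 300
User apache
SSLProtocol all
AllowOverride All
EOF
    fi
}

# run_audit hardened|default -> audit a constructed config; 0 if it passes
run_audit() {
    tmp=$(mktemp); sample_conf "$1" > "$tmp"
    if audit_httpd_conf "$tmp"; then status=0; else status=1; fi
    rm -f "$tmp"; return $status
}

for kind in default hardened; do
    echo "== $kind =="
    if run_audit "$kind"; then echo "-> passes"; else echo "-> needs attention"; fi
done
```

On a real server call audit_httpd_conf /etc/httpd/conf/httpd.conf; directives that live in separate conf.d files are not seen, so point it at each file that carries them. The audit reads configuration only and never touches the running service.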

You're done.
