Eight simple methods to protect Apache Web Servers

Source: Internet
Author: User


Apache is the most widely used Web server on the Internet today. It originated on Unix but has been ported to other server operating systems, such as Windows. Apache serves millions of websites and Internet applications. Its many authentication options, support for a large number of language interfaces, and security features make it the Web server favored by thousands of users around the world.

Apache's prominence and popularity also make the websites it serves a preferred target for attackers. Sites running on Apache are often compromised not because Apache itself is insecure, but mainly because of poorly written application code and database-related security issues. Apache on Linux is a good combination security-wise, but if you do not take basic preventive measures, things can still go wrong. To that end, we have collected several simple, easy-to-learn measures you should take to keep your Web server secure.

First thing: Update

Every Apache release has had security vulnerabilities, and they are fixed promptly once found. The development community is constantly working on new security issues, and the importance of keeping up with updates cannot be overstated.

A sound update policy and a sound security policy complement each other. Do not update Apache only when a major version is released; install every patch release as well. It is also wise to update PHP (if you use it) at the same time.

Use the following command to check the currently installed version of Apache (on Debian and Ubuntu the binary is called apache2; apachectl -v works on both families).

# httpd -v
Server version: Apache/2.*.** (Unix)
Server built: Mar 12 2014 13:20:23

If the result shows that you are not running the latest release for your branch, update promptly. Note that distribution packages often backport security fixes without changing the upstream version string, so check your distribution's security advisories rather than judging by the version number alone.

Hide the Apache version and operating system

When an error occurs, the server may return not only information about the error but also details about the Apache version and operating system. A simple 404 page can expose this information about the Web server and operating system, and in some cases even the list of Apache modules installed on the server.

To disable this, open the configuration file (httpd.conf; on Debian-based systems the main file is apache2.conf) in a text editor and find the line "ServerSignature On" (On is the default). Replace "On" with "Off". ServerSignature only controls the footer on server-generated pages; the Server response header is governed by ServerTokens, which defaults to Full, so set "ServerTokens Prod" as well.

Now the Server header and the error pages only show that the site runs Apache, not which version, operating system or modules. You can verify this by requesting a non-existent page and inspecting the Server header in the response.

Disable directory listing

If a directory has no index file (as defined by DirectoryIndex), Apache by default lists all the files in it. This applies to any directory, not only the document root, as long as mod_autoindex is loaded and the Indexes option is on. There are several ways to stop Apache from listing directory contents, and each needs only a few lines in the configuration file. Either set the Options directive to "-Indexes" (remove just this option) or to "None" (remove every option). If you are unsure which to use, add the following lines to the configuration file.

<Directory /var/www/html>
    # Remove only the Indexes option from whatever is inherited; a directory
    # without an index file then returns 403 instead of a listing
    Options -Indexes
    # Apache 2.2 access control; on 2.4 replace the next two lines with: Require all granted
    Order allow,deny
    Allow from all
</Directory>

Or use the following code.

<Directory /var/www/html>
    # Options None disables every option (Indexes, FollowSymLinks, Includes, ExecCGI, ...)
    Options None
    # Apache 2.2 access control; on 2.4 replace the next two lines with: Require all granted
    Order allow,deny
    Allow from all
</Directory>

In some distributions these directives are already in place, but it is worth checking. Note that Options None also turns off FollowSymLinks and the other options, so only use it if nothing under that directory relies on them. Once set, a request for a directory without an index file should return 403 Forbidden instead of a listing. It is always better to be secure.

Protect configuration files

If you have followed the steps so far, you will have noticed that the httpd.conf configuration file is central to the server's security, so it should be protected against modification. You can always lift the protection when you need to edit the file.

Use the following command to make the configuration file immutable (the path is the default on Red Hat-based systems).

chattr +i /etc/httpd/conf/httpd.conf

The chattr manual page describes the attribute as follows:

"A file with the 'i' attribute cannot be modified: it cannot be deleted or renamed, no link can be created to this file and no data can be written to the file. Only the superuser or a process possessing the CAP_LINUX_IMMUTABLE capability can set or clear this attribute."

Two caveats: you must run chattr -i on the file before editing it (lsattr shows whether the flag is set), and the attribute only prevents modification, not reading, so restrict the file's permissions separately if it contains secrets. An attacker who already has root can clear the flag just as you can; the flag protects against a compromised web-server account or careless automation, not against a root compromise.

Restrict request size to prevent DoS Attacks

Limiting request size blocks one class of denial-of-service attack: clients that send very large request bodies, for example huge uploads, to exhaust disk, memory or CPU. By default LimitRequestBody is 0, meaning unlimited; set it to a size that matches what your site actually needs, and apply a tighter limit to directories that accept uploads (the directive is valid in Directory and .htaccess context). The related directives LimitRequestLine, LimitRequestFields and LimitRequestFieldSize bound the request line and headers. Body limits do nothing against connection floods or slow-request attacks, which need timeouts (Timeout, mod_reqtimeout) and network-level controls.

Disable unnecessary modules

Every module you disable reduces the attack surface of your server. To list the modules referenced in the main configuration file, use the following command.

# grep LoadModule /etc/httpd/conf/httpd.conf

Go through the output and identify the modules you do not need. You do not even need to delete a line: prefix it with "#" and the module will no longer be loaded after the service is restarted. Note that on most distributions modules are also loaded from included files (conf.modules.d/*.conf on Red Hat-based systems, mods-enabled/ on Debian-based ones, where a2dismod disables a module), so grep on httpd.conf alone may miss some. httpd -M (or apachectl -M) lists the modules actually loaded by the running configuration, and httpd -t checks the syntax before you restart.

Do not run Apache as root

Apache should not run as root. Running it as a dedicated user is always the right choice. Depending on the distribution, the default User and Group may be daemon, nobody, www-data or apache. Create a non-privileged account used only by Apache, and never set User or Group to root. The parent httpd process still starts as root in order to bind port 80 and then spawns its children as the configured user, so in a process listing you should see one root parent and all worker processes running as the Apache user.

# vi httpd.conf
Group apache
User apache
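The checks in the sections above (ServerSignature and ServerTokens, directory listings, LimitRequestBody, LoadModule lines and the User/Group account) can be scripted. The following POSIX shell script is an added example written for this page, not code from the original article or from the Apache project. It writes a constructed, deliberately weak httpd.conf to a temporary file, reports each weak setting, comments out mod_status, rewrites the file with the hardened values and audits it again. The file contents, the paths and the 10 MiB body limit are assumptions for the demonstration; the directive names are real Apache directives.

```shell
#!/bin/sh
# Added example (not from the original article): audit and harden the httpd.conf
# settings discussed above, run against a constructed sample configuration so it
# works offline. Directive names are real Apache directives; the file contents,
# paths and the 10 MiB LimitRequestBody value are assumptions for the demo.
set -u

# Write a constructed, deliberately weak httpd.conf to the path given in $1.
make_sample_conf() {
    cat > "$1" <<'EOF'
ServerRoot "/etc/httpd"
Listen 80
LoadModule status_module modules/mod_status.so
LoadModule autoindex_module modules/mod_autoindex.so
LoadModule rewrite_module modules/mod_rewrite.so
User root
Group root
ServerSignature On
ServerTokens Full
<Directory "/var/www/html">
    Options Indexes FollowSymLinks
    AllowOverride None
    Require all granted
</Directory>
EOF
}

# Print the value of directive $2 in conf file $1, lowercased because Apache
# treats these values case-insensitively; last occurrence wins, as in Apache.
# Prints nothing if the directive is absent.
directive_value() {
    grep -i "^[[:space:]]*$2[[:space:]]" "$1" | tail -n 1 | awk '{print $2}' \
        | tr '[:upper:]' '[:lower:]'
}

# Print the module names on active (uncommented) LoadModule lines.
list_modules() {
    grep -E '^[[:space:]]*LoadModule[[:space:]]' "$1" | awk '{print $2}'
}

# Comment out the LoadModule line for module $2 (e.g. status_module) in file $1.
# Edits through a temp file so it works with both GNU and BSD sed.
disable_module() {
    sed -E "s/^([[:space:]]*LoadModule[[:space:]]+$2[[:space:]])/#\1/" "$1" > "$1.tmp" \
        && mv "$1.tmp" "$1"
}

# Print one line per weak setting found in $1 (prints nothing when it is clean).
audit_conf() {
    [ "$(directive_value "$1" ServerSignature)" = "off" ] \
        || echo "ServerSignature is not Off: server-generated pages carry a version footer"
    [ "$(directive_value "$1" ServerTokens)" = "prod" ] \
        || echo "ServerTokens is not Prod: Server header reveals version, OS and modules"
    # An Options line that turns Indexes on ("Indexes" or "+Indexes", not "-Indexes").
    if grep -Ei '^[[:space:]]*Options[[:space:]]' "$1" | grep -Eiq '[[:space:]]\+?Indexes([[:space:]]|$)'; then
        echo "Options enables Indexes: directories without an index file will be listed"
    fi
    [ -n "$(directive_value "$1" LimitRequestBody)" ] \
        || echo "LimitRequestBody unset: request bodies are unlimited (default 0)"
    for d in User Group; do
        v=$(directive_value "$1" "$d")
        case "$v" in
            ""|root) echo "$d is '${v:-unset}': httpd workers must run as a dedicated unprivileged account" ;;
        esac
    done
}

# Rewrite $1 with the values recommended in the article. The 10 MiB body limit
# is an assumed figure; size it for the uploads your site actually accepts.
harden_conf() {
    sed -E -e 's/^([[:space:]]*ServerSignature[[:space:]]+).*/\1Off/' \
           -e 's/^([[:space:]]*ServerTokens[[:space:]]+).*/\1Prod/' \
           -e 's/^([[:space:]]*Options.*[[:space:]])\+?Indexes/\1-Indexes/' \
           -e 's/^([[:space:]]*User[[:space:]]+).*/\1apache/' \
           -e 's/^([[:space:]]*Group[[:space:]]+).*/\1apache/' "$1" > "$1.tmp" \
        && mv "$1.tmp" "$1"
    printf 'LimitRequestBody 10485760\n' >> "$1"
}

# Stand-alone run: audit the weak sample, then disable mod_status, harden and re-audit.
demo() {
    f=$(mktemp)
    make_sample_conf "$f"
    echo "== active modules =="; list_modules "$f"
    echo "== findings before hardening =="; audit_conf "$f"
    disable_module "$f" status_module
    harden_conf "$f"
    echo "== findings after hardening (expect none) =="; audit_conf "$f"
    echo "== active modules after disabling mod_status =="; list_modules "$f"
    rm -f "$f"
}
demo
```

Run it with sh. To audit a real file instead, call audit_conf /etc/httpd/conf/httpd.conf (adjust the path for your distribution). The script only reads the one file it is given, so directives set in included files or in .htaccess are not seen, and a clean audit is no substitute for checking the running server with httpd -t and httpd -M.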

Select an appropriate hosting service provider

This last tip has nothing to do with your Web server configuration. Some of the most popular hosting providers are based in Europe and the United States, but popularity does not mean security, and you do not have to buy from them. If you do not live in the United States, you can find many secure, reliable and cost-effective hosting providers in your own country. If you live in Australia, for example, you can choose an Australian provider such as EZI Hosting rather than the most popular international one. Their IP address ranges tend to attract less attack traffic.

Address: http://linuxaria.com/article/8-simple-to-follow-tips-to-secure-your-apache-web-server
