Five Measures to Ensure Apache security of Web servers

Five Measures to Ensure the Apache security of Web servers-Linux Enterprise applications-Linux server application information. For details, refer to the following section. Source: Saidi net Author: freedom

Needless to say, an important reason for Apache to take over half of Web servers is that it can provide a secure Web operation environment. The Apache community has done a lot of work to ensure its security. When a security defect was discovered in this product, Apache developers developed a patch as soon as possible.

However, Apache is already a secure product. If you do not take any security precautions when building your server, such Web servers are still vulnerable to many attacks.

In this article, I will provide you with 10 tips to protect your Apache Web server from many attacks. However, remember that you need to evaluate every skill carefully to make sure it fits your organization.

Only install

One of the biggest features of Apache is its flexibility and a large number of optional installation modules, which can become a major weakness when it comes to security issues. The more you install, the larger the attack surface for potential attackers. A standard Apache installation contains more than 20 modules, including CGI features and some authentication mechanisms. If you do not plan to use CGI, and you only want to use static Web sites without user authentication, you may not need any services provided by these modules, therefore, disable these modules when installing Apache.

If you use a running Apache server and do not want to reinstall it, you should carefully check the httpd. conf configuration file to find the lines starting with LoadModule. Check Apache documents (or search by Google or Yahoo) to find the target information of each module and find out the modules you do not need. Then restart Apache.

Minimum exposure

Apache is easy to install and easy to manage. Unfortunately, many Apache installations provide a lot of "helpful" information about their servers for completely unfamiliar users, such as Apache version numbers and operating system-related information. With this information, a potential attacker can track specific destructive vulnerabilities that may affect your system, especially when you fail to update all patches. In this way, the attacker can know exactly what you are running without repeated tests, so as to adjust the attack method.

To prevent the server from broadcasting sensitive information, make sure that the "ServerSignature" command in httpd. conf is set to "off ". A default Apache installation sets this command to "off", but many administrators have enabled it.

Similarly, disabling directory browsing is also a good concern. When directory browsing is enabled, a user accessing a directory that does not contain the required documents will see the complete list of contents in this directory. Without a doubt, you should not store sensitive materials in plain text on a Web server. Unless you must do so, you should not allow people to see more content than they need.

Directory browsing is enabled by default. To disable this feature, edit the http. conf file and clear the "Indexs" reference for each "Directory" command.

For example, on the Apache 2.2.4 server used in my experiment, this is the default directory command:


Options Indexes FollowSymLinks
AllowOverrride None
Order allow, deny
Allow from all


After the Indexes reference is cleared:

Options FollowSymLinks
AllowOverrride None
Order allow, deny
Allow from all


You can also retain the Indexes command and use a broken number to guide the command to disable it (that is, "-Indexes ").

Disable symbolic Connection Tracing

If you are the only person who proofreads Web content and you create a new symbolic connection without making any mistakes, you may not worry about this measure. However, if you have a lot of people who can add content to your site, and not all people are as cautious as you are, there will be a risk, that is, a user may accidentally create a symbolic connection pointing to a part of your file system, and you really don't want people to see these files. For example, what if someone in the root directory of your Apache server creates a symbolic connection pointing to the "/" folder?

To cancel the request that the Apache server allows users to trace symbolic connections, clear the FollowSymlinks command in the Directory command.

For example, on the author's experimental Apache 2.2.4 server, the Directory command is as follows:


Options Indexes FollowSymLinks
AllowOverrride None
Order allow, deny
Allow from all


After the FollowSymLinks reference is cleared, it will look like the following:

Options Indexes
AllowOverrride None
Order allow, deny
Allow from all


If you need to track symbolic connections, you can use SymLinksIfOwnerMatch instead.

Listen command

When you first install Apache, httpd. conf contains a "Listen 80" command. Change it to "Listen mn. xx. yy. zz: 80". Here "mn. xx. yy. zz" is the IP address that you want Apache to Listen. This is especially important if your Apache runs on a server with multiple IP addresses. If you do not take preventive measures, the default "Listen 80" Command tells Apache to Listen to port 80 of each IP address.

However, this measure may not apply to your environment and should be tailored to your needs.

Clear default comments from httpd. conf

The default httpd. conf file in Apache 2.2.4 contains more than 400 lines. Only a small part of the 400 lines is the actual Apache commands, and the rest is only to help users properly place command comments in httpd. conf. Based on the author's experience, these annotations sometimes play a negative role, and even store Dangerous commands in files. On many Apache servers managed by the author, the httpd. conf file is copied to other files, such as httpd. conf. orig, and redundant comments are cleared completely. Files become easier to read, so as to better solve potential security problems or misconfigure files.