![\"\"](\"https:\/\/easy-admin.ca\/wp-content\/uploads\/2017\/05\/apache-http-server.jpg\")
<\/p>\n<\/p>\n
NOTE:<\/strong> https:\/\/www.feistyduck.com\/library\/apache%2dsecurity\/online\/<\/a><\/p>\n Apache is one of the most widely-used and popular web servers. It is also one of the most secure web servers available. In this article, I will explain some tips and tricks that will secure your Apache server.<\/p>\n Visit your web server in Firefox. Activate Firebug by clicking the Firebug icon on the top right side.<\/p>\n If you check the HTTP response headers in Firebug, it will show the Apache version along with your operating system name and version, as shown in this screenshot:<\/p>\n To hide this information from browsers, you will need to make some changes in Apache’s main configuration file.<\/p>\n You can do this by editing the Add the following line at the end of file:<\/p>\n Save the file and restart the Apache service to reflect these changes:<\/p>\n Now, open Firefox and access your web server. Check the HTTP response headers in Firebug, You can see that setting Directory listing in the absence of an You can turn off this setting by using the Find the section that begins with Save the file and restart Apache service to reflect these changes.<\/p>\n Next, try to visit your website in a browser. You will get a “Forbidden” error.<\/p>\n By default Apache comes with lots of unnecessary installed modules. It is a good policy to disable any unnecessary modules that are not in use.<\/p>\n You can list all enabled modules on your server using the following command:<\/p>\n From the enabled modules in You can disable this modules by editing the Insert a Save the file and restart Apache service to reflect these changes.<\/p>\n By default Apache follows symbolic links (symlinks). Turning this off is recommended for security.<\/p>\n To do this, you need to edit Find the section that begins with Now restart Apache to reflect changes.<\/p>\n Server-side includes (SSI) are directives present on Web applications that are placed in HTML pages. An SSI attack allows a web application to be exploited by remotely executing arbitrary codes. The attacker can access sensitive information like password files, and execute shell commands. It is recommended that you disable server side includes and CGI execution if they are not needed.<\/p>\n To do this, edit the main Apache config file:<\/p>\n Find the section that begins with Now restart Apache to reflect the changes.<\/p>\n You can also do this for specific web directories. For example, to turn off Includes and CGI file executions for Add the following line:<\/p>\n Save the file and restart Apache.<\/p>\n By default Apache has no limit on the size of the HTTP request. This can allow hackers to send large number of data.<\/p>\n You can limit the requests size by using the Apache directive Suppose you have a site (www.example.com), where you allow uploads, and you want to limit the upload size on this site.<\/p>\n You can set value from For example, to limit the request size for the Add the following line:<\/p>\n Save the file and restart Apache.<\/p>\n Unless you have a specific need, it is recommended to restrict Apache to being only able to access the document root.<\/p>\n You can secure the root directory Add\/edit the following line:<\/p>\n Save the file and restart Apache:<\/p>\n The Apache Server has a good record for security. New Apache updates will contain patches that will reduce vulnerability of your Apache server. You should always be using the most recent version of Apache server.<\/p>\n You can update your Apache to the most recent version by running the following command:<\/p>\n Clickjacking, also known as “User Interface redress attack,” is a malicious technique to collect an infected user’s clicks. Clickjacking tricks the victim (visitor) into clicking on an infected site.<\/p>\n To avoid this, you need to use You can do this by editing the Add the following line:<\/p>\n Save the file and restart Apache:<\/p>\n Now, open Firefox and visit your website. When you check the HTTP response headers in Firebug, you should see ETags (entity tags) are a well-known point of vulnerability in Apache web server. ETag is an HTTP response header that allows remote users to obtain sensitive information like inode number, child process ids, and multipart MIME boundary. ETag is enabled in Apache by default.<\/p>\n To prevent this vulnerability, disabling ETag is recommended.<\/p>\n You can do this by editing Add the following line:<\/p>\n Save the file and restart Apache:<\/p>\n Now, open Firefox and visit your website. When you check the HTTP response headers in Firebug, you should not see Apache support the OPTIONS, GET, HEAD, POST, CONNECT, PUT, DELETE, and TRACE method in HTTP 1.1 protocol. Some of these may not be required, and may pose a potential security risk. It is a good idea to only enable HEAD, POST, and GET for web applications.<\/p>\n You can do this by editing the Find the section that begins with Save the file and restart Apache:<\/p>\n sudo apachectl restart<\/p>\n Cross-site scripting (XSS) is one of the most common application-layer vulnerabilities in Apache server. XSS enables attackers to inject client-side script into web pages viewed by other users. Enabling XSS protection is recommended.<\/p>\n You can do this by editing the httpd.conf file:<\/p>\n Add the following line:<\/p>\n Save the file and restart Apache to reflect changes.<\/p>\n Now, open Firefox and visit your website. When you check HTTP response headers in Firebug, you should see that XSS Protection is enabled and mode<\/strong> is blocked.<\/p>\n You can protect your Apache server from most of the common Cross Site Scripting attacks using the You can do this by editing the Add the following line:<\/p>\n Save the file and restart Apache to reflect changes.<\/p>\n NOTE: https:\/\/www.feistyduck.com\/library\/apache%2dsecurity\/online\/ Introduction Apache is one of the most widely-used and popular web servers. It is also one of the most secure web servers available. In this article, I will explain some tips and tricks that will secure your Apache server. Requirements A server running CentOS v. 7 with Apache installed A static IP address … Continue reading How to Harden the Apache Web Server on CentOS 7<\/span><\/a><\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"slim_seo":{"title":"How to Harden the Apache Web Server on CentOS 7 - HP Server","description":"NOTE: https:\/\/www.feistyduck.com\/library\/apache%2dsecurity\/online\/ Introduction Apache is one of the most widely-used and popular web servers. It is also one of"},"footnotes":""},"categories":[1],"tags":[],"class_list":["post-1417","post","type-post","status-publish","format-standard","hentry","category-general"],"_links":{"self":[{"href":"https:\/\/easy-admin.ca\/index.php\/wp-json\/wp\/v2\/posts\/1417","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/easy-admin.ca\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/easy-admin.ca\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/easy-admin.ca\/index.php\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/easy-admin.ca\/index.php\/wp-json\/wp\/v2\/comments?post=1417"}],"version-history":[{"count":0,"href":"https:\/\/easy-admin.ca\/index.php\/wp-json\/wp\/v2\/posts\/1417\/revisions"}],"wp:attachment":[{"href":"https:\/\/easy-admin.ca\/index.php\/wp-json\/wp\/v2\/media?parent=1417"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/easy-admin.ca\/index.php\/wp-json\/wp\/v2\/categories?post=1417"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/easy-admin.ca\/index.php\/wp-json\/wp\/v2\/tags?post=1417"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}Introduction<\/h2>\n
Requirements<\/h2>\n
\n
Hide the Apache version<\/h2>\n
![\"\"](\"https:\/\/easy-admin.ca\/wp-content\/uploads\/2017\/05\/centos_apache_version_info.png\")
<\/p>\nhttpd.conf<\/code> file:<\/p>\nsudo nano \/etc\/httpd\/conf\/httpd.conf\r\n<\/code><\/pre>\nServerSignature Off\r\nServerTokens Prod\r\n<\/code><\/pre>\nsudo apachectl restart\r\n<\/code><\/pre>\nServerSignature<\/code> to Off<\/code> has removed the version information from Server<\/strong>.<\/p>\n![\"\"](\"https:\/\/easy-admin.ca\/wp-content\/uploads\/2017\/05\/centos_apache_version_info_2.png\")
<\/p>\nTurn off directory listing<\/h2>\n
index<\/code> file is enabled by default in Apache. Directory listing displays all the files from the Apache web root directory. If this is enabled, then a hacker can easily view any file, analyze it, and obtain sensitive information about an application of your Apache server.<\/p>\nOptions<\/code> directive in the Apache configuration file for a specific web directory.<\/p>\nsudo nano \/etc\/httpd\/conf\/httpd.conf\r\n<\/code><\/pre>\nDirectory \/var\/www\/html<\/code> and add -Indexes<\/code> in the Options<\/code> directive:<\/p>\n<Directory \/var\/www\/html\/>\r\n Options -Indexes\r\n AllowOverride None\r\n Require all granted\r\n<\/Directory>\r\n<\/code><\/pre>\nsudo apachectl restart\r\n<\/code><\/pre>\nDisable unnecessary modules<\/h2>\n
sudo grep LoadModule \/etc\/httpd\/conf.modules.d\/00-base.conf\r\n<\/code><\/pre>\n00-base.conf<\/code> file, some modules like mod_info<\/code>, mod_userdir<\/code>, mod_autoindex<\/code> are enabled but not needed.<\/p>\n00-base.conf<\/code> file:<\/p>\nsudo nano \/etc\/httpd\/conf.modules.d\/00-base.conf\r\n<\/code><\/pre>\n#<\/code> at the beginning of the following lines to disable the modules:<\/p>\n#LoadModule info_module modules\/mod_info.so\r\n#LoadModule userdir_module modules\/mod_userdir.so<\/code><\/pre>\r\n<\/code><\/pre>\nsudo apachectl restart\r\n<\/code><\/pre>\nDisable Apache’s FollowSymLinks<\/h2>\n
httpd.conf<\/code> file:<\/p>\nsudo nano \/etc\/httpd\/conf\/httpd.conf\r\n<\/code><\/pre>\nDirectory \/var\/www\/html<\/code>. Add -FollowSymLinks<\/code> in option directive:<\/p>\n<Directory \/var\/www\/html\/>\r\n Options -Indexes -FollowSymLinks\r\n AllowOverride None\r\n Require all granted\r\n<\/Directory>\r\n<\/code><\/pre>\nsudo apachectl restart\r\n<\/code><\/pre>\nTurn off server-side includes (SSI) and CGI execution<\/h2>\n
sudo nano \/etc\/httpd\/conf\/httpd.conf<\/code><\/pre>\r\n<\/code><\/pre>\nDirectory \/var\/www\/html<\/code>, Add -ExecCGI<\/code> and -Includes<\/code> in option directive:<\/p>\n<Directory \/var\/www\/html\/>\r\n Options -Indexes -FollowSymLinks -ExecCGI -Includes\r\n AllowOverride None\r\n Require all granted\r\n<\/Directory>\r\n<\/code><\/pre>\nsudo apachectl restart<\/code><\/pre>\n\/var\/www\/html\/www.vhost1.com<\/code> directory:<\/p>\nsudo nano \/etc\/httpd\/conf\/httpd.conf\r\n<\/code><\/pre>\n<Directory \/var\/www\/html\/www.vhost1.com\/>\r\n Options -Includes -ExecCGI\r\n<\/Directory>\r\n<\/code><\/pre>\nsudo apachectl restart\r\n<\/code><\/pre>\nLimit request size<\/h2>\n
LimitRequestBody<\/code> in combination with the Directory tag. This can help protect your web server from a denial of service (DOS) attack.<\/p>\n0<\/code> (unlimited) to 2147483647<\/code> (2GB) in the main Apache config file.<\/p>\n\/var\/www\/html\/www.example.com<\/code> directory to 200K<\/code>:<\/p>\nsudo nano \/etc\/httpd\/conf\/httpd.conf\r\n<\/code><\/pre>\n<Directory \/var\/www\/html\/www.example.com>\r\n LimitRequestBody 204800\r\n<\/Directory>\r\n<\/code><\/pre>\nsudo apachectl restart\r\n<\/code><\/pre>\nDisallow browsing outside the document root<\/h2>\n
\/<\/code> with Allow and Deny options in the httpd.conf<\/code> file.<\/p>\nsudo nano \/etc\/httpd\/conf\/httpd.conf\r\n<\/code><\/pre>\n<Directory \/>\r\n Options None\r\n Order deny,allow\r\n Deny from all\r\n<\/Directory>\r\n<\/code><\/pre>\nsudo apachectl restart\r\n<\/code><\/pre>\n\n
Keep Apache up to date<\/h2>\n
sudo yum update httpd\r\n<\/code><\/pre>\nSecure Apache from clickjacking attacks<\/h2>\n
X-FRAME-OPTIONS<\/code> to prevent your website from being used by clickjackers.<\/p>\nhttpd.conf<\/code> file:<\/p>\nsudo nano \/etc\/httpd\/conf\/httpd.conf\r\n<\/code><\/pre>\nHeader append X-FRAME-OPTIONS \"SAMEORIGIN\"\r\n<\/code><\/pre>\nsudo apachectl restart\r\n<\/code><\/pre>\nX-Frame-Options<\/code><\/p>\nDisable ETag<\/h2>\n
httpd.conf<\/code> file:<\/p>\nsudo nano \/etc\/httpd\/conf\/httpd.conf\r\n<\/code><\/pre>\nFileETag None\r\n<\/code><\/pre>\nsudo apachectl restart\r\n<\/code><\/pre>\nEtag<\/code> listed.<\/p>\nHTTP request methods<\/h2>\n
httpd.conf<\/code> file:<\/p>\nsudo nano \/etc\/httpd\/conf\/httpd.conf\r\n<\/code><\/pre>\nDirectory \/var\/www\/html<\/code>. Add the following lines under this section:<\/p>\n<LimitExcept GET POST HEAD>\r\n deny from all\r\n<\/LimitExcept>\r\n<\/code><\/pre>\nSecure Apache from XSS attacks<\/h2>\n
sudo nano \/etc\/httpd\/conf\/httpd.conf\r\n<\/code><\/pre>\n<IfModule mod_headers.c>\r\n Header set X-XSS-Protection \"1; mode=block\"\r\n<\/IfModule>\r\n<\/code><\/pre>\nsudo apachectl restart\r\n<\/code><\/pre>\nProtect cookies with HTTPOnly flag<\/h2>\n
HttpOnly<\/code> and Secure<\/code> flags for cookies.<\/p>\nhttpd.conf<\/code> file:<\/p>\nsudo nano \/etc\/httpd\/conf\/httpd.conf\r\n<\/code><\/pre>\n<IfModule mod_headers.c>\r\n Header edit Set-Cookie ^(.*)$ $1;HttpOnly;Secure\r\n<\/IfModule>\r\n<\/code><\/pre>\nsudo apachectl restart\r\n<\/code><\/pre>\n","protected":false},"excerpt":{"rendered":"