Apache server security: 10 tips to secure installation

Apache is one of the most popular web servers. As of September 2014, it is used to host 55.7% of the top 1 million websites. It is also often described as one of the most secure web servers. In this article, I shall describe some configuration changes that will harden your Apache configuration.

Ensure that Apache server-info is disabled

If the <Location /server-info> directive in the httpd.conf configuration file is enabled, Apache will display information about its configuration when the /server-info page is requested, for example at http://www.example.com/server-info. This could include sensitive information about server settings such as the server version, system paths, database names, library information and so on. In the screenshot below we can see that the Apache /server-info page lists the server version, which also includes the OpenSSL version. From this information an attacker could deduce that this server is running a version of OpenSSL which is vulnerable to the Heartbleed Bug, and could then exploit that vulnerability.


Figure 1 – Part of Apache /server-info which clearly lists the server version, OpenSSL version, and PHP version, among other information.

This can be disabled either by commenting out the LoadModule line for the mod_info module in the httpd.conf Apache configuration file, as shown below:

#LoadModule info_module modules/mod_info.so

Or by commenting out the <Location /server-info> block in the httpd.conf Apache configuration file, as shown below:

#<Location /server-info>
# SetHandler server-info
# Order deny,allow
# Deny from all
# Allow from .your_domain.com
#</Location>

Ensure that Apache server-status is disabled

When enabled, the <Location /server-status> handler publishes information about the server’s performance, such as server uptime, server load, the HTTP requests currently being processed, and client IP addresses. An attacker may make use of this information to craft an attack against the web server. It is disabled in the same way as server-info: comment out the LoadModule line for mod_status (modules/mod_status.so) or the <Location /server-status> block in httpd.conf.


Figure 2 – The server-status page, accessible from http://your.host.example.com/server-status, showing various information with regards to the server’s performance

Disable the ServerSignature directive

The ServerSignature directive appends a footer to server-generated documents (error pages, directory listings and the like) which includes information about your Apache configuration, such as the Apache version and the server name. To prevent Apache from disclosing this information, the ServerSignature directive in your Apache configuration needs to be set to Off, as shown below:

ServerSignature Off

Figure 3 – Leaving the Apache ServerSignature directive enabled displays a footer with information about your Apache configuration

Set the ServerTokens directive to Prod

The ServerTokens directive controls what information about the server is sent back in the Server response header. Several values are accepted, as listed in the Apache ServerTokens documentation. The ServerTokens directive should be set to Prod in order to instruct Apache to return only ‘Apache’ in the Server response header. This can be done by including the directive below in your httpd.conf Apache configuration file:

ServerTokens Prod

Disable Directory Listing

Directory listing displays the contents of a directory, which can include every file belonging to that website. If it is enabled, an attacker can simply discover and view any file. This could potentially allow the attacker to decompile and reverse engineer an application in order to obtain its source code, and then analyze that source code for security flaws or for further information about the application, such as database connection strings, passwords to other systems and so on. Directory listing can be disabled by setting the Options directive in the Apache httpd.conf file:

<Directory /your/website/directory>
Options -Indexes
</Directory>

Figure 4 – Apache directory listing

Enable only the modules that are required

A default installation of Apache may include a number of pre-installed and enabled modules which you might not need. To add insult to injury, some web server admins tend to take the path of least resistance and enable all the remaining modules in httpd.conf, so as to ensure that everything works without a hitch. This, however, also exposes the web server to any security issues that exist, or are discovered in the future, in the modules that are enabled.

The Apache module documentation lists and explains all the modules available within Apache. Research the modules that you have enabled, and ensure that they are really required for the functionality of the website. Unnecessary modules should be disabled by adding a # character in front of their LoadModule line.


Figure 5 – A section of the httpd.conf Apache configuration file showing the majority of modules being disabled including the mod_status.so module

Make use of an appropriate user and group

By default Apache runs under the daemon user and group; it is best practice, however, to run Apache under a dedicated, non-privileged account. Furthermore, if two processes, such as Apache and MySQL, run under the same user and group, a compromise of one process can be leveraged against the other. To change Apache’s user and group, the User and Group directives in the Apache httpd.conf configuration file need to be changed:


Figure 6 – An excerpt of the httpd.conf configuration file showing the user and group Apache runs on as ‘apache’

Restrict unwanted services

You may want to disable certain features, such as CGI execution and the following of symbolic links, if they are not needed. These features are controlled by the Options directive in the httpd.conf configuration file and can also be disabled for a particular directory only. The example below shows what to include in your httpd.conf configuration file to disable CGI execution, symbolic links, and server side includes for a directory.

<Directory /your/website/directory>
Options -ExecCGI -FollowSymLinks -Includes
</Directory>
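The following Python script is an added example and is not part of the original article. It audits the text of an httpd.conf for the settings covered in the sections above: the mod_info/mod_status LoadModule lines and their <Location> handlers, ServerSignature, ServerTokens, the User and Group directives, and the Options keywords (Indexes, ExecCGI, FollowSymLinks, Includes). The sample configuration embedded in it is constructed for illustration and deliberately mixes weak and hardened settings; only lines that are not commented out count.

```python
"""Audit an httpd.conf for the hardening settings covered above.

Added example, not part of the original article. The sample configuration
below is constructed for illustration and mixes weak and hardened settings.
"""
import re

SAMPLE_CONF = """\
LoadModule info_module modules/mod_info.so
#LoadModule status_module modules/mod_status.so
User apache
Group apache
ServerSignature On
ServerTokens Full
<Location /server-info>
    SetHandler server-info
</Location>
#<Location /server-status>
#    SetHandler server-status
#</Location>
<Directory /var/www/html>
    Options Indexes FollowSymLinks
</Directory>
<Directory /var/www/secure>
    Options -Indexes -ExecCGI -FollowSymLinks -Includes
</Directory>
"""

# Options keywords the article recommends switching off with a leading "-"
RISKY_OPTIONS = ("Indexes", "ExecCGI", "FollowSymLinks", "Includes")


def active_lines(conf_text):
    """Yield (lineno, line) for lines that are neither blank nor commented out."""
    for lineno, raw in enumerate(conf_text.splitlines(), start=1):
        line = raw.strip()
        if line and not line.startswith("#"):
            yield lineno, line


def audit_httpd_conf(conf_text):
    """Return findings as (lineno, message) tuples sorted by line; 0 = directive missing."""
    findings = []
    single = {}  # lower-cased directive name -> (lineno, value)
    for lineno, line in active_lines(conf_text):
        m = re.match(r"LoadModule\s+(info_module|status_module)\b", line)
        if m:
            findings.append((lineno, f"{m.group(1)} is loaded; comment out the LoadModule line"))
        m = re.match(r"<Location\s+(/server-(?:info|status))\s*>", line, re.I)
        if m:
            findings.append((lineno, f"{m.group(1)} handler is exposed; comment out the block"))
        m = re.match(r"(ServerSignature|ServerTokens|User|Group)\s+(\S+)", line, re.I)
        if m:
            single[m.group(1).lower()] = (lineno, m.group(2))
        m = re.match(r"Options\s+(.+)", line, re.I)
        if m:
            for opt in RISKY_OPTIONS:
                # "Indexes" or "+Indexes" turns the option on; "-Indexes" turns it off
                if re.search(rf"(?<![-\w])\+?{opt}\b", m.group(1)):
                    findings.append((lineno, f"Options enables {opt}; use -{opt}"))

    sig = single.get("serversignature")
    if sig and sig[1].lower() != "off":
        findings.append((sig[0], f"ServerSignature is {sig[1]}; set it to Off"))
    tok = single.get("servertokens")
    if tok is None:
        # Apache's built-in default is Full, so an absent directive is a finding
        findings.append((0, "ServerTokens not set (defaults to Full); set it to Prod"))
    elif tok[1].lower() != "prod":
        findings.append((tok[0], f"ServerTokens is {tok[1]}; set it to Prod"))
    for name in ("User", "Group"):
        val = single.get(name.lower())
        if val is None:
            findings.append((0, f"{name} not set; run Apache under a dedicated unprivileged account"))
        elif val[1].lower() == "root":
            findings.append((val[0], f"{name} is root; use a dedicated unprivileged account"))
    return sorted(findings, key=lambda f: f[0])


if __name__ == "__main__":
    for lineno, message in audit_httpd_conf(SAMPLE_CONF):
        print(f"line {lineno:>3}: {message}")
```

Run against the embedded sample it reports the loaded mod_info, the exposed /server-info handler, ServerSignature On, ServerTokens Full and the Indexes and FollowSymLinks options on the /var/www/html directory, while the commented-out server-status block and the hardened /var/www/secure directory produce nothing. The script only reads a single file; settings pulled in via Include lines or from distribution-specific conf.d directories would need to be concatenated first.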

Make use of ModSecurity

mod_security (ModSecurity) is an open-source module that works as a web application firewall. Its features include request filtering, server identity masking, and null-byte attack prevention, and it also allows real-time traffic monitoring. It is therefore recommended to follow the ModSecurity manual to install the mod_security module and strengthen your security options.

Updates

You should always keep up to date with the latest versions of Apache, as new updates will contain new fixes and patches that will address past security issues and also introduce new security measures. The best way to keep up to date about new versions of Apache is to subscribe to the Apache Server Announcements mailing list at announce-subscribe@httpd.apache.org.

Enable logging

Apache logging provides detailed information about the client requests made to your web server, so enabling it will prove useful when investigating the cause of particular issues. In order to enable logging, the mod_log_config module needs to be loaded from the Apache httpd.conf file. This module provides the TransferLog, LogFormat, and CustomLog directives, which are used respectively to create a log file, to specify a custom format, and to create and format a log file in one step. As seen below, the LogFormat directive is used to specify a custom logging format – in this case the referrer and browser of each request are logged along with the default logging parameters. The CustomLog directive then instructs Apache to write the access log using this format.

LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" detailed
CustomLog logs/access.log detailed
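As an added example that is not part of the original article, the Python script below parses lines written in the "detailed" LogFormat above (one named group per % directive) and runs two simple checks over them: it lists requests for the /server-status and /server-info handlers from the earlier sections, and counts requests per client host. The log lines are constructed samples using documentation IP ranges, not real traffic.

```python
"""Parse Apache access-log lines written with the "detailed" LogFormat above.

Added example, not part of the original article. The log lines are constructed
samples (documentation IP ranges), not real traffic.
"""
import re
from collections import Counter

# One named group per field of:  %h %l %u %t "%r" %>s %b "%{Referer}i" "%{User-Agent}i"
LOG_RE = re.compile(
    r'^(?P<host>\S+) (?P<ident>\S+) (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<request>[^"]*)" (?P<status>\d{3}) (?P<bytes>\d+|-) '
    r'"(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)

# Handler paths from the earlier sections that should not be reachable from outside
INFO_PATHS = ("/server-status", "/server-info")

SAMPLE_LOG = """\
203.0.113.5 - - [10/Oct/2014:13:55:36 +0000] "GET /index.html HTTP/1.1" 200 2326 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Oct/2014:13:55:40 +0000] "GET /server-status HTTP/1.1" 403 199 "-" "curl/7.38.0"
198.51.100.7 - - [10/Oct/2014:13:56:01 +0000] "GET /server-info HTTP/1.1" 404 209 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Oct/2014:13:56:05 +0000] "GET /images/ HTTP/1.1" 200 1732 "http://www.example.com/" "Mozilla/5.0"
this line is not in the expected format
"""


def parse_line(line):
    """Return a dict of fields for one log line, or None if it does not match."""
    m = LOG_RE.match(line.rstrip("\n"))
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["bytes"] = 0 if rec["bytes"] == "-" else int(rec["bytes"])
    # %r is "METHOD PATH PROTOCOL"; tolerate malformed request lines
    parts = rec["request"].split(" ")
    rec["method"] = parts[0] if parts else ""
    rec["path"] = parts[1] if len(parts) > 1 else ""
    rec["protocol"] = parts[2] if len(parts) > 2 else ""
    return rec


def parse_log(text):
    """Parse every line, skipping (and counting) lines that do not match the format."""
    records, skipped = [], 0
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None:
            skipped += 1
        else:
            records.append(rec)
    return records, skipped


def find_info_probes(records):
    """Requests for the server-status/server-info handlers, whatever the response code."""
    return [(r["host"], r["path"], r["status"]) for r in records
            if r["path"].split("?", 1)[0] in INFO_PATHS]


def requests_per_host(records):
    """Number of logged requests per client address (%h)."""
    return Counter(r["host"] for r in records)


if __name__ == "__main__":
    recs, bad = parse_log(SAMPLE_LOG)
    print(f"parsed {len(recs)} records, skipped {bad}")
    for host, path, status in find_info_probes(recs):
        print(f"request for {path} from {host} -> {status}")
    print(requests_per_host(recs).most_common())
```

Even after the handlers are disabled, requests for these paths are worth watching: a 403 or 404 for /server-status confirms the hardening is in place, while a 200 would mean the handler is still exposed. The pattern assumes Apache's default escaping, where a literal quote inside the request line or User-Agent is written as \" ; lines containing such escapes are counted as skipped rather than parsed.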