Hardening Apache

First, please check the Apache website for

http://xianshield.org/guides/apache2.0guide.html has some nice tips on how to harden your apache server. Especially, check your httpd.conf and make sure the configurations are fine.

Directive and setting                  Description/rationale

ServerSignature Off
    Prevents the server from appending its version to error pages and
    other server-generated documents.

ServerTokens Prod
    Prevents the server from giving version info in the Server header; it
    reports only "Apache". With this setting, when people test the site with

        % telnet www.host.com 80
        HEAD / HTTP/1.0
        (press Enter twice; the blank line ends the request)

    the response won't show the Apache version.

Listen 80 (remove)
    If you don't have to run your server on port 80, remove the Listen
    directive; we'll set Listen only in ssl.conf, so the server is
    reachable only over HTTPS.

User webserv (or whatever you created for the web server)
    Ensure that the child processes run as an unprivileged user.

Group webserv (or whatever you created in step 2 above)
    Ensure that the child processes run as an unprivileged group.

ErrorDocument 404 errors/404.html
ErrorDocument 500 errors/500.html
etc.
    To further obscure the web server and version, these serve pages you
    create rather than the default Apache error pages, which are easy to
    recognise and, without ServerSignature Off, carry the version.

ServerAdmin webmaster@xianco.com
    Use a mail alias; never put a person's email address here.

UserDir disabled root
    Remove the UserDir line, since we disabled this module. If you do enable
    user directories, you'll need this line to protect root's files.

<Directory />
    Order Deny,Allow
    Deny from all
</Directory>
    Deny access to the root file system. The closing </Directory> is
    required (Apache refuses to start without it). Every other <Directory>
    block then has to grant access explicitly.

TraceEnable off
    The TRACE method echoes the request back to the client, including
    cookies and Authorization headers, which a Cross Site Tracing (XST)
    attack uses to steal credentials that script could not otherwise read.
    See Cross Site Tracing for details.

<Directory "/opt/apache2/htdocs">
  <LimitExcept GET POST>
     Deny from all
  </LimitExcept>

  Options -FollowSymLinks -Includes -Indexes -MultiViews
  AllowOverride None
  Order allow,deny
  Allow from all
</Directory>
    LimitExcept GET POST refuses every other method (PUT, DELETE, OPTIONS,
    CONNECT, PROPFIND and so on) for the document tree; HEAD is treated as
    GET and stays allowed. TRACE cannot be blocked with Limit/LimitExcept,
    which is why TraceEnable off above is needed as well.

    The "-" before an option disables it.

    FollowSymLinks lets a symlink under the document root serve files from
    anywhere on the host, so a stray or attacker-created link walks outside
    the doc tree; Indexes reveals the contents of any directory in your doc
    tree that has no index page.

    Includes allows .shtml pages, which use server-side includes (the #exec
    element runs commands on the host). If you really need SSI, use
    IncludesNoExec instead.

    AllowOverride None prevents developers from overriding these settings
    with .htaccess files elsewhere in the doc tree.

    (On Apache 2.4 the Order/Allow/Deny lines are written as "Require all
    granted" and "Require all denied" instead.)

AddIcon (remove)
IndexOptions (remove)
AddDescription (remove)
ReadmeName (remove)
HeaderName (remove)
IndexIgnore (remove)
    Remove all references to these directives, since we disabled the
    fancy-indexing module (mod_autoindex).

Alias /manual (remove)
    Don't provide any accessible reference to the Apache manual; it gives
    attackers too much info about your server.
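The table is long enough that it is worth checking a real httpd.conf against it mechanically. The script below is an added example, not part of the original page or of Apache: it strips comments from a config file, greps for the settings listed above and prints one line per thing that is missing or wrong. The two sample configs it writes are constructed here (a stock-style "weak" file and one built from the table); file names and the wording of the findings are arbitrary.

```shell
#!/bin/sh
# Added example: audit an httpd.conf against the hardening table above.
# Uses only sed/grep/awk and two constructed sample configs, so it runs
# offline. Point audit_httpd_conf at a real httpd.conf for a live check.

# conf_lines FILE -> live config lines, leading whitespace and comments
# removed, so a commented-out "#ServerTokens Prod" does not count as set
conf_lines() {
    sed -e 's/^[[:space:]]*//' -e '/^#/d' "$1"
}

# has_directive FILE REGEX -> success if some live line matches REGEX
has_directive() {
    conf_lines "$1" | grep -E -i -q "$2"
}

# audit_httpd_conf FILE -> one finding per line; silent for a clean file
audit_httpd_conf() {
    f=$1
    if ! has_directive "$f" '^ServerSignature[[:space:]]+Off$'; then
        echo "ServerSignature is not Off: version info leaks into error pages"
    fi
    if ! has_directive "$f" '^ServerTokens[[:space:]]+Prod(uctOnly)?$'; then
        echo "ServerTokens is not Prod: version info leaks in the Server header"
    fi
    if ! has_directive "$f" '^TraceEnable[[:space:]]+off$'; then
        echo "TraceEnable off is missing: TRACE stays enabled"
    fi
    if has_directive "$f" '^Listen[[:space:]]+(.+:)?80$'; then
        echo "Listen 80 is present: plain HTTP is still served"
    fi
    if has_directive "$f" '^UserDir[[:space:]]' && ! has_directive "$f" '^UserDir[[:space:]]+disabled'; then
        echo "UserDir is enabled without a 'UserDir disabled' line"
    fi
    if has_directive "$f" '^Alias[[:space:]]+/manual([[:space:]]|$)'; then
        echo "Alias /manual is present: the Apache manual is exposed"
    fi
    # Options: any token that enables All, Indexes, Includes or FollowSymLinks
    # (a leading "-" disables, so those tokens are fine; IncludesNoExec is not flagged)
    conf_lines "$f" | awk '
        tolower($1) == "options" {
            for (i = 2; i <= NF; i++) {
                t = tolower($i); sub(/^\+/, "", t)
                if ($i !~ /^-/ && (t == "all" || t == "indexes" || t == "includes" || t == "followsymlinks"))
                    print "Options enables " $i ": see the table for why it should be off"
            }
        }'
    conf_lines "$f" | awk 'tolower($1) == "allowoverride" && tolower($2) != "none" {
        print "AllowOverride " $2 ": .htaccess files can override the hardening" }'
    conf_lines "$f" \
        | grep -E -i '^(AddIcon|IndexOptions|AddDescription|ReadmeName|HeaderName|IndexIgnore)[[:space:]]' \
        | sed 's/^/fancy-indexing directive left behind: /'
    return 0
}

# finding_count FILE -> number of findings (0 means the file passes)
finding_count() {
    audit_httpd_conf "$1" | wc -l | tr -d ' '
}

# write_weak_conf FILE -> constructed sample resembling a stock httpd.conf
write_weak_conf() {
    cat > "$1" <<'EOF'
# constructed sample: stock-style settings
ServerTokens Full
ServerSignature On
Listen 80
User nobody
Group nobody
UserDir public_html
<Directory "/opt/apache2/htdocs">
    Options Indexes FollowSymLinks Includes MultiViews
    AllowOverride All
</Directory>
IndexOptions FancyIndexing
AddIcon /icons/binary.gif .bin .exe
Alias /manual "/opt/apache2/manual"
EOF
}

# write_hardened_conf FILE -> constructed sample built from the table above
write_hardened_conf() {
    cat > "$1" <<'EOF'
# constructed sample: settings from the hardening table
ServerSignature Off
ServerTokens Prod
TraceEnable off
User webserv
Group webserv
UserDir disabled root
<Directory />
    Order Deny,Allow
    Deny from all
</Directory>
<Directory "/opt/apache2/htdocs">
    <LimitExcept GET POST>
        Deny from all
    </LimitExcept>
    Options -FollowSymLinks -Includes -Indexes -MultiViews
    AllowOverride None
    Order allow,deny
    Allow from all
</Directory>
EOF
}

tmp=$(mktemp -d)
write_weak_conf "$tmp/weak.conf"
write_hardened_conf "$tmp/hardened.conf"
for c in weak hardened; do
    echo "== $c.conf: $(finding_count "$tmp/$c.conf") finding(s)"
    audit_httpd_conf "$tmp/$c.conf"
done
rm -rf "$tmp"
```

The weak sample produces twelve findings (the three enabled Options tokens and the two leftover indexing directives are reported individually); the hardened one produces none. The checks are deliberately line-based, so they will not see directives pulled in through Include files; run the script against the output of `httpd -t -DDUMP_CONFIG` (Apache 2.4) if your configuration is split across several files.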

This article, Secure Installation of Apache Web Server in Linux Exposed, is old, but it still has a lot of value.

If you run Apache inside chroot, Using Chroot (in Linux Exposed) is a good read. To check the status of the files and directories in a chroot directory, do the following:

# find world-writable directories and files
root# find /chroot_dir -perm -2 -ls
# find setuid files
root# find /chroot_dir -type f -perm -04000 -ls
# find setgid files
root# find /chroot_dir -type f -perm -02000 -ls
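The same three checks, wrapped in a function and exercised against a throw-away tree that contains one deliberate finding of each kind, so you can see what a hit looks like before pointing the scan at a real chroot. This is an added example, not from the original page; the scratch tree and its file names are constructed here.

```shell
#!/bin/sh
# Added example: the chroot permission checks above as a reusable scan,
# run against a constructed tree with one world-writable directory, one
# setuid file and one setgid file.

# scan_chroot DIR -> one finding per line, prefixed with its kind.
# Symlinks are skipped in the world-writable check: their own mode is
# always 777 and says nothing about the target.
scan_chroot() {
    find "$1" ! -type l -perm -2   | sed 's/^/world-writable: /'
    find "$1" -type f -perm -04000 | sed 's/^/setuid: /'
    find "$1" -type f -perm -02000 | sed 's/^/setgid: /'
}

# count_findings DIR KIND -> number of findings of KIND
# (world-writable, setuid or setgid)
count_findings() {
    scan_chroot "$1" | grep -c "^$2: " || true
}

# make_sample_chroot -> builds a scratch tree (constructed test data) with
# one problem of each kind plus a clean file, and prints its path
make_sample_chroot() {
    root=$(mktemp -d)
    mkdir -p "$root/bin" "$root/tmp" "$root/htdocs"
    printf '#!/bin/sh\n' > "$root/bin/leftover-suid"
    chmod 4755 "$root/bin/leftover-suid"      # setuid bit left on a binary
    printf '#!/bin/sh\n' > "$root/bin/leftover-sgid"
    chmod 2755 "$root/bin/leftover-sgid"      # setgid bit left on a binary
    chmod 1777 "$root/tmp"                    # world-writable directory
    printf 'ok\n' > "$root/htdocs/index.html"
    chmod 644 "$root/htdocs/index.html"       # the only acceptable entry
    echo "$root"
}

root=$(make_sample_chroot)
scan_chroot "$root"
rm -rf "$root"
```

Inside a real chroot there is normally no reason for any setuid or setgid binary to exist at all, so the second and third checks should come back empty; a world-writable directory is only tolerable if the web server must write there and nothing in it is ever executed or included.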

Strong Encryption

The options below create an HTTPS server that accepts only the SSLv3 and TLSv1 protocols and only "high" strength cipher suites:

SSLProtocol -all +SSLv3 +TLSv1
SSLCipherSuite HIGH

Two caveats for anyone applying this today. SSLv3 has since been broken (the POODLE attack, 2014) and must not be enabled; on a current Apache use SSLProtocol -all +TLSv1.2 +TLSv1.3, or at the very least drop +SSLv3. And HIGH on its own still admits the anonymous Diffie-Hellman suites (aNULL), which encrypt but never authenticate the server, so an active attacker can sit in the middle; tighten the string to something like SSLCipherSuite HIGH:!aNULL:!3DES and add SSLHonorCipherOrder on so the server's preference, not the client's, decides which suite is used.
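Cipher strings are easy to get wrong because the keywords are not self-describing, and the only authority on what HIGH expands to is the OpenSSL build Apache is linked against. The script below is an added example (not from the original page): it hands candidate SSLCipherSuite strings to the local openssl ciphers command, which uses the same parser mod_ssl does, and counts how many of the resulting suites offer no server authentication, no or weak encryption, or an MD5 MAC. The two strings compared are the page's HIGH and a tightened variant; the "unacceptable" pattern list is my choice.

```shell
#!/bin/sh
# Added example: preview what an SSLCipherSuite string really enables by
# expanding it with the local OpenSSL. Requires the openssl binary; the
# counts depend on the OpenSSL version, which is exactly the point.

# cipher_list STRING -> suite names STRING expands to, one per line
# (empty if openssl is missing or this build rejects the string)
cipher_list() {
    openssl ciphers "$1" 2>/dev/null | tr ':' '\n'
}

# count_total STRING -> how many suites STRING enables
count_total() {
    cipher_list "$1" | grep -c . || true
}

# count_bad STRING -> how many enabled suites are unacceptable in a hardened
# configuration: anonymous (ADH, AECDH: no server authentication), NULL
# (no encryption), DES/3DES or RC4 (weak ciphers), or an MD5-based MAC
count_bad() {
    cipher_list "$1" | grep -E -c 'ADH|AECDH|NULL|DES|RC4|MD5' || true
}

# show STRING -> one report line for STRING
show() {
    printf '%-36s %3s suites, %3s unacceptable\n' \
        "$1" "$(count_total "$1")" "$(count_bad "$1")"
}

# The page's setting, then a tightened one. HIGH alone still admits the
# anonymous suites (and, on older OpenSSL, 3DES); the exclusions remove them.
WEAK='HIGH'
HARDENED='HIGH:!aNULL:!3DES:!RC4:!MD5'

show "$WEAK"
show "$HARDENED"
cipher_list "$WEAK" | grep -E 'ADH|AECDH' | sed 's/^/  anonymous suite admitted by HIGH: /'
```

Run it on the server itself (the OpenSSL the shell finds must be the one Apache links, which is worth confirming with ldd against httpd or mod_ssl.so); the anonymous suites listed at the end are the ones a client could be steered to by an attacker who can tamper with the handshake. The count for the hardened string should be zero on any OpenSSL version.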

Reference: