
Harden Apache service security

Last Updated: May 09, 2018

1. Account settings

Run Apache with a dedicated user account and group.

  1. Create a user and a group for Apache as necessary.

  2. Perform the following configuration operations. If no user or group has been set up, create them and specify them in the Apache configuration file.

    1. Create an Apache group.

      groupadd apache

    2. Create an Apache user and add the user to the Apache group.

      useradd apache -g apache

    3. Add the following two lines to the Apache configuration file httpd.conf.

      User apache
      Group apache
  3. Check the httpd.conf configuration file. Check whether Apache runs with a non-dedicated account (such as the root account).

Note: The default settings usually meet the requirements. In Linux, the default account is apache or nobody. In Unix, the default account is daemon.
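The three steps above (create the group, create the user, set User and Group in httpd.conf) as one idempotent script. This is an added example, not part of the original page: it assumes the httpd.conf path /etc/httpd/conf/httpd.conf used elsewhere on the page, and it adds the -r (system account) and -s /sbin/nologin options to the page's useradd command so the service account cannot be used for interactive logins. The edit is done on a copy of the directive name, so it can be tested on any file without root.

```bash
#!/bin/bash
# Added example: create a dedicated, non-login Apache account and make
# httpd.conf run the service under it. Assumed defaults: account and group
# "apache", nologin shell /sbin/nologin, config /etc/httpd/conf/httpd.conf.

set -u

# Replace an existing directive line (all occurrences) or append it when absent.
# Usage: set_directive <conf> <Directive> <value>
set_directive() {
    local conf="$1" name="$2" value="$3"
    if grep -Eq "^[[:space:]]*${name}[[:space:]]" "$conf"; then
        sed -i -E "s|^[[:space:]]*${name}[[:space:]].*|${name} ${value}|" "$conf"
    else
        printf '%s %s\n' "$name" "$value" >> "$conf"
    fi
}

# Print the value of a directive (first match); prints nothing if it is unset.
get_directive() {
    local conf="$1" name="$2"
    awk -v n="$name" '$1 == n { print $2; exit }' "$conf"
}

# Succeeds when the configured User is a dedicated account (set and not root).
# An unset User means Apache falls back to its compiled-in default, which this
# check treats as a failure so that the account is always set explicitly.
runs_as_dedicated_user() {
    local user
    user=$(get_directive "$1" User)
    [ -n "$user" ] && [ "$user" != "root" ]
}

# Create the system group and account only if they do not exist yet (needs root).
ensure_account() {
    local name="$1"
    getent group "$name" >/dev/null || groupadd -r "$name"
    getent passwd "$name" >/dev/null || useradd -r -g "$name" -s /sbin/nologin "$name"
}

# Stand-alone use (as root): ./harden-account.sh --apply [path/to/httpd.conf]
if [ "${1:-}" = "--apply" ]; then
    CONF="${2:-/etc/httpd/conf/httpd.conf}"
    ensure_account apache
    set_directive "$CONF" User apache
    set_directive "$CONF" Group apache
    if runs_as_dedicated_user "$CONF"; then
        echo "OK: Apache will run as $(get_directive "$CONF" User)"
    fi
fi
```

After applying, restart Apache and confirm with `ps -o user,comm -C httpd` that the worker processes show the dedicated account; only the parent process that binds port 80 should still run as root.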

2. Authorization settings

Implement strict control over access permissions to the Apache home directory. Non-super users are not allowed to modify content in the directory.

  1. In the Apache Server configuration file httpd.conf, Apache's home directory corresponds to the ServerRoot option:

    ServerRoot /usr/local/apache
    • Determination conditions: Non-super users are not allowed to modify the content in the directory.
    • Detection operations: Try to modify the content to see whether modification is successful.

      The directory is usually the /etc/httpd directory. By default, the directory owner is the root user, and other users cannot modify the file. The default settings usually meet the requirements.

  2. Implement strict permission settings for the configuration files and log files to prevent unauthorized access.

    • Use the chmod 600 /etc/httpd/conf/httpd.conf command to set the configuration file to be readable and writable only by its owner, and disallow other users reading/writing to the file.
    • Use the chmod 644 /var/log/httpd/*.log command to set the log file to be readable and writable only by its owner, and only allow other users to read the file.

      Note:

      • The default permission for the /etc/httpd/conf/httpd.conf file is 644, which can be modified to 600 as needed.
      • The default permission for the /var/log/httpd/*.log file is 644, and the default settings usually meet the requirements.
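A check for the permission settings in this section, as an added example that is not part of the original page. It assumes GNU stat (Linux) and the /etc/httpd layout used on the page; the expected owner is a parameter so the audit can also be run on test copies of the files.

```bash
#!/bin/bash
# Added example: verify that httpd.conf is mode 600 and owned by the expected
# user, and that no log file is writable by group or others. Reports only;
# changes nothing. Assumes GNU stat.

set -u

# Succeeds when <path> has exactly the octal mode <expected>, e.g. 600.
has_mode() {
    [ "$(stat -c '%a' "$1")" = "$2" ]
}

# Succeeds when <path> is owned by <user>.
owned_by() {
    [ "$(stat -c '%U' "$1")" = "$2" ]
}

# Succeeds when neither the group nor the "other" write bit is set. This is the
# property that matters for config files and logs, whatever the exact mode.
not_world_writable() {
    local perm
    perm=$(stat -c '%A' "$1")          # e.g. -rw-r--r--
    case "$perm" in
        ?????w*|????????w*) return 1 ;; # 6th char = group write, 9th = other write
        *) return 0 ;;
    esac
}

# Audit the config file and every *.log in the log directory.
# Usage: audit_apache_files [conf] [logdir] [owner]; returns the number of findings.
audit_apache_files() {
    local conf="${1:-/etc/httpd/conf/httpd.conf}" logdir="${2:-/var/log/httpd}"
    local owner="${3:-root}" problems=0 f
    if [ -f "$conf" ]; then
        has_mode "$conf" 600 || { echo "FIX: chmod 600 $conf (is $(stat -c '%a' "$conf"))"; problems=$((problems+1)); }
        owned_by "$conf" "$owner" || { echo "FIX: chown $owner $conf"; problems=$((problems+1)); }
    else
        echo "SKIP: $conf not found"
    fi
    for f in "$logdir"/*.log; do
        [ -e "$f" ] || continue
        not_world_writable "$f" || { echo "FIX: chmod 644 $f (is $(stat -c '%a' "$f"))"; problems=$((problems+1)); }
    done
    return $problems
}

# Stand-alone use: ./audit-files.sh [conf] [logdir] [owner]
if [ -n "${1:-}" ]; then
    audit_apache_files "$@"
fi
```

The log check deliberately accepts any mode without group/other write bits rather than insisting on 644, because log rotation tools often create new files as 640 and that is stricter, not weaker.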

3. Log settings

We recommend that you configure Apache logging to record running errors and user access information, including the time of each request and the IP address of the user.

  1. Modify the httpd.conf configuration file to set the log files, the content to record, and the record format.

    • For error logs:

      # Log level
      LogLevel notice
      # The location where the error log file is stored
      ErrorLog /…/logs/error_log
    • For access logs:

      LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Accept}i\" \"%{Referer}i\" \"%{User-Agent}i\"" combined
      # Access logs
      CustomLog /…/logs/access_log combined

Note:

  • The ErrorLog command sets the error log file name and location. The error log is the most important log file. The Apache httpd program stores the diagnostic information and errors that occur during request processing in this file. To send the error log to Syslog, use the following setting instead: ErrorLog syslog.
  • The CustomLog command specifies the specific location where the log file is stored and the log format. All requests processed by the server are logged in the access log.
  • The LogFormat command sets the log format. The recommended format is “combined”.
  • The LogLevel command adjusts the level of detail for the information recorded in the error log. The recommended level is “notice”. The default log level is “warn”. The “notice” level is more detailed, so in practice the log may take up a lot of hard disk space, which is why this level is not set by default.
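The point of the access log format above is that every request is recorded with its time, client IP, request line and status code. The following script, an added example that is not part of the original page, reads such a log and extracts those fields. The log lines it contains are constructed sample data. It splits each line on the double-quote characters rather than on spaces, so it handles both the stock "combined" format and the page's variant with the extra Accept header field.

```bash
#!/bin/bash
# Added example: pull time, client IP, request and status out of a
# combined-format access log, and count failed requests per client.
# All functions read the log on standard input.

set -u

# Constructed sample log (stock combined format; not real traffic).
sample_access_log() {
cat <<'EOF'
203.0.113.10 - - [09/May/2018:10:00:01 +0000] "GET / HTTP/1.1" 200 612 "-" "Mozilla/5.0"
203.0.113.10 - - [09/May/2018:10:00:02 +0000] "GET /admin HTTP/1.1" 403 199 "-" "Mozilla/5.0"
198.51.100.7 - - [09/May/2018:10:00:05 +0000] "GET /missing HTTP/1.1" 404 209 "-" "curl/7.58.0"
198.51.100.7 - - [09/May/2018:10:00:06 +0000] "TRACE / HTTP/1.1" 405 221 "-" "curl/7.58.0"
198.51.100.7 - - [09/May/2018:10:00:07 +0000] "GET /icons/ HTTP/1.1" 404 209 "-" "curl/7.58.0"
192.0.2.44 - - [09/May/2018:10:01:00 +0000] "POST /login HTTP/1.1" 302 0 "http://example.com/" "Mozilla/5.0"
EOF
}

# Splitting on '"' gives: $1 = "ip ident user [time] ", $2 = request line,
# $3 = " status bytes ", and the remaining quoted fields (Accept/Referer/UA).

# Print the number of requests answered with HTTP status <code>.
count_by_status() {
    awk -F'"' -v code="$1" '{ split($3, s, " "); if (s[1] == code) n++ } END { print n+0 }'
}

# Print "count ip" for the clients with the most 4xx/5xx responses, highest first.
# Usage: error_clients [how_many]   (default 5)
error_clients() {
    awk -F'"' '{ split($1, h, " "); split($3, s, " "); if (s[1]+0 >= 400) c[h[1]]++ }
               END { for (ip in c) print c[ip], ip }' | sort -rn | head -n "${1:-5}"
}

# Print time, client IP, method, path and status as tab-separated columns.
summarize() {
    awk -F'"' '{ split($1, h, " "); split($2, r, " "); split($3, s, " ")
                 sub(/^\[/, "", h[4])
                 printf "%s\t%s\t%s\t%s\t%s\n", h[4], h[1], r[1], r[2], s[1] }'
}

# Stand-alone use: ./access-report.sh < /var/log/httpd/access_log
if [ ! -t 0 ]; then
    echo "404 responses: $(count_by_status 404)" 2>/dev/null
fi
```

Running `error_clients` over a real log is a quick way to spot a single client probing for missing paths or unsupported methods (the constructed 198.51.100.7 entries show the pattern); `summarize` produces columns that are easy to load into a spreadsheet or SIEM.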

4. Disable access to external files

Prevent Apache from accessing any files outside of the Web directory. See the following configuration operations.

  1. Modify the httpd.conf configuration file so that access is denied by default:

    <Directory />
        Order Deny,Allow
        Deny from all
    </Directory>
  2. Set the accessible directory:

    <Directory /web>
        Order Allow,Deny
        Allow from all
    </Directory>

    /web is the root directory of the website.

  3. The default configuration is as follows:

    Options FollowSymLinks
    AllowOverride None

    Generally, it can be set according to your business needs.

Note: Order, Allow and Deny are the Apache 2.2 access-control directives. On Apache 2.4 they are only available through mod_access_compat; the equivalent 2.4 settings are Require all denied for the root directory and Require all granted for the website directory.

5. Disable listing directories

Directory listing exposes the names of all files in a directory that has no index page, and those files can then be viewed or downloaded.

  1. To disable the Apache list displaying files, modify the httpd.conf configuration file as follows:

    #Options Indexes FollowSymLinks    (delete "Indexes")
    Options FollowSymLinks
    AllowOverride None
    Order allow,deny
    Allow from all

    Remove the “Indexes” from “Options Indexes FollowSymLinks” to disable Apache displaying the directory structure. The “Indexes” is used to display the directory structure when the directory contains no index.html file.

  2. Restart the Apache service.

  3. You can also remove the “Indexes” setting of “Options” in the /etc/httpd/httpd.conf file.

Generally, it can be set according to your business needs.

6. Error page redirection

Apache’s error page redirection feature can prevent sensitive information from being displayed.

  1. Modify the httpd.conf configuration file as follows:

    ErrorDocument 400 /custom400.html
    ErrorDocument 401 /custom401.html
    ErrorDocument 403 /custom403.html
    ErrorDocument 404 /custom404.html
    ErrorDocument 405 /custom405.html
    ErrorDocument 500 /custom500.html

    Note: Each customxxx.html file is the error page to be served for that status code.

  2. Restart the Apache service.

This feature requires that the application has error pages in place. Alternatively, you can implement the same behavior in the application logic without setting it in the httpd.conf file. Use this feature according to your business needs.

7. Defense against denial of service attacks

You can set reasonable connection timeout values according to business needs to mitigate denial of service attacks that hold server connections open.

  1. Modify the httpd.conf configuration file as follows:

    # Seconds the server waits for the client to send data or acknowledge a response
    Timeout 10
    KeepAlive On
    # Limit the time an idle keep-alive connection is held open to 15 seconds. The value here is a recommendation; set it based on your needs.
    KeepAliveTimeout 15
  2. Restart the Apache service.

By default, Timeout 120, KeepAlive Off, and KeepAliveTimeout 15 are performance tuning settings and are generally not changed.

8. Hide Apache version number

Hide the Apache version number and other sensitive information.

Modify the httpd.conf configuration file as follows:

  ServerSignature Off
  ServerTokens Prod

9. Disable the TRACE feature

Disable the TRACE feature to prevent the TRACE method from being exploited by malicious users.

Add the following setting in the /etc/httpd/conf/httpd.conf configuration file.

  TraceEnable Off

Note: This setting applies to Apache 2.0 and later.

10. Disable CGI feature

If CGI programs are not required to run on the server, we recommend that you disable CGI.

Modify the /etc/httpd/conf/httpd.conf configuration file and comment out the cgi-bin directory configurations and modules.

  #LoadModule cgi_module modules/mod_cgi.so
  #ScriptAlias /cgi-bin/ "/var/www/cgi-bin/"
  #<Directory "/var/www/cgi-bin">
  #    AllowOverride None
  #    Options None
  #    Order allow,deny
  #    Allow from all
  #</Directory>

Apply this configuration as needed. If no CGI programs are used, you can disable the feature.

11. Bind listening addresses

When a server has multiple IP addresses, you can configure Apache to listen only on the IP address that provides the service.

  1. Run the following command to check whether an IP address is bound:

    cat /etc/httpd/conf/httpd.conf | grep Listen
  2. Modify the /etc/httpd/conf/httpd.conf configuration file as follows:

    Listen x.x.x.x:80

By default, the Listen directive listens on all IP addresses. If the server has only one IP address, you can skip this setting. If there are multiple IP addresses, configure the preceding setting.

12. Delete useless files installed by default

Delete the useless files installed by default.

  • Delete the default HTML files:

    # rm -rf /usr/local/apache2/htdocs/*
  • Delete the default CGI scripts:

    # rm -rf /usr/local/apache2/cgi-bin/*
  • Delete the Apache manual:

    # rm -rf /usr/local/apache2/manual
  • Delete the source code files:

    # rm -rf /path/to/httpd-2.2.4*
  • Delete CGI files.

CGI files can be removed if they are not needed. Usually, the /var/www/html and /var/www/cgi-bin folders are empty by default.

Note: Some directories or files may not exist or are located at different places depending on different installation practices and versions.

13. Disable risky HTTP methods

Disable risky HTTP methods, such as the PUT and DELETE methods.

Modify the httpd.conf configuration file so that only the methods named in LimitExcept are allowed (GET and POST, plus CONNECT and OPTIONS in this example); every other method is denied.

  ```bash
  <Location />
  <LimitExcept GET POST CONNECT OPTIONS>
  Order Allow,Deny
  Deny from all
  </LimitExcept>
  </Location>
  ```

You can modify this configuration as needed. If the PUT, DELETE or other HTTP methods are required, you can modify the settings accordingly in the /etc/httpd/conf/httpd.conf file.
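A read-only audit of httpd.conf for the settings from sections 5, 8, 9, 10, 11 and 13 above, as an added example that is not part of the original page. It checks the directives as plain text, so it assumes that a directive found inside an <IfModule> or <VirtualHost> block counts the same as one at top level, and it reports findings without changing the file. The two sample configurations in the usage below are constructed.

```bash
#!/bin/bash
# Added example: audit httpd.conf for directory listing, version disclosure,
# TRACE, mod_cgi, Listen binding and HTTP method limits. Reports only.

set -u

# Print the non-comment configuration lines with leading whitespace removed.
active_lines() {
    sed -e 's/^[[:space:]]*//' -e '/^#/d' -e '/^$/d' "$1"
}

# Succeeds if directive <name> is set to <value> (both case-insensitive) anywhere.
# Usage: directive_is <conf> <name> <value>
directive_is() {
    active_lines "$1" | awk -v n="$2" -v v="$3" \
        'tolower($1) == tolower(n) && tolower($2) == tolower(v) { found = 1 } END { exit !found }'
}

# Succeeds if any Options line turns directory listings on (Indexes or +Indexes).
indexes_enabled() {
    active_lines "$1" | awk 'tolower($1) == "options" {
        for (i = 2; i <= NF; i++) if ($i == "Indexes" || $i == "+Indexes") on = 1 }
        END { exit !on }'
}

# Succeeds if an uncommented LoadModule line still loads mod_cgi.
cgi_loaded() {
    active_lines "$1" | awk '$1 == "LoadModule" && $2 == "cgi_module" { on = 1 } END { exit !on }'
}

# Succeeds if any Listen directive binds every interface (bare port, 0.0.0.0 or [::]).
listen_wildcard() {
    active_lines "$1" | awk '$1 == "Listen" {
        if ($2 !~ /:/ || $2 ~ /^0\.0\.0\.0:/ || $2 ~ /^\[::\]:/) open = 1 }
        END { exit !open }'
}

# Succeeds if request methods are restricted with a <Limit> or <LimitExcept> block.
methods_limited() {
    active_lines "$1" | grep -Eiq '^<Limit(Except)?[[:space:]>]'
}

# Run every check, print PASS/FAIL per item, return the number of failures.
audit_httpd_conf() {
    local conf="$1" fails=0
    # _check <description> <want> <function> [args]: <want> is "yes" when the
    # function should succeed on a hardened config and "no" when it should fail.
    _check() {
        local desc="$1" want="$2" fn="$3" got; shift 3
        if "$fn" "$conf" "$@"; then got=yes; else got=no; fi
        if [ "$got" = "$want" ]; then echo "PASS: $desc"; else echo "FAIL: $desc"; fails=$((fails+1)); fi
    }
    _check "ServerTokens Prod (section 8)"            yes directive_is ServerTokens Prod
    _check "ServerSignature Off (section 8)"          yes directive_is ServerSignature Off
    _check "TraceEnable Off (section 9)"              yes directive_is TraceEnable Off
    _check "directory listing disabled (section 5)"   no  indexes_enabled
    _check "mod_cgi not loaded (section 10)"          no  cgi_loaded
    _check "Listen bound to one address (section 11)" no  listen_wildcard
    _check "HTTP methods limited (section 13)"        yes methods_limited
    return $fails
}

# Stand-alone use: ./audit-httpd-conf.sh /etc/httpd/conf/httpd.conf
if [ -n "${1:-}" ]; then
    audit_httpd_conf "$1"
fi
```

Because the checks read the file rather than the running server, run them after `apachectl configtest` and a restart; the exit code (number of failures) makes the script usable from a configuration-management or CI job.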
