In previous guides we wrote about how to get started with a blank server, how to configure Apache for HSTS and how to configure IPTables. This guide applies to cloud, dedicated and virtual dedicated servers. Here is a detailed guide on how to harden the security of an Apache2 server on Ubuntu 16.04 LTS.
Harden Apache2 Server’s Security (Ubuntu 16.04 LTS)
The default settings file of Apache is located at:

    /etc/apache2/apache2.conf

And the Apache2 security configuration file is located at:

    /etc/apache2/conf-available/security.conf
We can test the configuration by running:

    apachectl -t

Restart the Apache2 web server with:

    systemctl restart apache2

Open:

    nano /etc/apache2/conf-available/security.conf

Find these directives and change them as written below; if an entry is not present, add it:

    ServerTokens Prod
    ServerSignature Off
    TraceEnable Off
    Header unset ETag
    Header always unset X-Powered-By
    FileETag None

It will take some time to find the settings and modify them. Save the file, run apachectl -t and then run:

    systemctl restart apache2
Why did we make the above changes? To hide the Apache version and operating system identity, which are exposed on error pages like 404. When a 404 occurs, the page displays the version of the Apache web server installed on your server along with the name of the operating system. Sometimes information about Apache modules also becomes obvious. After the above changes that information is no longer shown.
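As an added example (not part of the original guide, Apache or Ubuntu), a small script that audits a security.conf for the six directives above and names each one that is missing or set differently; the config it audits here is a constructed sample, and the function can be pointed at the real file.

```shell
#!/bin/sh
# Check an Apache security.conf for the directive values this guide sets.
# Added example for this guide; not part of Apache or Ubuntu.
# Prints one line per problem and nothing when everything is in place.
# Note: the two "Header" lines need mod_headers (a2enmod headers); without it
# "apachectl -t" fails with "Invalid command 'Header'".

# The lines the guide puts into security.conf.
EXPECTED='ServerTokens Prod
ServerSignature Off
TraceEnable Off
Header unset ETag
Header always unset X-Powered-By
FileETag None'

# Turn "Header unset ETag" into a regex that tolerates any run of whitespace.
to_regex() { printf '%s' "$1" | sed 's/ /[[:space:]]+/g'; }

# audit_security_conf FILE
# OK      : an uncommented line matches the expected one (case-insensitive, like Apache)
# WRONG   : the directive is present with other arguments (its line is shown)
# MISSING : the directive is absent or only present commented out
audit_security_conf() {
    conf="$1"
    printf '%s\n' "$EXPECTED" | while IFS= read -r want; do
        if grep -qiE "^[[:space:]]*$(to_regex "$want")[[:space:]]*\$" "$conf"; then
            continue
        fi
        # Everything but the last word identifies the directive ("Header unset", "FileETag").
        name=${want% *}
        found=$(grep -iE "^[[:space:]]*$(to_regex "$name")[[:space:]]" "$conf" | tail -n 1 | sed 's/^[[:space:]]*//')
        if [ -n "$found" ]; then
            echo "WRONG: $want (found: $found)"
        else
            echo "MISSING: $want"
        fi
    done
    return 0
}

# Constructed sample (not a real server's file): Ubuntu defaults with two changes applied.
SAMPLE_CONF=$(mktemp)
cat > "$SAMPLE_CONF" <<'EOF'
ServerTokens OS
ServerSignature Off
TraceEnable Off
#Header unset ETag
Header always unset X-Powered-By
EOF

audit_security_conf "$SAMPLE_CONF"
```

Run it against the real file with `audit_security_conf /etc/apache2/conf-available/security.conf` after sourcing the script.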
The second part is installing and activating two modules: mod_security and mod_evasive. Of course you need to know how to check which Apache modules are enabled. This is possible by running this command while Apache is running:

    apachectl -M

Or, when Apache is not running:

    a2query -m

There are other ways, like creating a PHP info file or a PHP file with the content:

    <?php
    print_r(apache_get_modules());
    ?>

and loading it in a browser. There is a separate Apache module named mod_info, which is not enabled by default for security reasons. We do not need to enable that module. Run a search on apt:
    apt-cache search mod-security2

You'll get this information:

    libapache2-mod-security2 - Tighten web applications security for Apache

You can install it with:

    apt install libapache2-mod-security2

This is the homepage of that module:

    http://www.modsecurity.org

Read the documentation later. There is a supplied sample file:

    cat /etc/modsecurity/modsecurity.conf-recommended

Simply rename the file:

    mv /etc/modsecurity/modsecurity.conf-recommended /etc/modsecurity/modsecurity.conf

Create the blank log file:

    touch /var/log/apache2/modsec_audit.log

After some time, run cat on it:

    cat /var/log/apache2/modsec_audit.log
Web software like WordPress needs the right plugin or settings for this module. You'll also get logs of the intrusions stopped by the WordPress plugin IP Geo Block. You should check the manual; the common config for a virtual host looks like this:

    <IfModule mod_security2.c>
        SecRuleEngine On
        SecRequestBodyAccess On
        SecResponseBodyAccess On
        SecResponseBodyMimeType text/plain text/html text/xml application/octet-stream
        SecDataDir /tmp
    </IfModule>
The module mod_evasive is for preventing DDoS. We can install it with:

    apt install libapache2-mod-evasive

If you installed Apache in our way, mod_evasive will be active by default. If it is not, enable it by running:

    a2enmod evasive

The configuration file is here:

    /etc/apache2/mods-enabled/evasive.conf

Settings like these will work fine:

    <IfModule mod_evasive20.c>
        DOSHashTableSize 3097
        DOSPageCount 2
        DOSSiteCount 50
        DOSPageInterval 1
        DOSSiteInterval 1
        DOSBlockingPeriod 10
        #DOSEmailNotify you@yourdomain.com
        DOSSystemCommand "su - someuser -c '/sbin/... %s ...'"
        DOSLogDir "/var/log/mod_evasive"
    </IfModule>

Create the log directory and give permission:

    mkdir /var/log/mod_evasive
    chown www-data /var/log/mod_evasive
Open:

    nano /etc/apache2/apache2.conf

Near the end of the file add these lines to whitelist your own server:

    DOSWhitelist 127.0.0.1
    DOSWhitelist 127.0.0.*

Restart Apache:

    systemctl restart apache2

This blog is the official website of the above module:

    https://www.zdziarski.com/blog/
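As an added example (not part of the original guide or of mod_evasive), a script that summarises the addresses mod_evasive has blocked, reading the syslog lines the module writes, and flags any block of an address covered by the two DOSWhitelist lines above, which would show that the whitelist is not being applied. It assumes the syslog message format shown in the comments, and the log excerpt it reads is constructed.

```shell
#!/bin/sh
# Summarise mod_evasive blocks from syslog and flag any that hit an address the
# guide whitelists (a sign the DOSWhitelist lines are not being applied).
# Added example for this guide; not part of mod_evasive or Ubuntu.
# Assumed log format (mod_evasive reports each block through syslog):
#   ... mod_evasive[<pid>]: Blacklisting address <ip>: possible DoS attack.

# The DOSWhitelist entries as the guide adds them to apache2.conf.
WHITELIST='127.0.0.1
127.0.0.*'

# ip_whitelisted IP -> returns 0 when IP matches an entry ('*' matches any trailing part)
ip_whitelisted() {
    printf '%s\n' "$WHITELIST" | {
        while IFS= read -r entry; do
            case "$1" in
                $entry) exit 0 ;;   # exit only leaves the pipeline subshell
            esac
        done
        exit 1
    }
}

# summarise_evasive LOGFILE -> one "<blocks> <ip> [WHITELISTED]" line per address,
# most blocked first
summarise_evasive() {
    sed -n 's/.*mod_evasive\[[0-9]*\]: Blacklisting address \([0-9.]*\):.*/\1/p' "$1" \
        | sort | uniq -c | sort -rn | while read -r count ip; do
            if ip_whitelisted "$ip"; then
                echo "$count $ip WHITELISTED"
            else
                echo "$count $ip"
            fi
        done
    return 0
}

# Constructed sample syslog excerpt (not from a real server).
EVASIVE_LOG=$(mktemp)
cat > "$EVASIVE_LOG" <<'EOF'
Jun  1 10:00:01 web1 mod_evasive[1234]: Blacklisting address 203.0.113.7: possible DoS attack.
Jun  1 10:00:03 web1 sshd[1300]: Accepted publickey for admin from 198.51.100.2 port 51234 ssh2
Jun  1 10:00:11 web1 mod_evasive[1234]: Blacklisting address 203.0.113.7: possible DoS attack.
Jun  1 10:02:40 web1 mod_evasive[1234]: Blacklisting address 127.0.0.1: possible DoS attack.
EOF

summarise_evasive "$EVASIVE_LOG"
```

On a real server, point it at /var/log/syslog instead of the sample file.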
Now, if PHP is running, open the PHP configuration file:

    nano /etc/php/7.0/apache2/php.ini

Make sure these directives are present and set like this:

    disable_functions = exec,system,shell_exec,passthru
    register_globals = Off
    expose_php = Off
    display_errors = Off
    track_errors = Off
    html_errors = Off
    magic_quotes_gpc = Off
    mail.add_x_header = Off
    session.name = NEWSESSID

Restart Apache:

    systemctl restart apache2
We can turn directory browsing off in virtual hosts with Options -Indexes, in settings like:

    <Directory /var/www/html>
        Options -Indexes -FollowSymLinks -ExecCGI -Includes
    </Directory>

And from the Apache main config file:

    AllowOverride None
    Require all granted

However, it is not recommended to override Apache's default behaviour from Apache's main config file; instead, adding an empty index.html or index.php to the directories is another way.