A web server processes client requests and returns responses by delivering web pages to users. Many web servers are available, in two flavours: open source and licensed products. Apache Web Server is an open source server widely deployed across websites and provides all the best-in-class features. It also ships with the standard features needed to secure a web application, and today we will go through security best practices for Apache Web Server that can be applied through the httpd.conf file.

Apache Web Server is a crucial part of web applications, and the default configuration must not be used in a production environment. Let's first go through some basics of Apache Web Server:

  • Default HTTP port: 80/TCP; default HTTPS port: 443/TCP
  • Document root directory: /var/www/html or /var/www
  • Main configuration file: /etc/httpd/conf/httpd.conf (RHEL/CentOS/Fedora) or /etc/apache2/apache2.conf (Debian/Ubuntu)
  • Verify the configuration file syntax with: httpd -t
  • Access log file location: /var/log/httpd/access_log
  • Error log file location: /var/log/httpd/error_log

1) Use mod_security and mod_evasive Modules to Secure Apache

Apache has many modules, but "mod_security" and "mod_evasive" are the two most popular ones for security.

mod_security: It works as a firewall for web applications and lets us monitor traffic in real time. It is a key module for protecting websites and the web server from brute-force attacks. It is easy to install with your distribution's default package manager. The most important uses of mod_security are:

  • Real-time application security monitoring and access control
  • Full HTTP traffic logging
  • Continuous passive security assessment
  • Web application hardening

mod_evasive: It provides evasive action in the event of an HTTP DoS attack or brute-force attack, and it is also designed to be a detection and network-management tool. It works efficiently, evaluating each request as it arrives. This module detects attacks in three ways:

  • Requesting the same page more than a few times per second.
  • Making more than 50 concurrent requests on the same child per second.
  • Making any new request while the client is temporarily blacklisted.

If any of the above conditions is met, a 403 response is sent and the IP address is logged. Optionally, an email notification can be sent to the server owner, or a system command can be run to block the IP address. The module can be installed directly from source.

2) Disable Directory Listing

By default, Apache lists the entire contents of a directory under the document root when no index file is present. We can turn directory listing off with the Options directive in the configuration file for a specific directory. Make an entry in httpd.conf or apache2.conf as below:

<Directory />
    Options -Indexes
    # Apache 2.2 access-control syntax; on Apache 2.4 replace the next
    # two lines with "Require all granted"
    Order allow,deny
    Allow from all
</Directory>

3) Disable Trace HTTP Request

TRACE is an HTTP request method used for debugging: it echoes the received request back to the client so that the client can see what changes or additions were made along the way. This creates a security vulnerability because an attacker can exploit it to steal sensitive information carried in headers, such as cookies and website credentials. Simply add the directive TraceEnable Off to httpd.conf to address this issue.

4) Use only TLS, Disable SSLv2 and SSLv3

SSL 2.0 and 3.0 reportedly suffer from several cryptographic flaws, so disable them and allow only TLS:

SSLProtocol -ALL +TLSv1

5) Securing the Server with SSL Certificates

We can encrypt all communication with the server by using SSL certificates. Any website that has user logins or financial transactions where people provide their bank details should have an SSL certificate installed, so that data is exchanged as encrypted text rather than in plain text.

6) Limit Request Size

By default, Apache places no limit on the total size of an HTTP request body, and allowing arbitrarily large requests makes the server an easy victim of denial-of-service attacks. We can limit the request size with the Apache directive "LimitRequestBody", placed inside a Directory section.

The value is given in bytes, from 0 (unlimited) to 2147483647 (2 GB), and caps the size allowed for a request body. Set the limit according to your site's needs; for example, you may have a site that allows uploads and want to cap the upload size for one particular directory.
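As an added example (not from the original article), the six tips above collected into one hardened httpd.conf fragment. File paths, the host name, the e-mail address and the mod_evasive thresholds are assumptions to adapt, and the SSLProtocol line goes further than the article's "+TLSv1" by refusing TLS 1.0 and 1.1 as well (TLSv1.3 assumes httpd 2.4.36 or later built against OpenSSL 1.1.1 or later).

```apache
# Added example, not from the article: one hardened httpd.conf fragment
# that applies tips 1 to 6 together.  Paths, host name, e-mail address and
# the mod_evasive thresholds are assumptions to adapt; comments must stay
# on their own lines because Apache rejects trailing comments.

# 1) mod_evasive: block a client that repeats one page >5 times/second,
#    sends >50 requests/second site-wide, or keeps trying while blocked.
<IfModule mod_evasive20.c>
    DOSHashTableSize  3097
    DOSPageCount      5
    DOSPageInterval   1
    DOSSiteCount      50
    DOSSiteInterval   1
    DOSBlockingPeriod 60
    DOSLogDir         /var/log/httpd/mod_evasive
    DOSEmailNotify    webmaster@example.com
</IfModule>

# 2) No directory listing under the document root (Apache 2.4 access
#    syntax; Apache 2.2 used "Order allow,deny" / "Allow from all").
<Directory "/var/www/html">
    Options -Indexes +FollowSymLinks
    AllowOverride None
    Require all granted
</Directory>

# 3) Refuse TRACE requests.
TraceEnable Off

# 4) and 5) TLS only.  "-all +TLSv1.2 +TLSv1.3" goes further than the
#    article's "+TLSv1": SSLv2, SSLv3 and TLS 1.0/1.1 are all refused
#    (TLSv1.3 needs httpd 2.4.36+ built against OpenSSL 1.1.1+).
<VirtualHost *:443>
    ServerName            www.example.com
    SSLEngine             on
    SSLCertificateFile    /etc/pki/tls/certs/www.example.com.crt
    SSLCertificateKeyFile /etc/pki/tls/private/www.example.com.key
    SSLProtocol           -all +TLSv1.2 +TLSv1.3
    SSLHonorCipherOrder   on
    SSLCipherSuite        HIGH:!aNULL:!MD5:!RC4

    # 6) Cap request bodies at 1 MiB everywhere, allow 10 MiB only in
    #    the upload directory (0 would mean unlimited).
    LimitRequestBody 1048576
    <Directory "/var/www/html/uploads">
        LimitRequestBody 10485760
    </Directory>
</VirtualHost>
```

Check the result with httpd -t (apachectl configtest on Debian/Ubuntu) before reloading the server.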