20 ways to Secure your Apache Configuration

web

Here are 20 things you can do to make your apache configuration more secure.

Disclaimer: The thing about security is that there are no guarantees or absolutes. These suggestions should make your server a bit tighter, but don't think your server is necessarily secure after following these suggestions.

Additionally some of these suggestions may decrease performance, or cause problems due to your environment. It is up to you to determine if any of the changes I suggest are not compatible with your requirements. In other words proceed at your own risk.

First, make sure you've installed latest security patches

There is no sense in putting locks on the windows, if your door is wide open. As such, if you're not patched up there isn't really much point in continuing any longer on this list. Go ahead and bookmark this page so you can come back later, and patch your server.

Hide the Apache Version number, and other sensitive information.

By default many Apache installations tell the world what version of Apache you're running, what operating system/version you're running, and even what Apache Modules are installed on the server. Attackers can use this information to their advantage when performing an attack. It also sends the message that you have left most defaults alone.

There are two directives that you need to add, or edit in your httpd.conf file:

ServerSignature Off
ServerTokens Prod

The ServerSignature appears on the bottom of pages generated by apache such as 404 pages, directory listings, etc.

The ServerTokens directive is used to determine what Apache will put in the Server HTTP response header. By setting it to Prod it sets the HTTP response header as follows:

Server: Apache

If you're super paranoid you could change this to something other than "Apache" by editing the source code, or by using mod_security (see below).

Make sure apache is running under its own user account and group

Several apache installations have it run as the user nobody. So suppose both Apache, and your mail server were running as nobody an attack through Apache may allow the mail server to also be compromised, and vise versa.

User apache
Group apache

Ensure that files outside the web root are not served

We don't want apache to be able to access any files out side of its web root. So assuming all your web sites are placed under one directory (we will call this /web), you would set it up as follows:

<Directory />
  Order Deny,Allow
  Deny from all
  Options None
  AllowOverride None
</Directory>
<Directory /web>
  Order Allow,Deny
  Allow from all
</Directory>
Note that because we set Options None and AllowOverride None this will turn off all options and overrides for the server. You now have to add them explicitly for each directory that requires an Option or Override.

Turn off directory browsing

You can do this with an Options directive inside a Directory tag. Set Options to either None or -Indexes

Options -Indexes

Turn off server side includes

This is also done with the Options directive inside a Directory tag. Set Options to either None or -Includes

Options -Includes

Turn off CGI execution

If you're not using CGI turn it off with the Options directive inside a Directory tag. Set Options to either None or -ExecCGI

Options -ExecCGI

Don't allow apache to follow symbolic links

This can again can be done using the Options directive inside a Directory tag. Set Options to either None or -FollowSymLinks

Options -FollowSymLinks

Turning off multiple Options

If you want to turn off all Options simply use:

Options None

If you only want to turn off some separate each option with a space in your Options directive:

Options -ExecCGI -FollowSymLinks -Indexes

Turn off support for .htaccess files

This is done in a Directory tag but with the AllowOverride directive. Set it to None.

AllowOverride None

If you require Overrides ensure that they cannot be downloaded, and/or change the name to something other than .htaccess. For example we could change it to .httpdoverride, and block all files that start with .ht from being downloaded as follows:

AccessFileName .httpdoverride
<Files ~ "^\.ht">
    Order allow,deny
    Deny from all
    Satisfy All
</Files>

Run mod_security

mod_security is a super handy Apache module written by Ivan Ristic, the author of Apache Security from O'Reilly press.

You can do the following with mod_security:

  • Simple filtering
  • Regular Expression based filtering
  • URL Encoding Validation
  • Unicode Encoding Validation
  • Auditing
  • Null byte attack prevention
  • Upload memory limits
  • Server identity masking
  • Built in Chroot support
  • And more

Disable any unnecessary modules

Apache typically comes with several modules installed. Go through the apache module documentation and learn what each module you have enabled actually does. Many times you will find that you don't need to have the said module enabled.

Look for lines in your httpd.conf that contain LoadModule. To disable the module you can typically just add a # at the beginning of the line. To search for modules run:

grep LoadModule httpd.conf

Here are some modules that are typically enabled but often not needed: mod_imap, mod_include, mod_info, mod_userdir, mod_status, mod_cgi, mod_autoindex.

Make sure only root has read access to apache's config and binaries

This can be done assuming your apache installation is located at /usr/local/apache as follows:

chown -R root:root /usr/local/apache
chmod -R o-rwx /usr/local/apache

Lower the Timeout value

By default the Timeout directive is set to 300 seconds. You can decrease help mitigate the potential effects of a denial of service attack.

Timeout 45

Limiting large requests

Apache has several directives that allow you to limit the size of a request, this can also be useful for mitigating the effects of a denial of service attack.

A good place to start is the LimitRequestBody directive. This directive is set to unlimited by default. If you are allowing file uploads of no larger than 1MB, you could set this setting to something like:

LimitRequestBody 1048576

If you're not allowing file uploads you can set it even smaller.

Some other directives to look at are LimitRequestFields, LimitRequestFieldSize and LimitRequestLine. These directives are set to a reasonable defaults for most servers, but you may want to tweak them to best fit your needs. See the documentation for more info.

Limiting the size of an XML Body

If you're running mod_dav (typically used with subversion) then you may want to limit the max size of an XML request body. The LimitXMLRequestBody directive is only available on Apache 2, and its default value is 1 million bytes (approx 1mb). Many tutorials will have you set this value to 0 which means files of any size may be uploaded, which may be necessary if you're using WebDAV to upload large files, but if you're simply using it for source control, you can probably get away with setting an upper bound, such as 10mb:

LimitXMLRequestBody 10485760

Limiting Concurrency

Apache has several configuration settings that can be used to adjust handling of concurrent requests. The MaxClients is the maximum number of child processes that will be created to serve requests. This may be set too high if your server doesn't have enough memory to handle a large number of concurrent requests.

Other directives such as MaxSpareServers, MaxRequestsPerChild, and on Apache2 ThreadsPerChild, ServerLimit, and MaxSpareThreads are important to adjust to match your operating system, and hardware.

Restricting Access by IP

If you have a resource that should only by accessed by a certain network, or IP address you can enforce this in your apache configuration. For instance if you want to restrict access to your intranet to allow only the 176.16 network:


Order Deny,Allow
Deny from all
Allow from 176.16.0.0/16

Or by IP:

Order Deny,Allow
Deny from all
Allow from 127.0.0.1

Adjusting KeepAlive settings

According to the Apache documentation using HTTP Keep Alive's can improve client performance by as much as 50%, so be careful before changing these settings, you will be trading performance for a slight denial of service mitigation.

KeepAlive's are turned on by default and you should leave them on, but you may consider changing the MaxKeepAliveRequests which defaults to 100, and the KeepAliveTimeout which defaults to 15. Analyze your log files to determine the appropriate values.

Run Apache in a Chroot environment

chroot allows you to run a program in its own isolated jail. This prevents a break in on one service from being able to effect anything else on the server.

It can be fairly tricky to set this up using chroot due to library dependencies. I mentioned above that the mod_security module has built in chroot support. It makes the process as simple as adding a mod_security directive to your configuration:

SecChrootDir /chroot/apache

There are however some caveats however, so check out the docs for more info.

Acknowledgments

I have found the book Apache Security to be a highly valuable resource for securing an apache web server. Some of the suggestions listed above were inspired by this book.

Suggestions

Please post any suggestions, caveats, or corrections in the comments and I will update the post if necessary.

digg this!



Related Entries

106 people found this page useful, what do you think?

Trackbacks

Trackback Address: 505/BB6BD8AAA84E8F308B74411744C061E5

Comments

On 12/06/2005 at 2:20:01 PM EST Steven Erat wrote:
1
Very helpful. I was just searching for an article on securing Apache with ColdFusion the other day. Windows/IIS users may want to take a look at this article which is Windows 2003 specific:

Configuring ColdFusion MX 7 Server Security http://www.macromedia.com/devnet/coldfusion/articles/cf7_security.html

On 12/09/2005 at 5:35:41 AM EST polarizer wrote:
2
One could obfuscate server programm using error pages of other http server via

ErrorDocument 404 errors/404.html ErrorDocument 500 errors/500.html

polarizers 2cent http://www.codixx.de/polarizer.html

On 12/12/2005 at 2:19:05 PM EST Scorpion wrote:
3
Hi there, very interestig and useful tutorial. I have found a small error though. In the fourth part, you forgot the slash for the Directory tag. It should be like this: <Directory /> Order Deny,Allow Deny from all Options None AllowOverride None </Directory>

But I was still able to access any files out side of its web root with a simple php script, any ideas?

On 12/12/2005 at 2:24:27 PM EST Pete Freitag wrote:
4
Yes the apache configuration does not limit what PHP (or any cgi program) can do. I'm not sure if there is any way of limiting that, but I'm not a php guru.

Thanks for pointing out that typo as well, I'll fix it.

On 12/13/2005 at 4:58:49 AM EST polarizer wrote:
5
>I'm not sure if there is any way >of limiting that.

What about running apache in a chroot jail.

polarizer http://www.codixx.de/polarizer.html

On 01/20/2006 at 5:19:28 PM EST Brian wrote:
6
For mod_security, the guys at gotroot.com make a very complete set of rules available that you can download and pop in to protect against all kinds of attacks. They update the rules every few days. An excellent way to help protect your application from known exploits, XSS and other attempts.

Brian

On 02/04/2006 at 2:11:51 PM EST Qrucial wrote:
7
Cheers Mate...

On 02/16/2006 at 2:22:25 AM EST Anonymous wrote:
8
Any1 has an idea to restrict PHP to access to files outside its web root??

Tim

On 04/04/2006 at 8:18:29 PM EDT Fabián Arias wrote:
9
To restrict php to the web root you have to set the open_basedir variable in php.ini to your web root.

On 06/17/2006 at 7:28:51 AM EDT web design uk wrote:
10
Thats a great resource. Thanks a lot ! Some wicked tips in there

On 06/17/2006 at 2:55:54 PM EDT NotQuiteJack wrote:
11
Great recommendations, thanks Pete!

On 08/21/2006 at 6:28:37 PM EDT Renan wrote:
12
i want to know how to setup .cfm on apache???

On 12/15/2006 at 7:13:09 AM EST Ramesh Kumar wrote:
13
Author, pin pointed the performance, security issues with suitable mitigation. Cool.

On 01/03/2007 at 7:53:46 AM EST Mueller Martin wrote:
14
Better way to set open_basedir vor every host in apache, because setting in php.ini is global for all defined hosts in apache, so host1 could see directory of host2 and host3 ... It's mentioned here in Listing2: http://www.linux-magazin.de/Artikel/ausgabe/2004/10/php/php.html (Article in German language)

On 01/05/2007 at 8:07:22 PM EST Jok wrote:
15
If you don't want to use mod_security, and simply looks for hiding/masking Server: header, there's a tiny third part module that exists to do it on : http://jok.is-a-geek.net/blog/index.php?page=read&id=2006/01/090956

On 01/08/2007 at 7:46:44 AM EST Apache Dude wrote:
16
Awesome article man, very helpful. Here is a really good post dealing with securing SSL http://www.askapache.com/2006/htaccess/apache-ssl-in-htaccess-examples.html

On 04/04/2007 at 6:01:48 PM EDT Debi Winters wrote:
17
Thank you.

On 06/05/2007 at 3:35:27 AM EDT Humayun wrote:
18
Thanks. Its really helpfull. Keep it up.

On 10/23/2007 at 11:19:53 AM EDT cal wrote:
19
Thank you! :)

On 12/02/2007 at 8:29:10 PM EST Brontojoris wrote:
20
Hi, I know I'm a bit late to the party, but I just wanted to comment on Renan's query regarding .cfm files not being sent to the correct ErrorDocument location as set in Apache's config.

To have Apache catch .cfm files, instead of Coldfusion displaying an error, you need to update the IfModule mod_jrun22.c portion of the httpd.conf file for Apache. Change the 'JRunConfig Ignoresuffixmap false' to 'JRunConfig Ignoresuffixmap true'

On 02/01/2008 at 9:18:24 PM EST Saurabh wrote:
21
This is really useful. I need to allow access to apache only from a specific IP address, can I do that?

Thanks, Saurabh

On 05/23/2008 at 4:50:54 PM EDT Mario Barrera A. wrote:
22
Restricting Access by IP If you have a resource that should only by accessed by a certain network.

I am sure that "by" should be a "be" thanks for this topic!

On 07/21/2008 at 8:16:16 PM EDT Rich wrote:
23
chroot isn't a security tool, and was never intended to be one. You can quite easily break out of a chroot jail, so relying on chroot for security is never a good idea.

On 08/01/2008 at 4:16:39 AM EDT Darko Bunic wrote:
24
Very well article. I would like to add the way you can exclude needless Apache modules. After commenting out needless candidate, run httpd.conf test, not httpd restart because httpd in case of error will not start. You should also comment depend modules. I describe whole procedure on www.redips.net so I hope you will find useful information there.

On 08/12/2008 at 1:09:57 AM EDT Rashmin wrote:
25
its good, but Drupal confidure with apache , clean URl must change AllowOverride All.

On 11/26/2008 at 4:53:09 AM EST rey wrote:
26
hi anyone help me to configure the apache in centos 5.1 or 5.2 i am windows base but i want to switch in linux!please help me tank you

On 04/17/2009 at 10:23:12 PM EDT jimmy wrote:
27
Thanks, awsome advice and help.

On 01/12/2010 at 3:44:24 AM EST dev wrote:
28
Hi the article is indeed very helpful. I just have one doubt, what if I do not want to allow access to the end user using IP address and he should be able to access using domain name not using my IP address ?

On 01/23/2010 at 4:26:03 PM EST Rajnesh Siwal wrote:
29
Thanks a LOT .....

On 01/28/2010 at 11:57:53 PM EST James wrote:
30
One thing is NOT clear - once you set User apache Group apache

then who owns /web? In your case, it will be apache apache (UID and GID). Now if apache has no login shell, how could you edit the files underneath /web? Using root everytime?

On 01/29/2010 at 10:54:15 AM EST Pete Freitag wrote:
31
@James - You could always add users to the Apache group to allow editing by other users.

On 02/11/2010 at 2:57:55 PM EST Rudy Puig wrote:
32
@James - I suggest you look into the mod_suexec module http://httpd.apache.org/docs/2.2/mod/mod_suexec.html

On 02/17/2010 at 1:54:31 AM EST dfd wrote:
33
One thing is NOT clear - once you set User apache Group apache

then who owns /web? In your case, it will be apache apache (UID and GID). Now if apache has no login shell, how could you edit the files underneath /web? Using root everytime?

On 03/03/2010 at 7:38:17 PM EST Thanks! wrote:
34
Good post, thanks Pete!

On 03/19/2010 at 9:21:22 AM EDT dbthegeek wrote:
35
You may want to also mask the "Server" header completely, using your own string. This can be done with mod security. Set ServerToken to Full and then use the SecServerSignature "String" in the mod_sec config.

On 03/27/2010 at 9:17:07 AM EDT Scott wrote:
36
Thanks for some useful suggestions. As for chroot, the easiest way I've found to do it is using Jailkit. This page covers using it with apache. http://home.roadrunner.com/~computertaijutsu/jailkit.html

On 10/21/2010 at 12:22:11 PM EDT ahwebd wrote:
37
Thanks a lot for this guide,

I think it will be more secure to state: <Directory /> Order Allow,Deny </Directory>

instead of <Directory /> Order Deny,Allow Deny from all </Directory>

This way if there is more matching rules later, some allowing access and some denying it the request will be denied (your code will allow access in this case)

see here http://httpd.apache.org/docs/2.0/mod/mod_access.html#order

On 10/21/2010 at 5:06:29 PM EDT ahwebd wrote:
38
Thanks a lot for this guide,

I think it will be more secure to state:<Directory /> Order Allow,Deny </Directory>

instead of <Directory /> Order Deny,Allow Deny from all </Directory>

This way if there is more matching rules later, some allowing access and some denying it the request will be denied (your code will allow access in this case)

see here http://httpd.apache.org/docs/2.0/mod/mod_access.html#order

On 08/04/2011 at 12:36:15 PM EDT thiet ke website wrote:
39
How to disable trace? Please guide me

On 08/23/2011 at 8:59:35 PM EDT vinod palan wrote:
40
Hi, If people knows the URL to static file on the server as .DOC/.pdf how can I prevent them from accessing this. One way is to to the basic suthentication on that folder but is there any other way?

Thanks for the help.

Thanks vinod

On 09/06/2011 at 9:06:24 PM EDT SamDev wrote:
41
OMG . this not right , with this configurations no site will work , you disabled everything . next step would be turn off server .

On 01/19/2012 at 8:44:10 AM EST Don wrote:
42
Hi, thank you for the steps, how could i disable (ln) command (Perl)? Thank you

On 01/28/2012 at 9:46:09 PM EST Derik wrote:
43
Thanks for the tips! I just went through and configured similar to what you advise. It is working peachy and I feel a bit safer. I also use SSL for my login forms, etc. so that no one is passing plain text passwords around the web!

On 04/04/2012 at 5:03:36 AM EDT Arvind Lavania wrote:
44
Hi, Please let me know how can i modify my own header. by default apache is showing but i want to shown in header abcd So please help me...

On 05/08/2012 at 3:23:09 PM EDT The Femi wrote:
45
Thank you for this informative and useful instruction for securing Apache.

On 10/27/2012 at 1:32:32 PM EDT Unrettygreats wrote:
46
I've a web site that has been up and running for some time now, and for numerous reasons I want to replace it with a Wordpress site.. . So, how do I commence making the Wordpress site - within a seperate folder from the "public_html" folder? Then when you will be ready to move it into the public_html folder, does one have to correct whatever file-paths and link errors?.

On 04/11/2013 at 10:44:28 AM EDT Mr. Helpfull wrote:
47
Nice article but still incomplete. You didn't tell how to remove Server:Apache from HTTP header...

On 04/11/2013 at 12:52:14 PM EDT Pete Freitag wrote:
48
@Mr. Helpful - There is no way to remove the server header with standard Apache modules that I'm aware of, you will need a third party module such as mod_security to do that for you.

On 09/06/2014 at 9:26:17 PM EDT @figital wrote:
49
good post (10 years later). thanks pete.

Post a Comment




  



Spell Checker by Foundeo

Recent Entries



foundeo


did you hack my cf?