Best way to secure Apache web server


This article is for people who have just set up an Apache web server and want to secure it. Here are some tips to help you configure a secure Apache web server on your Linux box.

I am executing these steps on an Ubuntu 14.04 LTS virtual server.

STEP1: Hide Apache Version information from HTTP response

Showing the version of your Apache web server to visitors is risky. If an attacker learns of a vulnerability affecting your server's Apache version, chances are that your server can get compromised.

The following method hides the Apache version from the response headers and the server signature.

Open /etc/apache2/conf-enabled/security.conf in an editor and modify the following values to look like below:
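The two directives below are an added example, not the post's own snippet, showing the values in /etc/apache2/conf-enabled/security.conf that control what Apache reveals about itself:

```apache
# /etc/apache2/conf-enabled/security.conf
# "Prod" makes the Server header read just "Apache" with no version or module list.
ServerTokens Prod

# "Off" removes the version footer from server-generated pages
# (error pages, directory listings).
ServerSignature Off
```

After `service apache2 reload`, `curl -I http://localhost/` should show only `Server: Apache`. Hiding the banner does not remove any vulnerability; it only makes fingerprinting harder, so keep applying the distribution's security updates.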

STEP2: Disable HTTP methods TRACE & OPTIONS

Disabling the OPTIONS and TRACE methods is important from a security perspective, since they are intended for obtaining diagnostic information from your server. To disable these methods, I will have the following values in /etc/apache2/conf-enabled/security.conf:

Make sure that mod_rewrite is enabled; otherwise the rewrite rules above will not work.
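As an added example (not the post's own configuration), this is one way to block both methods in /etc/apache2/conf-enabled/security.conf; `TraceEnable` is Apache's native switch for TRACE and needs no mod_rewrite, while the rewrite rules cover OPTIONS as well:

```apache
# Native switch: refuse TRACE (and thus cross-site tracing) without mod_rewrite.
TraceEnable Off

# Rewrite-based block for TRACE, TRACK and OPTIONS.
# Requires: a2enmod rewrite. Matching requests get 403 Forbidden.
RewriteEngine On
RewriteCond %{REQUEST_METHOD} ^(TRACE|TRACK|OPTIONS)$ [NC]
RewriteRule .* - [F,L]
```

Rewrite rules in the main server config are not inherited by virtual hosts unless each vhost sets `RewriteOptions Inherit`, so either add that directive to your vhosts or repeat the rules there. Verify with `curl -X TRACE -I http://localhost/`, which should return 403 (or 405 when only `TraceEnable Off` applies).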

STEP3: Restrict uploads directory for only certain file types

Suppose you have a directory "uploads" in the document root; an attacker might use various techniques to upload malicious code into that directory. To prevent this, add the following rules to the virtual host configuration file.

The rules above ensure that the only file types allowed in the uploads directory are jpg, jpeg, png and gif.
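The following `<Directory>` block is an added example (not the post's own rules) of how such a restriction looks in Apache 2.4 syntax; the path /var/www/html/uploads is assumed:

```apache
<Directory /var/www/html/uploads>
    # No directory listings, no CGI, no symlink following out of the directory.
    Options -Indexes -ExecCGI -FollowSymLinks

    # Make sure nothing in here is ever executed as a script, even if an
    # attacker manages to drop a .php or .phtml file.
    RemoveHandler .php .phtml .php3 .php4 .php5 .cgi .pl
    <IfModule mod_php5.c>
        php_flag engine off
    </IfModule>

    # Deny everything first; Files sections are merged in configuration order,
    # so the later, more specific match below overrides this for images.
    <FilesMatch ".+">
        Require all denied
    </FilesMatch>

    # Only these extensions (case-insensitive) may be served.
    <FilesMatch "\.(?i:jpe?g|png|gif)$">
        Require all granted
    </FilesMatch>
</Directory>
```

Note that this controls what Apache will serve or execute from the directory, not what the application accepts; validating the uploaded content (not just the extension) still belongs in the application code, and a file named `shell.php.jpg` would be served as a static file, which is exactly why script handlers are removed here.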

STEP4: Mitigate DoS (Slowloris) attacks

Since Apache dedicates a worker thread or process to each connection, we need to make sure it is not affected by a Slowloris DoS attack. In this attack, the attacker sends a huge number of slow, partial HTTP requests that tie up all available workers, disrupting your web server so that Apache may become unresponsive.

The following fix can be applied to Apache to mitigate this attack. Make sure that the mod_reqtimeout module is installed and enabled in Apache.
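An added example (not the post's own snippet) of a mod_reqtimeout configuration for /etc/apache2/mods-enabled/reqtimeout.conf; the values shown are the ones Debian and Ubuntu ship by default, so they are a reasonable starting point:

```apache
# Enable with: a2enmod reqtimeout && service apache2 restart
<IfModule reqtimeout_module>
    # header=20-40,MinRate=500:
    #   wait at most 20 s for the first header byte, then extend the deadline
    #   by 1 s per 500 bytes received, but never beyond 40 s total.
    # body=20,MinRate=500:
    #   same idea for the request body, starting from a 20 s budget.
    # A Slowloris client that trickles a few bytes a minute is dropped
    # as soon as it falls below the rate, freeing the worker.
    RequestReadTimeout header=20-40,MinRate=500 body=20,MinRate=500
</IfModule>
```

Check the syntax with `apachectl -t` before restarting. Tightening the numbers further helps against slow-header attacks but can break legitimate clients on poor links, so test with your real traffic; switching to the event MPM (`a2enmod mpm_event`) also reduces the per-connection cost that makes Slowloris effective.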

STEP5: Protecting against SQL injection attacks

SQL injection has become a common threat to any website running a MySQL-backed web application, and preventing it is an important security step. With the power of mod_rewrite and mod_security, most SQL injection attacks can be blocked at the web server.

You can install mod_security and include all of the core rules provided by OWASP (the Core Rule Set).

Following are some handy rules with which you can block SQL injection attempts. You can place them either in the virtual host file or in .htaccess.
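As an added example (not the post's own rules), the block below shows the two layers described above: turning mod_security's engine on after installing it from the Ubuntu package, and a small set of mod_rewrite rules that reject query strings containing typical injection tokens. The regexes are illustrative and assumed, not a published rule set:

```apache
# 1. mod_security (package libapache2-mod-security2 on Ubuntu 14.04).
#    The shipped /etc/modsecurity/modsecurity.conf defaults to
#    "SecRuleEngine DetectionOnly"; switch it to blocking once the
#    OWASP CRS rules have been included and reviewed in the audit log.
<IfModule security2_module>
    SecRuleEngine On
    SecAuditLog /var/log/apache2/modsec_audit.log
</IfModule>

# 2. mod_rewrite blocklist (vhost or .htaccess). Requires: a2enmod rewrite.
RewriteEngine On
# Encoded or literal quotes / comment openers followed by SQL keywords.
RewriteCond %{QUERY_STRING} (%27|'|%22|"|%2F\*|/\*|%23|#).*(union|select|insert|update|delete|drop|alter|cast|declare) [NC,OR]
# "UNION [ALL] SELECT" with any whitespace encoding in between.
RewriteCond %{QUERY_STRING} union(%20|\+|\s)+(all(%20|\+|\s)+)?select [NC,OR]
# Time-based and function-based probes.
RewriteCond %{QUERY_STRING} (sleep|benchmark|load_file|information_schema)(%28|\() [NC,OR]
# Boolean tautology probes such as ' OR 1=1
RewriteCond %{QUERY_STRING} (%27|')(%20|\+|\s)*(or|and)(%20|\+|\s)+[0-9a-z]+(%20|\+|\s)*= [NC]
RewriteRule .* - [F,L]
```

Treat these rules as a safety net, not the fix: pattern blocklists can be evaded and will occasionally reject legitimate input (a search for the word "select" in a quoted phrase, for example). The actual defence is parameterized queries and prepared statements in the application; run mod_security in DetectionOnly mode for a while and read the audit log before enforcing.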

STEP6: Have your website only talk on HTTPS

This step is very important if you are running a transaction-based website such as e-commerce or payments. In future, Google will rank sites that serve content over HTTPS higher.

The following is the configuration you can use while setting up the SSL certificate for your site.

The following rule forces all requests to be served over HTTPS. Place it in the .htaccess file.

Place the following rules in Apache's virtual host file.
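The configuration below is an added example, not the post's own, of an HTTPS virtual host plus an HTTP-to-HTTPS redirect for Apache 2.4 on Ubuntu 14.04; the host name and certificate paths are placeholders:

```apache
# Requires: a2enmod ssl rewrite headers

<VirtualHost *:443>
    ServerName   www.example.com
    DocumentRoot /var/www/html

    SSLEngine on
    # Placeholder paths: substitute your own certificate, key and CA chain.
    SSLCertificateFile      /etc/ssl/certs/example.com.crt
    SSLCertificateKeyFile   /etc/ssl/private/example.com.key
    SSLCertificateChainFile /etc/ssl/certs/ca-chain.crt

    # Drop SSLv2/SSLv3 (POODLE), let the server pick the cipher, and exclude
    # anonymous, MD5, RC4 and export-grade suites.
    SSLProtocol        all -SSLv2 -SSLv3
    SSLHonorCipherOrder on
    SSLCipherSuite     ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA384:!aNULL:!eNULL:!MD5:!RC4:!EXPORT:!DES:!3DES

    # HSTS: browsers that have seen this header refuse plain HTTP for a year.
    Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains"
</VirtualHost>

<VirtualHost *:80>
    ServerName www.example.com
    # Permanent redirect of every plain-HTTP request to the HTTPS equivalent.
    # The same three lines also work in .htaccess under the document root.
    RewriteEngine On
    RewriteCond %{HTTPS} off
    RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]
</VirtualHost>
```

Start with a short HSTS `max-age` (for example 300) while testing, because browsers cache the policy and a broken certificate would lock visitors out for the whole period. Verify the result with `openssl s_client -connect www.example.com:443 -ssl3`, which should be refused, and with `curl -I http://www.example.com/`, which should return a 301 to the https:// URL.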

STEP7: Protect your application against DDoS & brute force attacks.

DDoS attacks are a severe headache and can cause extensive downtime on your websites. A DDoS attack is carried out by sending a continuous, heavy volume of requests to your web server so that Apache is kept busy and hence becomes unresponsive.

There are various firewalls and solutions available for securing Apache against DDoS; I would recommend using either the Cloudflare CDN or the fail2ban firewall.

fail2ban runs on the same machine as Apache; it examines requests from each IP address and drops that IP's connections once a threshold is reached. This threshold value can be configured.

To use the Cloudflare CDN, you are required to point your website's DNS to the name servers provided by Cloudflare.
