Apache, Linux

Securing Apache Part 1

The following tips are things you can do to make your Apache server more secure.

Before you begin to follow the tips below, locate your Apache configuration files first. Common places for Apache's configuration files are: /etc/apache2/apache2.conf, /etc/apache2/httpd.conf and /etc/apache2/sites-enabled/000-default.

Before you make any changes, MAKE BACKUP COPIES OF YOUR FILES.

Here we go:

1. Install latest security updates

2. Run Apache under its own user and group. Ex. apache:apache

3. Restrict access outside the document root (the document root directory, /var/www/ here, varies)

# Deny everything on the filesystem first, then re-open only the document root.
# (Apache 2.2 syntax; on 2.4 the equivalents are "Require all denied" / "Require all granted",
# and Order/Deny/Allow keep working only through mod_access_compat.)
<Directory />
  Order Deny,Allow
  Deny from all
  Options None
  AllowOverride None
</Directory>
<Directory /var/www/>
  Order Allow,Deny
  Allow from all
</Directory>

4. Turn off CGI execution, directory browsing, server-side includes and symbolic links

<Directory /var/www/>
  Order Allow,Deny
  Allow from all
  # Each "-" removes that option; without this line Apache's default is "Options All"
  Options -Indexes -Includes -FollowSymLinks -ExecCGI
</Directory>

5. Turn off .htaccess support if you don't need it

AllowOverride None

6. Disable any unused modules

7. Limit Timeout value

Locate the line Timeout 300 and change it to a value smaller than 300, e.g. Timeout 50

8. Limit request size

Add the LimitRequestBody directive with a size of your choice. The default is unlimited!

9. Install mod_security module

10. Hide Apache’s version number
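As an added example (not part of the original post), here is a small Python checker that audits an Apache config fragment against tips 3, 4, 5, 7, 8 and 10 and lists what is still weak. It assumes the Apache 2.2-style syntax used above, assumes tip 10 is implemented with the ServerTokens directive, and runs on a constructed sample fragment embedded below, not on a real server's files.

```python
import re

# Constructed sample config fragment (not from any real server); it violates most tips.
SAMPLE_CONF = """\
ServerTokens Full
Timeout 300
<Directory />
  Options FollowSymLinks
  AllowOverride All
</Directory>
<Directory /var/www/>
  Order Allow,Deny
  Allow from all
  Options Indexes Includes
</Directory>
"""

DIR_RE = re.compile(r'<Directory\s+"?([^"\s>]+)"?\s*>(.*?)</Directory>', re.S | re.I)

def directive(text, name):
    """Value of the last occurrence of a directive in text, or None if absent."""
    hits = re.findall(r'^\s*' + name + r'\s+(.+?)\s*$', text, re.M | re.I)
    return hits[-1] if hits else None

def audit_apache_conf(conf):
    """Return findings for settings weaker than the hardening tips recommend."""
    findings = []
    t = directive(conf, "Timeout")                      # tip 7
    if t is None or int(t) >= 300:
        findings.append("Timeout unset or >= 300")
    body = directive(conf, "LimitRequestBody")          # tip 8: 0 (the default) = unlimited
    if body is None or int(body) == 0:
        findings.append("LimitRequestBody unset or 0 (unlimited)")
    if (directive(conf, "ServerTokens") or "Full").lower() != "prod":   # tip 10 (assumed directive)
        findings.append("ServerTokens is not Prod")
    for path, block in DIR_RE.findall(conf):
        if path == "/" and (directive(block, "Deny") or "").lower() != "from all":  # tip 3
            findings.append("<Directory />: missing 'Deny from all'")
        opts = directive(block, "Options")               # tip 4
        if opts is None:
            findings.append(f"<Directory {path}>: Options not restricted (default is All)")
        else:
            enabled = {o.lstrip("+").lower() for o in opts.split() if not o.startswith("-")}
            for risky in sorted(enabled & {"all", "indexes", "includes", "followsymlinks", "execcgi"}):
                findings.append(f"<Directory {path}>: Options enables {risky}")
        if (directive(block, "AllowOverride") or "").lower() != "none":   # tip 5
            findings.append(f"<Directory {path}>: AllowOverride is not None")
    return findings
```

Running audit_apache_conf on a fragment built from the directives in tips 3, 4, 5, 7 and 8 plus ServerTokens Prod returns an empty list.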