Apache is the most popular and most widely used web server in the world, and it was the first web server to serve over 100 million websites worldwide. Apache is considered a very secure web server; in this article we cover a few major configuration changes that make Apache on a CentOS VPS even more secure.
1. Keep Apache up to date
The most important security tip, not just for Apache but for all services, applications and scripts, is to keep them up to date by updating every time a new version is released. Apache is under active development, and security issues are fixed in new versions.
To upgrade the Apache web server to the latest available version, run the following command:
yum -y update httpd
2. Hide Apache and OS version
The ServerSignature directive is enabled by default and displays the version of Apache installed on your server and the operating system you are using. Attackers can easily use this information against your server. In order to hide this information, you need to change two directives in the Apache configuration file.
Open the Apache config file, find the two directives and make the following changes:
vi /etc/httpd/conf/httpd.conf
ServerSignature Off
ServerTokens Prod
3. Disable directory listing
If directory listing is not disabled, everyone will be able to list the contents of the directories in the document root. Directory listing can be disabled using the “Options” directive in the Apache configuration file.
Open the config file with a text editor and add the following directive:
<Directory /your/document/root>
Options -Indexes
</Directory>
Replace the path ‘/your/document/root’ with your actual document root directory.
4. Install and use the mod_security module
mod_security is a very useful Apache module. It strengthens the security of the Apache web server and protects your site from various attacks by blocking almost all common exploits.
To install and configure mod_security on a CentOS server, please see the installation guide: Install mod_security with OWASP core rule on a CentOS VPS.
5. Disable all unnecessary modules
Apache has many modules, and some of them are included in the default Apache installation. Not all of them are required, and it is recommended to disable unused modules. You can use the following command to get a list of all loaded Apache modules:
httpd -M
Loaded Modules:
core_module (static)
mpm_prefork_module (static)
http_module (static)
so_module (static)
auth_basic_module (shared)
auth_digest_module (shared)
authn_file_module (shared)
authn_alias_module (shared)
authn_anon_module (shared)
....
You can check the official Apache documentation for modules to learn more about their functionality.
Any unnecessary module can be disabled by adding the ‘#’ character at the beginning of its LoadModule line in the web server configuration file. For example:
vi /etc/httpd/conf/httpd.conf
# LoadModule auth_basic_module modules/mod_auth_basic.so
# LoadModule auth_digest_module modules/mod_auth_digest.so
6. Limit the size of requests
Apache’s ‘LimitRequestBody’ directive can be used to limit the number of bytes allowed in a request body. The right limit depends a lot on your website's needs. By default, ‘LimitRequestBody’ is set to unlimited, and this can make you a victim of denial of service (DoS) attacks.
The value of this directive can be set from 0 (no limit) to 2147483647 (2GB). For example, if you want to allow 100K file uploads in the upload directory /var/www/html/upload, you can add the following directive to your Apache config file:
<Directory "/var/www/html/upload">
LimitRequestBody 102400
</Directory>
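The settings from sections 2, 3 and 6 are easy to get subtly wrong (a commented-out line, an Options line that still grants Indexes), so it helps to check a config file mechanically. The following audit script is an added example, not code from this article; the two embedded httpd.conf samples are constructed, and parse_directives and audit_httpd_conf are names chosen here.

```python
import re
# Constructed samples (not from a real server): a weak httpd.conf, then the hardened form.
WEAK_CONF = """\
ServerTokens OS
ServerSignature On
<Directory "/var/www/html">
    Options Indexes FollowSymLinks
</Directory>
"""
HARDENED_CONF = """\
ServerTokens Prod
ServerSignature Off
<Directory "/var/www/html">
    Options -Indexes FollowSymLinks
</Directory>
<Directory "/var/www/html/upload">
    LimitRequestBody 102400
</Directory>
"""

def parse_directives(text):
    # Yield (name, value, scope): comments skipped, names lowercased (Apache
    # ignores their case), scope = enclosing <Directory> path or None.
    scope = None
    for line in (raw.strip() for raw in text.splitlines()):
        if not line or line.startswith("#"):
            continue
        if m := re.match(r'<Directory\s+"?([^">]+)"?\s*>$', line, re.I):
            scope = m.group(1)
        elif line.lower() == "</directory>":
            scope = None
        else:
            name, *rest = line.split(None, 1)
            yield name.lower(), (rest[0] if rest else ""), scope

def audit_httpd_conf(text):
    # One finding per weak setting; an empty list means every check passed.
    want = {"servertokens": "prod", "serversignature": "off"}
    seen, limits, findings = {}, [], []
    for name, value, scope in parse_directives(text):
        if name in want:
            seen[name] = value.lower()
        elif name == "limitrequestbody" and value.isdigit():
            limits.append(int(value))
        elif name == "options" and re.search(r"(^|\s)\+?(indexes|all)\b", value, re.I):
            findings.append(f"directory listing enabled for {scope or 'server root'}")
    for name, expected in want.items():
        if seen.get(name, "not set") != expected:
            findings.append(f"{name} is '{seen.get(name, 'not set')}', expected '{expected}'")
    if not any(limits):  # 0 or absent means unlimited request bodies
        findings.append("LimitRequestBody is 0 (unlimited) in every scope")
    return findings
```

Running audit_httpd_conf on the weak sample reports all four problems, while the hardened sample returns no findings; a commented-out "ServerSignature Off" is correctly treated as not applied.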
7. Enable logging
Log files are always very useful for getting detailed information about the events happening on your server, so it is good practice to enable logging in Apache. It will give you details of every client request made to your web server. To do this, you must make sure that the ‘log_config_module’ module is enabled on your server:
httpd -M | grep log_config_module
Syntax OK
log_config_module (shared)
The ‘log_config_module’ module (mod_log_config) provides the TransferLog, LogFormat and CustomLog directives, which are used to create log files.