How to secure apache web server on CentOS 7

Introduction

Apache is one of the most secure and popular web servers for hosting your web files or website. It is available for both Windows and Linux/UNIX. In this article we cover the main steps to secure your Apache web server; you should already have some basic familiarity with Apache on CentOS 7.

Prerequisites

In order to complete this guide, you will need:

  • A server running CentOS v. 7 with Apache installed
  • A static IP address for your server

1. Hide Apache Version and Operating System

By default, the Apache version and the operating system are shown in the Server response header, as shown below. This is an information leak: it lets an attacker match your exact version against published vulnerabilities.

To hide this information from browsers, you will need to make some changes in Apache’s main configuration file. You can do this by editing the httpd.conf file:

$ sudo nano /etc/httpd/conf/httpd.conf

Add the following lines at the end of the file. Apache does not accept a comment after a directive on the same line (it reports a syntax error), so keep each comment on its own line:

# Removes the version footer from server-generated pages (error pages, listings)
ServerSignature Off
# Reduces the Server header to "Apache", removing version and OS detail
ServerTokens Prod

Save the file and reload Apache to reflect these changes:

$ sudo systemctl reload httpd

Refresh the browser and you’ll notice the version and OS details removed as shown below:

2. Disable Directory Listing and FollowSymLinks

By default, a directory listing is generated for any directory under the web root that has no index file, as shown below. With listings enabled, an attacker can browse every file, inspect it, and learn sensitive details about the applications on your Apache server.

[image]

To disable both, edit the config file and put a minus sign (-) in front of each option in the line Options Indexes FollowSymLinks so that it reads Options -Indexes -FollowSymLinks, as shown below. Note that mod_rewrite rules in a <Directory> or .htaccess context require FollowSymLinks or SymLinksIfOwnerMatch; if your site relies on such rules, use Options -Indexes SymLinksIfOwnerMatch instead, which only follows links whose owner matches the target file.

sudo nano /etc/httpd/conf/httpd.conf

# Further relax access to the default document root:
<Directory "/var/www/html">
  #
  # Possible values for the Options directive are "None", "All",
  # or any combination of:
  #   Indexes Includes FollowSymLinks SymLinksifOwnerMatch ExecCGI MultiViews
  #
  # Note that "MultiViews" must be named *explicitly* --- "Options All"
  # doesn't give it to you.
  #
  # The Options directive is both complicated and important.  Please see
  # http://httpd.apache.org/docs/2.4/mod/core.html#options
  # for more information.
  #
  Options -Indexes -FollowSymLinks
  #
  # AllowOverride controls what directives may be placed in .htaccess files.
  # It can be "All", "None", or any combination of the keywords:
  #   Options FileInfo AuthConfig Limit
  #
  AllowOverride None
  #
  # Controls who can get stuff from this server.
  #
  Require all granted
</Directory>

Save the file, check the syntax with sudo apachectl configtest, and restart Apache to apply the changes:

sudo apachectl restart

Refresh the browser and you will notice that the files can no longer be listed; instead, Apache returns a 403 Forbidden error, as shown below:

[image]

3. Disable Unnecessary Modules

By default, Apache comes with many modules enabled that most sites never use. It is good practice to disable any module that is not needed, since every loaded module adds code that can be attacked. Modules such as mod_info (which can expose the server configuration over HTTP), mod_userdir (which serves users' home directories) and mod_autoindex (which generates the directory listings disabled in step 2) are enabled but usually not needed.

You can disable these modules by editing the 00-base.conf file:

sudo nano /etc/httpd/conf.modules.d/00-base.conf

Comment out the lines below by inserting a # at the beginning of each line to disable the modules:

#LoadModule info_module modules/mod_info.so
#LoadModule autoindex_module modules/mod_autoindex.so
#LoadModule userdir_module modules/mod_userdir.so

If httpd then refuses to start with an "Invalid command" error (for example for IndexOptions), another file under /etc/httpd/conf.d/ such as autoindex.conf still uses directives from a disabled module; comment those directives out or remove that file as well.

Save the file and reload Apache to reflect these changes:

sudo apachectl restart

4. Secure Apache using mod_security and mod_evasive modules

Mod_security: Acts as a firewall for web servers and applications (a web application firewall), inspecting each request against a rule set and providing protection against brute-force and injection attacks among others. Install it and restart the Apache service. Keep in mind that mod_security is only a rule engine: with no rules loaded it blocks nothing, so also install a rule set such as the OWASP ModSecurity Core Rule Set (the mod_security_crs package on CentOS 7), run with SecRuleEngine DetectionOnly first, and review the audit log for false positives before switching to SecRuleEngine On.

sudo yum install mod_security -y

Then reload Apache to reflect these changes:

sudo apachectl restart

Mod_evasive: Detects and mitigates HTTP DoS, DDoS and brute-force attacks. It temporarily blocks a client IP when: the same page is requested more than a few times per second; a temporarily blacklisted IP keeps making new requests; or more than 50 concurrent requests per second are made to the same child process. Like mod_security, it only needs to be installed and Apache restarted. The package comes from the EPEL repository, so enable EPEL first. The thresholds and blocking period (DOSPageCount, DOSSiteCount, DOSBlockingPeriod) live in /etc/httpd/conf.d/mod_evasive.conf; since many users behind one NAT address share an IP, tune them for your traffic and add monitoring hosts with DOSWhitelist.

sudo yum install mod_evasive -y

Then reload Apache to reflect these changes:

sudo apachectl restart

5. Limit Request Size

By default Apache does not limit the size of an HTTP request body, which leaves the server open to denial-of-service attacks that tie it up with very large requests. For example, if a site allows users to upload files, it is important to set a limit on the upload size. This is done with the LimitRequestBody directive for that particular upload directory.

To do this, edit the main Apache config file:

sudo nano /etc/httpd/conf/httpd.conf

<Directory "/var/www/html/wp_content/uploads">
    LimitRequestBody 10485760
</Directory>

The upload size is now limited to a maximum of 10 megabytes (10485760 bytes). The directive accepts values up to 2 GB (2147483647 bytes); 0 means unlimited. Requests larger than the limit are rejected with a 413 Request Entity Too Large error.

Save the file and reload Apache to reflect these changes:

sudo apachectl restart

6. Disable TRACE HTTP Request

By default the HTTP TRACE method is enabled, which allows Cross-Site Tracing (XST): TRACE echoes the request back to the client, so a script injected into a page can use it to read request headers, including cookies. Disabling TRACE makes mod_proxy and the core server return a 405 Method Not Allowed error to clients. TRACE is disabled by adding the line below to the config file.

To do this, edit the main Apache config file:

sudo nano /etc/httpd/conf/httpd.conf

TraceEnable off

Save the file and reload Apache to reflect these changes:

sudo apachectl restart

7. Turn Off Server-Side Includes (SSI) And CGI Execution

Server-side includes (SSI) are directives embedded in HTML pages that the web server evaluates before sending the page. In an SSI injection attack, user-supplied input that reaches an SSI-enabled page is interpreted as directives, letting an attacker execute arbitrary code on the server: read sensitive files such as password files and run shell commands. Disable server-side includes and CGI execution wherever they are not needed.

To do this, edit the main Apache config file:

sudo nano /etc/httpd/conf/httpd.conf

<Directory /var/www/html/>
    Options -Indexes -FollowSymLinks -ExecCGI -Includes
    AllowOverride None
    Require all granted
</Directory>

Save the file and reload Apache to reflect these changes:

sudo apachectl restart

8. Disallow Browsing Outside The Document Root

Unless you have a specific need, restrict Apache so it can only serve files from the document root. You can lock down the filesystem root / with Allow and Deny directives in the httpd.conf file. These Order/Deny directives are the Apache 2.2 syntax; they still work on the Apache 2.4 shipped with CentOS 7 through mod_access_compat, but the native 2.4 form is Require all denied, which is what the CentOS default httpd.conf already uses for <Directory />. Use one form or the other within a block, not both.

To do this, edit the main Apache config file:

sudo nano /etc/httpd/conf/httpd.conf

Edit the following lines:

<Directory />
    Options None
    Order deny,allow
    Deny from all
</Directory>

  • Options None : This turns off all options
  • Order deny,allow : The order in which the Allow and Deny directives are evaluated
  • Deny from all : This denies all requests to the root directory

Save the file and reload Apache to reflect these changes:

sudo apachectl restart

9. Keep Apache Up To Date

The Apache server has a good security record. New updates contain patches that fix known vulnerabilities, so you should always run the most recent version available for your distribution.

You can update Apache to the most recent packaged version by running the following command:

sudo yum update httpd

Note that CentOS 7 keeps the httpd 2.4.6 version number and backports security fixes into that package, so the version string alone does not show whether a fix is applied; check the package changelog with rpm -q --changelog httpd.

10. Secure Apache From Clickjacking Attacks

Clickjacking, also known as a "user interface redress attack," is a technique in which an attacker loads your site in an invisible frame on a malicious page and tricks the visitor into clicking on it, so the clicks land on your site's buttons without the victim knowing.

To prevent this, send the X-Frame-Options header, which tells browsers not to render your pages inside frames on other sites.

To do this, edit the main Apache config file:

sudo nano /etc/httpd/conf/httpd.conf

And add the following line (it requires mod_headers, which CentOS 7 loads by default):

Header always set X-Frame-Options "SAMEORIGIN"

set is used rather than append so that a backend application that also sends the header does not produce the value SAMEORIGIN, SAMEORIGIN, which browsers reject; always makes Apache send it on error responses as well.

Save the file and reload Apache to reflect these changes:

sudo apachectl restart

You should see X-Frame-Options in the response headers, as shown in the image below:

[image]

11. Disable ETag

ETags (entity tags) are a well-known information leak in the Apache web server. ETag is an HTTP response header used for cache validation; when it is derived from the file's inode (the FileETag INode MTime Size setting that older Apache versions used by default), it lets remote users obtain sensitive details such as inode numbers, child process IDs and multipart MIME boundaries. ETag generation is enabled in Apache by default; Apache 2.4 defaults to FileETag MTime Size, which omits the inode, but disabling it entirely is still recommended. Without ETags, conditional requests fall back to the Last-Modified header, so caching keeps working.

You can see ETag by checking HTTP response headers in Firebug:

[image]

To prevent this vulnerability, disabling ETag is recommended.

To do this, edit the main Apache config file:

sudo nano /etc/httpd/conf/httpd.conf

And add the following line:

FileETag None

Save the file and reload Apache to reflect these changes:

sudo apachectl restart

Now, open Firefox and visit your website. When you check the HTTP response headers in Firebug, you should not see Etag listed.

[image]

12. HTTP Request Methods

Apache supports the OPTIONS, GET, HEAD, POST, CONNECT, PUT, DELETE and TRACE methods of the HTTP/1.1 protocol. Some of these may not be required and may pose a security risk (PUT and DELETE, for example, modify resources). It is a good idea to enable only HEAD, POST and GET for web applications.

To do this, edit the main Apache config file:

sudo nano /etc/httpd/conf/httpd.conf

Find the section that begins with <Directory "/var/www/html">. Add the following lines inside this section. deny from all is the Apache 2.2 syntax (see step 8); Require all denied is the 2.4 equivalent. Note that this also blocks OPTIONS, which browsers use for CORS preflight requests, so add OPTIONS to the list if your applications need it.

<LimitExcept GET POST HEAD>
    deny from all
</LimitExcept>

Save the file and reload Apache to reflect these changes:

sudo apachectl restart
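To verify that the settings from sections 1, 2, 5, 6, 7, 11 and 12 are actually active in httpd.conf (and not merely commented out), here is an added example shell script that is not part of the original article; it audits a configuration file and reports each missing directive. The sample fragment it runs on is constructed here and is not a real server's file.

```shell
#!/bin/bash
# Added example, not part of the original article: audit a copy of httpd.conf for
# the directives set in sections 1, 2, 5, 6, 7, 11 and 12. Comment lines are dropped
# first, so a commented-out "#ServerTokens Prod" does not count as applied.
# Usage: audit_httpd_conf /etc/httpd/conf/httpd.conf   (returns the number of missing items)
audit_httpd_conf() {
    live=$(grep -v '^[[:space:]]*#' "$1" || true)   # active (uncommented) lines only
    missing=0
    want() {   # want <ERE> <description>: print OK or MISSING, count the misses
        if printf '%s\n' "$live" | grep -Eiq "$1"; then echo "OK      $2"
        else echo "MISSING $2"; missing=$((missing + 1)); fi
    }
    want '^[[:space:]]*ServerTokens[[:space:]]+Prod'        'ServerTokens Prod'
    want '^[[:space:]]*ServerSignature[[:space:]]+Off'      'ServerSignature Off'
    want '^[[:space:]]*TraceEnable[[:space:]]+off'          'TraceEnable off'
    want '^[[:space:]]*FileETag[[:space:]]+None'            'FileETag None'
    want '^[[:space:]]*LimitRequestBody[[:space:]]+[0-9]+'  'LimitRequestBody set'
    want '^[[:space:]]*<LimitExcept[[:space:]]'             'LimitExcept block restricting methods'
    # Sections 2 and 7: an Options line that still grants one of these (bare, with "+",
    # or via "All", but not "-Indexes") is a finding.
    for opt in Indexes FollowSymLinks Includes ExecCGI; do
        if printf '%s\n' "$live" | grep -Eq "^[[:space:]]*Options([[:space:]]+[^[:space:]]+)*[[:space:]]+\+?($opt|All)([[:space:]]|$)"; then
            echo "MISSING $opt still granted by an Options line"; missing=$((missing + 1))
        else echo "OK      no Options line grants $opt"; fi
    done
    echo "missing: $missing"
    return "$missing"
}

# Demo on a constructed fragment mirroring the article's end state (not a real server's file).
tmp=$(mktemp)
cat > "$tmp" <<'EOF'
ServerSignature Off
ServerTokens Prod
TraceEnable off
FileETag None
<Directory "/var/www/html">
    Options -Indexes -FollowSymLinks -ExecCGI -Includes
    <LimitExcept GET POST HEAD>
        deny from all
    </LimitExcept>
</Directory>
<Directory "/var/www/html/wp_content/uploads">
    LimitRequestBody 10485760
</Directory>
EOF
audit_httpd_conf "$tmp" || true   # prints "missing: 0"
rm -f "$tmp"
```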

13. Secure Apache From XSS Attacks

Cross-site scripting (XSS) is one of the most common application-layer vulnerabilities in web applications served by Apache. XSS lets attackers inject client-side script into pages viewed by other users. Enabling the browser's XSS protection via the X-XSS-Protection header is recommended, with the caveat that this header is legacy: Firefox never implemented it and Chrome removed its XSS auditor, so for current browsers a Content-Security-Policy header is the effective control and X-XSS-Protection only helps older clients.

To do this, edit the main Apache config file:

sudo nano /etc/httpd/conf/httpd.conf

And add the following lines:

<IfModule mod_headers.c>
    Header set X-XSS-Protection "1; mode=block"
</IfModule>

Save the file and reload Apache to reflect these changes:

sudo apachectl restart

Now open Firefox and visit your website. When you check the HTTP response headers in Firebug, you should see X-XSS-Protection with the value 1; mode=block.

[image]

14. Protect Cookies With HTTPOnly Flag

You can protect your Apache server's cookies against the most common consequences of cross-site scripting by using the HttpOnly and Secure flags: HttpOnly stops client-side scripts from reading the cookie, and Secure makes the browser send it only over HTTPS. Apply the Secure flag only once your site is served over HTTPS, otherwise browsers will not return the cookie on plain HTTP and logins will break.

To do this, edit the main Apache config file:

sudo nano /etc/httpd/conf/httpd.conf

Add the following lines:

<IfModule mod_headers.c>
    Header edit Set-Cookie ^(.*)$ $1;HttpOnly;Secure
</IfModule>

Save the file and reload Apache to reflect these changes:

sudo apachectl restart
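To confirm from the client side that the headers from sections 1, 10, 11, 13 and 14 are applied, here is an added example shell script, not from the original article, that audits a captured HTTP response header block. The sample header block is constructed, and the hostname in the curl comment is a placeholder.

```shell
#!/bin/bash
# Added example, not part of the original article: check a captured HTTP response
# header block against sections 1, 10, 11, 13 and 14 of this guide. Reads the
# headers from stdin and returns the number of findings, for example:
#   curl -sI https://www.example.com/ | audit_response_headers    (placeholder host)
audit_response_headers() {
    hdrs=$(tr -d '\r')                      # normalise CRLF line endings from stdin
    findings=0
    flag() { echo "FINDING $1"; findings=$((findings + 1)); }
    has()  { printf '%s\n' "$hdrs" | grep -iq "^$1:"; }   # is header $1 present?

    # Section 1: "Server: Apache/2.4.6 (CentOS)" leaks version and OS;
    # ServerTokens Prod reduces it to "Server: Apache".
    server=$(printf '%s\n' "$hdrs" | grep -i '^Server:' | cut -d' ' -f2-)
    case "$server" in
        Apache)   echo "OK      Server header minimal" ;;
        *[0-9/]*) flag "Server header reveals version/OS: $server" ;;
        *)        echo "OK      Server header: ${server:-absent}" ;;
    esac

    has ETag && flag "ETag present (FileETag None not applied)"             # section 11
    has X-Frame-Options || flag "X-Frame-Options missing (clickjacking)"    # section 10
    has X-XSS-Protection || flag "X-XSS-Protection missing"                 # section 13

    # Section 14: every Set-Cookie must carry both HttpOnly and Secure.
    bad=$(printf '%s\n' "$hdrs" | grep -i '^Set-Cookie:' \
          | grep -Eivc 'httponly.*secure|secure.*httponly' || true)
    [ "$bad" -eq 0 ] || flag "$bad Set-Cookie header(s) without HttpOnly+Secure"

    echo "findings: $findings"
    return "$findings"
}

# Constructed sample of an unhardened default response (not a real capture).
SAMPLE_UNHARDENED='HTTP/1.1 200 OK
Server: Apache/2.4.6 (CentOS)
ETag: "2d-5b6e7c8d9e0f1"
Set-Cookie: PHPSESSID=abc123; path=/
Content-Type: text/html'

printf '%s\n' "$SAMPLE_UNHARDENED" | audit_response_headers || true   # reports 5 findings
```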
