apache server centos

How to Harden Apache Web Server on Centos 7

Apache is a popular web server used by millions of websites all over the world. As a result, they are often prey to security vulnerabilities and attacks. It is important to secure your Apache server against malicious attacks. In this article, we will learn the different steps you can take to harden Apache web server on CentOS. You can also use these steps on other Linux platforms such as Ubuntu, Debian, RHEL, Fedora, SUSE.


How to Harden Apache Web Server on Centos 7

Here are some of the things you can do to secure Apache server.


1. Hide Apache Server Name

By default, every response from Apache server contains its name and version number in one of the response headers. It also displays the OS information of your server. This makes it easy for attackers to find out which server your website uses, and exploit its vulnerabilities. So it is advisable to hide this information from being displayed in your website’s response headers.

For this, open Apache configuration file in a text editor.

$ sudo nano /etc/httpd/conf/httpd.conf

Add the following lines to it.

ServerSignature Off
ServerTokens Prod

Save and close the file. Restart Apache web server.

$ sudo apachectl restart


2. Turn Off Directory Listing

By default, if Apache is unable to find the requested URL and the index file is missing on your website, it simply displays the list of files and folders on your website. In other words, Apache displays the entire directory listing of your website with clickable links to each subfolder and file. This makes it very easy for attackers to find what all files & technology your website uses. It even allows them to read source code in some cases. As a result, they can easily devise attacks to your website. To turn it off, open Apache configuration file in a text editor as mentioned above.

Find the Directory tag that begins with /var/www/html and add the Options -Indexes line to it.

<Directory /var/www/html/>
    Options -Indexes
    AllowOverride None
    Require all granted
</Directory>

Save and close the file. Restart Apache server to apply changes.


3. Disable Unnecessary Modules

By default, Apache loads a lot of modules many of which you don’t really need. It is advisable to disable them so that their vulnerabilities cannot be exploited by others. You can list all the modules loaded in your Apache server with the following command.

$ sudo grep LoadModule /etc/httpd/conf.modules.d/00-base.conf

You will see many lines that start with LoadModule command. Comment the ones you don’t need by adding # at their beginning. For example, you can easily disable mod_info, mod_autoindex, mod_userdir as shown below. They are mostly unnecessary.

#LoadModule info_module modules/mod_info.so
#LoadModule info_module modules/mod_info.so
#LoadModule userdir_module modules/mod_userdir.so

Save and close the file. Restart Apache server to apply changes.


4. Disable Symlinks

By default, Apache follows symlinks. You can disable it by opening Apache configuration file in a text editor. Look for the Directory Tag that begins with /var/www/html. Add -FollowSymlinks to Options Directive.

<Directory /var/www/html/>
    Options -Indexes -FollowSymLinks
    AllowOverride None
    Require all granted
</Directory>

Save and exit the file. Restart Apache server to apply changes.


5. Disable SSI & CGI Execution

SSI (Server Side Includes) are those files that are included in HTML, from server side. They are vulnerable for exploitation since attackers can place malicious codes in them to steal passwords and other details. So it is advisable to disable SSI and CGI execution if your website does not need them. For this purpose, open Apache configuration file in a text editor. Look for the directory tag starting with /var/www/html. Add -ExecCGI and -Includes directive to disable SSI and CGI

<Directory /var/www/html/>
    Options -Indexes -FollowSymLinks -ExecCGI -Includes
    AllowOverride None
    Require all granted
</Directory>

Instead of doing this for your entire website, you can also do this for specific website folders by adding the Options -ExecCGI -Includes directive to the Directory tag of those folders.


6. Protect from Clickjacking

Clickjacking is an attack where visitors are prompted to make clicks to harmful links on infected website. These are often done by displaying website’s contents on other domains using iframe. You can disable this by opening Apache configuration file in a text editor, and adding the following line to it.

Header append X-FRAME-OPTIONS "SAMEORIGIN"

Save and close the file. Restart Apache server to apply changes. This will allow your web pages to be loaded only when the domain is yours and not others’.


7. Disable ETags

Etags are response headers that allow remote users to obtain sensitive information like inode number, child process id, etc. They are a well-known source of vulnerabilities. To disable them, open Apache configuration file in a text editor, and add the following line to it.

FileETag None

Save and close the file. Restart Apache server to apply changes.


8. Protect from XSS attacks.

XSS (Cross Side Scripting) allows attackers to inject malicious client-side scripts into your website’s database via forms, textboxes, textareas and other user inputs. Once your website is infected, then these client-side scripts begin executing on all visitors’ browsers causing widespread damage to your website. To disable XSS, open Apache configuration file and add the following lines to it.

<IfModule mod_headers.c>
    Header set X-XSS-Protection "1; mode=block"
</IfModule>

Save and close the file. Restart Apache server to apply changes.

In this article, we have learnt many simple ways to protect your Apache server. Also, it goes without saying that you must regularly update your Apache server as well as other components of your web stack to mitigate risks.

Also read:

How to Display Specific Columns in Linux
How to List Active Connections in PostgreSQL
How to Create Swap Space in Ubuntu/Debian
How to FIx “mv: argument list too long”
How to Repair MySQL Databases & Tables

Leave a Reply

Your email address will not be published.