Securing Apache

A fresh installation of Apache will, when an error occurs, show the name of your operating system along with the version of Apache. The error page also reveals which modules are installed in the Apache webserver.
Here is how to fix that. Open the configuration file:
$ vim /etc/apache/apache2.conf

Then find the entry "ServerSignature". It is set to On by default; change it to Off. We will also suppress the name of the OS and only let "Apache" be shown as the product. Write these two lines into the config file:
ServerSignature Off
ServerTokens Prod

To harden your webserver further, add these three lines to the Apache configuration file as well (the Header directive needs mod_headers to be enabled):
TraceEnable Off
Header unset ETag
FileETag None

Directory listings can be turned off with an entry in the httpd.conf or apache2.conf file:

Options -Indexes

You can list the installed modules on your Apache webserver. To disable a module, insert a "#" at the beginning of its LoadModule line and restart the service.
Write this in a terminal window:
$ grep LoadModule /etc/httpd/conf/httpd.conf

With a default installation, Apache runs its processes as the user nobody or daemon. It is recommended to run Apache under its own non-privileged account, for example run-web.
Create the Apache user and group:
$ groupadd run-web
$ useradd -d /var/www/ -g run-web -s /bin/nologin run-web

Now you need to tell Apache to run as this new user. To do so, make an entry in /etc/httpd/conf/httpd.conf and restart the service.
Open /etc/httpd/conf/httpd.conf with the vim editor, search for the keywords "User" and "Group", and specify the username and group name to use there:
User run-web
Group run-web

By using "Allow" and "Deny" we can restrict access to directories. They are written in the httpd.conf file. In this example I'll secure the root directory:

<Directory />
   Options None
   Order deny,allow
   Deny from all
</Directory>

Options None - will not allow users to enable any optional features.
Order deny,allow - the order in which the "Deny" and "Allow" directives are processed. Here "Deny" is evaluated first and "Allow" next.
Deny from all - denies requests from everybody to the root directory; nobody will be able to access it.
Note that Order/Deny/Allow is Apache 2.2 syntax; on Apache 2.4 it only works with mod_access_compat loaded, and the native equivalent is "Require all denied".

You can use mod_security as a firewall in front of your web applications, as it will protect the server from brute force attacks. To install the mod_security module, use your package manager.

Here is how to install mod_security on Ubuntu/Debian:
$ sudo apt-get install libapache2-modsecurity
$ sudo a2enmod mod-security
$ sudo /etc/init.d/apache2 force-reload

Server-side includes and CGI execution should be turned off if your web application does not use them. State so in the main configuration file:
Options -Includes
Options -ExecCGI

This can also be done on a per-directory basis, like so:

Options -Includes -ExecCGI

If you allow uploads to a website, you can set the maximum allowed request body size to a value between 0 (unlimited) and 2GB (2147483647 bytes). The limit can be set on a per-directory basis. You write the value to the LimitRequestBody directive. Here we set the limit to 1MB (1024000 bytes):

LimitRequestBody 1024000

With the TimeOut directive you can set how long the server waits for a request before it gives up. The default is 300 secs. It is a good idea to set this low on sites that are subject to DDoS attacks.

TimeOut 120

MaxClients lets you set the number of clients that are served simultaneously. The default value is 256. (On Apache 2.4 the directive has been renamed MaxRequestWorkers; MaxClients is still accepted as a deprecated alias.)

MaxClients 128
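To check that a configuration file actually carries the settings from this guide, here is an added Python audit script; it is not part of this page or of Apache, and the two sample configs inside it are constructed for the demonstration. It reads directives flat (it skips <Directory> tags rather than tracking their scope) and reports every setting that diverges from the guide.

```python
# Directives from the guide and the value each should carry (compared lower-cased).
EXPECTED = {"serversignature": "off", "servertokens": "prod",
            "traceenable": "off", "fileetag": "none"}

def parse_directives(config_text):
    """Yield (name, value) pairs; comments, blanks and container tags are skipped."""
    for raw in config_text.splitlines():
        line = raw.strip()
        if line and line[0] not in "#<":
            name, _, value = line.partition(" ")
            yield name.lower(), " ".join(value.split()).lower()

def audit(config_text):
    """Return a sorted list of findings; an empty list means every check passed."""
    seen, options, findings = {}, [], []
    for name, value in parse_directives(config_text):
        seen[name] = value                 # last occurrence wins, as in Apache
        if name == "options":
            options += value.split()
    for name, want in EXPECTED.items():
        have = seen.get(name, "not set")
        if have != want:
            findings.append(f"{name}: {have}, want {want}")
    # Directory listings, SSI and CGI must be off (Options None also counts).
    for flag in ("indexes", "includes", "execcgi"):
        if "none" not in options and "-" + flag not in options:
            findings.append(f"options: -{flag} missing")
    # Worker processes must run as a dedicated, non-privileged account.
    for name in ("user", "group"):
        if seen.get(name, "") in ("", "root", "nobody", "daemon"):
            findings.append(f"{name}: use a dedicated account such as run-web")
    if "limitrequestbody" not in seen:
        findings.append("limitrequestbody: not set")
    return sorted(findings)

# Constructed samples: a near-default config and the hardened one from the guide.
DEFAULT_CONF = "ServerSignature On\nServerTokens Full\nUser daemon\nGroup daemon\n"
HARDENED_CONF = """ServerSignature Off
ServerTokens Prod
TraceEnable Off
FileETag None
User run-web
Group run-web
<Directory />
    Options None
    Order deny,allow
    Deny from all
</Directory>
Options -Indexes -Includes -ExecCGI
LimitRequestBody 1024000
"""
```

Run audit() on the text of your own httpd.conf or apache2.conf; the hardened sample yields no findings, while the default sample reports ten.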
