A fresh installation of Apache will, when an error happens, show the name of your operating system, along the version of Apache. Also shown is information of which modules have been installed in the Apache webserver.
Here is how to fix that. Open the configurations file here:
$ vim /etc/apache/apache2.conf
And then find where the entry "ServerSignature" is located. It is by default set to On. You will have to change that into Off. And we will make the name of the OS suppressed, and only let the Apache as a product be shown. That happens when you write these two lines into the config file.
And for hardening your webserver further, these three lines should also be added to the Apache configurations file:
Header unset ETag
Directory listings can be turned off by making an entry in httpd.conf or apache2.conf file.
You can list the installed modules on your Apache webserver. To disable a module, you can insert a "#" at the beginning of that line and restart the service.
Write this in a terminal window:
$ grep LoadModule /etc/httpd/conf/httpd.conf
With a default installation, Apache runs its process with user nobody or daemon. It is recommended to run Apache in its own non-privileged account. For example: run-web.
Create Apache User and Group
$ groupadd run-web
$ useradd -d /var/www/ -g run-web -s /bin/nologin run-web
Now you need to tell Apache to run with this new user and to do so, we need to make an entry in /etc/httpd/conf/httpd.conf and restart the service.
Open /etc/httpd/conf/httpd.conf with vim editor and search for keyword "User" and "Group" and there you will need to specify the username and groupname to use.
By using "Allow" and "Deny" we can restrict access to directories. They are written in the httpd.conf file. Here, in this example, I'll give the examples to securing the root directory.
Deny from all
Options "None" - will not allow users to enable any optional features. Order deny, allow - This is the order in which the "Deny" and "Allow" directives will be processed. Here it will "deny" first and "allow" next. Deny from all - This will deny request from everybody to the root directory, nobody will be able to access root directory.
You can use mod_security as a firewall for your webscripts, as it will protect the server from brute force attacks. To install the mod_security module you can use your packet installer.
Here is how to install mod_security on a Ubuntu/Debian OS.
$ sudo apt-get install libapache2-modsecurity
$ sudo a2enmod mod-security
$ sudo /etc/init.d/apache2 force-reload
To turn off CGI execution, what you really should do, if not used by your webapplication. You need to state so in the main configuration file.
This can also be done on a per directory basis. Do like so:
Options -Includes -ExecCGI
If you allow upload to a website, you can set the maximum allowed file-size to a value between 0 (unlimited), and 2GB (2147483647 bytes). The limit can be set on a per directory basis. You write the value to the LimitRequestBody. Here we set the limit to 1MB (1024000 bytes):
By using this directive you can set the amount of time the server will wait until it fails. The default is 300 secs. It is a good idea to set this low, on sites being subject to DDoS attacks.
MaxClients lets you set the amount of users being served simultanously. The default value is 256.