
2/16/12

10 Tips to Secure Your Apache Web Server on UNIX / Linux
thegeekstuff.com/2011/03/apache-hardening/




10 Tips to Secure Your Apache Web Server on UNIX / Linux


by Ramesh Natarajan on March 22, 2011

If you are a sysadmin, you should secure your Apache web server by following the 10 tips mentioned in this article.

1. Disable unnecessary modules


If you are planning to install Apache from source, you should disable the following modules. If you do ./configure --help, you'll see all available modules that you can disable/enable.

- userdir: Mapping of requests to user-specific directories, i.e. ~username in a URL gets translated to a directory on the server
- autoindex: Displays a directory listing when no index.html file is present
- status: Displays server stats
- env: Clearing/setting of ENV vars
- setenvif: Placing ENV vars on headers
- cgi: CGI scripts
- actions: Action triggering on requests
- negotiation: Content negotiation
- alias: Mapping of requests to different filesystem parts
- include: Server Side Includes
- filter: Smart filtering of requests
- version: Handling version information in config files using IfVersion
- as-is: as-is filetypes

Disable all of the above modules as shown below when you do ./configure:
    ./configure \
        --enable-ssl \
        --enable-so \
        --disable-userdir \
        --disable-autoindex \
        --disable-status \
        --disable-env \
        --disable-setenvif \
        --disable-cgi \
        --disable-actions \
        --disable-negotiation \
        --disable-alias \
        --disable-include \
        --disable-filter \
        --disable-version \
        --disable-as-is


If you enable ssl and disable mod_setenvif, you'll get the following error:

    Error: Syntax error on line 223 of /usr/local/apache2/conf/extra/httpd-ssl.conf:
    Invalid command BrowserMatch, perhaps misspelled or defined by a module not included in the server configuration

Solution: If you use ssl, don't disable setenvif. Or, if you do disable mod_setenvif, comment out the BrowserMatch lines in your httpd-ssl.conf.

After the installation, when you do httpd -l, you'll see all installed modules.
    # /usr/local/apache2/bin/httpd -l
    Compiled in modules:
      core.c
      mod_authn_file.c
      mod_authn_default.c
      mod_authz_host.c
      mod_authz_groupfile.c
      mod_authz_user.c
      mod_authz_default.c
      mod_auth_basic.c
      mod_log_config.c
      mod_ssl.c
      prefork.c
      http_core.c
      mod_mime.c
      mod_dir.c
      mod_so.c

In this example, we have the following apache modules installed.

- core.c: Apache core module
- mod_auth*: The various authentication modules
- mod_log_config.c: Logs client requests; provides additional logging flexibility
- mod_ssl.c: For SSL
- prefork.c: The MPM (Multi-Processing Module)
- http_core.c: Apache core module
- mod_mime.c: For setting document MIME types
- mod_dir.c: For the trailing-slash redirect on directory paths; if you specify url/test/, it goes to url/test/index.html
- mod_so.c: For loading modules during start or restart
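As an added check (not part of the original article), the script below compares the output of httpd -l against the module list from this tip and reports any that are still compiled in. The httpd -l output it scans is a constructed sample, and the function names unwanted_modules and audit_modules are my own.

```shell
#!/bin/sh
# Added example: audit the modules compiled into httpd against the list this
# tip says to disable. Function names (unwanted_modules, audit_modules) and the
# embedded "httpd -l" output are constructed for the example.

# Module names from the tip, spelled the way "httpd -l" lists them.
unwanted_modules() {
    printf '%s\n' mod_userdir mod_autoindex mod_status mod_env mod_setenvif \
        mod_cgi mod_actions mod_negotiation mod_alias mod_include \
        mod_filter mod_version mod_asis
}

# Constructed "httpd -l" output from a build that forgot two of the flags.
sample_httpd_l='Compiled in modules:
  core.c
  mod_authn_file.c
  mod_autoindex.c
  mod_log_config.c
  mod_ssl.c
  prefork.c
  http_core.c
  mod_mime.c
  mod_status.c
  mod_dir.c
  mod_so.c'

# Print each unwanted module found in the "httpd -l" text given as $1, one per
# line. Returns 1 if any were found, 0 if the build is clean.
audit_modules() {
    found=0
    for mod in $(unwanted_modules); do
        # Match the whole source-file name, e.g. "mod_status.c", not a prefix.
        if printf '%s\n' "$1" | grep -q "^[[:space:]]*${mod}\.c\$"; then
            echo "$mod"
            found=1
        fi
    done
    return $found
}

# Real use: audit_modules "$(/usr/local/apache2/bin/httpd -l)"
audit_modules "$sample_httpd_l" || echo "unwanted modules are compiled in"
```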

2. Run Apache as separate user and group


By default, apache might run as nobody or daemon. It is good to run apache in its own non-privileged account. For example: apache. Create apache group and user.
    groupadd apache
    useradd -d /usr/local/apache2/htdocs -g apache -s /bin/false apache

Modify the httpd.conf, and set User and Group appropriately.


    # vi httpd.conf
    User apache
    Group apache


After this, if you restart Apache and do ps -ef, you'll see that Apache is running as apache (except the 1st httpd process, which will always run as root).
    # ps -ef | grep -i http | awk '{print $1}'
    root
    apache
    apache
    apache
    apache
    apache

3. Restrict access to root directory (Use Allow and Deny)


Secure the root directory by setting the following in the httpd.conf
    <Directory />
        Options None
        Order deny,allow
        Deny from all
    </Directory>

In the above:

- Options None: Set this to None, which will not enable any optional extra features.
- Order deny,allow: This is the order in which the Deny and Allow directives should be processed. This processes the Deny first and the Allow next.
- Deny from all: This denies requests from everybody to the root directory. There is no Allow directive for the root directory, so nobody can access it.

4. Set appropriate permissions for conf and bin directory


The bin and conf directories should be viewed only by authorized users. It is a good idea to create a group and add all users who are allowed to view/modify the Apache configuration files to this group. Let us call this group apacheadmin. Create the group:
    groupadd apacheadmin

Allow access to bin directory for this group.


    chown -R root:apacheadmin /usr/local/apache2/bin
    chmod -R 770 /usr/local/apache2/bin

Allow access to conf directory for this group.


    chown -R root:apacheadmin /usr/local/apache2/conf
    chmod -R 770 /usr/local/apache2/conf

Add appropriate members to this group. In this example, both ramesh and john are part of apacheadmin.

    # vi /etc/group
    apacheadmin:x:1121:ramesh,john

5. Disable Directory Browsing


If you don't do this, users will be able to see all the files (and directories) under your root (or any sub-directory). For example, if they go to http://{your-ip}/images/ and you don't have an index.html under images, they'll see all the image files (and the subdirectories) listed in the browser (just like ls -1 output). From there, they can click on an individual image file to view it, or click on a sub-directory to see its content.

To disable directory browsing, you can either set the value of the Options directive to None or to -Indexes. A - in front of an option name removes it from the current list of options enforced for that directory. Indexes displays a list of the available files and sub-directories inside a directory in the browser (only when no index.html is present inside that folder). So, Indexes should not be allowed.
    <Directory />
        Options None
        Order allow,deny
        Allow from all
    </Directory>

(or)

    <Directory />
        Options -Indexes
        Order allow,deny
        Allow from all
    </Directory>


6. Don't allow .htaccess


Using a .htaccess file inside a specific sub-directory under htdocs (or anywhere outside it), users can overwrite the default Apache directives. In certain situations this is not good and should be avoided, so you should disable this feature: don't allow users to use the .htaccess file to override Apache directives. To do this, set AllowOverride None in the root directory.
    <Directory />
        Options None
        AllowOverride None
        Order allow,deny
        Allow from all
    </Directory>

7. Disable other Options


Following are the available values for the Options directive:

- Options All: All options are enabled (except MultiViews). If you don't specify the Options directive, this is the default value.
- Options ExecCGI: Execute CGI scripts (uses mod_cgi)
- Options FollowSymLinks: If you have symbolic links in this directory, they will be followed.
- Options Includes: Allow server side includes (uses mod_include)
- Options IncludesNOEXEC: Allow server side includes without the ability to execute a command or CGI.
- Options Indexes: Display a directory listing when no index.html is present (the directory browsing that tip 5 says to turn off)
- Options MultiViews: Allow content negotiated multiviews (uses mod_negotiation)
- Options SymLinksIfOwnerMatch: Similar to FollowSymLinks, but a link is followed only when its owner is the same as the owner of the directory it points to.

Never specify Options All. Always specify one (or more) of the options mentioned above. You can combine multiple options in one line as shown below.
    Options Includes FollowSymLinks

The + and - in front of an option value are helpful when you have nested directories and would like to overwrite an option from the parent Directory directive. In this example, the /site directory has both Includes and Indexes:
    <Directory /site>
        Options Includes Indexes
        AllowOverride None
        Order allow,deny
        Allow from all
    </Directory>

For the /site/en directory, if you need only Indexes from /site (and not the Includes), and if you want FollowSymLinks only for this directory, do the following.
    <Directory /site/en>
        Options -Includes +FollowSymLinks
        AllowOverride None
        Order allow,deny
        Allow from all
    </Directory>

- /site will have Includes and Indexes
- /site/en will have Indexes and FollowSymLinks
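As an added example (not from the original article), here is a small lint that reads the <Directory> blocks of an httpd.conf and flags the settings tips 3, 5, 6 and 7 warn against: Options All, directory listing via Indexes, and AllowOverride set to anything but None. The config it scans is a constructed sample and the function name lint_directories is my own.

```shell
#!/bin/sh
# Added example: lint the <Directory> blocks of an httpd.conf for the settings
# tips 3, 5, 6 and 7 warn against. The sample config and the function name
# lint_directories are constructed for this example.

# Constructed httpd.conf fragment: the root block follows tip 3, the next two
# blocks contain settings the lint should catch, and /site/en is clean.
sample_conf='<Directory />
    Options None
    AllowOverride None
    Order deny,allow
    Deny from all
</Directory>
<Directory /usr/local/apache2/htdocs/images>
    Options Indexes FollowSymLinks
    AllowOverride All
</Directory>
<Directory /site>
    Options All
</Directory>
<Directory /site/en>
    Options -Includes +FollowSymLinks
    AllowOverride None
</Directory>'

# Print one "path: finding" line per problem in the config text given as $1.
# Returns 1 if anything was flagged, 0 if every block is clean.
lint_directories() {
    printf '%s\n' "$1" | awk '
    function flag(msg) { print path ": " msg; found = 1 }
    # Remember which block we are in; strip the closing ">" from the path.
    /^[[:space:]]*<Directory / { path = $2; sub(/>$/, "", path) }
    /^[[:space:]]*Options / {
        for (i = 2; i <= NF; i++) {
            if ($i == "All") flag("Options All enables every optional feature")
            # A bare or +Indexes turns directory listing on; -Indexes is fine.
            if ($i == "Indexes" || $i == "+Indexes") flag("directory listing enabled (" $i ")")
        }
    }
    /^[[:space:]]*AllowOverride / && $2 != "None" {
        flag(".htaccess can override directives (AllowOverride " $2 ")")
    }
    END { exit found }'
}

# Real use: lint_directories "$(cat /usr/local/apache2/conf/httpd.conf)"
lint_directories "$sample_conf" || echo "insecure Directory settings found"
```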

8. Remove unwanted DSO modules


If you have loaded any dynamic shared object modules into Apache, they'll be present inside the httpd.conf under LoadModule directives. Please note that statically compiled Apache modules will not be listed as LoadModule directives.


Comment out any unwanted LoadModules in the httpd.conf


    grep LoadModule /usr/local/apache2/conf/httpd.conf

9. Restrict access to a specific network (or ip-address)


If you want your site to be viewed only by a specific ip-address or network, do the following: To allow a specific network to access your site, give the network address in the Allow directive.
    <Directory /site>
        Options None
        AllowOverride None
        Order deny,allow
        Deny from all
        Allow from 10.10.0.0/24
    </Directory>

To allow a specific ip-address to access your site, give the ip-address in the Allow directive.
    <Directory /site>
        Options None
        AllowOverride None
        Order deny,allow
        Deny from all
        Allow from 10.10.1.21
    </Directory>

10. Don't display or send Apache version (Set ServerTokens)


By default, the server HTTP response header will contain the Apache and PHP versions, something similar to the following. This is harmful, as we don't want an attacker to know the specific version number.
    Server: Apache/2.2.17 (Unix) PHP/5.3.5

To avoid this, set the ServerTokens to Prod in httpd.conf. This will display Server: Apache without any version information.
    # vi httpd.conf
    ServerTokens Prod

Following are the possible ServerTokens values:

- ServerTokens Prod displays Server: Apache
- ServerTokens Major displays Server: Apache/2
- ServerTokens Minor displays Server: Apache/2.2
- ServerTokens Min displays Server: Apache/2.2.17
- ServerTokens OS displays Server: Apache/2.2.17 (Unix)
- ServerTokens Full displays Server: Apache/2.2.17 (Unix) PHP/5.3.5 (if you don't specify any ServerTokens value, this is the default)
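As an added example (not from the original article), a shell check that maps a Server header value to the ServerTokens level that would produce it, so you can confirm what your own server discloses after the change. The HTTP response is a constructed sample; server_header_value and server_tokens_level are my own helper names.

```shell
#!/bin/sh
# Added example: work out which ServerTokens level a Server header value
# corresponds to, using the six levels listed in this tip. The HTTP response
# below is constructed; server_header_value and server_tokens_level are my own
# helper names.

# Constructed response from a server still running with the default (Full).
sample_response='HTTP/1.1 200 OK
Date: Tue, 22 Mar 2011 10:00:00 GMT
Server: Apache/2.2.17 (Unix) PHP/5.3.5
Content-Type: text/html'

# Print the value of the first Server: header in a raw HTTP response ($1),
# tolerating CRLF line endings.
server_header_value() {
    printf '%s\n' "$1" | tr -d '\r' | sed -n 's/^[Ss]erver:[[:space:]]*//p' | head -n 1
}

# Map a Server header value to the ServerTokens setting that produces it.
# Patterns are tried most-specific first; anything after the "(OS)" token
# means Full, the default, which also leaks module versions such as PHP.
server_tokens_level() {
    case "$1" in
        Apache)                            echo Prod ;;
        Apache/[0-9]*" ("*")"*" "*)        echo Full ;;
        Apache/[0-9]*" ("*")")             echo OS ;;
        Apache/[0-9]*.[0-9]*.[0-9]*)       echo Min ;;
        Apache/[0-9]*.[0-9]*)              echo Minor ;;
        Apache/[0-9]*)                     echo Major ;;
        *)                                 echo unknown ;;
    esac
}

# Real use: server_tokens_level "$(server_header_value "$(curl -sI http://localhost/)")"
for hdr in "Apache" "Apache/2.2" "$(server_header_value "$sample_response")"; do
    echo "$hdr -> ServerTokens $(server_tokens_level "$hdr")"
done
```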

Apart from all the above 10 tips, make sure to secure your UNIX / Linux operating system. There is no point in securing your Apache if your OS is not secure. Also, always keep your Apache version up to date; the latest version of Apache contains fixes for all the known security issues. Make sure to review your Apache log files frequently.

Additional reading on Apache

- How To Install Apache 2 with SSL on Linux (with mod_ssl, openssl)
- 9 Tips to Use Apachectl and Httpd like a Power User
- XAMPP: Easy Apache, MySQL, PHP, Perl Install
- How To Install Or Upgrade LAMP Stack Using Yum


Tags: Apache Hardening, Apache Security

Comments

1. feseha, March 22, 2011 at 4:33 am
Great stuff as usual! Keep up the good/geek stuff! Feseha

2. Francisco Fiesta, March 22, 2011 at 5:35 am
I'm a newbie with Apache. I can just follow a how-to to get working an Apache php mysql in order to run Joomla! But, after this, considering all these security advices, will I need to run any of those non-secure modules that I shouldn't load? Is that configuration suitable to run Joomla!? Thanks for the article!

3. j, March 22, 2011 at 5:48 am
nice post man. thx

4. chris adam, March 22, 2011 at 3:04 pm
If you cannot allow .htaccess then most php based website cms (drupal, wordpress) will not work. Excellent article but not the .htaccess bit. thanx

5. ajay, March 23, 2011 at 6:36 am
World needs gud brains like u.. God bless u. nice stuff

6. Anonymous, March 24, 2011 at 7:11 am
Thanks, Chris Adam, for your answer, it's useful for me.

7. Mhabub Mamun, March 26, 2011 at 5:40 am
Very good article. Thank You

8. hotpotatoe, June 14, 2011 at 11:48 am
Very good article. very useful tips, thanks
