In this post I will be showing you how to make your Apache server a bit more secure (apache hardening) using some common methods. If you have any questions feel free to ask in the comments below.
The first thing we will be doing to harden Apache is disabling server tokens/signatures. This is very easy to do and is recommended because it hides the OS and the Apache version from the Server response header and from server-generated pages such as 404 (file not found) errors.
To disable server tokens/signatures on Ubuntu or Debian based systems simply run the following commands:
printf '%s\n' '### DISABLE TOKENS/SIGNATURES' 'ServerSignature Off' 'ServerTokens Prod' >> /etc/apache2/apache2.conf # Add entries into Apache config, one directive per line (on a single line the ### comment would swallow the directives)
service apache2 restart # Restart Apache
To disable server tokens/signatures on Red Hat, CentOS, or Fedora based systems simply run the following commands instead:
printf '%s\n' '### DISABLE TOKENS/SIGNATURES' 'ServerSignature Off' 'ServerTokens Prod' >> /etc/httpd/conf/httpd.conf # Add entries into Apache config, one directive per line
service httpd restart # Restart Apache
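As an added example (not part of the original post), the script below puts the same two directives in a separate drop-in file rather than appending to the main config, runs a syntax check before any restart, and afterwards verifies from the outside that the Server header no longer carries a version. It assumes the Debian-family and Red Hat-family directory layouts shown and that curl is installed.

```shell
#!/bin/sh
# Added example (not from the original post): drops the token/signature
# directives into a separate config file instead of appending to the main
# config, validates the syntax, and checks the live Server header afterwards.
# Assumed: the Debian and RHEL-family directory layouts below; curl installed.

# The post's three lines, emitted one per line so the '###' comment does not
# swallow the directives (a single-line echo would comment them all out).
hardening_snippet() {
    printf '%s\n' '### DISABLE TOKENS/SIGNATURES' 'ServerSignature Off' 'ServerTokens Prod'
}

# Locate the drop-in config directory; $1 is an optional root prefix so the
# detection can be exercised against a scratch tree.
apache_conf_dir() {
    root=${1:-}
    if [ -d "$root/etc/apache2/conf-available" ]; then
        echo "$root/etc/apache2/conf-available"    # Ubuntu/Debian
    elif [ -d "$root/etc/httpd/conf.d" ]; then
        echo "$root/etc/httpd/conf.d"              # Red Hat/CentOS/Fedora
    else
        return 1
    fi
}

# Write hardening.conf into that directory and print its path.
# On Debian-family hosts it must still be enabled with: a2enconf hardening
write_hardening_conf() {
    dir=$(apache_conf_dir "${1:-}") || return 1
    hardening_snippet > "$dir/hardening.conf" && echo "$dir/hardening.conf"
}

# True (exit 0) when a Server header value still carries a version number or
# an OS/module name in parentheses, i.e. ServerTokens Prod is not in effect.
server_header_leaks() {
    case "$1" in
        *[0-9]* | *'('* ) return 0 ;;
        * ) return 1 ;;
    esac
}

# Fetch the live Server header (default: local instance) and report on it.
check_live_header() {
    hdr=$(curl -sI "${1:-http://127.0.0.1/}" | sed -n 's/^[Ss]erver: *//p' | tr -d '\r')
    if server_header_leaks "$hdr"; then
        echo "LEAK: Server: $hdr"; return 1
    fi
    echo "OK: Server: ${hdr:-<none>}"
}

case "${1:-}" in
    --apply) write_hardening_conf && apachectl configtest ;;   # then restart Apache
    --check) check_live_header "${2:-}" ;;
esac
```

Run it with --apply, restart Apache with the service command for your distribution, then run it with --check (optionally followed by a URL) to confirm the header now reads just "Apache".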
Install and Enable mod_security
The next thing we will do is install and enable the mod_security module for Apache. It acts as a web application firewall: it inspects requests against a rule set and can block common exploit patterns as well as brute force attempts. Note that it is only as useful as the rules it is loaded with, and the Debian package's recommended config starts in DetectionOnly mode, so after installing check that SecRuleEngine is set to On and that a rule set is installed, otherwise it only logs.
To install mod_security on Ubuntu or Debian based systems run the following:
sudo apt-get install libapache2-modsecurity && sudo service apache2 restart # Restart Apache, the module is enabled by default
To install mod_security on CentOS, Red Hat, and Fedora based systems run the following instead:
sudo yum install mod_security && sudo service httpd restart
Install and Enable mod_evasive
You may also want to install mod_evasive as it helps to stop some DoS and DDoS attacks by temporarily blocking clients that request the same page too often. While it probably won't stop everything, it can still be useful and is worth installing.
To install mod_evasive on Ubuntu or Debian based systems run the following:
sudo apt-get install libapache2-mod-evasive && sudo service apache2 restart
To install mod_evasive on CentOS, Red Hat, and Fedora based systems run the following instead:
sudo rpm -ivh http://dl.fedoraproject.org/pub/epel/7/x86_64/e/epel-release-7-5.noarch.rpm # Enable the EPEL repository, which carries mod_evasive
sudo yum install yum-plugin-protectbase.noarch
sudo yum install mod_evasive
sudo service httpd restart # Restart Apache
Last but not least, if you haven't done so already you may want to generate a free SSL/TLS certificate so that traffic between your Apache server and its users is encrypted. I hope you enjoyed this quick and simple guide, please don't forget to like/share/comment. Thanks! =)