10 Apache Security and Hardening Tips
Tip No. 1: Disable Apache Signature and/or Apache Banner
Add the following directives to the Apache configuration file (they are shown here uncommented, since a leading # would disable them):
* ServerSignature Off
* ServerTokens ProductOnly
Tip No. 2: The Trace HTTP Request
Add the following directive to the web-server's configuration file to disable the HTTP TRACE method. For example, in Ubuntu edit the file /etc/apache2/apache2.conf.
* TraceEnable off
Tip 3: Remove PHP scripts that print debug info using phpinfo()
The built-in PHP function phpinfo() prints a lot of interesting internal information about the PHP environment.
This can include the list of enabled PHP modules, the location of various files on the web-server and other sensitive information.
Our web security scanner finds a lot of such files. It is recommended to remove these test files from a production website.
Here is a tip on how to find such files: look for files named test.php, info.php, i.php and phpinfo.php in your website directory and remove them.
Tip 4: Disable directory indexing
Directory indexing is a feature found in every web-server by default. When directory indexing is enabled, the web-site prints a list of the files found in a website directory
whenever that directory has no default page (for example index.php). Any visitor can view the directories reported this way.
It is a vulnerability in the sense that these directories can contain configuration, private and backup files which attackers can use
to take control of your server.
You can fix this problem by disabling the Apache autoindex module.
In some Apache installations the module file is called mod_autoindex.so. In Ubuntu, you just need to remove the following files:
* /etc/apache2/mods-enabled/autoindex.load
* /etc/apache2/mods-enabled/autoindex.conf
You can do this by running the following commands:
* rm -f /etc/apache2/mods-enabled/autoindex.load
* rm -f /etc/apache2/mods-enabled/autoindex.conf
Tip 5: Disable WebDAV
Make sure that WebDAV is disabled on production websites. When WebDAV is enabled, Apache accepts additional HTTP methods such as OPTIONS, PROPFIND, etc.
These methods are sensitive from a computer security point of view. In Ubuntu, remove the following files:
* /etc/apache2/mods-enabled/dav.load
* /etc/apache2/mods-enabled/dav_fs.conf
* /etc/apache2/mods-enabled/dav_fs.load
* /etc/apache2/mods-enabled/dav_lock.load
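As an added example (not part of the original post), the POSIX shell script below audits an Apache configuration tree for Tips 1 to 5 in one pass: banner directives, TraceEnable, leftover phpinfo() scripts, and the autoindex and WebDAV module links. The config file, mods-enabled directory and document root are passed as arguments, and the write_fixture helper builds a constructed sample tree so the script can be exercised without touching the real /etc/apache2.

```shell
#!/bin/sh
# Added example: audit an Apache config tree for Tips 1-5.
# Nothing here reads /etc/apache2 unless you pass those paths explicitly.

# directive_value CONF NAME -> value of the last uncommented NAME line
directive_value() {
    grep -i "^[[:space:]]*$2[[:space:]]" "$1" 2>/dev/null | tail -n 1 | awk '{print $2}'
}

# audit_apache CONF MODS_ENABLED DOCROOT -> one finding per line,
# exit status 0 when clean, 1 when something needs fixing
audit_apache() {
    conf=$1; mods=$2; docroot=$3; rc=0
    # Tip 1: version leakage in error pages and the Server header
    if [ "$(directive_value "$conf" ServerSignature | tr A-Z a-z)" != "off" ]; then
        echo "ServerSignature is not Off"; rc=1
    fi
    case "$(directive_value "$conf" ServerTokens | tr A-Z a-z)" in
        prod|productonly) ;;
        *) echo "ServerTokens is not Prod/ProductOnly"; rc=1 ;;
    esac
    # Tip 2: the TRACE method
    if [ "$(directive_value "$conf" TraceEnable | tr A-Z a-z)" != "off" ]; then
        echo "TraceEnable is not off"; rc=1
    fi
    # Tip 3: leftover phpinfo() scripts under the document root
    for f in test.php info.php i.php phpinfo.php; do
        if [ -f "$docroot/$f" ]; then echo "debug script present: $f"; rc=1; fi
    done
    # Tips 4 and 5: module links that should not exist in production
    for m in autoindex dav dav_fs dav_lock; do
        if [ -e "$mods/$m.load" ]; then echo "module enabled: $m"; rc=1; fi
    done
    return $rc
}

# write_fixture DIR weak|hardened -> constructed sample tree for testing
write_fixture() {
    mkdir -p "$1/mods-enabled" "$1/www"
    if [ "$2" = weak ]; then
        printf 'ServerSignature On\nServerTokens Full\nTraceEnable on\n' > "$1/apache2.conf"
        touch "$1/mods-enabled/autoindex.load" "$1/mods-enabled/dav.load" "$1/www/phpinfo.php"
    else
        printf 'ServerSignature Off\nServerTokens ProductOnly\nTraceEnable off\n' > "$1/apache2.conf"
    fi
}
```

On a real Ubuntu host the same function can be pointed at /etc/apache2/apache2.conf, /etc/apache2/mods-enabled and the site's document root; note that it only inspects the single file you pass, not Include'd files.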
Tip 6: Create a chroot’ed Apache environment
Tip 7: Enable PHP basedir
Tip 8: Web Stats
Tip 9: Use Google
Most webmasters use common web scripts and CMS or blog software. We recommend that you frequently search for security updates using Google and register for security news at your blog/CMS vendor's website.
Tip 10: Additional Steps
If your webserver runs together with a MySQL server, it brings an additional potential security problem. MySQL can read any file located on your server, including files located in different chrooted environments. This happens because of the FILE privilege. By default only the MySQL root user has it.
For more information about MySQL security, take a look at this article ( link to GreenSQL) .
Your articles are highly appreciated by me and some people I know, good work.
The way you express yourself is very clear, I understand it very well. Thanks.
Nice information, many thanks to the author.
Awesome blog to read… love to read it, thanks for all.
Useful! Great post! Thanks for sharing your view on the topic.