{"id":117,"date":"2012-06-11T05:55:49","date_gmt":"2012-06-11T05:55:49","guid":{"rendered":"http:\/\/rmohan.com\/?p=117"},"modified":"2012-06-11T05:55:49","modified_gmt":"2012-06-11T05:55:49","slug":"10-apache-security-and-hardening-tips","status":"publish","type":"post","link":"https:\/\/mohan.sg\/?p=117","title":{"rendered":"10 Apache Security and Hardening Tips"},"content":{"rendered":"<p><strong>10 Apache Security and Hardening Tips<\/strong><\/p>\n<p>Tip No. 1: Disable the Apache Signature and\/or Apache Banner<\/p>\n<p>Add the following two directives to the server configuration. Do not prefix them with #: Apache treats a line starting with # as a comment, so a commented directive has no effect.<\/p>\n<p>ServerSignature Off<br \/>\nServerTokens ProductOnly<\/p>\n<p>ServerSignature Off removes the version footer from server-generated pages such as error pages and directory listings. ServerTokens ProductOnly (Apache also accepts the short form Prod) reduces the Server response header to \"Apache\" with no version, operating system or module details. This only hides the version; it is not a substitute for applying security updates.<\/p>\n<p>Tip No. 2: Disable the TRACE HTTP method<\/p>\n<p>TRACE echoes the received request back to the client, including request headers such as Cookie and Authorization, which is what makes it useful in cross-site tracing attacks. Add the following to the web-server&#8217;s configuration file. For example, in Ubuntu alter \/etc\/apache2\/apache2.conf:<\/p>\n<p>    * TraceEnable off<\/p>\n<p>Tip 3: Remove PHP scripts that print debug info using phpinfo()<\/p>\n<p>The built-in PHP function phpinfo() prints a lot of interesting internal information about the PHP environment.<br \/>\nIt can include the list of enabled PHP modules, the locations of various files on the web server and other sensitive information.<br \/>\nOur web security scanner finds a lot of such files. It is recommended to remove these test files from a production website.<\/p>\n<p>Here is a tip on how to find such files. Look for files with the following names: test.php, info.php, i.php and phpinfo.php in your website directory and remove them. A phpinfo() call can live in a file of any name, so also search the .php files under the document root for the string phpinfo( and remove those scripts too.<\/p>\n<p>Tip 4: Disable directory indexing<\/p>\n<p>Directory indexing is a feature found in almost every web server by default. When directory indexing is enabled, the web server returns a list of the files found in a website directory<br \/>\nwhen that directory has no default page (for example index.php). 
Any visitor can read these listings.<br \/>\nIt is a weakness in the sense that these directories can contain configuration, private and backup files which attackers can use<br \/>\nto take control of your server.<\/p>\n<p>You can fix this problem by disabling the Apache autoindex module.<br \/>\nIn some Apache installations it is called mod_autoindex.so. In Ubuntu, you just need to remove the following files (they are symlinks under mods-enabled):<\/p>\n<p>    * \/etc\/apache2\/mods-enabled\/autoindex.load<br \/>\n    * \/etc\/apache2\/mods-enabled\/autoindex.conf<\/p>\n<p>So you can do it by running the following commands (a2dismod autoindex does the same) and then reloading Apache so the change takes effect:<\/p>\n<p>    * rm -f \/etc\/apache2\/mods-enabled\/autoindex.load<br \/>\n    * rm -f \/etc\/apache2\/mods-enabled\/autoindex.conf<\/p>\n<p>If you still need the module for some directories, you can instead turn listings off per directory with Options -Indexes inside the relevant Directory block.<\/p>\n<p>Tip 5: Disable WebDAV<\/p>\n<p>Make sure that WebDAV is disabled on production websites. When WebDAV is enabled, Apache accepts additional request methods such as PROPFIND, PROPPATCH, MKCOL, COPY, MOVE, LOCK and UNLOCK on top of the standard ones (OPTIONS, GET, POST and so on).<br \/>\nThese methods allow remote enumeration of the DAV location and, if it is misconfigured or poorly authenticated, remote modification of the filesystem, so they are sensitive from a computer security point of view. In Ubuntu, remove the following files and reload Apache:<\/p>\n<p>    * \/etc\/apache2\/mods-enabled\/dav.load<br \/>\n    * \/etc\/apache2\/mods-enabled\/dav_fs.conf<br \/>\n    * \/etc\/apache2\/mods-enabled\/dav_fs.load<br \/>\n    * \/etc\/apache2\/mods-enabled\/dav_lock.load<\/p>\n<p>Tip 6: Create a chroot&#8217;ed Apache environment<\/p>\n<p>Tip 7: Enable PHP open_basedir<\/p>\n<p>Tip 8: Web Stats<\/p>\n<p>Tip 9: Use Google<\/p>\n<p>Most webmasters use common web scripts and CMS or blog software. We recommend that you frequently search for security updates using Google and register for security news at your blog\/CMS vendor&#8217;s website.<\/p>\n<p>Tip 10: Additional Steps<\/p>\n<p>If your web server runs together with a MySQL server it brings an additional potential security problem. A MySQL account with the FILE privilege can read any file that the mysqld process itself can read (for example with LOAD_FILE() or LOAD DATA INFILE), including files located in different chrooted environments, because mysqld runs outside the Apache chroot. 
By default only the MySQL root user has it, so do not grant FILE to the application&#8217;s database account, and consider limiting file operations to a single directory with the secure_file_priv server option.<br \/>\nFor more info about MySQL security take a look at this article ( link to GreenSQL) .<\/p>\n","protected":false},"excerpt":{"rendered":"<p>10 Apache Security and Hardening Tips<\/p>\n<p>Tip No. 1: Disable the Apache Signature and\/or Apache Banner<\/p>\n<p>ServerSignature Off ServerTokens ProductOnly<\/p>\n<p>Tip No. 2: Disable the TRACE HTTP method<\/p>\n<p>Add the following to the web-server&#8217;s configuration file. For example, in Ubuntu alter \/etc\/apache2\/apache2.conf:<\/p>\n<p> * TraceEnable off<\/p>\n<p>Tip 3: Remove PHP scripts [&#8230;]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[12],"tags":[],"_links":{"self":[{"href":"https:\/\/mohan.sg\/index.php?rest_route=\/wp\/v2\/posts\/117"}],"collection":[{"href":"https:\/\/mohan.sg\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/mohan.sg\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/mohan.sg\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/mohan.sg\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=117"}],"version-history":[{"count":2,"href":"https:\/\/mohan.sg\/index.php?rest_route=\/wp\/v2\/posts\/117\/revisions"}],"predecessor-version":[{"id":831,"href":"https:\/\/mohan.sg\/index.php?rest_route=\/wp\/v2\/posts\/117\/revisions\/831"}],"wp:attachment":[{"href":"https:\/\/mohan.sg\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=117"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/mohan.sg\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=117"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/mohan.sg\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=117"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}
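Tips 1 to 5 above are all things you can verify mechanically. The script below is an added example written for this page, not code from the original post: it audits an Apache configuration file for ServerTokens, ServerSignature and TraceEnable (treating a line that starts with # as absent, since Apache does), checks a Debian/Ubuntu-style mods-enabled directory for autoindex and the dav modules, and searches a document root for any .php file that calls phpinfo(). The weak.conf and hardened.conf files, the mods-enabled layout and the htdocs tree are all constructed sample data created in a temporary directory for the demo; they are assumptions, not files from a real server.

```shell
#!/bin/sh
# Added audit script for Tips 1-5 (example code, not from the original post).
# Everything under $WORK is constructed sample data for the demo, not a live server.

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# --- constructed sample data --------------------------------------------------
# weak.conf: version leaks, signature on, TraceEnable present only as a comment
cat > "$WORK/weak.conf" <<'EOF'
ServerTokens OS
ServerSignature On
# TraceEnable off
EOF

# hardened.conf: the directives from Tips 1 and 2, without a leading '#'
cat > "$WORK/hardened.conf" <<'EOF'
ServerTokens ProductOnly
ServerSignature Off
TraceEnable off
EOF

# Debian/Ubuntu-style mods-enabled with autoindex and WebDAV still active (Tips 4, 5),
# plus an empty "clean" one for comparison
mkdir -p "$WORK/mods-enabled" "$WORK/mods-clean" "$WORK/htdocs/admin" "$WORK/htdocs-clean"
touch "$WORK/mods-enabled/autoindex.load" "$WORK/mods-enabled/dav.load" "$WORK/mods-enabled/dav_fs.load"
# document roots: one with a leftover debug script (Tip 3), one clean
printf '<?php phpinfo(); ?>\n' > "$WORK/htdocs/admin/info.php"
printf '<?php echo "hi"; ?>\n'  > "$WORK/htdocs/index.php"
printf '<?php echo "hi"; ?>\n'  > "$WORK/htdocs-clean/index.php"

# --- checks -------------------------------------------------------------------
# directive_value CONF NAME: value of the last uncommented NAME line, or nothing.
# A line starting with '#' is a comment to Apache, so it is deliberately not matched.
directive_value() {
    grep -i -E "^[[:space:]]*$2[[:space:]]+" "$1" | awk '{print $2}' | tail -n 1
}

# check_directive CONF NAME EXPECTED...: 0 if the effective value (case-insensitive)
# is one of EXPECTED; 1 if it is missing, commented out or set to something else.
check_directive() {
    conf=$1; name=$2; shift 2
    val=$(directive_value "$conf" "$name" | tr '[:upper:]' '[:lower:]')
    [ -n "$val" ] || return 1
    for want in "$@"; do
        [ "$val" = "$(printf '%s' "$want" | tr '[:upper:]' '[:lower:]')" ] && return 0
    done
    return 1
}

# module_enabled MODSDIR NAME: 0 if NAME.load exists in mods-enabled
module_enabled() {
    [ -e "$1/$2.load" ]
}

# phpinfo_files DOCROOT: .php files under DOCROOT that call phpinfo(), one per line
phpinfo_files() {
    find "$1" -name '*.php' -exec grep -l -E 'phpinfo[[:space:]]*\(' {} + | sort
}

# audit CONF MODSDIR DOCROOT: print one line per finding; return the number of findings
audit() {
    findings=0
    check_directive "$1" ServerTokens Prod ProductOnly || { echo "FAIL ServerTokens: set it to ProductOnly"; findings=$((findings+1)); }
    check_directive "$1" ServerSignature Off || { echo "FAIL ServerSignature: set it to Off"; findings=$((findings+1)); }
    check_directive "$1" TraceEnable off || { echo "FAIL TraceEnable: set it to off (a '#' line does not count)"; findings=$((findings+1)); }
    for m in autoindex dav dav_fs dav_lock; do
        module_enabled "$2" "$m" && { echo "FAIL module $m is enabled"; findings=$((findings+1)); }
    done
    for f in $(phpinfo_files "$3"); do
        echo "FAIL phpinfo() script present: $f"; findings=$((findings+1))
    done
    return $findings
}

# --- demo ---------------------------------------------------------------------
echo "== weak layout =="
audit "$WORK/weak.conf" "$WORK/mods-enabled" "$WORK/htdocs" || echo "$? finding(s)"
echo "== hardened layout =="
audit "$WORK/hardened.conf" "$WORK/mods-clean" "$WORK/htdocs-clean" && echo "no findings"
```

To run it against a real Ubuntu host, point audit at /etc/apache2/apache2.conf, /etc/apache2/mods-enabled and your document root instead of the sample paths. The return value of audit is the number of findings, so it can gate a deployment pipeline directly; note that the directive checks only read the one file they are given, so include any conf-enabled or virtual-host files that set the same directives.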