Harden the Apache Web Server on CentOS 7<\/p>\n
[root@clusterserver1 conf]# yum install httpd
\nLoaded plugins: fastestmirror
\nLoading mirror speeds from cached hostfile
\n* base: mirror.vodien.com
\n* epel: mirrors.hustunique.com
\n* extras: mirror.vodien.com
\n* updates: mirror.vodien.com
\nResolving Dependencies
\n–> Running transaction check
\n—> Package httpd.x86_64 0:2.4.6-40.el7.centos will be installed
\n–> Finished Dependency Resolution<\/p>\n
Dependencies Resolved<\/p>\n
==========================================================================================================================
\nPackage\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 Arch\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 Version\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 Repository\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 Size
\n==========================================================================================================================
\nInstalling:
\nhttpd\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 x86_64\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 2.4.6-40.el7.centos\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 base\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 2.7 M<\/p>\n
Transaction Summary
\n==========================================================================================================================
\nInstall\u00a0 1 Package<\/p>\n
Total download size: 2.7 M
\nInstalled size: 9.4 M
\nIs this ok [y\/d\/N]: y
\nDownloading packages:
\nhttpd-2.4.6-40.el7.centos.x86_64.rpm\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 | 2.7 MB\u00a0 00:00:01
\nRunning transaction check
\nRunning transaction test
\nTransaction test succeeded
\nRunning transaction
\nInstalling : httpd-2.4.6-40.el7.centos.x86_64\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 1\/1
\nVerifying\u00a0 : httpd-2.4.6-40.el7.centos.x86_64\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 1\/1<\/p>\n
Installed:
\nhttpd.x86_64 0:2.4.6-40.el7.centos<\/p>\n
Complete!<\/p>\n
Hide the Apache version<\/p>\n
Visit your web server in Firefox. Activate Firebug by clicking the Firebug icon on the top right side.<\/p>\n
If you check the HTTP response headers in Firebug, it will show the Apache version along with your operating system name and version, as shown in this screenshot:<\/p>\n
[root@clusterserver1 test]# curl -I http:\/\/localhost\/tetete
\nHTTP\/1.1 404 Not Found
\nDate: Sun, 03 Jan 2016 17:20:18 GMT
\nServer: Apache\/2.4.6 (CentOS)
\nContent-Type: text\/html; charset=iso-8859-1<\/p>\n
echo “Change Apache Security”<\/p>\n
sed -i “s\/^ServerTokens OS$\/ServerTokens Prod\/” \/etc\/httpd\/conf\/httpd.conf
\nsed -i “s\/^ServerSignature On$\/ServerSignature Off\/” \/etc\/httpd\/conf\/httpd.conf<\/p>\n
echo “ServerTokens Prod”\u00a0 >> \/etc\/httpd\/conf\/httpd.conf
\necho “ServerSignature Off”\u00a0 >> \/etc\/httpd\/conf\/httpd.conf
\necho “UseCanonicalName On” >> \/etc\/httpd\/conf\/httpd.conf
\necho “TraceEnable Off” >> \/etc\/httpd\/conf\/httpd.conf<\/p>\n
systemctl restart httpd<\/p>\n
cat \/etc\/httpd\/conf\/httpd.conf | egrep ‘ServerTokens|ServerSignature’<\/p>\n
[root@clusterserver1 test]# curl -I http:\/\/localhost\/tetete
\nHTTP\/1.1 404 Not Found
\nDate: Sun, 03 Jan 2016 17:22:35 GMT
\nServer: Apache
\nContent-Type: text\/html; charset=iso-8859-1<\/p>\n
[root@clusterserver1 test]#<\/p>\n
Turn off directory listing<\/p>\n
Directory listing in the absence of an index file is enabled by default in Apache.<\/p>\n
Directory listing displays all the files from the Apache web root directory. If this is enabled,
\nthen a hacker can easily view any file, analyze it, and obtain sensitive information about an application of your Apache server.<\/p>\n
turn off this setting by using the Options directive in the Apache configuration file for a specific web directory.
\nvi \/etc\/httpd\/conf\/httpd.conf<\/p>\n
Find the section that begins with Directory \/var\/www\/html and add -Indexes in the Options directive:
\n<Directory \/var\/www\/html\/>
\nOptions -Indexes
\nAllowOverride None
\nRequire all granted
\n<\/Directory><\/p>\n
Save the file and restart Apache service to reflect these changes.
\nsystemctl restart httpd<\/p>\n
Disable Apache directory indexes<\/p>\n
sed -i \\
\n-e ‘s~^IndexOptions \\(.*\\)$~#IndexOptions \\1~g’ \\
\n-e ‘s~^IndexIgnore \\(.*\\)$~#IndexIgnore \\1~g’ \\
\n-e ‘s~^AddIconByEncoding \\(.*\\)$~#AddIconByEncoding \\1~g’ \\
\n-e ‘s~^AddIconByType \\(.*\\)$~#AddIconByType \\1~g’ \\
\n-e ‘s~^AddIcon \\(.*\\)$~#AddIcon \\1~g’ \\
\n-e ‘s~^DefaultIcon \\(.*\\)$~#DefaultIcon \\1~g’ \\
\n-e ‘s~^ReadmeName \\(.*\\)$~#ReadmeName \\1~g’ \\
\n-e ‘s~^HeaderName \\(.*\\)$~#HeaderName \\1~g’ \\
\n\/etc\/httpd\/conf\/httpd.conf<\/p>\n
Disable unnecessary modules<\/p>\n
By default Apache comes with lots of unnecessary installed modules. It is a good policy to disable any unnecessary modules that are not in use.<\/p>\n
You can list all enabled modules on your server using the following command<\/p>\n
\/etc\/httpd\/conf.modules.d<\/p>\n
mv 00-dav.conf 00-dav.conf.bk<\/p>\n
mv 00-lua.conf 00-lua.conf.bk<\/p>\n
systemctl restart httpd<\/p>\n
sed -i \\
\n-e ‘s~^LanguagePriority \\(.*\\)$~#LanguagePriority \\1~g’ \\
\n-e ‘s~^ForceLanguagePriority \\(.*\\)$~#ForceLanguagePriority \\1~g’ \\
\n-e ‘s~^AddLanguage \\(.*\\)$~#AddLanguage \\1~g’ \\
\n\/etc\/httpd\/conf\/httpd.conf<\/p>\n
sed -i \\
\n-e ‘s~^\\(LoadModule .*\\)$~#\\1~g’ \\
\n-e ‘s~^#LoadModule mime_module ~LoadModule mime_module ~g’ \\
\n-e ‘s~^#LoadModule log_config_module ~LoadModule log_config_module ~g’ \\
\n-e ‘s~^#LoadModule setenvif_module ~LoadModule setenvif_module ~g’ \\
\n-e ‘s~^#LoadModule status_module ~LoadModule status_module ~g’ \\
\n-e ‘s~^#LoadModule authz_host_module ~LoadModule authz_host_module ~g’ \\
\n-e ‘s~^#LoadModule dir_module ~LoadModule dir_module ~g’ \\
\n-e ‘s~^#LoadModule alias_module ~LoadModule alias_module ~g’ \\
\n-e ‘s~^#LoadModule expires_module ~LoadModule expires_module ~g’ \\
\n-e ‘s~^#LoadModule deflate_module ~LoadModule deflate_module ~g’ \\
\n-e ‘s~^#LoadModule headers_module ~LoadModule headers_module ~g’ \\
\n-e ‘s~^#LoadModule alias_module ~LoadModule alias_module ~g’ \\
\n\/etc\/httpd\/conf.modules.d\/00-base.conf<\/p>\n
Disable Apache language based content negotiation<\/p>\n
# sed -i \\
\n-e ‘s~^LanguagePriority \\(.*\\)$~#LanguagePriority \\1~g’ \\
\n-e ‘s~^ForceLanguagePriority \\(.*\\)$~#ForceLanguagePriority \\1~g’ \\
\n-e ‘s~^AddLanguage \\(.*\\)$~#AddLanguage \\1~g’ \\
\n\/etc\/httpd\/conf\/httpd.conf<\/p>\n
Turn off server-side includes (SSI) and CGI execution<\/p>\n
Server-side includes (SSI) are directives present on Web applications that are placed in HTML pages. An SSI attack allows a web application to be exploited by remotely executing arbitrary codes. The attacker can access sensitive information like password files, and execute shell commands. It is recommended that you disable server side includes and CGI execution if they are not needed.<\/p>\n
To do this, edit the main Apache config file:<\/p>\n
\/etc\/httpd\/conf\/httpd.conf<\/code><\/pre><\/p>\n
Find the section that begins with Directory \/var\/www\/html, Add -ExecCGI and -Includes in option directive:
\n<Directory \/var\/www\/html\/>
\nOptions -Indexes -FollowSymLinks -ExecCGI -Includes
\nAllowOverride None
\nRequire all granted
\n<\/Directory><\/p>\n
nano \/etc\/httpd\/conf\/httpd.conf<\/p>\n
Add the following line:
\n<Directory \/var\/www\/html\/www.vhost1.com\/>
\nOptions -Includes -ExecCGI
\n<\/Directory><\/p>\n
Save the file and restart Apache.<\/p>\n
Limit request size<\/p>\n
By default Apache has no limit on the size of the HTTP request. This can allow hackers to send large number of data.<\/p>\n
You can limit the requests size by using the Apache directive LimitRequestBody in combination with the Directory tag. This can help protect your web server from a denial of service (DOS) attack.<\/p>\n
Suppose you have a site (www.example.com), where you allow uploads, and you want to limit the upload size on this site.<\/p>\n
You can set value from 0 (unlimited) to 2147483647 (2GB) in the main Apache config file.<\/p>\n
For example, to limit the request size for the \/var\/www\/html\/www.example.com directory to 200K:<\/p>\n
\/etc\/httpd\/conf\/httpd.conf<\/p>\n
Add the following line:
\n<Directory \/var\/www\/html\/www.example.com>
\nLimitRequestBody 204800
\n<\/Directory><\/p>\n
Disallow browsing outside the document root<\/p>\n
Unless you have a specific need, it is recommended to restrict Apache to being only able to access the document root.<\/p>\n
You can secure the root directory \/ with Allow and Deny options in the httpd.conf file.<\/p>\n
\/etc\/httpd\/conf\/httpd.conf<\/p>\n
Add\/edit the following line:
\n<Directory \/>
\nOptions None
\nOrder deny,allow
\nDeny from all
\n<\/Directory><\/p>\n
Save the file and restart Apache:
\nsudo apachectl restart<\/p>\n
\u2022Options None : This will turn off all options
\n\u2022Order deny,allow : The order in which the allow and deny commands are applied
\n\u2022Deny from all : This will deny request from all to the root directory<\/p>\n
Secure Apache from clickjacking attacks<\/p>\n
Clickjacking, also known as “User Interface redress attack,” is a malicious technique to collect an infected user’s clicks. Clickjacking tricks the victim (visitor) into clicking on an infected site.<\/p>\n
To avoid this, you need to use X-FRAME-OPTIONS to prevent your website from being used by clickjackers.<\/p>\n
You can do this by editing the httpd.conf file:
\nsudo nano \/etc\/httpd\/conf\/httpd.conf<\/p>\n
Add the following line:
\nHeader append X-FRAME-OPTIONS “SAMEORIGIN”<\/p>\n
Disable ETag<\/p>\n
ETags (entity tags) are a well-known point of vulnerability in Apache web server.
\nETag is an HTTP response header that allows remote users to obtain sensitive information like inode number, child process ids, and multipart MIME boundary. ETag is enabled in Apache by default.<\/p>\n
To prevent this vulnerability, disabling ETag is recommended.<\/p>\n
You can do this by editing httpd.conf file:<\/p>\n
\/etc\/httpd\/conf\/httpd.conf<\/p>\n
Add the following line:
\nFileETag None<\/p>\n
HTTP request methods<\/p>\n
Apache support the OPTIONS, GET, HEAD, POST, CONNECT, PUT, DELETE, and TRACE method in HTTP 1.1 protocol.
\nSome of these may not be required, and may pose a potential security risk. It is a good idea to only enable HEAD, POST, and GET for web applications.<\/p>\n
You can do this by editing the httpd.conf file:<\/p>\n
\/etc\/httpd\/conf\/httpd.conf<\/p>\n
Find the section that begins with Directory \/var\/www\/html. Add the following lines under this section:
\n<LimitExcept GET POST HEAD>
\ndeny from all
\n<\/LimitExcept><\/p>\n
Save the file and restart Apache:<\/p>\n
Secure Apache from XSS attacks<\/p>\n
Cross-site scripting (XSS) is one of the most common application-layer vulnerabilities in Apache server. XSS enables attackers to inject client-side script into web pages viewed by other users. Enabling XSS protection is recommended.<\/p>\n
You can do this by editing the httpd.conf file:<\/p>\n
\/etc\/httpd\/conf\/httpd.conf<\/p>\n
Add the following line:
\n<IfModule mod_headers.c>
\nHeader set X-XSS-Protection “1; mode=block”
\n<\/IfModule><\/p>\n
HTTP request methods<\/p>\n
Apache support the OPTIONS, GET, HEAD, POST, CONNECT, PUT, DELETE, and TRACE method in HTTP 1.1 protocol. Some of these may not be required, and may pose a potential security risk. It is a good idea to only enable HEAD, POST, and GET for web applications.<\/p>\n
You can do this by editing the httpd.conf file:
\nsudo nano \/etc\/httpd\/conf\/httpd.conf<\/p>\n
Find the section that begins with Directory \/var\/www\/html. Add the following lines under this section:
\n<LimitExcept GET POST HEAD>
\ndeny from all
\n<\/LimitExcept><\/p>\n
Save the file and restart Apache:<\/p>\n
sudo apachectl restart<\/p>\n
Secure Apache from XSS attacks<\/p>\n
Cross-site scripting (XSS) is one of the most common application-layer vulnerabilities in Apache server. XSS enables attackers to inject client-side script into web pages viewed by other users. Enabling XSS protection is recommended.<\/p>\n
You can do this by editing the httpd.conf file:<\/p>\n
\/etc\/httpd\/conf\/httpd.conf<\/p>\n
Add the following line:
\n<IfModule mod_headers.c>
\nHeader set X-XSS-Protection “1; mode=block”
\n<\/IfModule><\/p>\n","protected":false},"excerpt":{"rendered":"
Harden the Apache Web Server on CentOS 7<\/p>\n
[root@clusterserver1 conf]# yum install httpd Loaded plugins: fastestmirror Loading mirror speeds from cached hostfile * base: mirror.vodien.com * epel: mirrors.hustunique.com * extras: mirror.vodien.com * updates: mirror.vodien.com Resolving Dependencies –> Running transaction check —> Package httpd.x86_64 0:2.4.6-40.el7.centos will be installed –> Finished Dependency Resolution<\/p>\n
Dependencies Resolved<\/p>\n
========================================================================================================================== Package […]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[12],"tags":[],"_links":{"self":[{"href":"https:\/\/mohan.sg\/index.php?rest_route=\/wp\/v2\/posts\/5595"}],"collection":[{"href":"https:\/\/mohan.sg\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/mohan.sg\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/mohan.sg\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/mohan.sg\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=5595"}],"version-history":[{"count":1,"href":"https:\/\/mohan.sg\/index.php?rest_route=\/wp\/v2\/posts\/5595\/revisions"}],"predecessor-version":[{"id":5596,"href":"https:\/\/mohan.sg\/index.php?rest_route=\/wp\/v2\/posts\/5595\/revisions\/5596"}],"wp:attachment":[{"href":"https:\/\/mohan.sg\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=5595"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/mohan.sg\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=5595"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/mohan.sg\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=5595"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}