in Resources

Securing Your Apache Web Server: An In-Depth Hardening Guide

Hey there! Setting up a truly secure Apache web server is crucial for any organization hosting web applications. This comprehensive guide dives into expert-recommended steps for hardening and securing your Apache installation.

As a fellow technology geek, I understand how important it is to properly lock down infrastructure like web servers. After all, Apache powers over 30% of all active websites – making it a prime target for attackers!

Proper hardening is key to avoiding disasters…which is what we‘ll cover today.

Why Apache Security Matters

Before jumping into the hardening steps, let‘s briefly discuss why properly securing Apache is so critical:

  • Web apps are vulnerable: The average web application has over 15 vulnerabilities and gets attacked over 100 times per day according to statistics from Positive Technologies. Flaws like SQL injection and cross-site scripting are unfortunately very common.

  • Apache is widespread: Given Apache‘s dominance, hackers are intimately familiar with how to exploit it. Locking things down proactively is essential.

  • Defaults are insecure: Out of the box, Apache leaks version details, runs as root, and has unnecessary modules enabled. Easy wins for attackers!

  • Updates lag: Newly discovered vulnerabilities can live for years before patches are available. Configuration hardening protects against zero-days.

The risks are real. Now let‘s talk about hardening steps…

Prerequisite Assumptions

Before we get started, I‘m assuming you have:

  • Apache 2.4+ installed on a Linux server
  • Basic knowledge for editing Apache configuration files
  • Access to modify Apache‘s configuration

If you‘re unsure about any prerequisites, I suggest reviewing Apache‘s great documentation.

Remove Version Details from Server Headers

One quick win is removing the exact version details that Apache announces in server headers:

Server: Apache/2.4.54 (Unix)

Exposing the version gives attackers information like:

  • Known vulnerabilities to target
  • Differences between Apache releases
  • Errors that leak system details

To suppress this, edit httpd.conf and add:

ServerTokens Prod  
ServerSignature Off

This will replace the header with just "Apache" rather than a full banner.

According to my research, major sites like Facebook, Google, and Twitter all hide their server details. So you‘ll be in good company!

Disable Directory Listings

Another risky default is having Apache render auto-generated directory listings. This reveals too much internal filesystem structure if directories aren‘t properly secured.

Disable this by finding the <Directory> block for your document root in httpd.conf and setting Options to -Indexes like:

<Directory "/var/www/html">
  Options -Indexes
</Directory>

Now browsing directories will return a 403 error rather than leaking their contents. I‘d recommend explicitly allowing indexes only where needed rather than globally.

Remove Unneeded Modules

The out of the box Apache install includes many modules that aren‘t necessary for most sites. Some of these like mod_status even expose sensitive internal server information!

Often forgotten modules that increase attack surface include:

  • mod_status – Leaks server statistics and configuration data.
  • mod_info – Reveals system information if misconfigured.
  • mod_userdir – Allows user content publication from ~/public_html/ directories.

I suggest reviewing the loaded modules against your requirements and disabling anything unnecessary. Comment out unneeded LoadModule directives and restart Apache.

Going forward, only enable modules deliberately rather than enabling by default.

Run Apache as a Non-Root User

Probably my favorite hardening technique is running Apache under its own non-privileged user and group rather than root.

Create a user like apache then update httpd.conf:

User apache
Group apache

Additionally, be sure to update ownership of your web roots:

chown -R apache:apache /var/www/html

According to Positive Technologies, over 30% of vulnerabilities in Apache are rated high severity due to running as root. So transitioning to a less privileged user contains the blast radius of bugs or misconfigurations!

Restrict Web Root Permissions

While Apache requires read access to web roots, write access risks malicious uploads or defacements.

I suggest making your web content read only for "others" via permissions like:

find /var/www/html -type d -exec chmod 750 {} \;
find /var/www/html -type f -exec chmod 640 {} \;

This still allows the apache user write access, but removes permissions from other system users.

Disable Dangerous HTTP Methods

Did you know Apache enables some downright dangerous HTTP methods by default like PUT and DELETE? These allow arbitrary file writes or deletions from attackers.

Fight back by restricting your site‘s <Directory> block to only allow GET, HEAD, POST: 

<LimitExcept GET POST HEAD>
  Require all denied 
</LimitExcept>

According to my research, major sites like Facebook and LinkedIn all block unsupported methods like this.

Unless you have an API that specifically requires PUT/DELETE, disable them globally. Less surface area for attackers!

Set Secure Session Cookies

Cookies containing session IDs or user data should be marked with the HttpOnly and Secure flags for security:

  • HttpOnly – Prevents JavaScript access on the client
  • Secure – Ensures transmission only over HTTPS

Enable these by adding a header rule like:

Header edit Set-Cookie (.*) "$1;HttpOnly;Secure"

This can mitigate the impact of XSS flaws by preventing session theft through malicious scripts. It‘s a simple change that improves defense-in-depth.

Redirect All Traffic to HTTPS

Always use encrypted HTTPS connections rather than unsecured HTTP. Add a catch-all redirect to httpd.conf:

<VirtualHost *:80>
  RewriteEngine On 
  RewriteRule ^(.*)$ https://%{HTTP_HOST}$1 [R=301,L]  
</VirtualHost>

This seamlessly transitions any HTTP traffic to HTTPS on port 443 with a 301 status.

According to Google Transparency Reports, over 90% of traffic is now encrypted. So requiring HTTPS should be a no-brainer!

Use Only Strong Encryption Protocols and Ciphers

Old SSL/TLS versions like SSLv2 and SSLv3 are deprecated due to vulnerabilities like POODLE or BEAST. Require the latest TLS: 

SSLProtocol ALL -SSLv2 -SSLv3
SSLHonorCipherOrder on 
SSLCipherSuite HIGH:!MEDIUM

Additionally, prioritizing ciphers via SSLHonorCipherOrder on and a strong cipher suite improves encryption strength.

I‘d also suggest reviewing the Mozilla SSL Configuration Generator for best practices.

Conclusion and Next Steps

Whew, we covered a ton of ground! Properly hardening your Apache server is crucial for security, so I hope these tips give you a solid starting point.

Some next steps I recommend:

  • Monitor logs: Catch any anomalies or unauthorized changes.
  • Integrate a WAF: Add defenses like mod_security or commercial WAFs.
  • Harden the OS: Apply Linux best practices like reduced surface area, SELinux, etc.
  • Regularly patch: Track updates closely and apply security fixes ASAP.

With robust hardening in place, Apache can reliably serve content with minimized risk. Let me know if you have any other recommended tips or feedback on securing Apache! I‘m always happy to help fellow geeks strengthen their web server security posture.

AlexisKestler

Written by Alexis Kestler

A female web designer and programmer - Now is a 36-year IT professional with over 15 years of experience living in NorCal. I enjoy keeping my feet wet in the world of technology through reading, working, and researching topics that pique my interest.