Best security tips for Apache
Q I've just built an Apache web server to host some websites externally. Can you give me some general security tips?
A Aside from securing the pages via HTTP authentication or SSL where applicable, there are a number of things you can do in the httpd.conf file, as the default configuration file can provide a potential attacker with some specific information to help them target their attack. Firstly, make absolutely sure the ServerTokens directory is set to Prod. When it's at its default value it will reveal the version of Apache you are using, as well as other modules you are using and potentially your operating system. While security by obscurity isn't something to recommend if you do fall behind with your versions, you don't want to give away too much information. To see what your server is currently giving away try executing
curl -I http://yourwebserver
Also make sure the ServerSignature is set to email - this will prevent your versions being disclosed on Apache's error pages. Do you want your users to have their own web-accessible folders? No? Then disable the userdir module. Similarly, are you using CGI? If not, remove the cgi-bin alias from the config. One other thing to be wary of is the Apache manual, which is sometimes aliased by default. Make sure directory indexes are forbidden, by setting Indexes in the Options section of the <Directory> directives. If you are running PHP, ensure the expose_php directive in your php.ini file is set to Off. If other people are publishing content to your web server you may also want to make sure that they do not override certain settings with a .htaccess file. Within the root <Directory> directive, set the AllowOverride directive to None, AuthConfig or another limited value; do not set it to All.
- Change DocumentRoot in Apache to avoid 404 errors
- Apache 2 and PHP
- SSH, mod_rewrite and Apache
- Configuring Apache and NAT
- Apache redirecting