
Apache Security Configurations for Enterprise Systems
As an enterprise system administrator, hardening your Apache HTTP Server is crucial. Server configuration cannot fix application bugs such as SQL injection or cross-site scripting (XSS) on its own, but it shrinks the attack surface, limits what a compromised application can do, and blunts denial-of-service (DoS) attacks. In this article, we will discuss 22 essential Apache security configurations to harden your web server. Directives use Apache 2.4 syntax unless stated otherwise.
Table of Contents
- Disable Directory Browsing
- Set Secure Headers
- Configure SSL/TLS Encryption
- Enable ModSecurity
- Use Strong Passwords
- Limit Login Attempts
- Disable PHP Safe Mode
- Configure PHP Error Handling
- Restrict File Uploads
- Set up Firewall Rules
- Monitor Server Logs
- Use a Web Application Firewall (WAF)
- Implement Two-Factor Authentication (2FA)
- Configure Apache’s IP Address Filtering
- Use the Indexes Directive to Protect Sensitive Data
- Protect Against SQL Injection Attacks
- Secure Your Apache Configuration Files
- Prevent Remote Code Execution (RCE) Attacks
- Limit the Number of Processes
- Configure MPM Modules for Improved Performance
- Set up Apache’s HTTP Response Splitting Protection
- Regularly Update and Patch Your Apache Installation
Disable Directory Browsing
If a directory has no index file, mod_autoindex lists its contents, which hands an attacker backup files, upload directories and source code. Disable listings server-wide, or per directory, in your Apache configuration file:

```apache
Options -Indexes
```

This directive turns off automatic directory listings wherever it applies (the whole server here; inside a <Directory> block, only that tree). It does not stop anyone from fetching a file whose name they already know, so access to sensitive paths still has to be restricted explicitly.
Set Secure Headers
To have Apache add security headers to every response, enable mod_headers and add the following configuration, ideally inside the HTTPS virtual host:

```apache
Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains"
Header always set X-Frame-Options "SAMEORIGIN"
# Deprecated header: 0 keeps legacy browsers from enabling their XSS filter
Header always set X-XSS-Protection "0"
```

Strict-Transport-Security tells a browser that has received it over HTTPS to refuse plain-HTTP connections to the site for a year; browsers ignore it on HTTP responses, so it belongs in the port 443 configuration, and includeSubDomains should only be kept once every subdomain serves HTTPS. X-Frame-Options SAMEORIGIN prevents other sites from framing your pages, which blocks clickjacking. X-XSS-Protection does not prevent XSS: the browser filter it controlled has been removed from current browsers, and the filter itself was abused to leak information, so it is set to 0 here; protection against XSS comes from output encoding in the application and a Content-Security-Policy header. The always condition makes mod_headers add the headers to error responses too, which the default onsuccess condition skips.
Configure SSL/TLS Encryption
To enable TLS on your Apache web server, load mod_ssl and add a virtual host on port 443 that references the certificate and its private key:

```apache
<VirtualHost *:443>
    DocumentRoot /var/www/html
    SSLEngine on
    SSLCertificateFile /path/to/your/certificate
    SSLCertificateKeyFile /path/to/your/private.key
    SSLProtocol -all +TLSv1.2 +TLSv1.3
</VirtualHost>
```

SSLCertificateKeyFile is required unless the key is stored in the certificate file; without it mod_ssl refuses to start. SSLProtocol disables SSLv3, TLS 1.0 and TLS 1.1, all of which are deprecated (TLS 1.3 needs Apache 2.4.37 or later built against OpenSSL 1.1.1). The certificate file should contain the server certificate followed by any intermediate certificates so clients can build the chain, the private key must be readable only by root, and plain HTTP on port 80 should redirect to this virtual host. Pair this with an SSLCipherSuite list of modern AEAD ciphers; the Mozilla SSL Configuration Generator maintains one.
Enable ModSecurity
ModSecurity is a rule-driven web application firewall engine. The SecFilterEngine and SecFilterScanPOST directives belong to ModSecurity 1.x and are rejected by the 2.x module (mod_security2); use the 2.x directives and load a rule set, because the engine does nothing on its own:

```apache
<IfModule mod_security2.c>
    SecRuleEngine On
    SecRequestBodyAccess On
    # Assumed include path: point it at modsecurity.conf and the OWASP Core Rule Set
    IncludeOptional /etc/modsecurity/*.conf
</IfModule>
```

SecRequestBodyAccess On is what lets rules inspect POST bodies, where SQL injection and XSS payloads usually arrive. Start with SecRuleEngine DetectionOnly, review the audit log for false positives against your application, then switch to On.
Use Strong Passwords
Apache's HTTP Basic authentication does not check password strength; it only verifies credentials against the file named in AuthUserFile. AuthUserFile and AuthName do nothing by themselves; a complete protected block also needs AuthType and a Require line:

```apache
AuthType Basic
AuthName "Your Authentication Realm"
AuthUserFile /path/to/your/auth/user/file
Require valid-user
```

Generate entries with htpasswd using its bcrypt option (-B) rather than the default MD5-based hash, keep the file outside DocumentRoot, and serve the protected path over HTTPS only: Basic authentication sends the password base64-encoded, not encrypted, with every request. Length and complexity rules have to be enforced where accounts are created, or by moving authentication to a central identity provider.
Limit Login Attempts
Apache has no built-in limit on failed authentication attempts, and the directive most often quoted for this does something else entirely:

```apache
# Spelled MaxRequestsPerChild in Apache 2.2; controls process recycling, not request rates
MaxConnectionsPerChild 1000
```

This directive makes each child process exit after serving 1000 connections, which bounds the damage from memory leaks in modules but does nothing against brute force. To slow password guessing, watch the access log for repeated 401 responses from one address and block it, which is what fail2ban's apache-auth jail does, or rate-limit with mod_evasive or a ModSecurity rule. Account lockout is better done by the application or identity provider, which sees usernames as well as addresses.
Disable PHP Safe Mode
PHP's safe_mode was deprecated in PHP 5.3 and removed in 5.4, so on any supported PHP version the setting is ignored and there is nothing to enable or disable; it was never a real security boundary. The controls that replace it are running each application under its own user (PHP-FPM pools) and confining the files PHP may open:

```apache
# mod_php only; with PHP-FPM set open_basedir in the pool configuration instead
php_admin_value open_basedir "/var/www/html:/tmp"
```

open_basedir restricts file operations to the listed directories, so a path traversal bug cannot read /etc/passwd or the Apache configuration. The paths are an example; list the document root and any directory the application legitimately needs.
Configure PHP Error Handling
PHP error messages reveal file paths, SQL fragments and library versions. Log them, but never send them to clients:

```apache
php_admin_flag display_errors Off
php_admin_flag log_errors On
```

php_admin_flag, unlike php_flag, cannot be overridden from .htaccess or by ini_set() in a script, so a careless or compromised application cannot turn error display back on. These directives apply to mod_php; with PHP-FPM set the same options in php.ini or the pool configuration.
Restrict File Uploads
Apache cannot decide what users upload; the application does that. What the web server can guarantee is that nothing in the upload directory is ever executed. A rule such as FilesMatch ".(jpg|jpeg)$" with Deny from all gets this backwards: it blocks image downloads (and, because the dot is unescaped, any file whose name ends in those letters) while leaving an uploaded PHP script runnable. Instead, assuming uploads land in /var/www/html/uploads:

```apache
<Directory "/var/www/html/uploads">
    php_admin_flag engine Off
    Options -ExecCGI -Includes
    <FilesMatch "\.(php|phtml|phar|cgi|pl|py|sh)$">
        Require all denied
    </FilesMatch>
</Directory>
```

php_admin_flag engine Off turns off the PHP interpreter for that tree (mod_php), the Options line disables CGI and server-side includes, and the FilesMatch block refuses to serve script files at all. Store uploads outside DocumentRoot when possible, rename them on arrival, and cap size with LimitRequestBody. None of this stops uploads: the application has to validate type and size server-side, and client-side JavaScript checks are trivially bypassed.
Set up Firewall Rules
Apache runs on top of the host firewall, which should admit only the services the server offers. Rules that drop every inbound TCP packet not aimed at port 80, and every outbound packet not sourced from port 80, lock you out: they cut off SSH and HTTPS and block DNS, package updates and the replies to any outbound connection. A workable baseline:

```bash
# Allow loopback and replies to established connections first, so an SSH session survives
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# SSH only from the administration network (example range)
iptables -A INPUT -p tcp --dport 22 -s 192.168.0.0/24 -j ACCEPT
# HTTP and HTTPS from anywhere
iptables -A INPUT -p tcp --dport 80 -j ACCEPT
iptables -A INPUT -p tcp --dport 443 -j ACCEPT
# Everything else inbound is dropped; outbound stays open unless you have an egress policy
iptables -P INPUT DROP
iptables -P OUTPUT ACCEPT
```

Set the default policy last so you are not cut off while adding rules, and persist the rule set (iptables-save, or the equivalent nftables or ufw configuration) so it survives a reboot. If the server has no reason to initiate arbitrary outbound connections, an egress allow-list for DNS, NTP and the update mirrors blunts reverse shells and data exfiltration.
Monitor Server Logs
Logging has to be configured before it can be monitored; the following records both the request log and the error log:

```apache
ErrorLog "/var/log/apache2/error.log"
CustomLog "/var/log/apache2/access.log" combined
```

The combined format includes the referrer and user agent, which is how scanners and brute-force tools usually give themselves away. Logs are only useful if someone reads them: ship both files to a central log store or SIEM, alert on bursts of 401, 403 and 5xx responses and on requests for paths such as /.git or /.env, and rotate the files so the disk does not fill.
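The sections on limiting login attempts and on monitoring logs describe one check from two sides: read the access log, count failed authentications per address, and react. The following Python script is an added example, not code from the original article, of that detection logic over the combined log format; it is what a fail2ban filter or a ModSecurity rule implements for you. The log lines, addresses, threshold and window are constructed for illustration, and the output is the Apache 2.4 block that a blocking action would deploy.

```python
"""Detect HTTP authentication brute forcing in an Apache 'combined' access log.

Added example (not from the original article). Counts 401 responses per client
IP inside a sliding time window and reports addresses that exceed a threshold.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Combined log format: %h %l %u %t "%r" %>s %b "%{Referer}i" "%{User-Agent}i"
COMBINED = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<request>[^"]*)" (?P<status>\d{3}) (?P<size>\S+) '
    r'"(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)
TIME_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Return a dict for one combined-format line, or None if it does not match."""
    m = COMBINED.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["time"] = datetime.strptime(rec["time"], TIME_FMT)
    rec["status"] = int(rec["status"])
    return rec


def find_brute_forcers(lines, max_failures=5, window=timedelta(minutes=10)):
    """Return {ip: peak_failures} for IPs with more than max_failures 401s in any window.

    Each IP keeps a deque of recent 401 timestamps; entries older than the
    window are evicted, so memory stays bounded on large logs.
    """
    recent = defaultdict(deque)
    offenders = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["status"] != 401:
            continue
        q = recent[rec["ip"]]
        q.append(rec["time"])
        while q and rec["time"] - q[0] > window:
            q.popleft()
        if len(q) > max_failures:
            offenders[rec["ip"]] = max(offenders.get(rec["ip"], 0), len(q))
    return offenders


def require_not_ip(offenders):
    """Render an Apache 2.4 mod_authz_core block denying the offending addresses."""
    lines = ["<RequireAll>", "    Require all granted"]
    for ip in sorted(offenders):
        lines.append(f"    Require not ip {ip}")
    lines.append("</RequireAll>")
    return "\n".join(lines)


# Constructed sample log (not real traffic): 203.0.113.9 fails seven times in
# under a minute; 198.51.100.4 fails twice then succeeds; one 404 and one
# malformed line show that other statuses and garbage are ignored.
SAMPLE_LOG = [
    f'203.0.113.9 - admin [10/Mar/2024:10:00:{s:02d} +0000] "GET /admin/ HTTP/1.1" 401 381 "-" "curl/8.4.0"'
    for s in range(0, 56, 8)
] + [
    '198.51.100.4 - bob [10/Mar/2024:10:00:05 +0000] "GET /admin/ HTTP/1.1" 401 381 "-" "Mozilla/5.0"',
    '198.51.100.4 - bob [10/Mar/2024:10:00:09 +0000] "GET /admin/ HTTP/1.1" 401 381 "-" "Mozilla/5.0"',
    '198.51.100.4 - bob [10/Mar/2024:10:00:15 +0000] "GET /admin/ HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
    '192.0.2.5 - - [10/Mar/2024:10:02:00 +0000] "GET /wp-login.php HTTP/1.1" 404 196 "-" "python-requests/2.31"',
    'garbage line that does not match the format',
]

if __name__ == "__main__":
    bad = find_brute_forcers(SAMPLE_LOG)
    print(bad)
    print(require_not_ip(bad))
```

In production the input is the live file (or a log shipper's stream) rather than a list, and the generated block, or an equivalent firewall rule, should expire after a cooling-off period so a shared NAT address is not blocked forever.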
Use a Web Application Firewall (WAF)
ModSecurity with the OWASP Core Rule Set is the usual WAF for Apache; a cloud or edge WAF in front of the server is an alternative. Either filters known attack patterns before they reach the application, but a WAF is a compensating control, not a substitute for fixing injection bugs in the code.
Implement Two-Factor Authentication (2FA)
HTTP Basic authentication cannot ask for a second factor. To require one, put authentication in front of Apache with a module such as mod_auth_openidc, which delegates login to an OpenID Connect identity provider that enforces authenticator-app or hardware-token MFA, or place the server behind an identity-aware proxy that does the same.
Configure Apache’s IP Address Filtering
To allow a path only from known networks, use the Apache 2.4 authorization syntax inside the relevant <Directory>, <Location> or <Files> block:

```apache
Require ip 192.168.0.0/24
```

The SetEnvIf Remote_Addr form combined with Order, Allow and Deny is Apache 2.2 syntax, and it has a subtler flaw: SetEnvIf takes a regular expression, so an unanchored 192.168.0.1 also matches 192.168.0.10, 192.168.0.100 and 1192.168.0.1. Require ip compares addresses and CIDR ranges properly. The address Apache sees is the TCP peer: behind a load balancer or reverse proxy every client appears to come from the proxy, and X-Forwarded-For is attacker-controlled unless mod_remoteip is configured to trust only your own proxies.
Use the Indexes Directive to Protect Sensitive Data
IndexIgnore only hides names from the listing that mod_autoindex generates; it does not protect the files themselves:

```apache
IndexIgnore *
```

With IndexIgnore * an automatic index shows no entries, but every file in the directory stays downloadable by anyone who knows or guesses its name, and once Options -Indexes is set the directive is moot anyway. Treat it as cosmetic, and block sensitive paths explicitly with <Files> or <FilesMatch> blocks carrying Require all denied, in particular dotfiles such as .htaccess and .env, version-control directories and editor backup files.
Protect Against SQL Injection Attacks
The web server cannot fix SQL injection; it is an application bug. In PHP, use prepared statements with bound parameters (PDO or mysqli) for every query that includes user input, so the database receives the SQL text and the values separately and a quote or comment sequence in the input can never change the query's structure. ModSecurity rules and least-privilege database accounts limit the damage when a query is missed.
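As an added example that is not from the original article, the following Python code shows the injection and the fix side by side against an in-memory SQLite database; the table, user and payload are constructed for illustration, and the SHA-256 password hashing is a stand-in for a real bcrypt or Argon2 hash. The same distinction applies to PDO or mysqli in PHP.

```python
"""SQL injection: a string-built login query versus a parameterized one.

Added example (not from the original article); runs offline against SQLite.
"""
import hashlib
import hmac
import sqlite3


def hash_pw(password):
    # Stand-in for a real password hash; use bcrypt or Argon2 in production
    return hashlib.sha256(password.encode()).hexdigest()


def make_db():
    """Constructed sample data: a single user with a hashed password."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT PRIMARY KEY, pw_hash TEXT)")
    conn.execute("INSERT INTO users VALUES (?, ?)", ("alice", hash_pw("correct horse")))
    conn.commit()
    return conn


def login_vulnerable(conn, username, password):
    """Builds SQL by concatenation: attacker-controlled text becomes part of the query."""
    query = (
        "SELECT username FROM users WHERE username = '" + username
        + "' AND pw_hash = '" + hash_pw(password) + "'"
    )
    return conn.execute(query).fetchone() is not None


def login_safe(conn, username, password):
    """Parameterized query: the driver sends values separately from the SQL text,
    so quotes and comment sequences in the input are just data."""
    row = conn.execute(
        "SELECT pw_hash FROM users WHERE username = ?", (username,)
    ).fetchone()
    if row is None:
        return False
    # Constant-time comparison avoids leaking hash prefixes through timing
    return hmac.compare_digest(row[0], hash_pw(password))


# Classic payload: closes the quote, adds an always-true clause, comments out the rest
PAYLOAD = "' OR '1'='1' --"

if __name__ == "__main__":
    db = make_db()
    print("vulnerable, injected :", login_vulnerable(db, PAYLOAD, "anything"))
    print("safe, injected       :", login_safe(db, PAYLOAD, "anything"))
    print("safe, real password  :", login_safe(db, "alice", "correct horse"))
```

The vulnerable version authenticates the attacker without a password because the comment sequence removes the pw_hash condition; the parameterized version looks for a user literally named `' OR '1'='1' --`, finds none, and fails closed.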
Secure Your Apache Configuration Files
Configuration files, TLS private keys and password files should be owned by root and readable only by root:

```bash
chown root:root /path/to/your/apache/config/file
chmod 600 /path/to/your/apache/config/file
```

Mode 600 grants read and write to the owner and nothing to anyone else (it is not read-only). Apache reads its configuration and private keys as root before dropping privileges, so the www-data service account needs no access to them, and it must never have write access: a file the web server user can modify is a path from a web application compromise to root on the next restart. Give the same treatment to .htpasswd files and to any include that holds database credentials.
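The following Python script is an added example, not from the original article, of an audit that checks what the chmod above is meant to guarantee, so that a permission that drifts (a package upgrade, a hurried copy of a key) is caught before an attacker finds it. The temporary file it creates stands in for a private key; the paths and the distinction between key material and ordinary configuration are assumptions of the example.

```python
"""Audit and repair permissions on Apache configuration files and key material.

Added example (not from the original article). Flags any group or world
access that the file class does not allow, and any write bit for non-owners.
"""
import os
import stat
import tempfile


def audit_mode(path, allow_group_read=False):
    """Return a list of findings for one file; an empty list means the mode is acceptable.

    allow_group_read=True suits httpd.conf-style files an admin group may read;
    private keys and .htpasswd files should be audited with the default False.
    """
    mode = stat.S_IMODE(os.stat(path).st_mode)
    findings = []
    if mode & (stat.S_IWGRP | stat.S_IWOTH):
        findings.append("writable by group or others")
    if mode & (stat.S_IROTH | stat.S_IXOTH):
        findings.append("readable by others")
    if not allow_group_read and mode & stat.S_IRGRP:
        findings.append("readable by group")
    return findings


def fix_mode(path, mode=0o600):
    """Apply the restrictive mode and return the mode actually in effect."""
    os.chmod(path, mode)
    return stat.S_IMODE(os.stat(path).st_mode)


def audit_many(paths_and_classes):
    """Audit several files: [(path, allow_group_read), ...] -> {path: findings} for bad ones."""
    return {p: f for p, g in paths_and_classes for f in [audit_mode(p, g)] if f}


def demo():
    """Create a throwaway file with a sloppy mode (constructed, not a real key), audit, fix, re-audit."""
    fd, path = tempfile.mkstemp(prefix="server-key-")
    os.close(fd)
    try:
        os.chmod(path, 0o644)
        before = audit_mode(path)
        fix_mode(path)
        after = audit_mode(path)
        return before, after
    finally:
        os.unlink(path)


if __name__ == "__main__":
    print(demo())
```

Run it from cron or a configuration-management check against the TLS key, httpd.conf and its includes, and treat any finding on a private key as an incident, since the key may already have been read.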
Prevent Remote Code Execution (RCE) Attacks
The often-quoted recipe ini_set('disable_function', 'eval') is wrong in three ways: the directive is disable_functions (plural); it is a system-level setting that ini_set() cannot change at runtime, which is the point, since an attacker who can run code could otherwise re-enable everything; and eval is a language construct, not a function, so it cannot be disabled this way at all. What disable_functions can do is remove the process-spawning functions an RCE payload needs to reach the shell. Set it in php.ini, or for mod_php in the Apache configuration with php_admin_value:

```ini
; php.ini: no shell access from PHP
disable_functions = exec,passthru,shell_exec,system,proc_open,popen,pcntl_exec
```

Combine this with open_basedir, prompt patching of PHP and Apache, and a dedicated low-privilege user per application, so that a code-execution bug stays confined to that application.
Limit the Number of Processes
MaxRequestWorkers caps the number of simultaneous connections Apache will serve; requests beyond it wait in the listen backlog. Size it to memory: a server that forks or threads without limit is trivially knocked over by a flood, and one that over-commits swaps itself to death instead. With the event or worker MPM the value cannot exceed ServerLimit multiplied by ThreadsPerChild (16 × 25 = 400 by default), so raise ServerLimit alongside it:

```apache
ServerLimit 40
MaxRequestWorkers 1000
```

Apache logs a warning and silently caps MaxRequestWorkers if ServerLimit is too low. Against slow-request attacks such as Slowloris, which hold workers open without sending data, add mod_reqtimeout to enforce header and body timeouts.
Configure MPM Modules for Improved Performance
Apache 2.4 loads one Multi-Processing Module: event is the default and the best choice for most workloads, and worker is its threaded predecessor. Both run a small number of processes with many threads each, and the thread counts bound resource use under load. A worker configuration looks like this (ServerName and DocumentRoot belong in the virtual host, not in the MPM block):

```apache
<IfModule mpm_worker.c>
    StartServers 5
    MinSpareThreads 10
    MaxSpareThreads 75
    ThreadLimit 64
    ThreadsPerChild 25
</IfModule>
```

This starts five child processes of 25 threads each and keeps between 10 and 75 idle threads across the whole server; the spare-thread directives are server-wide totals, not per-process values. MaxSpareThreads must be at least MinSpareThreads plus ThreadsPerChild, and Apache silently raises a smaller value at startup. ThreadLimit is the ceiling for ThreadsPerChild and cannot be changed without a full restart. Tune these with memory per thread in mind and keep MaxRequestWorkers consistent with them.
Set up Apache’s HTTP Response Splitting Protection
HTTP response splitting happens when application code copies unvalidated request data (a redirect target, a cookie value, a language code) into a response header and that data contains a carriage return and line feed. The injected CRLF ends the header and lets the attacker append further headers and a second response body, which caching proxies and browsers then treat as genuine, enabling cache poisoning and XSS. mod_headers cannot prevent this: forcing Content-Type with Header always set breaks every non-HTML response, and RequestHeader unset touches the request side only. The protection lives in the application: reject CR and LF in any value that becomes a header, or use an API that does (PHP's header() refuses values containing newlines). On the Apache side, a ModSecurity rule set such as the OWASP Core Rule Set can flag encoded CRLF sequences (%0d%0a) in request parameters before they reach the application.
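As an added example that is not from the original article, the following Python code builds a raw HTTP redirect response the way a minimal handler would, first with the request's next parameter copied into Location unchecked, then with the check that rejects control characters and off-site targets. The parameter name, payload and parsing helper are constructed for illustration; the same check applies to any framework that lets you set a header from user input.

```python
"""HTTP response splitting: a vulnerable redirect beside a hardened one.

Added example (not from the original article). Both handlers serialise a raw
HTTP/1.1 response; only the safe one validates the attacker-supplied target.
"""
from urllib.parse import unquote


def build_response(status_line, headers, body=b""):
    """Serialise an HTTP response: status line and headers joined by CRLF, blank line, body."""
    head = [status_line] + [f"{k}: {v}" for k, v in headers]
    return ("\r\n".join(head) + "\r\n\r\n").encode("latin-1") + body


def redirect_vulnerable(next_param):
    """Copies the decoded parameter into Location verbatim; %0d%0a becomes a real CRLF."""
    target = unquote(next_param)
    return build_response("HTTP/1.1 302 Found",
                          [("Location", target), ("Content-Length", "0")])


class BadRedirect(ValueError):
    """Raised when a redirect target fails validation."""


def redirect_safe(next_param):
    """Rejects control characters (which would end the header) and off-site targets."""
    target = unquote(next_param)
    if any(ord(c) < 0x20 or c == "\x7f" for c in target):
        raise BadRedirect("control character in redirect target")
    # Only site-relative paths: blocks open redirects to other hosts and //host tricks
    if not target.startswith("/") or target.startswith("//"):
        raise BadRedirect("redirect target must be a site-relative path")
    return build_response("HTTP/1.1 302 Found",
                          [("Location", target), ("Content-Length", "0")])


def is_safe_target(next_param):
    """True if redirect_safe accepts the parameter, False if it rejects it."""
    try:
        redirect_safe(next_param)
        return True
    except BadRedirect:
        return False


def parse_headers(raw):
    """Split the head of a raw response into (name, value) pairs, as a client would."""
    head, _, _ = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    return [tuple(line.split(": ", 1)) for line in lines[1:]]


# Constructed payload: a CRLF-injected Set-Cookie header followed by a forged body
PAYLOAD = "/%0d%0aSet-Cookie:%20session=attacker%0d%0a%0d%0a<html>pwned</html>"

if __name__ == "__main__":
    print(redirect_vulnerable(PAYLOAD).decode("latin-1"))
    print(parse_headers(redirect_vulnerable(PAYLOAD)))
    print(is_safe_target(PAYLOAD), is_safe_target("/account"))
```

Parsing the vulnerable response shows a Set-Cookie header the application never set, followed by an attacker-chosen body; the hardened handler refuses the same input before any header is written.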
Regularly Update and Patch Your Apache Installation
Most Apache compromises exploit known, already-patched vulnerabilities. On Debian and Ubuntu, refresh the package index and install the available updates:

```bash
apt-get update && apt-get upgrade -y
```

Distribution packages backport security fixes, so the version reported by apache2ctl -v may look older than the upstream release yet contain the fix; compare against your distribution's security advisories rather than the upstream version number. Reload or restart Apache after upgrading so the running processes use the patched binaries, consider unattended-upgrades for security updates, and remember that PHP, OpenSSL and any third-party modules are patched separately.