Press "Enter" to skip to content

Hardening your Apache server (Part 1)

This post will show you how to add the first security layer to your Apache web server based on an installation of Apache 2.4 in CentOS.

All changes will be made on “/etc/httpd/conf/httpd.conf” file and it will be necessary to reload httpd service after changes are performed.

1- Avoid showing the Apache version

By default, error HTTP response codes (302, 403, 404, etc) show the version of Apache running on your server:

In order to avoid that you must add the following two lines to the end of “/etc/httpd/conf/httpd.conf” file:

After reload httpd service, the responses should show only ‘Apache’:

2- Restrict the HTTP Method of the requests

Most of web applications only need GET, POST and HEAD methods. Allowing TRACE method is dangerous since it can be used to bybpass XSS protections and steal session cookies. TRACE request returns to the client the information received by the server in that request. Here is an example how can be used to steal cookies:

To disable TRACE requests you must add the following line to httpd.conf file:

To know if you have enabled TRACE method on your server you can execute the following command:

If you get a response “405 Method Not Allowed” means it is disabled. You can also use nmap tool to check which HTTP Methods you have enabled:

Finally you can disable other HTTP Methods such as PUT, OPTIONS, etc with the following directive on httpd.conf:

3- Deny CGI script execution

If your website doesn’t need to run any CGI script on server side, you should deny access to the default CGI binaries path:

Also you should comment the following line which indicates that scripts can be executed on those paths:

4- Disable default options

If you are not using CGI scripts or SSI Includes on server side you must disble those options in order to avoid Apache from interpreting those commands on .shtml o .cgi files.  In addition, directory indexing is enabled by default, you must disable it too to avoid people navigating through your website directories:

5- Enable HttpOnly flag

When an HttpOnly flag is used, JavaScript will not be able to read this authentication cookie in case of XSS exploitation. Is an additional flag included in a Set-Cookie HTTP response header. Using the HttpOnly flag when generating a cookie helps mitigate the risk of client side script accessing the protected cookie (if the browser supports it).

You should add the following line to httpd.conf:

Reload httpd service and check if now, HttpOnly is being added to the headers:

6- Deny direct HTTP requests against the server IP

If you have a domain published in Apache server and you are not using <VirtualHost> directives, probably if someone makes a request against the server IP (http://X.X.X.X) he will access to your domain as he was browsing normally to your website.

This is an unwanted situation since all Internet bots will get a 200 response code when they test your server IP. In order to avoid this situation you can deny all requests against the server IP by spliting the requests with <VirtualHost> directive:

7- Block requests based on User-Agent

On Internet there are thousands of unwanted bots, hacking tools and vulnerability scanners that use their own User-Agent on HTTP requests. You can deny all requests that come from those User-agents in order to avoid they obtain information about your website or exploit it.

Here is a good example of config in httpd.conf to block those User-Agents:

Now if we try to scan or website with some vulnerability scanner such as ‘sqlmap’ or ‘wpscan’ we won’t get any information (unless we spoof the User-Agent).

Example 1 (Sqlmap)

Example 2 (WPscan)

8- Disable all unnecessary Apache modules

It is recommended to disable all unnecessary Apache modules from “/etc/httpd/conf.modules.d/” file. You only have to comment those lines that you want to disable and reload httpd service.

For example, if you are not using your Apache server as proxy, you can disable the following modules:

I hope these guidelines help you to harden your server. I will post more security tips to harden Apache server as well as other services.

3 Comments

  1. Tommy Cano
    Tommy Cano 25 February, 2018

    I work with an Apache server and this information will come in handy. Thank you.

    • Carlos Martin
      Carlos Martin 25 February, 2018

      Thanks for your comment. I hope these posts can help someone 🙂

  2. Karel Pičman
    Karel Pičman 11 June, 2019

    Add 7)
    1. The last condition can’t be with ‘OR’. It should be just “RewriteCond %{HTTP_USER_AGENT} webshag [NC]”
    2. The condition “RewriteCond %{HTTP_USER_AGENT} ^ [NC,OR]” is wrong. It catches all user agents including the right ones.
    3. The entire block should be enclosed with …

    Otherwise perfect.

Leave a Reply to Karel Pičman Cancel reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.