According to Netcraft’s 2015 web server statistics, 47.7% of all websites are using Apache, making it the most popular web server in the world. Ubiquity has its price, however: the open source project is under constant scrutiny from malicious actors and security professionals alike.
In terms of CVEs, Apache’s HTTP server currently holds 190 documented vulnerabilities to its name, though in all fairness it has a good record for security, especially given its widespread use and longevity. That said, proper hardening is a crucial requirement for securing Apache against today’s cyber threats. The following are 10 ways to harden Apache for a strong security posture.
1. Disable Apache version/OS display on error
Apache’s error pages display web server information such as the version and OS by default, as well as information about the Apache modules installed on the server. Much of this information is useful to would-be attackers. To prevent accidental leakage of privileged server information, make the following changes to the Apache configuration file:
- ServerSignature needs to be set to Off.
- ServerTokens can be set to Prod. This returns only "Apache" as the product in the Server response header on every request.
2. Disable directory listing display and file system traversal
By default, Apache will list all files in a directory if a corresponding index page does not exist. This should be turned off, since it reveals sensitive information to unprivileged viewers. To turn off directory listing, you’ll need to make a new entry in Apache’s configuration file with the Options directive for the directory in question.
Additionally, server files should be protected by default to prevent unauthorized access to the filesystem. Adding the following block to Apache’s configuration file locks down default access to filesystem locations:
<Directory "/">
    Require all denied
</Directory>
3. Run Apache as a separate user and group
The Apache web server runs its processes as the user nobody or daemon by default, but should instead be configured to run under its own unprivileged account and group for better isolation. To make this change, create and configure the user and group and instruct Apache to run as that user. This involves changes to Apache’s configuration file followed by a service restart.
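A consolidated configuration fragment for items 1 to 3, added here as an example and not taken from the article. The directives are standard Apache 2.4 directives; the document root /var/www/html and the account name apache are assumptions.

```apache
# Item 1: stop advertising version, OS and module list.
ServerTokens Prod
ServerSignature Off

# Item 2: deny the whole filesystem by default ...
<Directory "/">
    Options None
    AllowOverride None
    Require all denied
</Directory>

# ... then re-open only the document root, without directory listings.
# The leading "-" removes Indexes from whatever Options are inherited,
# so the denial on "/" above stays the default everywhere else.
DocumentRoot "/var/www/html"
<Directory "/var/www/html">
    Options -Indexes
    AllowOverride None
    Require all granted
</Directory>

# Item 3: run worker processes as a dedicated unprivileged account
# (assumed name "apache"; create it first with a nologin shell, e.g.
# "useradd -r -s /sbin/nologin apache", before restarting the service).
User apache
Group apache
```

Validate with apachectl configtest before restarting, since a typo in the root Directory block will deny every request.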
4. Install mod_security and mod_evasive modules
mod_security and mod_evasive are modules designed specifically to strengthen Apache’s out-of-the-box security mechanisms and should be installed:
- mod_security: a web application firewall that enables real-time traffic monitoring and protection against brute force attacks.
- mod_evasive: an efficient mechanism for detecting and mitigating DDoS attacks, limiting the damage such an attack can do.
5. Protect system settings
.htaccess files are used in Apache to set directory-level configurations and can override system-wide security settings. Consequently, highly secure environments should prohibit the creation of .htaccess files by users. To enforce this, add the following to your Apache configuration file:
<Directory "/">
    AllowOverride None
</Directory>
6. Limit request size
Apache by default does not limit the size of HTTP requests, making it highly prone to DoS attacks when using the out-of-the-box configuration. Limiting the request size can help to fix this, so you’ll want to add an Apache directive to the VirtualHost section in question in your configuration file:
The limit is set to 1 MB in the above example.
7. Harden for DDoS attacks
DDoS attack methods vary and can be difficult to mitigate. That said, the following directives can be tweaked to minimize the efficacy of an attack:
- TimeOut: sets the amount of time the server waits before failing (default is 300 seconds). This value should be set as low as possible, keeping in mind that certain web requests will require more time to execute (e.g., database-driven form submissions, dynamic content).
- MaxClients (or MaxRequestWorkers): allows a limit to be set on simultaneous connections to be served, with new connections queued if the limit is reached. This value should be configured based on an organization’s expected traffic load.
- KeepAliveTimeout: sets the amount of time Apache will wait for a subsequent request before closing the connection (default is 5 seconds).
- LimitRequestFields: allows a limit to be set on the number of HTTP request header fields accepted from clients (default is 100). This number should be lowered accordingly based on your organization’s needs.
- LimitRequestFieldSize: sets the maximum size of each HTTP request header field.
8. Disable following of symbolic links
Apache follows symlinks by default, which can easily result in a weakened security posture due to accidental or malicious misconfiguration. A symbolic link allows references to files and directories to be made with absolute or relative paths. For example, creating a symbolic link to “/” in the Apache document root directory would allow access to otherwise restricted files and directories.
To disable this, add the following to your Apache configuration file:
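The following fragment, added as an example and not from the article, puts items 5 through 8 together in one virtual host plus the server-wide limits. The host name www.example.com, the document root and the numeric limits are assumptions to be tuned to measured traffic.

```apache
<VirtualHost *:80>
    ServerName www.example.com
    DocumentRoot "/var/www/html"

    # Item 6: cap request bodies at 1 MB (1048576 bytes). Larger requests
    # are answered with 413 instead of being read into the worker.
    LimitRequestBody 1048576

    <Directory "/var/www/html">
        # Item 5: .htaccess files in the tree cannot override these settings.
        AllowOverride None
        # Item 8: do not follow symlinks out of the document root.
        # If some links are required, use +SymLinksIfOwnerMatch instead;
        # note that mod_rewrite in directory context needs one of the two.
        Options -Indexes -FollowSymLinks
        Require all granted
    </Directory>
</VirtualHost>

# Item 7: server-wide limits that shorten the life of slow or oversized
# requests. Lower than the defaults; raise them if legitimate traffic
# (long-running forms, large cookies) starts to fail.
Timeout 60
KeepAlive On
KeepAliveTimeout 5
# With the worker or event MPM keep this a multiple of ThreadsPerChild.
MaxRequestWorkers 250
LimitRequestFields 50
LimitRequestFieldSize 4094
```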
9. Disable unused modules
Apache is widely lauded for its modularity: extensive use of modules makes the web server highly extensible and customizable. Many modules are written by third parties, however, and have been known to contain exploitable vulnerabilities. For this reason, unused modules should be disabled to reduce the web server’s attack surface.
The following is a list of Apache modules enabled by default, but usually not needed. They should be disabled if not in use:
10. Disable Apache server-info and server-status
Again, as with item #1 of this list, Apache’s configuration file should be updated to prevent accidental leakage of privileged server information. The following should be disabled:
- server-info: displays information regarding Apache’s configuration.
- server-status: lists information regarding the server’s performance (uptime, load, requests, and more).
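An added example for items 9 and 10, not taken from the article: commenting out LoadModule lines for commonly loaded but rarely needed modules, and removing the handlers that serve server-info and server-status. The module selection below is mine, and the modules/ paths assume a stock httpd layout relative to ServerRoot.

```apache
# Item 9: a "#" in front of a LoadModule line unloads the module on the
# next restart. mod_info and mod_status provide /server-info and
# /server-status, so unloading them also covers item 10.
#LoadModule info_module      modules/mod_info.so
#LoadModule status_module    modules/mod_status.so
#LoadModule autoindex_module modules/mod_autoindex.so
#LoadModule userdir_module   modules/mod_userdir.so
#LoadModule cgi_module       modules/mod_cgi.so
#LoadModule dav_module       modules/mod_dav.so
#LoadModule include_module   modules/mod_include.so

# Item 10: with the modules unloaded, delete any leftover handler blocks
# such as this one, otherwise configtest fails on the unknown handler.
#<Location "/server-info">
#    SetHandler server-info
#</Location>

# If monitoring genuinely needs server-status, keep status_module loaded
# and expose the handler only to requests originating on the server.
<IfModule mod_status.c>
    <Location "/server-status">
        SetHandler server-status
        Require local
    </Location>
</IfModule>
```

On Debian-derived systems the same result comes from a2dismod; in either case confirm the loaded set afterwards with apachectl -M.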
In short, the 10 ways listed above should serve as a starting point for Apache hardening efforts—in addition to identifying and remediating Apache's documented vulnerabilities per the CVE database. Fortunately, UpGuard's Apache server hardening policy can automatically scan for these items with a few mouse clicks.