Top 10 Apache Security Configurations

Document root directory: /var/www/html  or  /var/www
Apache Configuration file: /etc/apache/apache2.conf  or  /etc/httpd/conf/httpd.conf
Apache Access Log: /var/log/httpd/access_log
Apache Error Log: /var/log/httpd/error_log

1. Make sure you have the latest Apache updates

2. Disable unused modules

3. Change Apache user account

Create a dedicated Linux user and group for Apache.

# groupadd webuser
# useradd -d /var/www/ -g webuser -s /sbin/nologin webuser

After creating the user, tell Apache to run as this new user by setting these directives in the Apache configuration file:

User webuser
Group webuser

4. Remove version from Custom Error Pages

ServerSignature Off
ServerTokens Prod

5. Configure Options for the server

 # Disable directory listing
 Options -Indexes
 # Disable server-side includes
 Options -Includes
 # Disable CGI file execution
 Options -ExecCGI
 # Disable following of symlinks
 Options -FollowSymLinks
 # Or disable all features at once
 Options None

6. Allow and Deny access to Directories

<Directory />
   Options None
   # Apache 2.2 syntax; on Apache 2.4 the equivalent is: Require all denied
   Order deny,allow
   Deny from all
</Directory>

7. Use mod_security and mod_evasive Modules

Install and configure mod_security and mod_evasive

8. Limit Request Size

<Directory "/var/www/myweb1/user_uploads">
   # Maximum request body size in bytes
   LimitRequestBody 512000
</Directory>

9. Protect against DDOS attacks and Hardening

The following directives can help against DoS attacks:

  1. MaxClients
  2. TimeOut
  3. KeepAliveTimeout
  4. LimitRequestFields
  5. LimitRequestFieldSize
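
A quick way to check a configuration file against items 3, 4, 5, 8 and 9 above. This is an added example, not part of the original post. It assumes a single file read as text (it does not follow Include lines or track which <Directory> a directive sits in), and the audit function and SAMPLE config are constructed for illustration.

```python
RISKY_OPTIONS = {"indexes", "includes", "execcgi", "followsymlinks", "all"}
REQUIRED = {"serversignature": "off", "servertokens": "prod"}
LIMITS = ["timeout", "keepalivetimeout", "limitrequestfields",
          "limitrequestfieldsize", "limitrequestbody"]

def audit(conf_text):
    """Return a sorted list of findings for the text of one Apache config file."""
    seen, findings = {}, set()
    for lineno, raw in enumerate(conf_text.splitlines(), 1):
        parts = raw.strip().split(None, 1)
        # Skip blank lines, comments and <Section> tags.
        if not parts or parts[0][0] in "#<":
            continue
        name = parts[0].lower()          # directive names are case-insensitive
        args = parts[1].strip() if len(parts) > 1 else ""
        seen[name] = args                # flat model: last occurrence wins
        if name == "options":
            for opt in args.lower().split():
                # "-Indexes" disables a feature; "Indexes" or "+Indexes" enables it.
                if not opt.startswith("-") and opt.lstrip("+") in RISKY_OPTIONS:
                    findings.add(f"line {lineno}: Options enables {opt.lstrip('+')}")
    for name, want in REQUIRED.items():
        if seen.get(name, "").lower() != want:
            findings.add(f"{name} should be {want}")
    for name in ("user", "group"):
        if seen.get(name, "root").lower() in ("root", "#0"):
            findings.add(f"{name} is unset or root")
    # MaxClients was renamed MaxRequestWorkers in Apache 2.4; accept either.
    if "maxclients" not in seen and "maxrequestworkers" not in seen:
        findings.add("maxclients/maxrequestworkers not set")
    for name in LIMITS:
        if name not in seen:
            findings.add(f"{name} not set")
    return sorted(findings)

# Constructed sample config, not taken from a real server.
SAMPLE = """\
# constructed sample
User webuser
Group webuser
ServerSignature Off
ServerTokens OS
Timeout 60
<Directory "/var/www/html">
    Options Indexes FollowSymLinks
</Directory>
"""

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE)))
```

A directive reported as "not set" is running on Apache's built-in default, which may or may not suit the site; the check only shows that no explicit decision was made in this file.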

10. Securing Apache with SSL Certificates

Reference: LINK

