Top 7 steps to secure a server running Apache

Apache is the most widely used web server today, and its tight integration with cPanel keeps pushing its adoption. It now faces tough competition from LiteSpeed and nginx, but it is still the favourite among beginners. That popularity hides a problem: Apache's defaults are chosen for compatibility rather than for a locked-down server. Out of the box it advertises its exact version, loads whatever modules the package ships, and is generous about how long a request may take and how large it may be. On shared hosting the provider deals with that for you; once you upgrade to a dedicated server, hardening the web server is your job. The seven steps in this article cover the basics for an Apache web server.

  1. Hide sensitive information about your server: The first, and surprisingly effective, step is to stop Apache from advertising what it is running. By default the Server response header and the footer of server-generated error pages report the exact httpd version, the operating system and loaded modules such as PHP or OpenSSL, which lets an attacker pick matching exploits without probing the host at all. Open httpd.conf (on Debian and Ubuntu these two directives live in /etc/apache2/conf-enabled/security.conf instead) and add or edit the following:
  • ServerSignature Off
  • ServerTokens Prod
  With ServerTokens Prod the header shrinks to just "Server: Apache" and ServerSignature Off removes the version line from error pages. Keep in mind that this only removes a hint: the version is still there and still has whatever bugs it has, so it is no substitute for applying updates.

  2. Run Apache under its own user account and group: The parent httpd process starts as root so that it can bind ports 80 and 443, but the worker processes that actually handle requests drop to the account named by the User and Group directives. Giving Apache a dedicated, unprivileged account (a system account with no login shell, not one shared with a database, mail or FTP daemon) means that in the worst case a compromised worker can only read and write what that account can, so a bug in a web application does not hand the attacker your other installations. Distribution packages usually create this account for you (apache on RHEL and CentOS, www-data on Debian and Ubuntu); if you built from source, create one yourself, and never point these directives at root or at an account that owns other services. Open httpd.conf and edit the following:
  • User apache
  • Group apache
  Then check that the document root is not writable by that account except in the few places an application genuinely needs to write, such as upload or cache directories.

  3. Restrict access to files outside the document root: Deny access to the whole filesystem by default, then explicitly grant access to the document root. This adds a layer of defence against path traversal and misconfigured aliases, and it also means that each directory which needs extra options or .htaccess overrides must declare them itself, so expect to add a <Directory> block for applications that rely on mod_rewrite or .htaccess (give those directories Options FollowSymLinks and an appropriate AllowOverride rather than loosening the root). The configuration below uses the Apache 2.4 access control syntax; the older Order Deny,Allow / Deny from all form for "/" and Order Allow,Deny / Allow from all for the document root is 2.2 syntax that only works on 2.4 through mod_access_compat. /var/www/html stands in for your actual DocumentRoot. Use the following if you know what you are doing:
  • <Directory />
  •     Options None
  •     AllowOverride None
  •     Require all denied
  • </Directory>
  • <Directory "/var/www/html">
  •     Options None
  •     AllowOverride None
  •     Require all granted
  • </Directory>
  Test the configuration syntax and then request a page from the site before reloading in production: a mistake here turns every URL into a 403.

  4. Install the ModSecurity module for Apache: ModSecurity is a web application firewall that inspects each request (and optionally the response) against a rule set, which makes it effective at blocking SQL injection, cross-site scripting and other common HTTP attacks before they reach the application. The module on its own does very little: the recommended configuration it ships with starts in DetectionOnly mode and contains almost no rules. Pair it with the OWASP Core Rule Set (packaged as modsecurity-crs on Ubuntu and Debian, mod_security_crs in EPEL), switch SecRuleEngine to On once you have reviewed the audit log for false positives, and expect to tune rules for any non-trivial application. The package names differ between distributions. To install ModSecurity:
  • On CentOS/RHEL (the package is in the EPEL repository):
  • yum install mod_security
  • service httpd restart
  • On Ubuntu/Debian:
  • apt-get install libapache2-mod-security2
  • service apache2 restart

  5. Disable the modules you don't need: Every loaded module is code reachable from the network and a possible source of vulnerabilities or information leaks; mod_status and mod_info expose server internals, mod_autoindex lists directory contents, and mod_userdir and mod_cgi widen the attack surface in ways most sites never use. Go through the Apache module documentation to identify the ones your website does not need, then list what is currently loaded:
  • grep LoadModule httpd.conf
  • To disable a module, put a "#" in front of its LoadModule line.
  On RHEL 7 and later the LoadModule lines are spread over /etc/httpd/conf.modules.d/, and on Debian and Ubuntu modules are enabled and disabled with a2enmod and a2dismod rather than by editing the file, so also check the list that httpd -M (or apachectl -M) prints, which reflects every file actually loaded. Disable modules one at a time and watch the error log, because some modules depend on others and Apache will refuse to start if a dependency is missing.

  6. Lower the Timeout value: Timeout is how long Apache waits for a client to send the next piece of a request, or to acknowledge data it is sending, before giving up on the connection. The default (300 seconds in Apache 2.2, 60 in 2.4) lets a slow or deliberately stalling client tie up a worker for a long time, so lowering it to 30 or 45 reduces the impact of slow-request attacks such as Slowloris. It does nothing against a volumetric DDoS, which has to be absorbed upstream, and for a more targeted defence look at mod_reqtimeout's RequestReadTimeout directive, which limits how long the headers and body of a request may take to arrive. Open httpd.conf and edit the following:
  • Timeout 45
  Do not go so low that legitimate slow uploads or long-running scripts start failing on real clients.

  7. Limit large requests: Another way of lowering the impact of a DoS attempt, and of runaway uploads in general, is to cap the size of request body Apache will accept with LimitRequestBody. The value is in bytes and older releases apply no limit by default, so pick a ceiling your website can work with: the example below allows 10 MiB (10485760 bytes); 1 MiB would be 1048576. Requests whose body exceeds the limit are rejected with a 413 response. The directive can also be set per directory, so you can keep a small limit globally and raise it only for the upload handler. Open httpd.conf and edit the following:
  • LimitRequestBody 10485760
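The seven settings above, written out as a weak httpd.conf beside a hardened one in Apache 2.4 syntax, together with a small shell audit that checks a given file for each of them. This is an added example and not part of the original article; the two sample configs, the /var/www/html document root, the 60-second Timeout ceiling and the list of "usually unneeded" modules are assumptions. The audit reads a single file and does not follow Include directives or expand ${VAR} values, so on distributions that split the configuration across several files point it at each file in turn.

```sh
#!/bin/sh
# Audit an httpd.conf against the seven steps above, with a weak sample beside a
# hardened one. Added example, not the article's own; the samples, the
# /var/www/html path, the 60 s Timeout ceiling and the "unneeded modules" list
# are assumptions.

# Print the last effective value of DIRECTIVE in FILE (comment lines ignored).
conf_get() {
    awk -v d="$2" '
        /^[ \t]*#/ { next }
        tolower($1) == tolower(d) { v = $2 }
        END { print v }' "$1"
}
# Exit 0 if the <Directory /> block denies everything: the 2.4 "Require all
# denied" or the 2.2 "Deny from all" that mod_access_compat still honours.
root_dir_denied() {
    awk '
        /^[ \t]*#/ { next }
        /^[ \t]*<[Dd]irectory[ \t]+"?\/"?[ \t]*>/ { inroot = 1; next }
        inroot && /^[ \t]*<\/[Dd]irectory>/ { inroot = 0 }
        inroot && tolower($0) ~ /(require[ \t]+all[ \t]+denied|deny[ \t]+from[ \t]+all)/ { found = 1 }
        END { exit found ? 0 : 1 }' "$1"
}
# One OK/FAIL/WARN line per check for FILE; always exits 0.
audit_httpd_conf() {
    f="$1"
    v=$(conf_get "$f" ServerTokens | tr 'A-Z' 'a-z')            # 1. hide version info
    [ "$v" = prod ] && echo "OK   ServerTokens Prod" || echo "FAIL ServerTokens is '${v:-unset}', want Prod"
    v=$(conf_get "$f" ServerSignature | tr 'A-Z' 'a-z')
    [ "$v" = off ] && echo "OK   ServerSignature Off" || echo "FAIL ServerSignature is '${v:-unset}', want Off"
    u=$(conf_get "$f" User); g=$(conf_get "$f" Group)            # 2. own unprivileged account
    if [ -z "$u" ] || [ -z "$g" ]; then echo "FAIL User/Group not set explicitly"
    elif [ "$u" = root ] || [ "$g" = root ]; then echo "FAIL workers would run as root"
    else echo "OK   workers run as $u:$g"; fi
    if root_dir_denied "$f"; then echo "OK   <Directory /> denies all access"   # 3. deny / by default
    else echo "FAIL <Directory /> does not deny access by default"; fi
    if grep -Eiq '^[[:space:]]*LoadModule[[:space:]]+security2_module' "$f"; then   # 4. WAF present
        echo "OK   mod_security2 loaded"
    else echo "FAIL mod_security2 not loaded"; fi
    for m in status_module info_module autoindex_module userdir_module cgi_module; do   # 5. extras
        if grep -Eiq "^[[:space:]]*LoadModule[[:space:]]+$m" "$f"; then
            echo "WARN $m is loaded; disable it unless the site needs it"; fi
    done
    t=$(conf_get "$f" Timeout)                                    # 6. short Timeout
    case "$t" in
        ''|*[!0-9]*) echo "FAIL Timeout is '${t:-unset}', want an explicit value of 60 or less" ;;
        *) [ "$t" -le 60 ] && echo "OK   Timeout $t" || echo "FAIL Timeout $t is too long, want 60 or less" ;;
    esac
    b=$(conf_get "$f" LimitRequestBody)                           # 7. cap request bodies
    case "$b" in
        ''|0|*[!0-9]*) echo "FAIL LimitRequestBody is '${b:-unset}', want a byte limit (0 = unlimited)" ;;
        *) echo "OK   LimitRequestBody $b bytes" ;;
    esac
    return 0
}
# Number of FAIL lines for FILE; always exits 0, so it is safe under set -e.
count_failures() {
    audit_httpd_conf "$1" | awk '/^FAIL/ { n++ } END { print n + 0 }'
}
# Constructed sample: the permissive setup the article warns about.
write_weak_conf() {
    cat > "$1" <<'EOF'
ServerTokens Full
ServerSignature On
<Directory />
    AllowOverride All
    Require all granted
</Directory>
LoadModule status_module modules/mod_status.so
Timeout 300
EOF
}
# Constructed sample: the same server after the seven steps (Apache 2.4 syntax).
write_hardened_conf() {
    cat > "$1" <<'EOF'
ServerTokens Prod
ServerSignature Off
User apache
Group apache
<Directory />
    Options None
    AllowOverride None
    Require all denied
</Directory>
<Directory "/var/www/html">
    Options None
    AllowOverride None
    Require all granted
</Directory>
LoadModule security2_module modules/mod_security2.so
#LoadModule status_module modules/mod_status.so
Timeout 45
LimitRequestBody 10485760
EOF
}
# Demo: the weak sample reports 7 failures and 1 warning, the hardened one none.
demo_dir=$(mktemp -d); write_weak_conf "$demo_dir/weak.conf"; write_hardened_conf "$demo_dir/hardened.conf"
for c in weak hardened; do echo "== $c.conf"; audit_httpd_conf "$demo_dir/$c.conf"; done
rm -rf "$demo_dir"
```

To audit a real server, call audit_httpd_conf with the path to httpd.conf; each FAIL line maps to one of the seven steps, and the WARN lines are the candidates for step 5. The root-directory check accepts either the 2.4 Require syntax or the 2.2 Deny syntax, so it works on both generations of configuration.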
