Apache is one of the most widely used web servers on the planet, and with that popularity comes a need to ensure its security. Although the platform that most often hosts Apache (Linux) enjoys a level of security many other platforms do not, that doesn’t mean you should install and forget the open source web server. With attacks against web servers as common as they are, you should do everything you can to harden an out-of-the-box Apache 2 installation.
Here are four tips you can implement (three with ease and one with a bit of research) that bring added security to your Apache installation.
1: Run only necessary modules
Out of the box, Apache 2 enables a number of modules you might not need (only you can decide what modules should be running on your server). But how do you find out which modules are running? And if you want to disable a module or two, how do you prevent unnecessary modules from running?
First, you need to find out which modules are enabled on your system. I’ll demonstrate how to do this from an Apache 2 installation on Ubuntu Server 16.04.
Open a terminal window and issue the command ls /etc/apache2/mods-enabled/ (sudo is not needed to read that directory). Each enabled module appears there as a .load symlink, usually paired with a .conf, so you should see output similar to what’s in Figure A. To see what the running server has actually loaded, including modules compiled in statically, use apache2ctl -M.
Apache 2 offers a handy tool for disabling modules. Let’s say you want to disable the autoindex module. To prevent the autoindex module from loading, you would issue the command:
sudo a2dismod autoindex
After running the command, you will be prompted to confirm by typing in the phrase Yes, do as I say! Note: Only modules on the Debian scripts’ list of essential modules (those whose removal can break the server’s ability to function) trigger that warning; a2dismod -f skips the prompt, but if you find yourself needing -f, first make sure nothing on the server depends on the module. Say you want to disable the status module; issue the command sudo a2dismod status, and the module is disabled without a prompt.
After you disable the unnecessary modules, restart Apache with the following command:
sudo service apache2 restart
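To make the module audit repeatable, here is a small script (an added example, not part of this article or of Ubuntu’s a2enmod/a2dismod tooling) that lists what is enabled and prints the a2dismod commands for everything not on a keep list you pass on the command line. With arguments it reads /etc/apache2/mods-enabled; run bare, it builds a constructed sample directory so it can be tried anywhere. It prints commands rather than running them, because the keep list is a judgement only you can make for your server.

```shell
#!/bin/sh
# apache-module-audit.sh: compare the modules Apache has enabled against the
# short list this server actually needs, and print the a2dismod commands for
# the rest. Added example for this article; not part of Ubuntu's apache2 tools.
# Usage: sh apache-module-audit.sh alias authz_core dir env mime mpm_event setenvif
set -eu

# enabled_modules MODS_DIR
# Each enabled module is a <name>.load symlink in mods-enabled; print the names.
enabled_modules() {
    for f in "$1"/*.load; do
        [ -e "$f" ] || continue          # empty directory: the glob stays literal
        f=${f##*/}
        printf '%s\n' "${f%.load}"
    done | sort
}

# modules_to_disable MODS_DIR KEEP_MODULE...
# Enabled modules that are not on the keep list, one per line. -x forces whole-name
# matches so "auth" on the keep list does not silently protect "auth_basic".
modules_to_disable() {
    dir=$1; shift
    if [ "$#" -eq 0 ]; then
        enabled_modules "$dir"           # nothing to keep: everything is a candidate
        return
    fi
    enabled_modules "$dir" | grep -vxF -e "$(printf '%s\n' "$@")" || [ $? -eq 1 ]
}

if [ "$#" -gt 0 ]; then
    MODS_DIR=${MODS_DIR:-/etc/apache2/mods-enabled}
else
    # Bare run: demonstrate on a constructed directory holding a subset of what
    # Ubuntu 16.04 enables by default, with a keep list chosen for a static site.
    MODS_DIR=$(mktemp -d)
    for m in access_compat alias auth_basic authn_core authz_core autoindex dir \
             env mime mpm_event negotiation setenvif status; do
        : > "$MODS_DIR/$m.load"
    done
    set -- alias authz_core dir env mime mpm_event setenvif
fi

echo "# enabled in $MODS_DIR:"
enabled_modules "$MODS_DIR" | tr '\n' ' '; echo
echo "# candidates to disable (review first; keep exactly one mpm_* module):"
modules_to_disable "$MODS_DIR" "$@" | while read -r m; do
    printf 'sudo a2dismod %s\n' "$m"
done
```

Review the printed list before pasting it back: disabling a module that another enabled module or a site configuration depends on will make the restart fail, and a2dismod will only warn you about the handful of modules Debian considers essential.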
2: Enable ModSecurity
ModSecurity is a free Web Application Firewall that works with Apache. It uses a flexible rule engine to perform simple and complex operations to prevent attacks like SQL injection, cross-site scripting, Trojans, bad user agents, session hijacking, and much more.
You should understand that ModSecurity is incredibly complex and can alter your site’s ability to serve pages. It would be wise to fully understand ModSecurity before enabling this feature. For more information, check out the official ModSecurity documentation.
By default, ModSecurity isn’t installed. Although the installation is fairly simple, the configuration can be daunting. To install ModSecurity, follow these steps.
- Open a terminal window on your Apache server.
- Issue the command sudo apt-get install libapache2-modsecurity. On Ubuntu 16.04 this is a transitional package that pulls in libapache2-mod-security2 and, as a recommended dependency, the OWASP Core Rule Set package modsecurity-crs; if you install with --no-install-recommends, add modsecurity-crs explicitly.
- Rename the sample config file with the command sudo mv /etc/modsecurity/modsecurity.conf-recommended /etc/modsecurity/modsecurity.conf (copying it with cp instead keeps the pristine sample around to diff against later).
- Open the newly created file for editing with the command sudo nano /etc/modsecurity/modsecurity.conf.
- In the Rule engine initialization section, change the existing line SecRuleEngine DetectionOnly to SecRuleEngine On. DetectionOnly logs what the rules would have blocked without blocking anything, so it is worth leaving the engine in that mode for a few days of real traffic and switching to On only once the error log is quiet.
- Restart Apache with the command sudo service apache2 restart.
Now you need to tell ModSecurity where the Core Rule Set lives. Open the module’s Apache configuration with the command sudo nano /etc/apache2/mods-enabled/security2.conf (a symlink to the copy in mods-available) and add the following lines inside the <IfModule security2_module> block:
IncludeOptional "/usr/share/modsecurity-crs/*.conf"
IncludeOptional "/usr/share/modsecurity-crs/base_rules/*.conf"
The first line picks up the CRS setup file (modsecurity_crs_10_setup.conf) and the second loads the base rules; IncludeOptional, unlike Include, does not make Apache fail to start if the directory is missing.
Save and close that file and restart Apache with the command sudo service apache2 restart.
If pages on your site start failing, comb through /var/log/apache2/error.log for lines beginning ModSecurity: Access denied with code 403. Each one names the rule that fired in a field such as [id "960017"], alongside [msg "..."] and [uri "..."] fields telling you what it matched and where. Once you know which rule is blocking legitimate traffic, disable it by ID with the SecRuleRemoveById directive. Two caveats: the directive must appear after the Include lines that load the rules (ModSecurity cannot remove a rule it has not loaded yet), and it is better placed inside a <Location> for the affected path than globally, so the rule keeps protecting the rest of the site.
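Reading those log lines by hand gets old quickly. The script below is an added example (not part of ModSecurity, the CRS, or this article) that summarises which rules fired in an error log, separates the ones that actually denied requests from the ones that only logged a warning in DetectionOnly mode, and drafts the matching SecRuleRemoveById lines. Run bare, it uses a constructed sample log modelled on the format mod_security 2.9 writes; the rule ids and messages in that sample are illustrative, not taken from any real incident.

```shell
#!/bin/sh
# modsec-triage.sh: see which ModSecurity rules fired in Apache's error log and
# draft the SecRuleRemoveById exclusions for the ones that blocked requests.
# Added example for this article; not part of ModSecurity or the CRS.
# Usage: sh modsec-triage.sh /var/log/apache2/error.log
set -eu

# rule_hits LOGFILE
# One line per rule id, most frequent first: "<count> <id> <msg>".
rule_hits() {
    grep 'ModSecurity:' "$1" \
      | sed -n 's/.*\[id "\([0-9][0-9]*\)"\].*\[msg "\([^"]*\)"\].*/\1 \2/p' \
      | sort | uniq -c | sort -rn \
      | awk '{ c=$1; id=$2; $1=""; $2=""; sub(/^ */, ""); print c, id, $0 }'
}

# blocked_ids LOGFILE
# Distinct ids that actually denied a request. With SecRuleEngine DetectionOnly
# the same rules log "ModSecurity: Warning." instead, so this prints nothing:
# read rule_hits while in DetectionOnly, blocked_ids once the engine is On.
blocked_ids() {
    grep 'ModSecurity: Access denied' "$1" \
      | sed -n 's/.*\[id "\([0-9][0-9]*\)"\].*/\1/p' | sort -u
}

# exclusion_snippet LOGFILE
# SecRuleRemoveById for each blocking id. ModSecurity can only remove a rule it
# has already loaded, so this must be placed AFTER the CRS Include lines; wrap
# it in a <Location> for the affected path to keep the rule active elsewhere.
exclusion_snippet() {
    blocked_ids "$1" | while read -r id; do
        printf 'SecRuleRemoveById %s\n' "$id"
    done
}

# Constructed sample, modelled on mod_security 2.9 error.log entries (real ones
# carry more fields). Ids and messages are illustrative only.
SAMPLE_LOG=$(cat <<'EOF'
[Tue Aug 08 10:12:31.101010 2017] [:error] [pid 2211] [client 203.0.113.5:51234] ModSecurity: Access denied with code 403 (phase 2). Pattern match "^[\\d.:]+$" at REQUEST_HEADERS:Host. [file "/usr/share/modsecurity-crs/base_rules/modsecurity_crs_21_protocol_anomalies.conf"] [line "98"] [id "960017"] [msg "Host header is a numeric IP address"] [severity "WARNING"] [hostname "203.0.113.10"] [uri "/"]
[Tue Aug 08 10:12:35.202020 2017] [:error] [pid 2211] [client 203.0.113.5:51236] ModSecurity: Access denied with code 403 (phase 2). Pattern match "^[\\d.:]+$" at REQUEST_HEADERS:Host. [file "/usr/share/modsecurity-crs/base_rules/modsecurity_crs_21_protocol_anomalies.conf"] [line "98"] [id "960017"] [msg "Host header is a numeric IP address"] [severity "WARNING"] [hostname "203.0.113.10"] [uri "/index.php"]
[Tue Aug 08 10:14:02.303030 2017] [:error] [pid 2212] [client 198.51.100.23:40110] ModSecurity: Warning. Pattern match "(?i:...)" at ARGS:id. [file "/usr/share/modsecurity-crs/base_rules/modsecurity_crs_41_sql_injection_attacks.conf"] [line "77"] [id "950901"] [msg "SQL Injection Attack: SQL Tautology Detected."] [severity "CRITICAL"] [hostname "203.0.113.10"] [uri "/index.php"]
[Tue Aug 08 10:14:02.303040 2017] [:error] [pid 2212] [client 198.51.100.23:40110] ModSecurity: Access denied with code 403 (phase 2). Operator GE matched 5 at TX:anomaly_score. [file "/usr/share/modsecurity-crs/base_rules/modsecurity_crs_49_inbound_blocking.conf"] [line "26"] [id "981176"] [msg "Inbound Anomaly Score Exceeded (Total Score: 15)"] [severity "CRITICAL"] [hostname "203.0.113.10"] [uri "/index.php"]
EOF
)

if [ "$#" -ge 1 ]; then
    LOG=$1
else
    LOG=$(mktemp)
    printf '%s\n' "$SAMPLE_LOG" > "$LOG"
    echo "# no log given; using the constructed sample"
fi
echo "# rules that fired (count id message):"
rule_hits "$LOG"
echo "# exclusions to consider, placed after the CRS Include lines:"
exclusion_snippet "$LOG"
```

Before adopting an exclusion, look at the [uri] and [data] fields of the blocked requests: a rule that fires on every request to one form is a false positive to exclude for that path, while a rule that fires on a handful of requests from one client is probably doing its job.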
3: Limit large requests
By default, Apache places no limit on the size of a request body (the LimitRequestBody directive defaults to 0, meaning unlimited), so an attacker can tie up worker processes, bandwidth, and disk by sending enormous uploads. The limit is configured per directory (or per location), which lets you cap a static download area tightly while leaving an upload endpoint more room.
Say, for instance, you created a directive to serve up the folder /var/www/clients. That directive might look like the following:
Alias /clients "/var/www/clients"
<Directory /var/www/clients/>
    Options +FollowSymlinks
    AllowOverride All
    <IfModule mod_dav.c>
        Dav off
    </IfModule>
    SetEnv HOME /var/www/clients
    SetEnv HTTP_HOME /var/www/clients
</Directory>
Say you want to lock down that directory to requests with bodies no larger than 100K. The directive takes a plain byte count (no K or M suffix), so you would add the following line under AllowOverride All:
LimitRequestBody 102400
A request whose body exceeds the limit is refused with a 413 Request Entity Too Large response.
Save and close that file. Reload Apache (you don’t have to do a full restart) with the command:
sudo service apache2 reload
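Because the directive only understands bytes, the conversion is an easy place to slip (100K is 102400, not 100000 and not "100K"). The script below is an added example, not code from the article: it converts a human-readable size to bytes, emits the /clients block above with the cap in place, and, if you pass a URL, POSTs a body one byte over the limit with curl so you can see whether the server answers 413. The paths are the article’s; the URL, and the choice of 100K via the LIMIT_SIZE variable, are assumptions for the example.

```shell
#!/bin/sh
# limit-request-body.sh: build the article's /clients block with a request-body
# cap, and optionally probe a running server with an oversize POST.
# Added example for this article; not part of Apache or the original text.
# Usage: sh limit-request-body.sh                  (print the config for 100K)
#        LIMIT_SIZE=8M sh limit-request-body.sh http://host/clients/upload.php
set -eu

# bytes_from_size SIZE
# LimitRequestBody takes a plain byte count (0 = unlimited, the default) and
# accepts no suffixes, so convert first. Understands 4096, 100K, 8M, 1G.
bytes_from_size() {
    size=$1
    num=${size%[KkMmGg]}
    case $num in
        ''|*[!0-9]*) echo "bytes_from_size: bad size '$size'" >&2; return 1 ;;
    esac
    case $size in
        *[Kk]) echo $((num * 1024)) ;;
        *[Mm]) echo $((num * 1024 * 1024)) ;;
        *[Gg]) echo $((num * 1024 * 1024 * 1024)) ;;
        *)     echo "$num" ;;
    esac
}

# clients_directory_block LIMIT_BYTES
# The article's block with LimitRequestBody added; a body over the cap gets 413.
clients_directory_block() {
    cat <<EOF
Alias /clients "/var/www/clients"
<Directory /var/www/clients/>
    Options +FollowSymlinks
    AllowOverride All
    LimitRequestBody $1
    <IfModule mod_dav.c>
        Dav off
    </IfModule>
    SetEnv HOME /var/www/clients
    SetEnv HTTP_HOME /var/www/clients
</Directory>
EOF
}

# probe_limit URL LIMIT_BYTES
# POST a body one byte over the cap and print the HTTP status; 413 means the
# cap is enforced for that resource. Needs curl and a reachable server.
probe_limit() {
    body=$(mktemp)
    head -c "$(( $2 + 1 ))" /dev/zero > "$body"
    curl -s -o /dev/null -w '%{http_code}\n' --data-binary @"$body" "$1"
    rm -f "$body"
}

LIMIT=$(bytes_from_size "${LIMIT_SIZE:-100K}")   # 100K, as in the article
clients_directory_block "$LIMIT"
if [ "$#" -ge 1 ]; then
    echo "# probing $1 with a $((LIMIT + 1))-byte body:"
    probe_limit "$1" "$LIMIT"
fi
```

LimitRequestBody only caps the body. The request line and headers have their own ceilings (LimitRequestLine, LimitRequestFieldSize and LimitRequestFields, all with sane defaults), and a client that sends its body slowly rather than in bulk is handled by mod_reqtimeout, not by this directive.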
4: Restrict browsing to specific directories
You don’t want users to be able to browse outside of specific directories.
Let’s say you have a Nextcloud site served from your Apache server, and that is all you want anyone to be able to see; you have to deny access to the document root and then allow access to the Nextcloud directory. For the purposes of this example, we’ll say the document root is /var/www/ and the Nextcloud directory is /var/www/nextcloud.
First, open /etc/apache2/apache2.conf. Locate the <Directory /> block (it governs the whole filesystem, not just the document root, and is the baseline every other <Directory> block inherits) and change it to reflect the following:
<Directory />
    Order Deny,Allow
    Deny from all
    Options None
    AllowOverride None
</Directory>
Two things to check on Ubuntu 16.04, which ships Apache 2.4. Order, Deny and Allow are Apache 2.2 directives that 2.4 only understands through mod_access_compat (enabled by default on Ubuntu); the native 2.4 form is Require all denied, and the two styles should not be mixed in the same block. Also, the stock apache2.conf already denies <Directory /> and then grants access again in a separate <Directory /var/www/> block, so if /var/www/ is your document root, that is the block that must carry the deny.
Save and close that file. Open the configuration file for Nextcloud within /etc/apache2/sites-enabled and add the following under <Directory /var/www/nextcloud/> (on Apache 2.4 the native equivalent is Require all granted):
Order Allow,Deny
Allow from all
Reload Apache with the command sudo service apache2 reload. You should now receive a Forbidden warning when attempting to view the document root, and your Nextcloud site should work as expected.
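Since Ubuntu 16.04 runs Apache 2.4, you may prefer to write the access control above in the native Require syntax rather than relying on mod_access_compat. The script below is an added example (not part of Apache or this article) that rewrites the 2.2-style fragments used in this tip into 2.4 directives: Order lines are dropped, Deny from all and Allow from all become Require all denied and Require all granted, Allow from <address> becomes Require ip or Require host, and any other Deny from, which has no line-for-line equivalent and needs a <RequireAll> block, is left in place behind a REVIEW marker instead of being silently dropped. It matches directive names case-sensitively, which is an assumption of the example; Apache itself accepts any case.

```shell
#!/bin/sh
# access-22-to-24.sh: rewrite Apache 2.2 style access control (Order/Allow/Deny)
# into the native 2.4 Require directives. Added example for this article; not
# part of Apache. Reads a config fragment from a file argument or, run bare,
# converts the two fragments used in the article as a demonstration.
# Usage: sh access-22-to-24.sh /etc/apache2/sites-enabled/nextcloud.conf
set -eu

# translate_access_22_to_24 < fragment
# Indentation is preserved. "Allow from" with only digits, dots and slashes (or a
# colon, for IPv6) becomes Require ip; anything else becomes Require host.
# "Deny from <host>" needs <RequireAll> in 2.4, so it is flagged, not rewritten.
translate_access_22_to_24() {
    sed -e '/^[[:space:]]*Order[[:space:]]/d' \
        -e 's|^\([[:space:]]*\)Deny from all[[:space:]]*$|\1Require all denied|' \
        -e 's|^\([[:space:]]*\)Allow from all[[:space:]]*$|\1Require all granted|' \
        -e 's|^\([[:space:]]*\)Allow from \([0-9][0-9./ ]*\)$|\1Require ip \2|' \
        -e 's|^\([[:space:]]*\)Allow from \([0-9A-Fa-f:./ ]*:[0-9A-Fa-f:./ ]*\)$|\1Require ip \2|' \
        -e 's|^\([[:space:]]*\)Allow from \(.*\)$|\1Require host \2|' \
        -e 's|^\([[:space:]]*\)Deny from \(.*\)$|\1# REVIEW: no line-for-line 2.4 form, needs <RequireAll>: Deny from \2|'
}

if [ "$#" -ge 1 ]; then
    translate_access_22_to_24 < "$1"
else
    # Demonstration input: the two fragments from the article, constructed here.
    translate_access_22_to_24 <<'EOF'
<Directory />
    Order Deny,Allow
    Deny from all
    Options None
    AllowOverride None
</Directory>

<Directory /var/www/nextcloud/>
    Order Allow,Deny
    Allow from all
</Directory>
EOF
fi
```

After rewriting, run sudo apache2ctl configtest before the reload, and keep mod_access_compat enabled until every Order, Allow and Deny line in /etc/apache2 is gone: with the module disabled, a single leftover 2.2 directive stops Apache from starting.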
There are plenty of ways to secure your Apache server. Start with these four tips (remember to do more research about ModSecurity), and then find even more ways to keep your web server locked down against attacks and malicious users.