Essential Apache Security Tips for System Administrators

The Apache HTTP Server is one of the world's most popular web servers, powering a significant portion of websites on the internet. However, its widespread use also makes it a common target for attackers. Implementing proper security measures for your Apache server is crucial for protecting your websites and data from vulnerabilities and attacks. This comprehensive guide covers essential Apache security tips that every system administrator should implement.

Introduction

A poorly configured Apache server can expose your organization to various security risks, including data breaches, website defacement, server hijacking, and more. By implementing the security measures outlined in this guide, you can significantly reduce these risks and create a more robust web hosting environment.

We'll explore security best practices ranging from basic configuration changes to advanced security implementations. These tips are applicable to Apache running on various Linux distributions, though some file paths may differ slightly depending on your specific setup.

1. Keep Apache Updated

Running the latest version of Apache is your first line of defense against security threats. Security vulnerabilities are regularly discovered and patched, making updates essential.

Checking Your Apache Version

apache2 -v
# or
httpd -v

Updating Apache

On Debian/Ubuntu:

sudo apt update
sudo apt upgrade apache2

On CentOS/RHEL:

sudo yum update httpd

Always read the changelog before updating production servers to understand potential compatibility issues.

2. Minimize Apache Information Leakage

By default, Apache exposes information about its version and installed modules in error pages and HTTP headers. This information helps attackers identify specific vulnerabilities in your server.

Disable Server Signature

Edit your Apache configuration file:

sudo nano /etc/apache2/apache2.conf  # Debian/Ubuntu
# or
sudo nano /etc/httpd/conf/httpd.conf  # CentOS/RHEL

Add or modify these directives:

ServerSignature Off
ServerTokens Prod

These changes hide detailed server information from error pages and reduce HTTP header information to just "Apache" without version details.

Disable ETag Headers

ETags can leak information about your server's inode numbers, which may help in certain attacks:

FileETag None

3. Implement Proper Directory Access Controls

Restricting access to your filesystem through Apache is critical for security.

Block Access to Sensitive Directories

Add these blocks to your configuration to protect sensitive locations:

<Directory />
    Options None
    AllowOverride None
    Require all denied
</Directory>

<Directory /var/www/html>
    Options FollowSymLinks
    AllowOverride None
    Require all granted
</Directory>

This configuration denies access to all directories by default, then explicitly allows access only to your web directory.

Disable Directory Browsing

Prevent visitors from seeing directory listings:

<Directory /var/www/html>
    Options -Indexes
</Directory>

Restrict Access to .htaccess Files

<Files ".ht*">
    Require all denied
</Files>

4. Implement Proper File Permissions

File permissions are a critical but often overlooked aspect of web server security.

Set Restrictive File Permissions

# Set appropriate ownership
sudo chown -R root:www-data /var/www/html

# Set directory permissions
sudo find /var/www/html -type d -exec chmod 750 {} \;

# Set file permissions
sudo find /var/www/html -type f -exec chmod 640 {} \;

These commands set ownership to root with the web server group having access, directories being executable only by owner and group, and files being readable only by owner and group.

Secure Configuration Files

sudo chmod 600 /etc/apache2/apache2.conf
sudo chmod 600 /etc/apache2/sites-available/*

5. Enable and Configure SSL/TLS

Securing traffic between your server and clients is essential for protecting sensitive information.

Enable SSL Module

# Debian/Ubuntu
sudo a2enmod ssl
sudo systemctl restart apache2

# CentOS/RHEL
sudo yum install mod_ssl
sudo systemctl restart httpd

Configure Strong SSL Settings

Create or edit your SSL configuration:

# Debian/Ubuntu
sudo nano /etc/apache2/mods-available/ssl.conf

# CentOS/RHEL
sudo nano /etc/httpd/conf.d/ssl.conf

Add these security-focused settings:

SSLProtocol all -SSLv2 -SSLv3 -TLSv1 -TLSv1.1
SSLCipherSuite HIGH:!aNULL:!MD5:!3DES
SSLHonorCipherOrder on
SSLCompression off
SSLSessionTickets off

These settings disable older, insecure protocols and weak ciphers.

Configure a Virtual Host with SSL

<VirtualHost *:443>
    ServerName example.com
    DocumentRoot /var/www/html

    SSLEngine on
    SSLCertificateFile /path/to/certificate.crt
    SSLCertificateKeyFile /path/to/private.key
    SSLCertificateChainFile /path/to/chain.crt

    # Enable HTTP Strict Transport Security
    Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains"
</VirtualHost>

Don't forget to enable the headers module for HSTS:

# Debian/Ubuntu
sudo a2enmod headers
sudo systemctl restart apache2

6. Implement IP-Based Access Restrictions

Limiting access to certain parts of your website based on IP addresses can add an additional layer of security, especially for administrative areas.

Restrict Access to Admin Areas

<Directory "/var/www/html/admin">
    Options None
    AllowOverride None

    # Allow only specific IPs
    Require ip 192.168.1.100
    Require ip 10.0.0.0/24

    # Alternatively, allow all internal and deny external
    # Require all granted
    # Require not ip 192.168.1.0/24
</Directory>

Restrict Access to Sensitive Endpoints

<Location "/api/admin">
    Require ip 127.0.0.1
    Require ip ::1
</Location>

7. Protect Against Common Attacks

Enable ModSecurity Web Application Firewall

ModSecurity is a powerful web application firewall for Apache:

# Debian/Ubuntu
sudo apt install libapache2-mod-security2
sudo cp /etc/modsecurity/modsecurity.conf-recommended /etc/modsecurity/modsecurity.conf

# CentOS/RHEL
sudo yum install mod_security
sudo cp /etc/httpd/conf.d/mod_security.conf /etc/httpd/conf.d/mod_security.conf.bak

Edit the configuration file to enable protection:

sudo nano /etc/modsecurity/modsecurity.conf

Change the mode from detection to protection:

SecRuleEngine On

Restart Apache to apply the changes:

sudo systemctl restart apache2  # or httpd on CentOS/RHEL

Install OWASP ModSecurity Core Rule Set

The OWASP Core Rule Set provides protection against common web attacks:

# Debian/Ubuntu
sudo apt install modsecurity-crs
sudo ln -s /etc/modsecurity/modsecurity.conf /etc/apache2/mods-enabled/

# CentOS/RHEL
sudo yum install mod_security_crs
sudo systemctl restart httpd

Prevent Cross-Site Scripting (XSS)

Add these headers to your Apache configuration:

# Add to your virtual host configuration
Header set X-XSS-Protection "1; mode=block"
Header set Content-Security-Policy "default-src 'self';"

Prevent Clickjacking

Header always append X-Frame-Options SAMEORIGIN

8. Implement Rate Limiting

Rate limiting helps protect against brute force attacks and denial of service attempts.

Using mod_evasive

# Debian/Ubuntu
sudo apt install libapache2-mod-evasive
sudo mkdir -p /var/log/apache2/evasive
sudo chown -R www-data:www-data /var/log/apache2/evasive

# CentOS/RHEL
sudo yum install mod_evasive
sudo mkdir -p /var/log/httpd/evasive
sudo chown -R apache:apache /var/log/httpd/evasive

Configure mod_evasive by creating a configuration file:

# Debian/Ubuntu
sudo nano /etc/apache2/mods-available/evasive.conf

# CentOS/RHEL
sudo nano /etc/httpd/conf.d/mod_evasive.conf

Add these settings:

<IfModule mod_evasive20.c>
    DOSHashTableSize 3097
    DOSPageCount 2
    DOSSiteCount 50
    DOSPageInterval 1
    DOSSiteInterval 1
    DOSBlockingPeriod 60
    DOSLogDir "/var/log/apache2/evasive"
</IfModule>

Using mod_qos

For more advanced rate limiting:

# Debian/Ubuntu
sudo apt install libapache2-mod-qos

# CentOS/RHEL
sudo yum install mod_qos

Configure mod_qos:

<IfModule mod_qos.c>
    # Prevents more than 50 concurrent connections per IP
    QS_ClientEntries 50

    # Maximum number of active connections
    MaxClients 256

    # Maximum connections per IP
    QS_SrvMaxConnPerIP 20

    # Maximum requests per second
    QS_SrvRequestRate 4

    # Maximum simultaneous connections for POST and PUT
    QS_SrvMaxConnClose 5
</IfModule>

9. Control Resource Usage

Limiting resources helps prevent your server from being overwhelmed by malicious or poorly optimized requests.

Limit Request Size

LimitRequestBody 10240000  # Limit to approximately 10MB

Timeout Settings

Timeout 60
KeepAlive On
KeepAliveTimeout 5
MaxKeepAliveRequests 100

Control Process Creation

For prefork MPM:

<IfModule mpm_prefork_module>
    StartServers             5
    MinSpareServers          5
    MaxSpareServers         10
    MaxRequestWorkers      150
    MaxConnectionsPerChild 0
</IfModule>

10. Implement Security Through Obscurity

While security through obscurity should never be your primary defense, it can add an extra layer of protection.

Change Default Ports

Edit your Apache configuration:

# Instead of default port 80
Listen 8080

# Instead of default port 443 for SSL
Listen 8443

Remember to update your firewall rules accordingly.

Hide Apache Version in Redirects

# Set server name for redirects
ServerName localhost

11. Regular Security Auditing

Regularly auditing your Apache server helps identify and address security issues before they're exploited.

Using Apache Bench for Testing

ab -n 1000 -c 10 https://your-server.com/

Using Nikto for Vulnerability Scanning

sudo apt install nikto
nikto -h your-server.com

Using Apache Log Files

Review your logs regularly for suspicious activity:

sudo tail -f /var/log/apache2/access.log
sudo tail -f /var/log/apache2/error.log

Troubleshooting Section

Common Issues and Solutions

1. SSL Configuration Errors

Problem: Apache fails to start after SSL configuration changes.

Solution: Check the syntax of your configuration files:

sudo apachectl configtest

Look for specific SSL errors:

sudo apachectl -t -D DUMP_MODULES | grep ssl

Verify that your certificate paths are correct and files are readable by Apache.

2. ModSecurity Blocking Legitimate Traffic

Problem: After enabling ModSecurity, legitimate requests are being blocked.

Solution: Check ModSecurity logs:

sudo tail -f /var/log/apache2/modsec_audit.log

Create exceptions for false positives:

# In your ModSecurity configuration
SecRule REQUEST_URI "@beginsWith /legitimate-path" "id:1000,phase:1,pass,nolog,ctl:ruleEngine=Off"

3. Permissions Issues

Problem: "403 Forbidden" errors after applying security changes.

Solution: Check and adjust file permissions:

# Verify ownership
ls -la /var/www/html

# Fix permissions if necessary
sudo chown -R www-data:www-data /var/www/html
sudo chmod -R 750 /var/www/html

4. Rate Limiting Too Aggressive

Problem: Legitimate users being blocked by rate limiting.

Solution: Adjust your rate limiting settings:

# For mod_evasive, increase these values
DOSPageCount 5  # Was 2
DOSSiteCount 100  # Was 50

Best Practices & Optimization Tips

Security Enhancement

• Defense in Depth: Implement multiple layers of security controls
• Principle of Least Privilege: Grant only necessary permissions
• Configuration Hardening: Disable unnecessary modules and features
• Regular Updates: Keep Apache and all modules up to date
• Security Headers: Implement all recommended security headers

Performance Optimization

• HTTP/2 Support: Enable HTTP/2 for better performance:
  Copy

  sudo a2enmod http2
  # Add to VirtualHost: Protocols h2 http/1.1

• Enable Caching: Reduce server load with proper caching:
  Copy

  sudo a2enmod cache
  sudo a2enmod cache_disk

• Optimize MPM: Choose the right Multi-Processing Module for your needs
• Enable Compression: Reduce bandwidth usage:
  Copy

  sudo a2enmod deflate

Conclusion

Securing your Apache web server is an ongoing process that requires vigilance and regular maintenance. By implementing the security measures outlined in this guide, you can significantly reduce the risk of successful attacks against your web infrastructure.

Remember that security is about layers: no single measure can protect against all threats. Combining these techniques with good system administration practices creates a robust security posture for your Apache server.

Key takeaways include:

• Keep Apache and all components updated
• Minimize information disclosure
• Implement proper access controls and file permissions
• Use SSL/TLS to encrypt traffic
• Protect against common web attacks with ModSecurity
• Limit resources and implement rate limiting
• Regularly audit your server's security

By making security a priority and following these best practices, you can maintain a secure and reliable Apache web server environment.