Apache Web Server Hardening - Points To Check
Web server hardening is one of the most important steps you can take to make a website less vulnerable to attack. In brief, below are the points to consider.


  • Run the Apache httpd server as a dedicated Linux user rather than the default user apache.
  • Hide the server signature (Apache version disclosure) so that the Apache version is not shown to users on error pages. Each Apache version may have specific vulnerabilities, which an attacker can target once he knows the server version.

  • Hide the PHP version. Each PHP version may have specific vulnerabilities, which an attacker can target once he knows the PHP version.

  • Disable directory listing. This makes sure that the contents of the website folder on disk are not visible to users; a user should only be able to view the file he clicks on in the browser.

  • The Apache configuration file loads many modules, and not all of them are needed. Disable the modules that are not required.

  • Deny access to directories of the website that users are not authorized to access.

  • Apache follows symbolic links by default. This feature should be turned off.

  • Turn off server-side includes and CGI execution if the website does not need them.

  • By default, Apache places no limit on the HTTP request size. This can lead to denial of service attacks on the website, so the size should be limited.

  • Optional, but website owners may add an SSL certificate, i.e. allow access to the website over HTTPS only.

  • Install the mod_security and mod_evasive security modules. Both are free and open source and are very good tools for website security. OWASP (Open Web Application Security Project) provides a core rule set for mod_security, which should also be added to the mod_security installation. Brute force, SQL injection, Distributed Denial of Service (DDoS) and similar attacks are prevented to a great extent by these two modules.

  • By default, the Apache configuration supports the OPTIONS, GET, HEAD, POST, PUT, DELETE, TRACE and CONNECT methods of the HTTP 1.1 protocol. Methods such as PUT, DELETE, TRACE and CONNECT carry potential risk. It is advisable to disable these HTTP methods if they are not necessary.

  • The TRACE method is enabled by default in the Apache httpd server. If it is enabled, an attacker can exploit it with a Cross Site Tracing attack. It is advisable to disable TRACE requests on the Apache server.

  • If the HttpOnly and Secure flags are not set on the session cookie, it is possible to steal session cookies with Cross Site Scripting attacks. These flags must be set for session cookies.

  • Clickjacking is a well-known web application vulnerability. To defend against clickjacking on the Apache web server, use the X-Frame-Options header to prevent the website from being loaded in an iframe.

  • Cross Site Scripting protection (the X-XSS-Protection header) should be applied by the web application so that it is in effect even if it is disabled in the user's browser.

  • HTTP 1.0 has security weaknesses related to session hijacking and directory traversal. Disable HTTP 1.0 using the mod_rewrite module.

  • By default, the Apache Timeout value is 300 seconds; this can leave the server open to attacks such as Slowloris and other denial of service attacks. The value may be lowered to 60 seconds.

  • Use prepared statements (parameterized queries) with the MySQLi extension when building SQL statements for the website. This minimizes SQL injection attacks.
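Most of the points above map directly onto Apache directives. The POSIX sh script below is an added example, not code from the original post: it embeds a constructed hardened configuration fragment showing those directives (ServerTokens, ServerSignature, TraceEnable, Timeout, LimitRequestBody, Options, Header, RewriteCond/RewriteRule, LimitExcept, all real Apache directives) and a small audit function that reads any httpd configuration file and reports which of the listed controls are absent. Both sample configurations and the 1 MiB request-body limit are assumptions made for the example; the `Header` lines need mod_headers and the rewrite lines need mod_rewrite to be loaded.

```shell
#!/bin/sh
# Added example (not from the original post): audit an Apache httpd config
# for the hardening controls listed above. Both sample configs are constructed.

# Constructed sample 1: a fragment with the hardened settings in place.
HARDENED_CONF='ServerTokens Prod
ServerSignature Off
TraceEnable Off
Timeout 60
LimitRequestBody 1048576
<Directory "/var/www/html">
    Options -Indexes -FollowSymLinks -Includes -ExecCGI
    AllowOverride None
    Require all granted
    <LimitExcept GET POST HEAD>
        Require all denied
    </LimitExcept>
</Directory>
<Directory "/var/www/html/private">
    Require all denied
</Directory>
Header always set X-Frame-Options "SAMEORIGIN"
Header always set X-XSS-Protection "1; mode=block"
Header edit Set-Cookie ^(.*)$ "$1; HttpOnly; Secure"
RewriteEngine On
RewriteCond %{THE_REQUEST} HTTP/1\.0$
RewriteRule .* - [F]'

# Constructed sample 2: stock-style defaults the post warns about.
WEAK_CONF='ServerTokens Full
ServerSignature On
Timeout 300
<Directory "/var/www/html">
    Options Indexes FollowSymLinks
    AllowOverride None
    Require all granted
</Directory>'

# check_directive PATTERN DESCRIPTION: if the ERE PATTERN is not found in
# $CONF_FILE, report it on stderr and count it as a missing control.
check_directive() {
    if ! grep -Eq "$1" "$CONF_FILE"; then
        echo "MISSING: $2" >&2
        MISSING=$((MISSING + 1))
    fi
}

# audit_conf FILE: run every check and print the number of missing controls
# (0 means every listed control was found).
audit_conf() {
    CONF_FILE=$1
    MISSING=0
    D='^[[:space:]]*'   # directive must start the line (ignoring indentation)
    check_directive "${D}ServerTokens[[:space:]]+Prod"    'ServerTokens Prod (no version in Server header)'
    check_directive "${D}ServerSignature[[:space:]]+Off"  'ServerSignature Off (no version on error pages)'
    check_directive "${D}TraceEnable[[:space:]]+Off"      'TraceEnable Off (blocks TRACE / cross-site tracing)'
    check_directive "${D}Options[[:space:]].*-Indexes"    'Options -Indexes (no directory listing)'
    check_directive "${D}Options[[:space:]].*-FollowSymLinks" 'Options -FollowSymLinks'
    check_directive "${D}Options[[:space:]].*-Includes"   'Options -Includes (no server-side includes)'
    check_directive "${D}Options[[:space:]].*-ExecCGI"    'Options -ExecCGI (no CGI execution)'
    check_directive "${D}LimitRequestBody[[:space:]]+[0-9]+" 'LimitRequestBody (cap request size)'
    check_directive "${D}Header.*X-Frame-Options"         'X-Frame-Options header (clickjacking)'
    check_directive "${D}Header.*X-XSS-Protection"        'X-XSS-Protection header'
    check_directive "${D}Header.*Set-Cookie.*HttpOnly.*Secure" 'HttpOnly and Secure on Set-Cookie'
    check_directive "${D}RewriteCond[[:space:]]+%.THE_REQUEST." 'HTTP/1.0 rewrite block'
    check_directive "${D}<LimitExcept"                    'LimitExcept (restrict HTTP methods)'
    # Timeout must be set and must not exceed 60 seconds (Apache default: 300).
    t=$(awk 'tolower($1)=="timeout" {v=$2} END {print v}' "$CONF_FILE")
    if [ -z "$t" ] || [ "$t" -gt 60 ]; then
        echo "MISSING: Timeout <= 60 (found: ${t:-unset, default 300})" >&2
        MISSING=$((MISSING + 1))
    fi
    echo "$MISSING"
}

# audit_string CONFIG_TEXT: audit an in-memory config; prints the missing count.
audit_string() {
    tmp=$(mktemp)
    printf '%s\n' "$1" > "$tmp"
    audit_conf "$tmp"
    rm -f "$tmp"
}

# Stand-alone run: audit both constructed samples (0 and 14 expected).
echo "hardened sample, missing controls: $(audit_string "$HARDENED_CONF")"
echo "weak sample, missing controls:     $(audit_string "$WEAK_CONF")"
```

Run it against a real server with `audit_conf /etc/httpd/conf/httpd.conf` (or the Debian path `/etc/apache2/apache2.conf`) after sourcing the script. The checks are deliberately literal, so a control that is set in an included file or through a `.htaccess` will be reported as missing; the PHP-side points (hiding the PHP version, MySQLi prepared statements) are outside httpd.conf and are not covered here.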
Reviewed by Nikhil Bhalwankar on February 04, 2018