Security Hardening Overview
This guide implements advanced security measures to protect your Apache web server against common threats and vulnerabilities.
11 security steps | ~60 minutes | Advanced difficulty | Production ready
Before You Begin - Critical Security Notes
- Backup: Create full system and configuration backups before proceeding
- Testing: Test all configurations in a staging environment first
- SSL Certificates: Have valid SSL certificates ready for HTTPS configuration
- Access: Ensure you have alternative access methods (console, KVM) in case of lockout
- Documentation: Document all changes made for future reference
- Monitoring: Have monitoring tools ready to detect issues after hardening
Step 1: Hide Apache Version and OS Information (5 minutes)
Command
sudo nano /etc/apache2/conf-available/security.conf
Configuration
ServerTokens Prod
ServerSignature Off
Prevent Apache from revealing version and OS information in HTTP headers and error pages
Security Impact: Hiding server information makes it harder for attackers to identify specific vulnerabilities in your Apache version.
Step 2: Disable Unnecessary Modules (3 minutes)
Commands
sudo a2dismod status
sudo a2dismod info
sudo a2dismod autoindex
sudo a2dismod userdir
sudo a2dismod cgi
Disable Apache modules that are not needed to reduce attack surface
Security Impact: Each enabled module increases the potential attack surface. Only enable modules that are absolutely necessary.
Step 3: Configure Secure HTTP Headers (10 minutes)
Enable Module
sudo a2enmod headers
Create Configuration
sudo nano /etc/apache2/conf-available/security-headers.conf
Security Headers Configuration
# Stop browsers from MIME-sniffing a response away from its declared Content-Type
Header always set X-Content-Type-Options nosniff
# Refuse to be embedded in a frame by any site (clickjacking defence)
Header always set X-Frame-Options DENY
# Legacy filter header: current browsers ignore it, the CSP below is the real XSS control
Header always set X-XSS-Protection "1; mode=block"
# Two-year HSTS; keep "preload" only if the domain will be submitted to the browser preload list
Header always set Strict-Transport-Security "max-age=63072000; includeSubDomains; preload"
Header always set Referrer-Policy "strict-origin-when-cross-origin"
# Allows same-origin resources only and blocks inline scripts/styles; test against the site before enabling
Header always set Content-Security-Policy "default-src 'self'"
Enable Configuration
sudo a2enconf security-headers
Add security headers to protect against common web vulnerabilities
Security Impact: Security headers provide additional protection against XSS, clickjacking, MIME sniffing, and other attacks.
Step 4: Restrict Access to Root Directory (5 minutes)
Edit Configuration
sudo nano /etc/apache2/apache2.conf
Root Directory Configuration
<Directory />
Options None
AllowOverride None
Require all denied
</Directory>
Secure the root directory to prevent unauthorized access
Security Impact: This configuration ensures that the root directory is completely locked down by default.
Step 5: Configure Secure Document Root (5 minutes)
Edit Site Configuration
sudo nano /etc/apache2/sites-available/000-default.conf
Document Root Configuration
<Directory /var/www/html>
Options -Indexes -Includes -ExecCGI
AllowOverride None
Require all granted
</Directory>
Secure the document root directory with restrictive permissions
Security Impact: Removes dangerous options like directory listing, includes, and CGI execution from the web root.
Step 6: Implement Rate Limiting (8 minutes)
Install mod_evasive
sudo apt install libapache2-mod-evasive -y
Enable Module
sudo a2enmod evasive
Configure mod_evasive
sudo nano /etc/apache2/mods-available/evasive.conf
Rate Limiting Configuration
# Size of the per-child hash table that tracks client hits
DOSHashTableSize 2048
# Block a client that requests the same URI more than 2 times within 1 second
DOSPageCount 2
DOSPageInterval 1
# Block a client that makes more than 50 requests to the whole site within 1 second
DOSSiteCount 50
DOSSiteInterval 1
# Seconds a blocked client keeps receiving 403 responses
DOSBlockingPeriod 600
Install and configure mod_evasive to prevent DoS attacks
Security Impact: mod_evasive helps protect against DoS and DDoS attacks by limiting requests per page and site.
Step 7: Configure SSL/TLS Security (10 minutes)
Enable SSL Module
sudo a2enmod ssl
Configure SSL
sudo nano /etc/apache2/mods-available/ssl.conf
SSL/TLS Configuration
# Allow only TLS 1.2 and TLS 1.3 (SSLv2 is no longer built into modern OpenSSL; listing it is harmless)
SSLProtocol All -SSLv2 -SSLv3 -TLSv1 -TLSv1.1
# Forward-secret AEAD suites only; TLS 1.3 suites are negotiated separately from this list
SSLCipherSuite ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384
SSLHonorCipherOrder On
# Disable session tickets so that session resumption cannot weaken forward secrecy
SSLSessionTickets Off
# OCSP stapling: deliver the certificate's revocation status inside the handshake
SSLUseStapling On
SSLStaplingCache "shmcb:logs/stapling-cache(150000)"
Configure strong SSL/TLS encryption and disable weak protocols
Security Impact: This configuration ensures only secure TLS versions and strong ciphers are used.
Step 8: Limit Request Size and Timeouts (5 minutes)
Create Limits Configuration
sudo nano /etc/apache2/conf-available/limits.conf
Limits Configuration
# 10 MiB cap on request bodies (POST data, uploads); raise it if the site needs larger uploads
LimitRequestBody 10485760
# Caps on header count, header size and request-line size to stop oversized-header floods
LimitRequestFields 40
LimitRequestFieldSize 8190
LimitRequestLine 4094
# Seconds to wait for client I/O before dropping the connection
Timeout 60
# Seconds an idle keep-alive connection is held open
KeepAliveTimeout 5
Enable Configuration
sudo a2enconf limits
Set limits on request size and timeouts to prevent resource exhaustion
Security Impact: These limits help prevent resource exhaustion attacks and improve server performance.
Step 9: Configure Log Security (5 minutes)
Create Log Configuration
sudo nano /etc/apache2/conf-available/log-security.conf
Logging Configuration
# Same fields as the stock "combined" format, under a nickname this guide controls
LogFormat "%h %l %u %t \"%r\" %>s %O \"%{Referer}i\" \"%{User-Agent}i\"" combined_security
# Server-level logs. A virtual host that declares its own CustomLog (000-default.conf does) keeps using that one, so reference the nickname there as well
CustomLog ${APACHE_LOG_DIR}/access.log combined_security
ErrorLog ${APACHE_LOG_DIR}/error.log
# "warn" keeps the error log readable; raise to "info" temporarily when investigating
LogLevel warn
Enable Configuration
sudo a2enconf log-security
Configure secure logging with proper format and level
Security Impact: Proper logging is essential for security monitoring and incident response.
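As an added example that is not part of the original guide, the script below replays the mod_evasive thresholds from step 6 over an access log written in the step 9 combined_security format, so the DOSPageCount/DOSSiteCount values can be checked against real traffic before they lock anyone out. The function name, the threshold arguments and the sample log lines are constructed for this illustration, and the 1-second intervals from the step 6 configuration are assumed.

```shell
#!/bin/sh
# Offline dry run of the step 6 thresholds against a combined_security access
# log (the step 9 format). mod_evasive counts hits per client per URI and per
# client per site within DOSPageInterval/DOSSiteInterval (both 1 s above) and
# blocks the client once a count goes past DOSPageCount/DOSSiteCount. Running
# the same arithmetic over past logs shows which clients those values would
# have blocked, so they can be tuned before real users are affected.

# Usage: evasive_dry_run <DOSPageCount> <DOSSiteCount> < access.log
# Prints "PAGE ip uri second n" and "SITE ip second n" for every count that
# exceeds its threshold (unsorted). Assumes request URIs contain no spaces.
evasive_dry_run() {
    awk -v page_limit="$1" -v site_limit="$2" '
        {
            sec = substr($4, 2)            # %t is "[01/Jan/2024:12:00:01"; drop the "["
            site[$1 " " sec]++             # %h per second
            page[$1 " " $7 " " sec]++      # %h + request URI per second
        }
        END {
            for (k in page) if (page[k] > page_limit) print "PAGE", k, page[k]
            for (k in site) if (site[k] > site_limit) print "SITE", k, site[k]
        }'
}

# Constructed sample log in the combined_security format: one client hitting
# /login four times in one second, another loading a page plus two assets.
SAMPLE_LOG='203.0.113.10 - - [01/Jan/2024:12:00:01 +0000] "GET /login HTTP/1.1" 200 512 "-" "curl/8.5.0"
203.0.113.10 - - [01/Jan/2024:12:00:01 +0000] "GET /login HTTP/1.1" 200 512 "-" "curl/8.5.0"
203.0.113.10 - - [01/Jan/2024:12:00:01 +0000] "GET /login HTTP/1.1" 200 512 "-" "curl/8.5.0"
203.0.113.10 - - [01/Jan/2024:12:00:01 +0000] "GET /login HTTP/1.1" 200 512 "-" "curl/8.5.0"
198.51.100.7 - - [01/Jan/2024:12:00:01 +0000] "GET / HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
198.51.100.7 - - [01/Jan/2024:12:00:01 +0000] "GET /style.css HTTP/1.1" 200 900 "https://example.test/" "Mozilla/5.0"
198.51.100.7 - - [01/Jan/2024:12:00:01 +0000] "GET /app.js HTTP/1.1" 200 1300 "https://example.test/" "Mozilla/5.0"
203.0.113.10 - - [01/Jan/2024:12:00:02 +0000] "GET /login HTTP/1.1" 200 512 "-" "curl/8.5.0"'

# With the guide's values (2, 50) only the /login burst trips DOSPageCount.
printf '%s\n' "$SAMPLE_LOG" | evasive_dry_run 2 50
```

Lowering the second argument to 2 additionally reports both clients under SITE, which is the kind of false positive this dry run is meant to surface before the values go live.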
Step 10: Set Proper File Permissions (3 minutes)
Set File Permissions
# Configuration: owned by root, files 0644, directories 0755
sudo chown -R root:root /etc/apache2/
sudo find /etc/apache2/ -type f -exec chmod 644 {} +
sudo find /etc/apache2/ -type d -exec chmod 755 {} +
# Web content: owned by the web server user. This lets the httpd processes write to the document root; a purely static site can instead stay root-owned and world-readable.
sudo chown -R www-data:www-data /var/www/
sudo chmod -R 755 /var/www/
Set secure file and directory permissions for Apache configuration and web content
Security Impact: Proper file permissions prevent unauthorized access to configuration files and web content.
Step 11: Enable and Test Configuration (2 minutes)
Test and Apply Configuration
sudo a2enconf security
sudo apache2ctl configtest
sudo systemctl reload apache2
Enable security configurations and test Apache configuration
Security Impact: Always test configuration changes before applying them to ensure Apache starts correctly.
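As an added check that is not part of the original guide, the script below audits a captured HTTP response header block for the results of step 1 (ServerTokens Prod) and step 3 (security headers); once step 11 has reloaded Apache, feed it the output of curl -sI against the site. The function name and the two sample responses are constructed for this illustration.

```shell
#!/bin/sh
# Audits a captured HTTP response header block against steps 1 and 3.
# Real use after step 11:   curl -sI https://your-host/ | audit_headers
# A constructed response is embedded below so the script also runs offline.

# Headers that security-headers.conf (step 3) must set on every response.
REQUIRED_HEADERS="X-Content-Type-Options X-Frame-Options Strict-Transport-Security Referrer-Policy Content-Security-Policy"

# Reads headers on stdin; prints one finding per line; returns 0 only if
# every required header is present and the Server header leaks no version.
audit_headers() {
    hdrs=$(tr -d '\r' | tr 'A-Z' 'a-z')      # drop CR, compare case-insensitively
    rc=0
    for h in $REQUIRED_HEADERS; do
        lc=$(printf '%s' "$h" | tr 'A-Z' 'a-z')
        if ! printf '%s\n' "$hdrs" | grep -q "^$lc:"; then
            echo "MISSING: $h"; rc=1
        fi
    done
    # ServerTokens Prod (step 1) reduces the header to exactly "Server: Apache";
    # anything longer (version, OS, module list) is a fingerprinting leak.
    server=$(printf '%s\n' "$hdrs" | sed -n 's/^server:[[:space:]]*//p')
    case "$server" in
        apache|"") ;;
        *) echo "LEAK: Server: $server"; rc=1 ;;
    esac
    return $rc
}

# Constructed sample: a stock Debian/Ubuntu default vhost before hardening.
UNHARDENED="HTTP/1.1 200 OK
Server: Apache/2.4.58 (Ubuntu)
Content-Type: text/html"

# Constructed sample: the same vhost with steps 1 and 3 applied.
HARDENED="HTTP/1.1 200 OK
Server: Apache
X-Content-Type-Options: nosniff
X-Frame-Options: DENY
Strict-Transport-Security: max-age=63072000; includeSubDomains; preload
Referrer-Policy: strict-origin-when-cross-origin
Content-Security-Policy: default-src 'self'
Content-Type: text/html"

printf '%s\n' "$UNHARDENED" | audit_headers || echo "unhardened response: findings above"
printf '%s\n' "$HARDENED" | audit_headers && echo "hardened response: OK"
```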
Security Monitoring Tools
Essential tools for ongoing security monitoring and threat detection
fail2ban
Install Command
sudo apt install fail2ban -y
Config: /etc/fail2ban/jail.local
Automatically ban IPs that show malicious behavior
logwatch
Install Command
sudo apt install logwatch -y
Daily log analysis and reporting tool
rkhunter
Install Command
sudo apt install rkhunter -y
Rootkit detection and system security scanner
Ongoing Maintenance Tasks
Regular security maintenance to keep your hardened Apache server secure
Regular Updates
Weekly
Command
sudo apt update && sudo apt upgrade apache2 -y
Keep Apache and system packages updated
Log Review
Daily
Command
sudo tail -f /var/log/apache2/error.log
Monitor error logs for suspicious activity
SSL Certificate Check
Monthly
Command
sudo openssl x509 -in /path/to/cert.pem -noout -dates
Verify SSL certificate expiration dates
Security Scan
Weekly
Command
sudo rkhunter --check
Run security scans to detect vulnerabilities