Apache is one of the most widely deployed web servers on both Windows and Linux. It is open source and powers around 40% of the world’s websites. It is versatile, fast and reliable, but that popularity also makes it a constant target for attacks such as PHP injection, denial of service (DoS and DDoS), cross-site scripting and HTTP brute-force attempts against login pages. Most of that risk can be cut substantially by hardening Apache’s configuration, and the best time to do so is while you are setting up the VPS, before the server goes live. Here are some settings that make the web server noticeably harder to attack.
Disable the server-info Directive
When mod_info is loaded and a “SetHandler server-info” block is configured in “httpd.conf”, anyone who can reach the “/server-info” page sees the server’s running configuration: the Apache version and build details, every loaded module, the directives in effect with their arguments (file system paths, hostnames, and any database connection parameters written into the configuration) and, when mod_ssl is present, the OpenSSL version. A version banner is exactly what an attacker needs to pick a matching exploit; servers advertising an OpenSSL release vulnerable to the Heartbleed bug (CVE-2014-0160) were targeted this way.
Rather than restricting the page, simply do not load the module: comment out the “mod_info” LoadModule line in the “httpd.conf” configuration file so that it reads:
#LoadModule info_module modules/mod_info.so
On distributions that manage modules through separate files, such as Debian and Ubuntu, the equivalent is “a2dismod info” followed by a reload. If you need the page for debugging, keep the module but wrap the handler in a Location block that allows only localhost.
Disable the server-status Directive
When the directive is enabled (mod_status, usually exposed at “/server-status”), it displays live information about the server: load, uptime, worker state, the IP address of every connected client and the URL each one is currently requesting. An attacker can use it to map internal hostnames and paths, watch other users’ requests and pick a good moment for a denial-of-service attempt.
Unless you actively use this page for monitoring, comment out the whole block that enables it in the “httpd.conf” configuration file, so that it reads:
#<Location /server-status>
#    SetHandler server-status
#    Order deny,allow
#    Deny from all
#    Allow from .your_domain.com
#</Location>
Note that “Order”, “Deny” and “Allow” are the Apache 2.2 access-control syntax; on Apache 2.4 they only work with mod_access_compat loaded, and the native equivalent is a “Require” directive. If you do keep the page, restrict it to localhost or specific IP addresses rather than a domain suffix, which needs a reverse DNS lookup on every request.
Disable the ServerSignature Directive
This directive appends a footer line to every server-generated page (error pages, directory listings and the status pages above) naming the Apache version and, depending on “ServerTokens”, the operating system and loaded modules. There is no reason to advertise this to every visitor who triggers a 404. Turn it off in the “httpd.conf” configuration file by setting “ServerSignature Off”.
Set the ServerTokens Directive to Prod
This directive controls how much the “Server” response header reveals. The default, “Full”, sends the Apache version, the operating system and the versions of compiled-in modules such as OpenSSL and PHP; the intermediate values (“Major”, “Minor”, “Min”, “OS”) trim that progressively, and “Prod” reduces it to the bare word “Apache”. Set it to “Prod” in the “httpd.conf” configuration file with the line “ServerTokens Prod”. Note that it is valid only at the main server level, not inside a virtual host, and that it also governs what “ServerSignature” prints.
Disable directory listing
When directory listing is on (mod_autoindex with “Options Indexes”), a request for any directory that has no index file returns a listing of everything in it. Attackers use this to enumerate files that were never meant to be served: backup copies of scripts and database dumps, configuration files, upload folders, version-control directories and so on. Source files exposed this way can reveal security flaws and secrets such as passwords and database connection strings.
To disable directory listing, remove the “Indexes” option from the “Options” directive in the “httpd.conf” configuration file (“Options -Indexes”), either globally or in the Directory block for the document root.
Enable only the required modules
A default Apache installation ships with many modules compiled in or enabled that a given site does not need. First-time users sometimes enable every module in “httpd.conf” in the belief that it improves performance or makes everything “just work”. It does neither: every loaded module adds attack surface, and a vulnerability in any of them, present or future, becomes a vulnerability of the Apache and VPS server as a whole.
Research each module before enabling it and load only those your site actually requires. Every Apache module is listed and explained in the Apache module documentation. To disable an unwanted module, comment out its “LoadModule” line (or use “a2dismod” on Debian-based systems) and check that the site still works after a reload.
Restrict unwanted services
If features such as symbolic-link following, server-side includes or CGI execution are not needed, disable them: CGI and SSI can lead to remote code execution, and symlink following can let a file under the document root point at arbitrary files on the VPS. Do this with the “Options” directive in the “httpd.conf” configuration file:
Options -ExecCGI -FollowSymLinks -Includes
Two caveats: disabling “FollowSymLinks” makes Apache check every path component on each request and breaks mod_rewrite rules in “.htaccess” files, so “SymLinksIfOwnerMatch” is often the better compromise; and if “AllowOverride” permits “Options”, a “.htaccess” file can turn these features back on, so set “AllowOverride None” where you can.
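The directives from the sections above, collected into one hardened “httpd.conf” fragment in Apache 2.4 syntax, with the weak setting shown beside each corrected one. This is an added example, not configuration from the original article; the document root, the module paths and the monitoring host address are assumptions.

```apache
# Hardened httpd.conf fragment (Apache 2.4 syntax). Added example; the
# document root, module paths and the monitoring host are assumptions.
# Apache does not allow comments after a directive on the same line,
# so every comment here sits on its own line.

# --- Information leakage ---------------------------------------------
# Weak: loading mod_info publishes the full running configuration at
# /server-info. Do not load it at all.
#LoadModule info_module modules/mod_info.so

# Weak: <Location "/server-status"> ... Require all granted </Location>
# exposes load, uptime and every client's current request to the world.
# Hardened: keep the page only for localhost and one monitoring host.
# (The 2.2-style "Order deny,allow / Deny from all" lines need
# mod_access_compat on 2.4; "Require" is the native form. Several
# Require lines in one block are OR'd together.)
<IfModule status_module>
    <Location "/server-status">
        SetHandler server-status
        Require local
        # assumed monitoring host (RFC 5737 documentation address)
        Require ip 203.0.113.10
    </Location>
</IfModule>

# Weak: ServerTokens Full / ServerSignature On (the defaults) advertise
# "Apache/2.4.x (Unix) OpenSSL/x.y.z ..." in every response and footer.
# Hardened: the header becomes just "Apache" and the footer disappears.
# ServerTokens is valid only here, at server-config level.
ServerTokens Prod
ServerSignature Off

# --- Features a typical site does not need ---------------------------
# Directory listings come from mod_autoindex; not loading it removes the
# feature even if "Options Indexes" slips back in somewhere.
#LoadModule autoindex_module modules/mod_autoindex.so

<Directory "/var/www/html">
    # Weak (common default): Options Indexes FollowSymLinks
    # Hardened: no listings, no CGI, no server-side includes, and symlinks
    # only when link and target share an owner. FollowSymLinks must be
    # removed explicitly, since it wins over SymLinksIfOwnerMatch when both
    # are set; mod_rewrite in .htaccess still works with the latter.
    Options -Indexes -ExecCGI -Includes -FollowSymLinks +SymLinksIfOwnerMatch
    # With AllowOverride None a .htaccess file cannot re-enable any of the
    # above (nor anything else).
    AllowOverride None
    Require all granted
</Directory>
```

Validate the file with “apachectl configtest” before reloading. Afterwards, “curl -sI http://127.0.0.1/ | grep -i '^Server:'” should print only “Server: Apache”, “/server-info” should return 404, and “/server-status” should return 403 from any address other than localhost and the monitoring host.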
Use the ModSecurity WAF
ModSecurity is an open-source web application firewall engine that runs as an Apache module and inspects every request (and, if enabled, every response) against a rule set before the application sees it. It gives you real-time traffic monitoring and audit logging, can reject malformed requests such as those carrying null bytes, and can rewrite the server banner. The engine itself ships with few rules; pair it with the OWASP Core Rule Set to get coverage for SQL injection, cross-site scripting and the other common web attacks. It is easiest to install it at the same time as Apache, and to start in detection-only mode while you tune out false positives. Be realistic about denial of service: ModSecurity can rate-limit abusive clients, but it cannot absorb a volumetric DDoS that saturates the VPS’s network link.
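A minimal ModSecurity 2.x configuration for Apache 2.4 that turns the engine on, rejects requests containing a null byte and loads the OWASP Core Rule Set. This is an added example, not configuration from the original article; the CRS install path under /etc/modsecurity/crs, the audit log location and the rule id 100001 are assumptions.

```apache
# ModSecurity 2.x for Apache 2.4. Added example; the CRS install path,
# the audit log name and the rule id are assumptions.
# ModSecurity 2.x refuses to start unless mod_unique_id is loaded.
LoadModule unique_id_module modules/mod_unique_id.so
LoadModule security2_module modules/mod_security2.so

<IfModule security2_module>
    # Use DetectionOnly first, review the audit log, then switch to On.
    SecRuleEngine On
    # Inspect POST bodies too; otherwise ARGS only covers the query string.
    SecRequestBodyAccess On
    SecRequestBodyLimit 13107200
    # Write a full audit record only for requests a rule acted on
    # (5xx and 4xx responses other than 404).
    SecAuditEngine RelevantOnly
    SecAuditLogRelevantStatus "^(?:5|4(?!04))"
    SecAuditLog logs/modsec_audit.log

    # Reject any request whose URI, parameter names or values contain a
    # null byte (0x00), the classic way to truncate paths and filenames.
    # Bytes 1-255 are allowed, so 0x00 fails the check; urlDecodeUni makes
    # an encoded %00 count as well.
    SecRule REQUEST_URI|ARGS|ARGS_NAMES "@validateByteRange 1-255" \
        "id:100001,phase:2,t:none,t:urlDecodeUni,deny,status:400,log,msg:'Null byte in request'"

    # OWASP Core Rule Set: generic SQLi, XSS, LFI/RFI and scanner detection.
    # crs-setup.conf must be included before the rules.
    IncludeOptional /etc/modsecurity/crs/crs-setup.conf
    IncludeOptional /etc/modsecurity/crs/rules/*.conf

    # Optional banner rewrite. It only takes effect with "ServerTokens Full",
    # because ModSecurity overwrites the original string in place; with
    # "ServerTokens Prod" the header is already just "Apache", so leave this
    # out unless you deliberately want a misleading banner.
    #SecServerSignature "Apache"
</IfModule>
```

Start with “SecRuleEngine DetectionOnly”, run real traffic through it for a few days, and only then change it to “On”; the audit log shows exactly which rule would have blocked which request.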
Enable Logging
Logging is invaluable for working out what caused an incident or an error, since it records every request made to your server. It is handled by the “mod_log_config” module, which is compiled into Apache by default; if your build loads it dynamically, make sure its “LoadModule” line is present in the “httpd.conf” configuration file. Its three core directives are:
● TransferLog. This sets the log file (or a piped program) and uses the most recently defined LogFormat that has no nickname.
● LogFormat. This defines a logging format, optionally giving it a nickname for reuse.
● CustomLog. This sets a log file together with the format it uses, either inline or by nickname, and optionally a condition so that only some requests are logged.
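A worked logging configuration using the three directives above, as an added example that is not part of the original article; the log file names, the X-Forwarded-For header (only meaningful behind a reverse proxy) and the “probe” environment variable are assumptions.

```apache
# Access logging with mod_log_config. Added example; the log file names,
# the "probe" variable and the reverse-proxy header are assumptions.
LoadModule log_config_module modules/mod_log_config.so
# SetEnvIf, used below for conditional logging, comes from mod_setenvif.
LoadModule setenvif_module modules/mod_setenvif.so

<IfModule log_config_module>
    # Standard "combined" format: client, identd, user, time, request line,
    # final status, bytes sent, Referer, User-Agent.
    LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined

    # Incident-friendly variant: prepend the virtual host (%v) so one file
    # can serve several sites, record the original client from
    # X-Forwarded-For when a proxy fronts the VPS, and add the request time
    # in microseconds (%D) to spot slow-request DoS attempts.
    LogFormat "%v %h \"%{X-Forwarded-For}i\" %l %u %t \"%r\" %>s %b %D \"%{Referer}i\" \"%{User-Agent}i\"" vhost_fwd

    # CustomLog names the format explicitly; TransferLog would silently use
    # whichever nickname-less LogFormat was defined last.
    CustomLog "logs/access_log" vhost_fwd

    # Requests for the status and info pages disabled earlier are
    # reconnaissance. Tag them and write them to a separate file so an
    # alert can be raised without parsing the main log.
    SetEnvIf Request_URI "^/server-(status|info)" probe
    CustomLog "logs/probe_log" vhost_fwd env=probe
</IfModule>

# Error log and verbosity; "warn" is the default and is enough in production.
ErrorLog "logs/error_log"
LogLevel warn
```

Relative paths are resolved against “ServerRoot”. Rotate the files (logrotate or Apache’s rotatelogs as a piped program) so a flood of requests cannot fill the VPS disk.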
Following these tips is strongly advised, since a hardened Apache also protects the VPS it runs on. You can go further after installation by tuning the rest of the configuration, and you should keep Apache, its modules and the operating system regularly updated, as patches close the known vulnerabilities of earlier versions.