The web server plays a central role in any web-based application, and because most installations are left at their default configuration, the server itself can disclose information that an attacker can use. Apache is one of the most popular and widely deployed web servers, and that popularity also makes it a frequent target.
A number of configuration changes make Apache considerably more resistant to attack, although none of them replaces patching or a secure application. The most common misconfigurations, and the hardening steps that address them, are:
Hide Server Version Banner
Apache's default configuration announces the exact server version (and often the operating system and loaded modules) in the Server response header and in the footer of generated error pages. That information tells an attacker which version-specific weaknesses to look for, so it should be reduced to the bare minimum.
Alter Server Banner
Changing the advertised server details (for example to the name of a different product) can misdirect automated scanners, but a determined attacker can still fingerprint Apache from its behaviour, so treat this as a minor obstacle rather than a control.
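The directives for both of the banner items above, as an added example that is not part of the original post. It assumes Apache 2.4; the ModSecurity part assumes ModSecurity 2.x is loaded, and the product name it advertises is an arbitrary illustration.

```apache
# Added example (not from the original post). Assumes Apache 2.4.
# Before hardening a default build answers roughly:
#   Server: Apache/2.4.58 (Ubuntu) OpenSSL/3.0.13
# "Prod" reduces that to "Server: Apache". Note that mod_headers cannot
# strip the Server header entirely, because the core adds it after the
# output filters run, so ServerTokens is the effective control.
ServerTokens Prod

# Stop appending the "Apache/2.4.58 (Ubuntu) Server at host Port 80" line
# to error pages and directory listings.
ServerSignature Off

# Altering rather than hiding the banner needs ModSecurity 2.x. Its
# SecServerSignature directive only works when ServerTokens is Full,
# so this block deliberately overrides the setting above. The product
# string is a hypothetical placeholder.
<IfModule security2_module>
    ServerTokens Full
    SecServerSignature "Microsoft-IIS/10.0"
</IfModule>

# Verify from a shell after restarting:
#   curl -sI http://localhost/ | grep -i '^Server:'
```

Pick one of the two approaches: hiding (ServerTokens Prod) needs no extra module and is what most guides mean by this item; spoofing only helps against tools that trust the banner.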
Disable Directory Listing
With Apache's default configuration, any directory that is served with the Indexes option and contains no index file (index.html, or whatever DirectoryIndex names) has its complete list of files and subdirectories displayed to the visitor, exposing backups, configuration files and other material that was never meant to be browsed.
Make use of mod_security
mod_security (ModSecurity) is a web application firewall (WAF) module: it inspects requests and responses against a rule set and can block, log or merely flag them, which also makes it useful for real-time monitoring and audit logging. It is available from the standard package repositories (libapache2-mod-security2 on Debian/Ubuntu, mod_security on RHEL-based systems) and is usually deployed together with the OWASP Core Rule Set rather than with hand-written rules alone.
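A minimal ModSecurity 2.x configuration that turns the engine on and adds one local rule, as an added example that is not from the original post. It assumes the security2 module is loaded (a2enmod security2 on Debian/Ubuntu) and that the log path is writable by the httpd user; rule id 10001 is an arbitrary local id in the range the Core Rule Set leaves free for site rules.

```apache
# Added example (not from the original post). Assumes ModSecurity 2.x.
<IfModule security2_module>
    # Start with DetectionOnly on a live site, read the audit log for a
    # few days, then switch to On once false positives are tuned out.
    SecRuleEngine On

    # Inspect POST bodies too, otherwise form and JSON payloads bypass every rule.
    SecRequestBodyAccess On
    SecRequestBodyLimit 13107200

    # Log only transactions that matched a rule (or returned an error status).
    SecAuditEngine RelevantOnly
    SecAuditLogRelevantStatus "^(?:5|4(?!04))"
    SecAuditLog /var/log/apache2/modsec_audit.log

    # Local rule: reject any request argument containing a <script tag.
    # Lowercasing first so case variations such as <ScRiPt> are caught.
    SecRule ARGS "@rx <script" \
        "id:10001,phase:2,t:lowercase,deny,status:403,log,\
        msg:'Inline script tag in request arguments'"
</IfModule>
```

This is the skeleton the OWASP Core Rule Set plugs into; the single rule is there to show the directive syntax, not as a substitute for the rule set.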
Make use of mod_evasive
mod_evasive counts requests per client IP address and temporarily answers 403 to any client that exceeds a per-page or per-site threshold, which blunts single-source denial-of-service and brute-force attempts. It cannot stop a genuinely distributed attack, since each individual source stays under the threshold. It can also hand the offending address to an external command (for example to insert a firewall rule on the host or a router), and it reports events via email and syslog.
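A working mod_evasive configuration with the thresholds explained, as an added example that is not from the original post. It assumes the Debian/Ubuntu package (libapache2-mod-evasive), whose module name is mod_evasive20.c; the email address, whitelist ranges and the firewall command are illustrative placeholders.

```apache
# Added example (not from the original post).
<IfModule mod_evasive20.c>
    # Size of the per-child hash table of tracked client addresses.
    DOSHashTableSize    3097

    # Block a client that requests the same URI more than 5 times
    # within a 1-second interval ...
    DOSPageCount        5
    DOSPageInterval     1

    # ... or more than 50 requests for any URIs on the site in 1 second.
    DOSSiteCount        50
    DOSSiteInterval     1

    # How long (seconds) the client keeps receiving 403 once blocked.
    # Each new request during the block resets the timer.
    DOSBlockingPeriod   60

    # Directory must exist and be writable by the httpd user; a lock file
    # per blocked IP is created there so that email is sent only once.
    DOSLogDir           /var/log/apache2/mod_evasive
    DOSEmailNotify      security@example.com

    # Never block the monitoring host or the internal load balancer range
    # (placeholders; adjust for the real environment).
    DOSWhitelist        127.0.0.1
    DOSWhitelist        10.0.0.*

    # Optional: push the address into the packet filter. %s is the IP.
    # Runs as the httpd user, so it needs a tightly scoped sudoers entry.
    DOSSystemCommand    "sudo /usr/sbin/iptables -I INPUT -s %s -j DROP"
</IfModule>
```

Set the counts against real traffic: a page that loads 30 assets from the same origin will trip DOSSiteCount 50 for a single legitimate visitor if the interval is too short.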
Hide ETag Header
The ETag header in older Apache releases (and in any configuration that still uses FileETag INode) is built from the file's inode number, modification time and size, so it discloses filesystem details and lets an attacker tell whether two hosts serve the same file. Apache 2.4 defaults to MTime Size, which no longer includes the inode, but vulnerability scanners used for PCI DSS compliance still commonly flag inode-based ETags, which is why hiding the header is often listed as a compliance item.
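The two ways to handle the ETag, as an added example that is not from the original post. It assumes mod_headers is enabled (a2enmod headers on Debian/Ubuntu).

```apache
# Added example (not from the original post).

# Option A: keep ETags but make sure they never include the inode number.
# This is the Apache 2.4 default; stating it explicitly protects against a
# distribution or vhost config that re-enables INode.
FileETag MTime Size

# Option B: drop the header completely. FileETag None stops Apache from
# generating one for static files; the Header line also strips any ETag
# coming from a proxied backend or an application. Conditional requests
# then fall back to Last-Modified / If-Modified-Since, so caching still works.
<IfModule headers_module>
    FileETag None
    Header unset ETag
</IfModule>

# Verify:
#   curl -sI http://localhost/index.html | grep -i '^ETag'
# prints nothing for option B, or a value with two hex fields (no inode)
# for option A.
```

Use one option or the other; listing both here just shows the difference.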
Disable CGI and SSI
Server Side Includes (SSI) are directives embedded in HTML pages that the server evaluates to insert dynamic content; with the exec element enabled they can run arbitrary commands, so a single injectable page becomes command execution. CGI scripts carry the same risk, since every script in a CGI-enabled directory runs with the web server's privileges. Unless the application needs them, disable both, so that an attacker who manages to upload or inject content cannot turn it into code execution on the server.
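Directory listing, CGI and SSI are all controlled by the Options directive, so this single added example (not from the original post) covers the "Disable Directory Listing" item as well as this one. It assumes Apache 2.4 with a document root of /var/www/html and a CGI directory of /usr/lib/cgi-bin; both paths are placeholders.

```apache
# Added example (not from the original post). Assumes Apache 2.4.
<Directory "/var/www/html">
    # "-" removes one option and keeps whatever else is set:
    #   -Indexes  : no auto-generated listing when no index file exists
    #   -ExecCGI  : files here are never executed as CGI
    #   -Includes : SSI directives in .shtml are not evaluated
    Options -Indexes -ExecCGI -Includes
    # Without this a stray .htaccess could put "Options +Indexes" back.
    AllowOverride None
    Require all granted
</Directory>

# If the application genuinely needs CGI, confine it to one aliased
# directory that is outside the document root and holds nothing else.
ScriptAlias "/cgi-bin/" "/usr/lib/cgi-bin/"
<Directory "/usr/lib/cgi-bin">
    Options +ExecCGI -Includes -Indexes
    AllowOverride None
    Require all granted
</Directory>

# If SSI itself is needed, IncludesNOEXEC allows includes but refuses
# the exec element, which is the dangerous part.
# <Directory "/var/www/html/ssi">
#     Options +IncludesNOEXEC
# </Directory>
```

When neither feature is used at all, also unload the modules (a2dismod cgi include on Debian/Ubuntu) so that no vhost can re-enable them.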
Setting the HTTP Limits
Apache's request limits (maximum request line, header size and count, body size, and the various timeouts) bound how much memory and how many connection slots a single client can tie up. They are a cheap defence against slow-request and resource-exhaustion attacks such as Slowloris and against oversized uploads, but they do not help against volumetric distributed attacks, which have to be absorbed upstream. The hard part is choosing values that match what legitimate clients actually send, so review the access logs before tightening them.
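A set of request limits with the reasoning for each value, as an added example that is not from the original post. It assumes Apache 2.4 with mod_reqtimeout available (it is loaded by default on most distributions); the numbers are conservative starting points, not recommendations for every site.

```apache
# Added example (not from the original post). Assumes Apache 2.4.

# Core limits. Apache rejects the request with 413/414/431 when exceeded.
# Request line ("GET /path?query HTTP/1.1"), bytes. Default 8190.
LimitRequestLine        4094
# Size of a single header line, bytes. Default 8190. Large cookies may need more.
LimitRequestFieldSize   4094
# Number of header lines per request. Default 100.
LimitRequestFields      50
# Request body cap in bytes (1 MiB here). Raise it only on the upload
# location that needs it, not globally.
LimitRequestBody        1048576

# Seconds to wait for I/O on an established connection. Default 60.
Timeout                 30
# Keep-alive connections are cheap slots for an attacker to hold.
KeepAlive               On
KeepAliveTimeout        5
MaxKeepAliveRequests    100

# Slowloris-style attacks send headers one byte at a time. mod_reqtimeout
# gives the client 20 s to deliver the headers, extends that by 1 s for
# every 500 bytes received, and caps it at 40 s; the body gets 20 s plus
# the same per-byte extension with no upper cap.
<IfModule reqtimeout_module>
    RequestReadTimeout header=20-40,MinRate=500 body=20,MinRate=500
</IfModule>

# Example of raising the body cap for one upload endpoint only (hypothetical path):
<Location "/upload">
    LimitRequestBody 52428800
</Location>
```

Check the access and error logs for 413/414/431 responses after deploying; a burst of them from ordinary clients means a limit is too tight for the application's real traffic.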
Enable XSS Protection Header
Cross-site scripting (XSS) remains one of the most common web application vulnerabilities. The X-XSS-Protection header switches on the reflected-XSS filter in older browsers (Internet Explorer and pre-2019 Chrome). Current Chromium-based browsers and Firefox ignore it, and the filter itself was found to introduce information leaks, so it should be regarded as a legacy setting that blocks only a narrow class of reflected attacks in old clients. A Content-Security-Policy header is what actually limits script injection in today's browsers.
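The header the post describes together with the policy that replaces it, as an added example that is not from the original post. It assumes mod_headers is enabled; the Content-Security-Policy shown is a strict starting point and will need adjusting for any site that loads scripts or frames from other origins.

```apache
# Added example (not from the original post). Assumes mod_headers.
<IfModule headers_module>
    # Legacy filter switch for old browsers. "always" makes Apache add the
    # header on error responses as well, not just on 2xx responses.
    # OWASP now advises "0" instead, because the filter has been abused
    # as a side channel; keep "1; mode=block" only if old IE clients matter.
    Header always set X-XSS-Protection "1; mode=block"

    # The control that actually prevents injected script from running:
    # scripts may come only from this origin, plugins are disabled, and
    # the page may not be framed. Inline <script> is blocked by default
    # because no 'unsafe-inline' is listed.
    Header always set Content-Security-Policy \
        "default-src 'self'; script-src 'self'; object-src 'none'; \
         base-uri 'self'; frame-ancestors 'none'"

    # Stops browsers from sniffing a text/plain upload into text/html.
    Header always set X-Content-Type-Options "nosniff"
</IfModule>

# Verify:
#   curl -sI http://localhost/ | grep -iE '^(X-XSS-Protection|Content-Security-Policy):'
```

Roll the CSP out as Content-Security-Policy-Report-Only first and watch the violation reports; a policy that breaks the site's own scripts gets removed by the next developer and the protection goes with it.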
A more detailed version of how to implement these Apache web server hardening techniques is published here.