4/11/2014 10 Tips to Secure Your Apache Web Server on UNIX / Linux

Home
Free eBook
Contact
About
Start Here

10 Tips to Secure Your Apache Web Server on

UNIX / Linux
by Ramesh Natarajan on March 22, 2011

20 Me gusta 70 Tweet 91

If you are a sysadmin, you should secure your Apache web server by following the 10 tips mentioned in this
article.

1. Disable unnecessary modules

If you are planning to install apache from source, you should disable the following modules. If you do
./configure help, youll see all available modules that you can disable/enable.

userdir Mapping of requests to user-specific directories. i.e ~username in URL will get translated to a
directory in the server
autoindex Displays directory listing when no index.html file is present
status Displays server stats
env Clearing/setting of ENV vars
setenvif Placing ENV vars on headers
cgi CGI scripts
actions Action triggering on requests
negotiation Content negotiation
alias Mapping of requests to different filesystem parts
include Server Side Includes
http://www.thegeekstuff.com/2011/03/apache-hardening/ 1/13
4/11/2014 10 Tips to Secure Your Apache Web Server on UNIX / Linux

filter Smart filtering of request

version Handling version information in config files using IfVersion
as-is as-is filetypes

Disable all of the above modules as shown below when you do ./configure

./configure \
--enable-ssl \
--enable-so \
--disable-userdir \
--disable-autoindex \
--disable-status \
--disable-env \
--disable-setenvif \
--disable-cgi \
--disable-actions \
--disable-negotiation \
--disable-alias \
--disable-include \
--disable-filter \
--disable-version \
--disable-asis

If you enable ssl, and disable mod_setenv, youll get the following error.

Error: Syntax error on line 223 of /usr/local/apache2/conf/extra/httpd-ssl.conf: Invalid command

BrowserMatch, perhaps misspelled or defined by a module not included in the server configuration
Solution: If you use ssl, dont disable setenvif. Or, comment out the BrowserMatch in your httpd-
ssl.conf, if you disable mod_setenvif.

After the installation, when you do httpd -l, youll see all installed modules.

# /usr/local/apache2/bin/httpd -l
Compiled in modules:
core.c
mod_authn_file.c
mod_authn_default.c
mod_authz_host.c
mod_authz_groupfile.c
mod_authz_user.c
mod_authz_default.c
mod_auth_basic.c
mod_log_config.c
mod_ssl.c
prefork.c
http_core.c
mod_mime.c
mod_dir.c
mod_so.c

In this example, we have the following apache modules installed.

http://www.thegeekstuff.com/2011/03/apache-hardening/ 2/13
4/11/2014 10 Tips to Secure Your Apache Web Server on UNIX / Linux

Use Google
AdWords
Llegue a potenciales
clientes. Cree su
anuncio en Google hoy.

core.c Apache core module

mod_auth* For various authentication modules
mod_log_config.c Log client request. provides additional log flexibilities.
mod_ssl.c For SSL
prefork.c For MPM (Multi-Processing Module) module
httpd_core.c Apache core module
mod_mime.c For setting document MIME types
mod_dir.c For trailing slash redirect on directory paths. if you specify url/test/, it goes to
url/test/index.html
mod_so.c For loading modules during start or restart

2. Run Apache as separate user and group

By default, apache might run as nobody or daemon. It is good to run apache in its own non-privileged account.
For example: apache.

Create apache group and user.

groupadd apache
useradd -d /usr/local/apache2/htdocs -g apache -s /bin/false apache

Modify the httpd.conf, and set User and Group appropriately.

# vi httpd.conf
User apache
Group apache

After this, if you restart apache, and do ps -ef, youll see that the apache is running as apache (Except the 1st
httpd process, which will always run as root).

# ps -ef | grep -i http | awk '{print $1}'

root
apache
apache
apache
apache
apache

3. Restrict access to root directory (Use Allow and Deny)

Secure the root directory by setting the following in the httpd.conf

http://www.thegeekstuff.com/2011/03/apache-hardening/ 3/13
4/11/2014 10 Tips to Secure Your Apache Web Server on UNIX / Linux

<Directory />
Options None
Order deny,allow
Deny from all
</Directory>

In the above:

Options None Set this to None, which will not enable any optional extra features.
Order deny,allow This is the order in which the Deny and Allow directivites should be processed.
This processes the deny first and allow next.
Deny from all This denies request from everybody to the root directory. There is no Allow directive for
the root directory. So, nobody can access it.

4. Set appropriate permissions for conf and bin directory

bin and conf directory should be viewed only by authorized users. It is good idea to create a group, and add all
users who are allowed to view/modify the apache configuration files to this group.

Let us call this group: apacheadmin

Create the group.

groupadd apacheadmin

Allow access to bin directory for this group.

chown -R root:apacheadmin /usr/local/apache2/bin
chmod -R 770 /usr/local/apache2/bin

Allow access to conf directory for this group.

chown -R root:apacheadmin /usr/local/apache2/conf
chmod -R 770 /usr/local/apache2/conf

Add appropriate members to this group. In this example, both ramesh and john are part of apacheadmin
# vi /etc/group
apacheadmin:x:1121:ramesh,john

5. Disable Directory Browsing

If you dont do this, users will be able to see all the files (and directories) under your root (or any sub-
directory).

For example, if they go to http://{your-ip}/images/ and if you dont have an index.html under images, theyll
see all the image files (and the sub-directories) listed in the browser (just like a ls -1 output). From here, they
can click on the individual image file to view it, or click on a sub-directory to see its content.

To disable directory browsing, you can either set the value of Options directive to None or -Indexes. A
in front of the option name will remove it from the current list of options enforced for that directory.

Indexes will display a list of available files and sub-directories inside a directory in the browser (only when no
index.html is present inside that folder). So, Indexes should not be allowed.

<Directory />
Options None

http://www.thegeekstuff.com/2011/03/apache-hardening/ 4/13
4/11/2014 10 Tips to Secure Your Apache Web Server on UNIX / Linux

Order allow,deny
Allow from all
</Directory>

(or)

<Directory />
Options -Indexes
Order allow,deny
Allow from all
</Directory>

6. Dont allow .htaccess

Using .htaccess file inside a specific sub-directory under the htdocs (or anywhere ouside), users can overwrite
the default apache directives. On certain situations, this is not good, and should be avoided. You should disable
this feature.

You should not allow users to use the .htaccess file and override apache directives. To do this, set
AllowOverride None in the root directory.

<Directory />
Options None
AllowOverride None
Order allow,deny
Allow from all
</Directory>

7. Disable other Options

Following are the available values for Options directive:

Options All All options are enabled (except MultiViews). If you dont specify Options directive, this is
the default value.
Options ExecCGI Execute CGI scripts (uses mod_cgi)
Options FollowSymLinks If you have symbolic links in this directory, it will be followed.
Options Includes Allow server side includes (uses mod_include)
Options IncludesNOEXEC Allow server side includes without the ability to execute a command or
cgi.
Options Indexes Disable directory listing
Options MultiViews - Allow content negotiated multiviews (uses mod_negotiation)
Options SymLinksIfOwnerMatch Similar to FollowSymLinks. But, this will follow only when the
owner is same between the link and the original directory to which it is linked.

Never specify Options All. Always specify one (or more) of the options mentioned above. You can combine
multiple options in one line as shown below.
Options Includes FollowSymLinks

The + and in front of an option value is helpful when you have nested direcotires, and would like to overwrite
an option from the parent Directory directive.

In this example, for /site directory, it has both Includes and Indexes:
<Directory /site>
Options Includes Indexes
AllowOverride None
Order allow,deny
http://www.thegeekstuff.com/2011/03/apache-hardening/ 5/13
4/11/2014 10 Tips to Secure Your Apache Web Server on UNIX / Linux

Allow from all

</Directory>

For /site/en directory, if you need Only Indexes from /site (And not the Includes), and if you want to
FollowSymLinks only to this directory, do the following.

<Directory /site/en>
Options -Includes +FollowSymLink
AllowOverride None
Order allow,deny
Allow from all
</Directory>

/site will have Includes and Indexes

/site/en will have Indexes and FollowSymLink

8. Remove unwanted DSO modules

If you have loaded any dynamic shared object modules to the apache, theyll be present inside the httpd.conf
under LoadModule directive.

Please note that the statically compiled apache modules will not be listed as LoadModule directive.

Comment out any unwanted LoadModules in the httpd.conf

grep LoadModule /usr/local/apache2/conf/httpd.conf

9. Restrict access to a specific network (or ip-address)

If you want your site to be viewed only by a specific ip-address or network, do the following:

To allow a specific network to access your site, give the network address in the Allow directive.
<Directory /site>
Options None
AllowOverride None
Order deny,allow
Deny from all
Allow from 10.10.0.0/24
</Directory>

To allow a specific ip-address to access your site, give the ip-address in the Allow directive.
<Directory /site>
Options None
AllowOverride None
Order deny,allow
Deny from all
Allow from 10.10.1.21
</Directory>

10. Dont display or send Apache version (Set ServerTokens)

By default, the server HTTP response header will contains apache and php version. Something similar to the
following. This is harmful, as we dont want an attacker to know about the specific version number.
Server: Apache/2.2.17 (Unix) PHP/5.3.5

http://www.thegeekstuff.com/2011/03/apache-hardening/ 6/13
4/11/2014 10 Tips to Secure Your Apache Web Server on UNIX / Linux

To avoid this, set the ServerTokens to Prod in httpd.conf. This will display Server: Apache without any
version information.
# vi httpd.conf
ServerTokens Prod

Following are possible ServerTokens values:

ServerTokens Prod displays Server: Apache

ServerTokens Major displays Server: Apache/2
ServerTokens Minor displays Server: Apache/2.2
ServerTokens Min displays Server: Apache/2.2.17
ServerTokens OS displays Server: Apache/2.2.17 (Unix)
ServerTokens Full displays Server: Apache/2.2.17 (Unix) PHP/5.3.5 (If you dont specify any
ServerTokens value, this is the default)

Apart from all the above 10 tips, make sure to secure your UNIX / Linux operating system. There is no point in
securing your apache, if your OS is not secure. Also, always keep your apache version upto date. The latest
version of the apache contains fixes for all the known security issues. Make sure to review your apache log files
frequently.

Additional reading on apache

How To Install Apache 2 with SSL on Linux (with mod_ssl, openssl)
9 Tips to Use Apachectl and Httpd like a Power User
XAMPP: Easy Apache, MySQL, PHP, Perl Install
How To Install Or Upgrade LAMP Stack Using Yum

20 Tweet 91 Me gusta 70> Add your comment

Linux provides several powerful administrative tools and utilities which will
help you to manage your systems effectively. If you dont know what these tools are and how to use them, you
could be spending lot of time trying to perform even the basic administrative tasks. The focus of this course is
to help you understand system administration tools, which will help you to become an effective Linux system
administrator.
Get the Linux Sysadmin Course Now!

If you enjoyed this article, you might also like..

1. 50 Linux Sysadmin Tutorials Awk Introduction 7 Awk Print Examples

2. 50 Most Frequently Used Linux Commands (With Advanced Sed Substitution Examples
Examples) 8 Essential Vim Editor Navigation
3. Top 25 Best Linux Performance Monitoring and Fundamentals
Debugging Tools 25 Most Frequently Used Linux IPTables
http://www.thegeekstuff.com/2011/03/apache-hardening/ 7/13
4/11/2014 10 Tips to Secure Your Apache Web Server on UNIX / Linux

4. Mommy, I found it! 15 Practical Linux Find Rules Examples

Command Examples Turbocharge PuTTY with 12 Powerful Add-
5. Linux 101 Hacks 2nd Edition eBook Ons

Tags: Apache Hardening, Apache Security

{ 13 comments read them below or add one }

1 feseha March 22, 2011 at 4:33 am

Great stuff as usual!

Keep up the good/geek stuff!
Feseha

2 Francisco Fiesta March 22, 2011 at 5:35 am

Im a newbie with Apache. I can just follow a how-to to get working an Apache php mysql in order
to run Joomla!
But, after this, considering all these security advices, will I need to run any of those non-secure modules
that I shouldnt load? Is that configuration suitable to run Joomla!?

Thanks for the article!

3 j March 22, 2011 at 5:48 am

nice post man. thx

4 chris adam March 22, 2011 at 3:04 pm

If you cannot allow .htaccess then most php based website cms (drupal wordpress), will not work.

Excellent article but not the .htaccess bit.

thanx

5 ajay March 23, 2011 at 6:36 am

World needs gud brains like u.. God bless u. nice stuff

6 Anonymous March 24, 2011 at 7:11 am

Thanks, Chris Adam for you answer, its useful for me.
http://www.thegeekstuff.com/2011/03/apache-hardening/ 8/13
4/11/2014 10 Tips to Secure Your Apache Web Server on UNIX / Linux

7 Mhabub Mamun March 26, 2011 at 5:40 am

Very good article . Thank You

8 hotpotatoe June 14, 2011 at 11:48 am

Very good article. very useful tips, thanks

9 dilip May 15, 2012 at 3:56 am

Woooooooooooooooooooooooowwwwwww.. really cooool link .

Got very good idea regarding httpd.conf directory..
Thanks a lot

10 Amudha June 27, 2012 at 3:22 am

very useful tips,

Thanks

11 Sacura November 13, 2012 at 8:19 am

I just set up a LAMP server with WordPress and I have AllowOverride None which disables .htaccess
file. Everything works.

12 Bala January 14, 2014 at 3:24 am

Wow! excellent Mate. I really enjoyed going through all of the stuff.
whether it is memory handling or GDB or the Apache admin stuff
awesome. keep up the good work. I really a[ppreciate your efforts.

13 Ali May 11, 2014 at 1:46 pm

Awesome list. A few more suggestions:

1. Disable Server signature on error pages. Set ServerSignature to Off
2. If enabling symbolic links, use SymLinksIfOwnerMatch instead of FollowSymLinks.
3. Turn off Track and Trace methods with TraceEnable Off.
4. Implement some HTTP security headers such as X-Frame-Options, X-XSS-Protection, X-Content-
Type-Options, and Content-Security-Policy.

Good book on this topic: Apache Security by Ivan Ristic

Leave a Comment

Name

E-mail

Website

http://www.thegeekstuff.com/2011/03/apache-hardening/ 9/13
4/11/2014 10 Tips to Secure Your Apache Web Server on UNIX / Linux

Notify me of followup comments via e-mail

Submit

Previous post: Linux IPTables: Incoming and Outgoing Rule Examples (SSH and HTTP)

Next post: Quick Info about the Upcoming eBook

RSS | Email | Twitter | Facebook | Google+

Search

COURSE
Linux Sysadmin CentOS 6 Course - Master the Tools, Configure it Right, and be Lazy

EBOOKS

Linux 101 Hacks 2nd Edition eBook - Practical Examples to Build a Strong Foundation in
Linux
Bash 101 Hacks eBook - Take Control of Your Bash Command Line and Shell Scripting
Sed and Awk 101 Hacks eBook - Enhance Your UNIX / Linux Life with Sed and Awk
Vim 101 Hacks eBook - Practical Examples for Becoming Fast and Productive in Vim Editor
Nagios Core 3 eBook - Monitor Everything, Be Proactive, and Sleep Well

http://www.thegeekstuff.com/2011/03/apache-hardening/ 10/13
4/11/2014 10 Tips to Secure Your Apache Web Server on UNIX / Linux

The Geek Stuff

Me gusta

A 8320 personas les gusta The Geek Stuff.

Plug-in social de Facebook

POPULAR POSTS
12 Amazing and Essential Linux Books To Enrich Your Brain and Library
50 UNIX / Linux Sysadmin Tutorials
50 Most Frequently Used UNIX / Linux Commands (With Examples)
How To Be Productive and Get Things Done Using GTD
30 Things To Do When you are Bored and have a Computer
Linux Directory Structure (File System Structure) Explained with Examples
Linux Crontab: 15 Awesome Cron Job Examples
Get a Grip on the Grep! 15 Practical Grep Command Examples
Unix LS Command: 15 Practical Examples
15 Examples To Master Linux Command Line History
Top 10 Open Source Bug Tracking System
Vi and Vim Macro Tutorial: How To Record and Play
Mommy, I found it! -- 15 Practical Linux Find Command Examples
15 Awesome Gmail Tips and Tricks
15 Awesome Google Search Tips and Tricks
RAID 0, RAID 1, RAID 5, RAID 10 Explained with Diagrams
Can You Top This? 15 Practical Linux Top Command Examples
Top 5 Best System Monitoring Tools
Top 5 Best Linux OS Distributions
How To Monitor Remote Linux Host using Nagios 3.0
Awk Introduction Tutorial 7 Awk Print Examples
How to Backup Linux? 15 rsync Command Examples
The Ultimate Wget Download Guide With 15 Awesome Examples
Top 5 Best Linux Text Editors
Packet Analyzer: 15 TCPDUMP Command Examples
The Ultimate Bash Array Tutorial with 15 Examples
3 Steps to Perform SSH Login Without Password Using ssh-keygen & ssh-copy-id
Unix Sed Tutorial: Advanced Sed Substitution Examples
UNIX / Linux: 10 Netstat Command Examples
The Ultimate Guide for Creating Strong Passwords
6 Steps to Secure Your Home Wireless Network
Turbocharge PuTTY with 12 Powerful Add-Ons

CATEGORIES

http://www.thegeekstuff.com/2011/03/apache-hardening/ 11/13
4/11/2014 10 Tips to Secure Your Apache Web Server on UNIX / Linux

Linux Tutorials
Vim Editor
Sed Scripting
Awk Scripting
Bash Shell Scripting
Nagios Monitoring
OpenSSH
IPTables Firewall
Apache Web Server
MySQL Database
Perl Programming
Google Tutorials
Ubuntu Tutorials
PostgreSQL DB
Hello World Examples
C Programming
C++ Programming
DELL Server Tutorials
Oracle Database
VMware Tutorials
Ramesh Natarajan

Seguir

About The Geek Stuff

My name is Ramesh Natarajan. I will be posting instruction guides, how-to,

troubleshooting tips and tricks on Linux, database, hardware, security and web. My focus is to write
articles that will either teach you or help you resolve a problem. Read more about Ramesh Natarajan and
the blog.

Support Us

Support this blog by purchasing one of my ebooks.

Bash 101 Hacks eBook

Sed and Awk 101 Hacks eBook

Vim 101 Hacks eBook

Nagios Core 3 eBook

http://www.thegeekstuff.com/2011/03/apache-hardening/ 12/13
4/11/2014 10 Tips to Secure Your Apache Web Server on UNIX / Linux

Contact Us

Email Me : Use this Contact Form to get in touch me with your comments, questions or suggestions
about this site. You can also simply drop me a line to say hello!.

Follow us on Google+

Follow us on Twitter

Become a fan on Facebook

Copyright 20082014 Ramesh Natarajan. All rights reserved | Terms of Service

http://www.thegeekstuff.com/2011/03/apache-hardening/ 13/13