How to Harden Your Apache Web Server on an Ubuntu 18.04 Dedicated Server or VPS

Introduction

Apache is one of the most popular web servers, hence usually susceptible to hacking attacks. With default configuration which exposes sensitive information about the server, shortens the reconnaissance time for a hacker. Most of the attacks are done through PHP Injection attacks, Cross Site Scripting, Stealing Cookie Information, Denial of Service (DoS), Distributed DOS (DDoS), HTTP brute force attacks>, to mention but a few. In this article, we illustrate how to configure your Apache web server on Ubuntu 18.04 to be secure and have robust protection against the malicious attacks.

Pre-requisites

  • You must have basic knowledge of Apache>
  • You must have installed the latest Apache web server (at the time of publishing is 2.4.29) on Ubuntu 18.04 VPS
  • You must have installed WordPress Demo Website in /var/www/html
  • You must know how to use the inspector element in a web browser for testing
  • You must have made a copy of the following configuration files
/etc/apache2/apache2.conf
/etc/apache2/conf-enabled/security.conf

1.  Hide Apache Version and Operating System

By-default the apache version and OS are shown in the response headers as shown below. This is a major security loophole exposing such details to the world and be used by hackers.

From the figure, it shows the web server is running on Apache Version 2.4.29 and on Ubuntu OS. To hide those details, add the two lines in apache config file /etc/apache2/conf-enabled/security.conf

ServerSignature Off 
ServerTokens Prod

Then reload Apache:

$ sudo systemctl reload apache2

Refresh the browser and you’ll notice the version and OS details removed as shown below:

2. Disable Directory Listing and FollowSymLinks

By default, the directory listing for all files under web root directory is enabled if there is no index file as shown below. This allows hackers to view and analyze the files in your web server directory and maximize on the slightest available vulnerability to launch an attack.

In addition, by-default apache is configured to follow symbolic links which is not advisable.

To disable these, edit the config file /etc/apache2/apache2.conf by putting “-” before each tag directive in the line Options Indexes FollowSymLinks to become Options -Indexes -FollowSymLinks as shown below:

<Directory /var/www/>
    	Options -Indexes -FollowSymLinks
    	AllowOverride None
    	Require all granted
</Directory>

Then reload apache service

Refresh the browser and you’ll notice that the files can no longer be viewed and instead generates 403 forbidden error message as shown below:

3. Secure Apache using mod_security and mod_evasive Modules

Mod_security

Acts as a firewall for web servers and applications, providing protection against brute force attacks. Install it and then restart Apache.

$ sudo apt install libapache2-mod-security2 -y
$ sudo systemctl restart apache2

Mod_evasive

Detects and provides protection against DDOS and HTTP brute force attacks. It detects attacks whenever: so many requests are directed to a page several times per second; temporarily blacklisted IP still tries to make a new request; child process attempts making more than 50 concurrent requests. Install and restart Apache.

$ sudo apt install libapache2-mod-evasive -y
$ sudo systemctl restart apache2

4. Limit Request Size

By default, the HTTP request in Apache is unlimited hence web server is susceptible to DoS attacks by keeping it open for a high number of request. For example, there is a site that allows users to upload files, then it’s important to set a limit for upload size. This can be done by setting the LimitRequestBody for that particular upload directory as follows:

<Directory "/var/www/html/wp_content/uploads">
 
LimitRequestBody 10485760
 
</Directory>

The upload size has been limited to a max of 10 megabytes.  The maximum allowable limit is usually 2GB.

Then restart/reload apache service.

5. Disable TRACE HTTP Request

By default, Trace HTTP Request is enabled allowing for Cross Site Tracing. This enables a hacker to easily steal cookie information. Disabling Trace HTTP Request makes the mod_proxy and core server return “405 - Method Not Allowed” error message to clients. Trace request is disabled by adding the line TraceEnable off in the config file /etc/apache2/apache2.conf.

Save the file and reload the apache service.

sudo systemctl restart apache2

Conclusion

The enlisted 5 steps are the most basic security protection features to implement in your Apache web server. To add more security features, you can perform the following steps:

  • Disable Server Side Includes (SSI) and CGI Execution which usually allow for remote execution of arbitrary codes
  • Ensure Apache is updated with the latest version as it has patches which reduce attack vulnerability
  • Prevent Clickjack attacks which trick users into clicking malicious sites
  • Secure the Apache Web Server with SSL Certificates to encrypt all communication via the internet

Check out these top 3 Dedicated server hosting services:

Was this article helpful?