The Apache web server is an extremely stable and secure piece of software. With Apache powering close to 70 percent of the web sites on the Internet today, it has been well tested. It has become clear over the last decade that no software is 100% secure. Fortunately, there are several simple steps you can take to make your Apache installation more secure.
The single biggest cause of security breaches is software that was out of date. As bugs and exploits are found in the Apache web server, patches are released to correct them. The single biggest step you can take to securing your Apache server is to install the patches or upgrade to the latest release of Apache.
Security By Obscurity
The default Apache installation options cause the server to add a signature that shows what version of Apache you are running, what operating system it is running on and even what modules you are using in your Apache configuration. Providing this information makes it easier to exploit your system since hackers will have a great deal of information about the types and versions of your software and can easily search for vulnerabilities. While security by obscurity is not enough by itself, it is a good way to improve the security of your server. To disable Apache’s signature and reduce the information included in the HTTP header, add the following options to your default httpd.conf file:
ServerSignature Off ServerTokens Prod
Run Under the Right User and Group
Often, the default installation of Apache has the web server to run under the user nobody and the group nobody. While this is definitely better than some older configurations that ran the server as root, it can still be problematic. This is because on some systems the nobody user and group are used by several systems. If one of these other systems is comprised, the attackers would also have access to your Apache server and files. Likewise, if Apache were comprised, the attackers could do added damage to other subsystems. Using a separate user and group for Apache is recommended. You can set these in httpd.conf using the following:
User apache Group apache
Control Directory and File Access
Apache has access controls that can be used to tighten your security. In particular, you want to block access to access to any files outside of your web root. This prevents users from downloading system files or reading configuration files for your web application if your server were to be mis-configured. Accomplishing this takes two steps. The first is to add the following to your default httpd.conf file:
<Directory /> Order Deny,Allow Deny from All Options None </Directory>
This configuration effectively block access to all files on your file system. The next step is to selectively enable access to the files in your web root directory. If you are running multiple virtual hosts, you will need to include this in each virtual host configuration. For this example, lets say that your web root is /home/user/web. To enable access to the files in the web root, add this to your configuration:
<Directory /home/user/web> Order Allow,Deny Allow from All </Directory>
Similarly, you may need to selectively block access to certain files. A common technique is to block access to .htaccess. However, there are also often other files for which you want to block access. You might want to block access to all files with a .inc extensions (PHP includes) since they may contain sensitive information (such as database details) or if you use the Subversion source control system, you may need to block the .svn files generated when doing a code checkout. To block a specific file such as .htaccess, add this to your httpd.conf:
<Files ~"^/.htacces"> Order Deny,Allow Deny from All </Files>
To hide all files that end in .svn, you can use the following:
<Files ~"/.svn$"> Order Deny,Allow Deny from All </Files>
Turn Off Unneeded Modules
Often, when it comes to security, less is more. This especially applies when it comes to Apache modules. You should disable any modules that you do not need and are not specifically using. There is always a risk that the default configuration for an unused module will allow something that you did not intend. The easiest solution is to disable the module. If you are using DSO modules, simply remove or comment out the LoadModule line in httpd.conf for any modules that you are not using. If your modules are compiled into your web server, you will need to recompile to remove them. To find out what modules are compiled into your Apache web server, use the following command:
Beware of .htaccess
We have already mentioned the importance of protecting your .htaccess file from being downloaded. However, .htaccess can also create other security problems. Depending on what options are enabled in Apache, .htaccess can override a number of Apache’s configuration settings. This can sometimes lead to well-meaning users setting things in .htaccess that lower the overall security of your Apache server. You can use the Options directive to disable overrides in .htaccess. You need to set this within a directory block. For example if your web root was /home/user/web, you would use the following in your Apache configuration:
<Directory /home/user/web> AllowOverride None </Directory>
There are, of course,times when overrides are needed. For example, in order to support various pretty permalinks, WordPress needs to use .htaccess. If you do allow overrides through .htaccess, make sure you protect it as described above.
Control Permissions on Configuration Files
Turning off overrides and protecting .htaccess won’t do a lot of good if your configuration files aren’t locked down. Even if you know that your users are all trustworthy, you never want to make it easy for an attacker who gains access to change your configuration to make your system less secure. When Apache starts up, it is typically started as root and then switches to its own user and group. As a result, you should make all of the Apache configuration files readable by root only. This prevents users from snooping in your configuration files.
Don’t Allow Writing in Executable Directories
If you have a directory that hosts executable code such as CGI programs, it should not be writable by anyone but root. The reason of this is that if an attacker manages to write a file into this directory, they could upload a malicious program and then get your Apache server to run the program simply by browsing to the file’s URL. Make all directories that host executable code writable by root only. If you have a CGI or other executable that needs to write to a file, place these files in a separate directory outside of Apache.
Symbolic links can expose files and directories on your file system that you did not intend to expose. Apache supports FollowSymLinks as a setting for Options. When this option is set, Apache will allow a user to follow a symbolic link to a file that is outside of the web root. You can stop this behavior by using:
within a Directory block. Or if you are enabling other options you can use:
Consider Using ModSecurity
ModSecurity is an open source Apache module that acts as a web application firewall. It can operate in an embedded mode where it runs within Apache just like any other module. It also supports a reverse proxy mode in which ModSecurity can hide the details of your network and configuration from the outside world. ModSecurity provides a number of security features for web applications including intrusion detection and traffic logging. It can be configured to block known malicious attacks (negative security mode) or to only allow certain valid requests (positive security mode). What is really unique about ModSecurity is that it allows you to create rules that do things such as blocking the downloading of credit card numbers of social security numbers. ModSecurity is a must have for any serious e-commerce company today. It is developed and supported by Breach Security, who offers commercial support and products based on ModSecurity. You can learn more about it at http://www.modsecurity.org.
We have looked at 10 methods for improving the security of your Apache web server. There are, of course, many other ways to harden your Apache web servers. Feel free to comment and share your favorite tips for improving the security of your Apache server.