{"id":120,"date":"2024-05-09T23:14:01","date_gmt":"2024-05-09T16:14:01","guid":{"rendered":"http:\/\/nitirat.ddns.net\/wordpress\/?p=120"},"modified":"2024-06-19T23:29:03","modified_gmt":"2024-06-19T16:29:03","slug":"apache-web-server-security-and-hardening-tips","status":"publish","type":"post","link":"http:\/\/nitirat.ddns.net\/wordpress\/?p=120","title":{"rendered":"Apache Web Server Security and Hardening Tips"},"content":{"rendered":"\n

1. How to Hide Apache Version and OS Information<\/strong><\/p>\n\n\n\n

By default, the Apache web server displays its version in case you browse the wrong URL of a website. Below is an example of an error page indicating that the page cannot be found on the site. The last line indicates the Apache version, the host OS, the IP address, and the port it is listening on.<\/p>\n\n\n\n

\"\"<\/figure>\n\n\n\n
$ sudo nano \/etc\/apache2\/apache2.conf<\/code><\/pre>\n\n\n\n
Add the following lines at the end of the file.<\/p>\n\n\n\n
ServerTokens Prod\nServerSignature Off<\/code><\/pre>\n\n\n\n
Save the changes and restart the Apache web server.<\/p>\n\n\n\n
$ sudo systemctl restart apache2   [On Debian, Ubuntu and Mint]<\/code><\/pre>\n\n\n\n
Now reload the site and, this time around, the web server information will not be displayed.<\/p>\n\n\n\n
\"\"<\/figure>\n\n\n\n
2. Disable Directory Listing in Apache<\/h2>\n\n\n\n
By default, Apache<\/strong> allows directory listing, and visitors might see whatever files or directories you might have on your Document Root<\/strong> directory.<\/p>\n\n\n\n
To demonstrate this, we will create a directory called test<\/strong>.<\/p>\n\n\n\n
$ sudo mkdir -p \/var\/www\/html\/test<\/pre>\n\n\n\n
Next, we will navigate into the directory and create a few files.<\/p>\n\n\n\n
$ cd \/var\/www\/html\/test\n$ sudo touch app.py main.py<\/pre>\n\n\n\n
Now, if we access the URL, http:\/\/localhost\/test<\/code> we will be able to view the directory listing.<\/p>\n\n\n\n
\"Disable
Disable Apache Directory Listing<\/figcaption><\/figure>\n\n\n\n
To disable directory listing, head over to Apache\u2019s main configuration file and search for the \u2018Directory<\/strong>\u2018 attribute. Set the \u2018Options<\/strong>\u2018 parameter to '-Indexes'<\/code> as shown.<\/p>\n\n\n\n
<Directory \/opt\/apache\/htdocs>\nOptions -Indexes\n<\/Directory><\/pre>\n\n\n\n
Reload Apache<\/strong>, and this time around, when you visit the URL, the directories will no longer be displayed.<\/p>\n\n\n\n
\"Disable
Disable Directory Listing in Apache<\/figcaption><\/figure>\n\n\n\n
3. Regularly Update Apache<\/h2>\n\n\n\n
It\u2019s always recommended to keep all your applications up to date, as the latest applications come with bug fixes and security patches that address underlying vulnerabilities present in older software versions.<\/p>\n\n\n\n
As such, regularly upgrading your applications to their latest versions is recommended.<\/p>\n\n\n\n
$ sudo apt update && sudo apt upgrade [On Debian, Ubuntu and Mint<\/strong>]\n$ sudo dnf upgrade                    [On RHEL\/CentOS\/Fedora<\/strong> and Rocky\/AlmaLinux<\/strong>]<\/pre>\n\n\n\n
\"Update
Update System Packages<\/figcaption><\/figure>\n\n\n\n
4. Use HTTPS Encryption on Apache<\/h2>\n\n\n\n
Apache<\/strong>, by default, uses HTTP protocol which is a weak and insecure protocol that is prone to eavesdropping. To improve your site\u2019s security and, more so, improve your Google SEO rankings, consider encrypting your site using an SSL certificate.<\/p>\n\n\n\n
By so doing, it switches the default HTTP protocol to HTTPS<\/strong>, thereby making it harder for anyone to intercept and decipher communication being sent back and forth from the server.<\/p>\n\n\n\n
Check out how to secure the Apache web server using Let\u2019s Encrypt SSL<\/strong> on Linux.<\/p>\n\n\n\n