Harden the Security of Apache on Debian based Systems

Apache is the software used to run a web server, but the default installation isn't that secure. Let's harden it!

Remove Apache Version

Open your web browser, go to a site hosted on your server, right click and inspect. Go to the Network tab (you may need to reload the page), then view the response headers of the page you are accessing. Somewhere in there you should see that you are running Apache, along with a version number and possibly even the operating system you are using.

It's just a number, right? Wrong! It gives attackers the precise Apache version you are running, so if they know of a vulnerability in that specific version they can take advantage of it, and who knows where that might lead. The same goes for the operating system name; they could use that against you too.

The only people who need to know this information are you and any other members of your team who do a similar job. Outside of that, no one needs to know it, so let's hide it.

Step 1: Open the Apache config file using your favourite text editor (e.g. Nano).

sudo nano /etc/apache2/apache2.conf

Step 2: Go down to the bottom of the file, add a comment so you know this is your modification, then add the following lines.

ServerTokens Prod
ServerSignature Off

ServerTokens: set this to Prod so that the Server header carries production information only, i.e. just the word Apache.
ServerSignature: set this to Off so that the version information is no longer appended to server-generated pages such as error pages.

Step 3: Save the file and restart Apache.

sudo systemctl restart apache2

Disable Directory Index Listing

By default, if you browse to a directory that is empty or has no index file, the contents of that directory will be listed. This could reveal sensitive parts of your site and be more of a vulnerability than a helping hand. Here is how you disable it.

Step 1: Open the Apache config file using your favourite text editor (e.g. Nano).

sudo nano /etc/apache2/apache2.conf

Step 2: Look for the Directory directives and find the one that matches the path for the www directory. It should look like the following.

<Directory /var/www/>
    # ...
</Directory>

Step 3: If an Options line exists that includes Indexes, ensure it reads -Indexes. The minus negates the option so that listing is disabled. Apache will complain if the other options on that line have no + or - in front of them, so either remove the other options or give each of them a + or - accordingly.

Step 4: Save the file and restart Apache.

sudo systemctl restart apache2

Step 5: Create an empty directory on your site and try to visit it; you should now get the default Apache 403 Forbidden error page. If you also followed the previous section, the Apache version should be hidden from this page too. You can delete the empty directory now, as it was only for testing.
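The two checks above (Server header in the response, and the version footer on the 403 page) can be automated against a captured response. This is an added example, not part of the original tutorial: both responses below are constructed, and for a live check you would feed it the output of curl -si against the test directory.

```sh
#!/bin/sh
# Added example (not part of the original tutorial): check a captured HTTP response
# for the two disclosures this tutorial removes: a Server header carrying version/OS
# details, and the ServerSignature footer that Apache adds to error pages.
# Both responses are constructed; for a live check use "curl -si http://your-site/empty-dir/".

BEFORE='HTTP/1.1 403 Forbidden
Server: Apache/2.4.41 (Ubuntu)
Content-Type: text/html

<html><body><h1>Forbidden</h1>
<address>Apache/2.4.41 (Ubuntu) Server at example.com Port 80</address>
</body></html>'

AFTER='HTTP/1.1 403 Forbidden
Server: Apache
Content-Type: text/html

<html><body><h1>Forbidden</h1>
</body></html>'

# server_header prints the Server header value (case-insensitive) from a raw response.
server_header() {
    printf '%s\n' "$1" | tr -d '\r' |
        awk 'NF == 0 { exit }    # blank line ends the header section
             tolower($1) == "server:" { $1 = ""; sub(/^ /, ""); print; exit }'
}

# count_leaks prints a report and returns the number of disclosures found (0 = clean).
count_leaks() {
    leaks=0
    hdr=$(server_header "$1")
    # "Apache/2.4.41" or "(Ubuntu)" in the header means ServerTokens is not Prod
    case "$hdr" in
        */[0-9]*|*\(*\)*) echo "LEAK Server header shows version/OS: $hdr"; leaks=$((leaks + 1)) ;;
        *)                echo "ok   Server header: ${hdr:-absent}" ;;
    esac
    # ServerSignature On appends an <address> footer naming server, host and port
    if printf '%s\n' "$1" | grep -qi '<address>.*Server at'; then
        echo "LEAK ServerSignature footer present in body"; leaks=$((leaks + 1))
    else
        echo "ok   no ServerSignature footer"
    fi
    return $leaks
}

count_leaks "$BEFORE" || true; echo "--"; count_leaks "$AFTER"
```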

ETag

The default ETag header can give remote attackers access to some sensitive information about your server, such as the inode number, multipart MIME boundary, and child process.

It is also a required fix for PCI compliance, but it is a good fix to implement regardless.

Step 1: Open the Apache config file using your favourite text editor (e.g. Nano).

sudo nano /etc/apache2/apache2.conf

Step 2: Scroll down to the bottom to where your custom directives are, and add the following line to the file.

FileETag None

Step 3: Save the file and restart Apache.

sudo systemctl restart apache2

Run Apache from a Non-Privileged Account

By default, Apache may run under a special user account, and an attacker could use this to cause problems for your site or even your system. It is highly recommended that you ensure it runs as a non-privileged user to help protect against this.

Step 1: Decide on the name of the user that Apache will run as. For this tutorial, I will use apache.

Step 2: Add a user and group called apache with the following commands.

sudo groupadd apache
sudo useradd -g apache apache

Remember to swap out apache for the user name you chose if you decided on a different one.

Step 3: Find your Apache installation directory.

sudo which apache2

Step 4: Change ownership of the Apache installation directory to that of the new user and group you just created.

sudo chown -R apache:apache /path/to/apache

Swap apache for your chosen user name, and /path/to/apache for the path returned by the previous command.

Step 5: Modify the Apache Environment Variables file to set the new user and group.

sudo nano /etc/apache2/envvars

export APACHE_RUN_USER=apache
export APACHE_RUN_GROUP=apache

Find the export lines shown above and change the values to the user name and group you created earlier.

Step 6: Save the file and restart Apache.

sudo systemctl restart apache2

Limit HTTP Request Methods

By default, Apache accepts many different request methods, most of which are not needed by the majority of sites, so it's best to limit them to the ones you will actually need.

Step 1: Open the Apache config file using your favourite text editor (e.g. Nano).

sudo nano /etc/apache2/apache2.conf

Step 2: Find the root Directory section, and inside it add the following.

<LimitExcept GET POST HEAD>
    # Apache 2.4 syntax; "Deny from All" is the older 2.2 form and needs mod_access_compat
    Require all denied
</LimitExcept>

Change GET POST HEAD to the request methods you need. In most cases, these three will be fine.

Step 3: Save the file and restart Apache.

sudo systemctl restart apache2
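Once all of the sections above are applied, it is worth auditing the configuration file rather than trusting memory. The following script is an added example, not part of the original tutorial: SAMPLE_CONF is constructed input resembling the Debian defaults, and audit_conf checks for every directive the tutorial sets (ServerTokens, ServerSignature, FileETag, -Indexes under /var/www, and a LimitExcept block).

```sh
#!/bin/sh
# Added example (not part of the original tutorial): audit an apache2.conf-style text
# for the directives this tutorial sets. SAMPLE_CONF is constructed input resembling
# the Debian defaults; run audit_conf "$(cat /etc/apache2/apache2.conf)" for a real file.

SAMPLE_CONF='ServerTokens OS
ServerSignature On
<Directory /var/www/>
    Options Indexes FollowSymLinks
    AllowOverride None
    Require all granted
</Directory>
FileETag None
'

# directive_value prints the last value given for a directive, skipping comment lines.
directive_value() { # $1 = config text, $2 = directive name (case-insensitive, as in Apache)
    printf '%s\n' "$1" | awk -v name="$2" '
        /^[ \t]*#/ { next }
        tolower($1) == tolower(name) { val = $2 }
        END { print val }'
}

# www_options prints the arguments of any Options line inside <Directory /var/www/>.
www_options() {
    printf '%s\n' "$1" | awk '
        /^[ \t]*<Directory \/var\/www\/?>/ { in_dir = 1; next }
        in_dir && /^[ \t]*<\/Directory>/     { in_dir = 0 }
        in_dir && tolower($1) == "options"   { $1 = ""; sub(/^ /, ""); print }'
}

# audit_conf prints one OK/FAIL line per check and returns the number of failures.
audit_conf() {
    conf="$1"; fails=0
    for spec in ServerTokens:prod ServerSignature:off FileETag:none; do
        name=${spec%%:*}; want=${spec#*:}
        got=$(directive_value "$conf" "$name" | tr '[:upper:]' '[:lower:]')
        if [ "$got" = "$want" ]; then echo "OK   $name $got"
        else echo "FAIL $name is '${got:-unset}', want $want"; fails=$((fails + 1)); fi
    done
    opts=$(www_options "$conf")
    case " $opts " in   # -Indexes must appear explicitly; Apache rejects mixing +/- with bare options
        *" -Indexes "*) echo "OK   /var/www Options: $opts" ;;
        *) echo "FAIL /var/www Options lacks -Indexes: ${opts:-unset}"; fails=$((fails + 1)) ;;
    esac
    if printf '%s\n' "$conf" | grep -qi '^[[:space:]]*<LimitExcept '; then echo "OK   LimitExcept present"
    else echo "FAIL no <LimitExcept> block limiting request methods"; fails=$((fails + 1)); fi
    return $fails
}

audit_conf "$SAMPLE_CONF" || echo "$? check(s) failed"
```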

Conclusion

That is about all I have for you for now. I hope it was useful to you. Please check back in the future to remind yourself of these steps and in case I happen to add more.