Install Apache and Harden It on CentOS 7

Hardening Apache

In this tutorial we will install Apache on CentOS 7 and then secure and harden the Apache web server.

yum install httpd
systemctl start httpd
httpd -v

Now test the Apache default page using the server IP; you should get something similar to the page below:

Apache default page

Hardening the Web Server

First, locate the Apache configuration files by running:

httpd -V | grep -i conf

The main configuration file is httpd.conf, and all files under the conf.d/ folder are also included and loaded.

#1 By default, in earlier versions, the web server shows its version and other information whenever you reach a not-found page. To disable this, add the following lines to the Apache configuration:

ServerSignature Off
ServerTokens Prod

#2 Disable the TRACE method by adding the directive below to the Apache configuration:

TraceEnable off

Then restart the Apache service and test whether TRACE was disabled by running:

curl -v -X TRACE http://SERVER-OR-IP

#3 Always have your document root files owned by the apache user, or a designated user, with restricted permissions, and never leave the files with root permissions.

#4 Disable directory listing; you don't want anyone to be able to list the file and folder structure like below:

Disable Directory Listing

To fix this, add the following configuration to the Apache conf file, replacing the path between the Directory tags with the path you are exposing to the web. If 'Indexes' is already there, just replace it with '-Indexes'.

<Directory "/usr/local/web/apache/htdocs">
# Add below line between the directory tags
Options -Indexes FollowSymLinks
</Directory>

#5 The Apache configuration file has a LoadModule section; remove the modules that are not used, which makes Apache lighter and reduces the exposed attack surface.

#6 You can always use Allow and Deny to restrict access to the main folders, as in the example below, which restricts access to the root folder '/':

<Directory />
Options FollowSymLinks
AllowOverride none
Deny from all
</Directory>

#7 If server-side CGI scripts are not used, it is good practice to disable them by adding the following between the <Directory> tags:

Options -ExecCGI

#8 Limit the request size; this helps against DDoS attacks and against individual sessions consuming all the bandwidth. Use the LimitRequestBody directive and set it to a specific amount (it is '0' by default, which means no limit). You can add it between the <Directory> tags of the web folder; the value can be from 0 to 2GB.

<Directory "/var/www/html/dotsway">
LimitRequestBody 265000
</Directory>

#9 Protecting your server from denial-of-service attacks and securing it 100% is impossible, but there are still directives that help keep it under control:

TimeOut
MaxClients
KeepAlive
LimitRequestFields

For information about the directives above, see the Apache documentation.

#10 Enable Apache logging. This is very important so that you can trace all web errors as well as the requests and their source IPs.

#11 Create an SSL certificate, either self-signed or issued by a third party.

#12 If you are using SSL, you can specify which protocol versions are allowed. The example below disables the old SSLv3 and SSLv2 and allows all the rest; you can also force specific versions by using + instead of -. This is very useful for disabling versions with known flaws or breaches.

SSLProtocol all -SSLv2 -SSLv3
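The following is an added example, not the tutorial's own code: a POSIX shell script that writes steps #1 to #12 into one drop-in file under conf.d/, which the stock httpd.conf already includes (see the note on conf.d/ above). It uses the Apache 2.4 Require syntax instead of Deny from all, because CentOS 7 ships httpd 2.4, where Allow/Deny are only accepted through mod_access_compat, and it uses MaxRequestWorkers, the 2.4 name of MaxClients. The conf.d path, the document root, the file name zz-hardening.conf and the step #9 limit values are assumptions; override them through the environment variables at the top.

```shell
#!/bin/sh
# Added example, not part of the tutorial: write steps #1-#12 into one drop-in
# file under conf.d/, which the stock httpd.conf already includes. Uses the
# Apache 2.4 access syntax (Require), since CentOS 7 ships httpd 2.4 and the
# tutorial's "Deny from all" only works there through mod_access_compat.
# CONF_DIR, DOC_ROOT and the numeric limits are assumptions; override via env.
set -eu

CONF_DIR="${CONF_DIR:-/etc/httpd/conf.d}"   # assumed location of conf.d
DOC_ROOT="${DOC_ROOT:-/var/www/html}"        # assumed document root
MAX_BODY="${MAX_BODY:-265000}"               # bytes, the value used in step #8

# write_hardening_conf DIR -> writes DIR/zz-hardening.conf and prints its path.
# The "zz-" prefix makes it load after the other conf.d files, so its settings
# take precedence where a directive may only be set once.
write_hardening_conf() {
    out="$1/zz-hardening.conf"
    cat > "$out" <<EOF
# Hardening drop-in (tutorial steps #1-#12)
ServerSignature Off
ServerTokens Prod
TraceEnable off

# Step #6: deny the filesystem root, then re-open only the document root
<Directory />
    Options FollowSymLinks
    AllowOverride None
    Require all denied
</Directory>

<Directory "$DOC_ROOT">
    # Steps #4, #7, #8: no listing, no CGI, capped request body
    Options -Indexes -ExecCGI +FollowSymLinks
    AllowOverride None
    LimitRequestBody $MAX_BODY
    Require all granted
</Directory>

# Step #9: connection limits (MaxClients was renamed MaxRequestWorkers in 2.4);
# the values are assumptions, tune them for the host.
Timeout 60
KeepAlive On
KeepAliveTimeout 5
MaxRequestWorkers 150
LimitRequestFields 50

# Step #12: only takes effect when mod_ssl is loaded
<IfModule mod_ssl.c>
    SSLProtocol all -SSLv2 -SSLv3
</IfModule>
EOF
    echo "$out"
}

# Write to CONF_DIR when it exists and is writable; otherwise do a dry run in
# a temp dir so the result can be previewed on a machine without httpd.
target="$CONF_DIR"
if [ ! -d "$target" ] || [ ! -w "$target" ]; then
    target="$(mktemp -d)"
fi
conf="$(write_hardening_conf "$target")"
echo "wrote $conf"

# Validate the merged configuration before reloading, and only on a real host.
if [ "$target" = "$CONF_DIR" ] && command -v httpd >/dev/null 2>&1; then
    if httpd -t; then
        systemctl reload httpd
    else
        echo "configuration test failed, not reloading" >&2
        exit 1
    fi
fi
```

Run it as root on the server; anywhere else it writes the file into a temp directory for review. Set DOC_ROOT to your own web folder first, for example DOC_ROOT=/var/www/html/dotsway before the script name, and remove the Require all granted block if you do not want that folder opened up again.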

#13 Deny access to all sensitive folders and files. To use this feature you need to install mod_rewrite and load it in the Apache configuration as below, if it is not already there:

LoadModule rewrite_module modules/mod_rewrite.so

The example below prohibits users from accessing any file or folder that has 'passwd' in its name, as seen in the query string, while excluding requests that contain 'Login' from that rule; all filtered requests are sent to the specified URL dotsway.com/not_found:

<IfModule mod_rewrite.c>
RewriteEngine On
# Query string contains 'passwd' (the original pattern .*passwd*. only matched 'passw' plus one character)
RewriteCond %{QUERY_STRING} passwd
# ...but does not contain 'Login' (case-sensitive, as in the original rule)
RewriteCond %{QUERY_STRING} !Login
# Redirect every such request to the not-found page
RewriteRule .* http://www.dotsway.com/not_found [R=301,NC,L]
</IfModule>
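As an added check (example code, not from the tutorial), the script below audits an existing configuration for the weak settings that steps #1 to #12 address: it concatenates httpd.conf with its conf.d/*.conf siblings the way httpd does, strips comments, and flags a leaking ServerTokens, TRACE left enabled, Indexes or ExecCGI still on, a missing LimitRequestBody, and an SSLProtocol line that still permits SSLv3. The two configurations it runs against are constructed samples. The patterns are grep -E approximations of how httpd reads directives: they do not understand <IfModule> or per-directory scoping, so treat a clean run as a first pass, not as proof.

```shell
#!/bin/sh
# Added example, not part of the tutorial: audit an httpd.conf (plus the
# conf.d/*.conf files it includes) for the weak settings steps #1-#12 fix.
# Apache directive names and Options keywords are case-insensitive, so every
# match uses grep -i on comment-stripped text.
set -eu

# Concatenate httpd.conf and its conf.d/*.conf siblings the way httpd loads
# them, then drop '#' comments so commented-out directives do not count.
effective_config() {
    cat "$1" "$(dirname "$1")/conf.d"/*.conf 2>/dev/null | sed 's/#.*//'
}

# audit_config FILE -> prints the number of findings on stdout and one
# "FINDING: ..." line per weak setting on stderr; always exits 0.
audit_config() {
    cfg="$(effective_config "$1")"
    findings=0
    has() { printf '%s\n' "$cfg" | grep -Eiq "$1"; }
    flag() { echo "FINDING: $1" >&2; findings=$((findings + 1)); }

    has '^[[:space:]]*ServerTokens[[:space:]]+Prod[[:space:]]*$' \
        || flag 'ServerTokens is not Prod: version banner leaks (step #1)'
    has '^[[:space:]]*ServerSignature[[:space:]]+Off[[:space:]]*$' \
        || flag 'ServerSignature Off not set (step #1)'
    has '^[[:space:]]*TraceEnable[[:space:]]+off[[:space:]]*$' \
        || flag 'TraceEnable off not set: TRACE method still answered (step #2)'
    # An Options line listing Indexes or ExecCGI without a leading '-'
    # enables directory listing / CGI execution for that directory.
    opt='^[[:space:]]*Options[[:space:]]+([^[:space:]]+[[:space:]]+)*[+]?'
    ! has "${opt}Indexes([[:space:]]|\$)" \
        || flag 'Options Indexes enabled: directory listing possible (step #4)'
    ! has "${opt}ExecCGI([[:space:]]|\$)" \
        || flag 'Options ExecCGI enabled (step #7)'
    # 0 (the default) means no limit on request bodies.
    has '^[[:space:]]*LimitRequestBody[[:space:]]+[1-9]' \
        || flag 'LimitRequestBody missing or 0: unbounded request bodies (step #8)'
    # Any SSLProtocol line that says "all" or "+SSLv3" without "-SSLv3".
    ! printf '%s\n' "$cfg" | grep -Ei '^[[:space:]]*SSLProtocol[[:space:]]' \
        | grep -Eiv -e '-SSLv3' | grep -Eiq '([[:space:]]all|[[:space:]+]SSLv3)' \
        || flag 'SSLProtocol still permits SSLv3 (step #12)'

    echo "$findings"
}

# Constructed sample: a stock-looking httpd.conf with several weak settings,
# plus a conf.d/ssl.conf that still allows SSLv3.
SAMPLE="$(mktemp -d)"
mkdir -p "$SAMPLE/conf.d"
cat > "$SAMPLE/httpd.conf" <<'EOF'
ServerRoot "/etc/httpd"
Listen 80
# ServerTokens Prod   (commented out, so it must not count)
ServerTokens OS
<Directory "/var/www/html">
    Options Indexes FollowSymLinks
    AllowOverride None
    Require all granted
</Directory>
IncludeOptional conf.d/*.conf
EOF
cat > "$SAMPLE/conf.d/ssl.conf" <<'EOF'
SSLProtocol all -SSLv2
EOF

# The same server after applying steps #1-#12 (also constructed).
HARDENED="$(mktemp -d)"
cat > "$HARDENED/httpd.conf" <<'EOF'
ServerTokens Prod
ServerSignature Off
TraceEnable off
<Directory "/var/www/html">
    Options -Indexes -ExecCGI +FollowSymLinks
    LimitRequestBody 265000
    Require all granted
</Directory>
SSLProtocol all -SSLv2 -SSLv3
EOF

echo "weak config findings:     $(audit_config "$SAMPLE/httpd.conf")"   # 6
echo "hardened config findings: $(audit_config "$HARDENED/httpd.conf")" # 0
```

Point audit_config at /etc/httpd/conf/httpd.conf on a real server to see the finding lines on stderr; the count on stdout makes it easy to fail a deployment check when it is not zero.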
