Hardening Apache on CentOS

Hide Apache Version and Operating System

By default, Apache reports its version and the operating system in the response headers (the Server header and the signature on error pages). This is a security weakness: it lets anyone who connects fingerprint the server and look up the issues known for that exact version and platform.

To hide those details, add the following two lines to the Apache config file /etc/apache2/conf-enabled/security.conf (that path is the Debian/Ubuntu layout; on CentOS the equivalent file is /etc/httpd/conf/httpd.conf):

# Removes the version info from server-generated pages (error pages, listings)
ServerSignature Off
# Changes the Server header to "Apache" only, removing version and OS detail
ServerTokens Prod

Then reload Apache:

sudo systemctl reload apache2

Refresh the browser and you’ll notice the version and OS details are no longer shown.

Disable Directory Listing and FollowSymLinks

By default, directory listing is enabled for every directory under the web root that has no index file, as shown below. This lets an attacker view and analyze the files in your web server directory and exploit the slightest available weakness to launch an attack.
In addition, Apache is configured by default to follow symbolic links, which is not advisable.
To disable both, edit the config file and put a "-" before each option in the line Options Indexes FollowSymLinks, so that it becomes Options -Indexes -FollowSymLinks, as shown below:

# Further relax access to the default document root:
<Directory "/var/www/html">
  #
  # Possible values for the Options directive are "None", "All",
  # or any combination of:
  #   Indexes Includes FollowSymLinks SymLinksifOwnerMatch ExecCGI MultiViews
  #
  # Note that "MultiViews" must be named *explicitly* --- "Options All"
  # doesn't give it to you.
  #
  # The Options directive is both complicated and important.  Please see
  # http://httpd.apache.org/docs/2.4/mod/core.html#options
  # for more information.
  #
  Options -Indexes -FollowSymLinks
  #
  # AllowOverride controls what directives may be placed in .htaccess files.
  # It can be "All", "None", or any combination of the keywords:
  #   Options FileInfo AuthConfig Limit
  #
  AllowOverride None
  #
  # Controls who can get stuff from this server.
  #
  Require all granted
</Directory>

Then reload the Apache service.

Refresh the browser and you’ll notice that the directory contents can no longer be listed; Apache returns a 403 Forbidden error instead.

Secure Apache using mod_security and mod_evasive modules

mod_security: acts as a firewall for web servers and applications, providing protection against brute force attacks. It only needs to be installed, followed by a restart of the Apache service, and it starts working. Note that the module enforces the rules it loads, so check that a rule set is installed and enabled along with the module.

sudo yum install mod_security -y
sudo systemctl restart httpd

mod_evasive: detects and provides protection against DDoS and HTTP brute force attacks. It flags an attack whenever the same page is requested many times per second, whenever a temporarily blacklisted IP still tries to make new requests, or whenever a client attempts more than 50 concurrent requests on the same child process. Like mod_security, it only needs to be installed, followed by a restart of the Apache service, and it starts working.

sudo yum install mod_evasive -y
sudo systemctl restart httpd

Limit Request Size

By default, Apache places no limit on the size of an HTTP request body, so the web server is susceptible to DoS attacks that keep it busy with a large number of oversized requests. For example, if a site allows users to upload files, it is important to set a limit on the upload size. This can be done by setting LimitRequestBody for that particular upload directory as follows:

<Directory "/var/www/html/wp_content/uploads">
LimitRequestBody 10485760
</Directory>

The upload size has now been limited to a maximum of 10 MB (10485760 bytes). The maximum allowable limit is usually 2 GB.
Then restart or reload the Apache service.

Disable TRACE HTTP Request

By default, the HTTP TRACE method is enabled, which allows Cross Site Tracing (XST). This makes it easy for an attacker to steal cookie information. Disabling TRACE makes the core server and mod_proxy return a "405 Method Not Allowed" error to clients. TRACE is disabled by adding the line below to the config file.

TraceEnable off

Save the file and reload apache service.
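As an added example that is not part of the original guide, the script below audits an httpd.conf-style file for the settings this guide applies (ServerTokens, ServerSignature, TraceEnable, Options without Indexes/FollowSymLinks, LimitRequestBody). It also flags directive lines that carry a trailing "# comment", because httpd only accepts comments on their own lines and refuses to start otherwise. The two sample config files and their paths are constructed for the demonstration; the function names are the example's own.

```shell
#!/bin/sh
# Added example (not part of the original guide): audit an Apache config file
# for the hardening directives the guide sets. Sample configs below are
# constructed; file names are placeholders.

# Strip full-line comments and blank lines so the checks only see directives.
active_lines() {
  grep -v '^[[:space:]]*#' "$1" | grep -v '^[[:space:]]*$' || true
}

# Print the last value given to a directive (case-insensitive name), or nothing.
# httpd uses the last occurrence in a scope, so the last one wins here too.
directive_value() {
  active_lines "$1" | awk -v d="$2" 'tolower($1) == tolower(d) { v = $2 } END { print v }'
}

# OK if the directive is set to the expected value, MISSING if absent, BAD otherwise.
check_directive() {
  actual=$(directive_value "$1" "$2" | tr 'A-Z' 'a-z')
  expected=$(printf '%s' "$3" | tr 'A-Z' 'a-z')
  if [ -z "$actual" ]; then echo MISSING
  elif [ "$actual" = "$expected" ]; then echo OK
  else echo BAD
  fi
}

# Print every Options token that enables Indexes or FollowSymLinks (bare or
# "+"-prefixed). "-Indexes" and "-FollowSymLinks" are the hardened form.
risky_options() {
  active_lines "$1" | awk 'tolower($1) == "options" {
    for (i = 2; i <= NF; i++) {
      t = tolower($i); sub(/^\+/, "", t)
      if (t == "indexes" || t == "followsymlinks") print $i
    }
  }'
}

# Directive lines with a trailing "# ..." comment; httpd rejects these.
inline_comments() {
  active_lines "$1" | grep '#' || true
}

# Print one finding per line (nothing when the file passes every check).
audit_config() {
  for pair in "ServerTokens Prod" "ServerSignature Off" "TraceEnable off"; do
    name=${pair% *}; want=${pair#* }
    r=$(check_directive "$1" "$name" "$want")
    [ "$r" = OK ] || echo "$r: $name should be $want"
  done
  for o in $(risky_options "$1"); do
    echo "BAD: Options enables $o"
  done
  [ -n "$(directive_value "$1" LimitRequestBody)" ] ||
    echo "MISSING: LimitRequestBody is not set (request bodies are unlimited)"
  n=$(inline_comments "$1" | awk 'END { print NR }')
  [ "$n" -eq 0 ] || echo "BAD: $n directive line(s) carry an inline # comment"
}

# Number of findings, always printed as a plain integer.
count_findings() {
  audit_config "$1" | awk 'END { print NR }'
}

TMP=${TMPDIR:-/tmp}
BEFORE_CONF="$TMP/httpd-before.conf"      # placeholder path, constructed content
HARDENED_CONF="$TMP/httpd-hardened.conf"  # placeholder path, constructed content

# A partially hardened config: default ServerTokens, an inline comment that
# httpd would reject, directory listing and symlinks still enabled.
cat > "$BEFORE_CONF" <<'EOF'
ServerTokens OS
ServerSignature Off # Removes version info
<Directory "/var/www/html">
  Options Indexes FollowSymLinks
  AllowOverride None
  Require all granted
</Directory>
EOF

# The same config with every setting from the guide applied.
cat > "$HARDENED_CONF" <<'EOF'
# Hardened per the guide
ServerTokens Prod
ServerSignature Off
TraceEnable off
<Directory "/var/www/html">
  Options -Indexes -FollowSymLinks
  AllowOverride None
  Require all granted
</Directory>
<Directory "/var/www/html/uploads">
  LimitRequestBody 10485760
</Directory>
EOF

echo "== before: $(count_findings "$BEFORE_CONF") finding(s) =="
audit_config "$BEFORE_CONF"
echo "== hardened: $(count_findings "$HARDENED_CONF") finding(s) =="
```

Run it against a real file with `audit_config /etc/httpd/conf/httpd.conf` after the edits and before `systemctl reload`; the inline-comment check catches the one mistake that makes httpd fail to reload at all, while the other checks confirm the directives took effect in the file the server actually reads.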