Government Security
Network Security Resources

Jump to content


Secure Apache Web Server

- - - - - auditing dictionary tutorial web app web application
  • Please log in to reply
No replies to this topic

#1 wizard32



  • Members
  • 1 posts

Posted 01 September 2012 - 04:21 PM

Secure Apache Web Server
In this tutorial we will see the principles on how to secure our Apache Web Server. The Apache HTTP Server has a good record for security but there are some basic things we can do to make Apache a more secure Web server.

About Apache HTTP Server.
The Apache HTTP Server Project is a collaborative software development effort aimed at creating a robust, commercial-grade, featureful, and freely-available source code implementation of an HTTP (Web) server.

The project is jointly managed by a group of volunteers located around the world, using the Internet and the Web to communicate, plan, and develop the server and its related documentation. This project is part of the Apache Software Foundation. In addition, hundreds of users have contributed ideas, code, and documentation to the project.

(Note: For the Purpose of this tutorial we will use BackBox (Based on Ubuntu) as OS and Apache2. There are no guarantees or absolutes for Apache security things, so proceed at your own risk.)

First let's locate in which directory Apache running by typing the following command:

ps -ef | grep apache

root	  1443	 1  0 16:57 ?		00:00:00 /usr/sbin/apache2 -k start
root	  2741  2118  0 18:21 pts/0	00:00:00 grep apache
www-data  5569  1443  0 17:06 ?		00:00:00 /usr/sbin/apache2 -k start

As we can see typing the above command Apache appears to be running in the following directory


(Note: Directory may differ from yours. Depends on the installation process if you change the destination folder during that and from the OS that is used.)

Next let's take some important information about Apache like version and which file we will modify (httpd.conf, apache2.conf, etc). We can use a lot of ways to get a couple of information about the web server. So, on terminal we type one of the following ways:

curl -I  

/usr/sbin/apache2 -V


apache -V

or we can use nikto / nmap tools

nikto -h  

nmap -T4 -A -v

(Note: With or without directory we take the same information. If we use -v instead of -V we get only the Server Version/built information. Change the directory with yours if differs)

Server version: Apache/2.2.16 (Debian)
Server built:   Apr  1 2012 06:40:08
Servers Module Magic Number: 20051115:24
Server loaded:  APR 1.4.2, APR-Util 1.3.9
Compiled using: APR 1.4.2, APR-Util 1.3.9
Architecture:   32-bit
Server MPM:	 Prefork
  threaded:	 no
	forked:	 yes (variable process count)
Server compiled with....
-D APACHE_MPM_DIR="server/mpm/prefork"
-D APR_HAVE_IPV6 (IPv4-mapped addresses enabled)
-D HTTPD_ROOT="/etc/apache2"
-D SUEXEC_BIN="/usr/lib/apache2/suexec"
-D DEFAULT_PIDLOG="/var/run/"
-D DEFAULT_SCOREBOARD="logs/apache_runtime_status"
-D DEFAULT_LOCKFILE="/var/run/apache2/accept.lock"
-D DEFAULT_ERRORLOG="logs/error_log"
-D AP_TYPES_CONFIG_FILE="mime.types"
-D SERVER_CONFIG_FILE="apache2.conf"

As we can see current version of Apache is 2.2.17, if not install/update the latest one. Also the line -D HTTPD_ROOT="/etc/apache2" specifies the location of the httpd.conf file and on line -D SERVER_CONFIG_FILE="apache2.conf" we can verify in which file we 'll make the changes.

(Note: If the file on line -D SERVER_CONFIG_FILE= differs; you will make the changes to this one)

(Note: The httpd.conf file may be empty if your try to open it)

Set the right User:Group

First we open the apache2.conf file and we make sure that the lines


are set to

User apache
Group apache

Hiding and modifying Apache server information
Next an important think is to disable a couple of information like (Apache Version, OS configurations, Php configurations) that appears on broken pages

To hide this information we must add the following options.

# ServerSignature Off means that Apache will not display the server version  
# on error pages, or in other pages that generates.
ServerSignature Off

# ServerTokens Prod tells apache to only return Apache in the Server header,  
# returned on every page request.  
ServerTokens Prod

(Note: If you are using Debian or Ubuntu as OS you must do the above changes to the file /etc/apache2/conf.d/security otherwise or in apache2.conf or in httpd.comf file, it depends which OS are you using)

Hide PHP Version
Next we will modify the php.ini file. On terminal type:

nano /etc/php5/apache2/php.ini

and find and change the expose_php to off

expose_php = Off

Protecting System Settings and Server Files
Stop users from setting up .htaccess files which can override security features you've configured adding the following lines to the server configuration:

<Directory />  
	AllowOverride None  

Next will disable access to the entire file system except for the directories that are explicitly allowed later.

<Directory />  
	Order Deny,Allow  
	Deny from all  

Next will allow access to the specific directories prohibiting default access to the filesystem locations.

<Directory "/webdirectory">  
Order Deny,Allow  
Allow from all  

<Directory "/var/www/*">
Order Allow,Deny
Allow from all

(Note: <Directory /*/public_html> will not match /home/user/public_html, but <Directory /home/*/public_html> will match.)

Restricting Access by IP

Order Deny,Allow
Deny from all  
Allow from

Turn off .htaccess
You can do that by adding the following line inside a Directory blog.

AllowOverride None

Timeout Value
By default the Timeout directive is set to 300 seconds.

Timeout 45

Parameter Option
Inside the blog <Directory>..</Directory> we can add some parameters to avoid dictionary browsing, disable server to follow symbolic links, etc. On this part we'll analyze the parameter "Option".

/* All options are enabled except MultiViews, IncludesNOEXEC, and
SymLinksIfOwnerMatch */
/* Execution of CGI scripts is permitted -- and impossible if this is not set.
The server follows symbolic links (i.e., file links made with the Unix  
ln -s utility). */
/* Web server followw so called symbolic links */
/* Server-side includes are permitted */
/* Server-side includes are permitted, but #exec and #include of CGI scripts  
are disabled. */
/* Allows the suite of indexing commands to be used, and a formatted listing  
is reurned */
/* Content-negotiated MultiViews are supported. This includes AddLanguage  
and image negotiation */
/* Symbolic links are followed and lead to files or directories owned by  
the same user */

The parameter can be preceded by "+" or "-", which mean add (+) or remove (-). The following command, for example, adds Indexes but removes ExecCGI:

Options +Indexes -ExecCGI

If no options are set, and there is no <Limit> directive, the effect is as if All had been set, which means, of course, that MultiViews is not set. If any options are set, All is turned off. If for example we have a file into a directory(/our/direvtory/htdoc) without an index.html file and we add the following options into the Dictionary tag.

Options ExecCGI

and try to access it again, we will see the following rather baffling message:

FORBIDDEN You don't have permission to access / on this server

The reason is that when Options is not mentioned, it is, by default, set to All. By switching ExecCGI on, you switch all the others off, including Indexes. To fix that is to edit our lines to
Options +ExecCGI

ModSecurity supplies an array of request filtering and other security features to the Apache HTTP Server. ModSecurity is a web application layer firewall.

We can do the following with ModSecurity:
  • Simple filtering
  • Regular Expression based filtering
  • URL Encoding Validation
  • Unicode Encoding Validation
  • Auditing
  • Null byte attack prevention
  • Upload memory limits
  • Server identity masking
  • Built in Chroot support
The are a lot of ways and things we can do to secure a web server. This tutorial describes the basic things we can do to make Apache web server more secure. The best way is to try every parameter in a localhost web server to figure out what the option does before proceed to the main web server.

Designed and Created by Liatsis Fotis

Also tagged with one or more of these keywords: auditing, dictionary, tutorial, web app, web application