Securing Apache2 Server (Ubuntu)
Hello Elites,
Today I am sharing my notes on securing Apache2 servers; please read the whole article to get a complete picture. By the end, I am sure you will be applying all of these rules to your own servers and machines.
The Apache HTTP Server is a cross-platform, free and open-source web server software that was made available for both Windows and Linux platforms, under the conditions of the Apache License 2.0. Under the direction of the Apache Software Foundation, Apache is created and maintained by a public community of developers.
Apache2 is available for all Linux distributions, but here I am sharing the snapshots for the “Ubuntu 20.04.5 LTS” version.
The Apache Web Server Architectural Diagram:
Apache2 Installation:
The following is the command to install an Apache2 server on an Ubuntu machine.
"sudo apt install apache2"
The examples below use a WordPress site served from /var/www/wordpress.
1. Disabling the Server Signature Directive
- Open the following file with sudo privileges (Ubuntu):
"sudo vim /etc/apache2/apache2.conf"
- Add or edit the following block in apache2.conf:
"<Directory /var/www/wordpress>
AllowOverride All
Options -Indexes
ServerSignature Off
</Directory>"
- Now restart the server for the changes to take effect:
"sudo /etc/init.d/apache2 restart"
2. Setting up the ServerTokens value to Prod
The ServerTokens directive controls what is returned in the Server response header. To tell Apache to return just "Apache" in the Server header (no version, OS or module details), set ServerTokens to Prod.
- Open the file as shown below:
"sudo vim /etc/apache2/apache2.conf"
- Set the ServerTokens directive to Prod; if the entry is not there, just add it.
"ServerTokens Prod"
- Restart the Server;
"sudo /etc/init.d/apache2 restart"
3. Disabling the Directory Listing directive
- Edit the configuration file /etc/apache2/apache2.conf and add the following lines so that directory listing is disabled:
"<Directory /var/www/wordpress>
Options -Indexes
</Directory>"
- Restart the Server;
"sudo /etc/init.d/apache2 restart"
4. Disabling the Server Information Directive
If the <Location /server-info> block in the apache2.conf configuration file is enabled, anyone can view details about the Apache setup by visiting the /server-info page (for example, "https://www.example.com/server-info"). This page may disclose sensitive information about several server settings, such as the server version, system paths, database names and loaded library information.
- Open the configuration file /etc/apache2/apache2.conf and comment out the LoadModule line for the mod_info module, so that it reads:
"#LoadModule info_module modules/mod_info.so"
- Restart the Server;
"sudo /etc/init.d/apache2 restart"
5. Restricting the use of Undesirable Services
Securing the Apache2 server also means disabling features that are not needed: CGI execution, following of symbolic links and server-side includes. The following shows how to disable them with the Options directive in the Apache2 configuration file.
"<Directory /var/www/wordpress>
Options -ExecCGI -FollowSymLinks -Includes
</Directory>"
- Restart the Server;
"sudo /etc/init.d/apache2 restart"
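To check that steps 1 to 5 actually took hold, here is an added audit script (my own addition, not part of the original article): audit_apache_conf greps a config file for the directives above, and check_server_header reads response headers (for example from "curl -sI http://localhost/") and passes only when the Server header is the bare "Apache" that ServerTokens Prod produces. The two sample configs are constructed inline so the script runs offline.

```bash
#!/usr/bin/env bash
# Added example, not from the original article. audit_apache_conf FILE and
# check_server_header (headers on stdin) return 0 on pass and 1 on failure.
# Drop comments so a commented-out LoadModule line is not counted as active.
active_lines() { sed -e 's/#.*$//' "$1"; }
# has_directive FILE NAME VALUE: is "NAME VALUE" set on an active line?
has_directive() {
    active_lines "$1" | grep -Eiq "^[[:space:]]*$2[[:space:]]+$3([[:space:]]|$)"
}
audit_apache_conf() {
    local conf="$1" rc=0 flag
    has_directive "$conf" ServerTokens Prod   || { echo "FAIL: ServerTokens is not Prod"; rc=1; }
    has_directive "$conf" ServerSignature Off || { echo "FAIL: ServerSignature is not Off"; rc=1; }
    # Each feature must be switched off with the "-Flag" form on an Options line.
    for flag in Indexes ExecCGI FollowSymLinks Includes; do
        active_lines "$conf" | grep -Eiq "^[[:space:]]*Options[[:space:]].*-$flag" \
            || { echo "FAIL: Options does not disable $flag"; rc=1; }
    done
    # mod_info must not be loaded by an uncommented LoadModule line.
    if active_lines "$conf" | grep -Eiq "^[[:space:]]*LoadModule[[:space:]]+info_module"; then
        echo "FAIL: mod_info is still loaded"; rc=1
    fi
    return "$rc"
}
# Pass only when the Server header is exactly "Apache" (what ServerTokens Prod sends).
check_server_header() {
    local server
    server=$(grep -i '^Server:' | head -n 1 | sed -e 's/^[Ss]erver:[[:space:]]*//' -e 's/[[:space:]]*$//')
    [ "$server" = "Apache" ]
}
# Constructed sample configs (not real server files) so the script runs offline.
HARDENED_CONF=$(mktemp); WEAK_CONF=$(mktemp)
cat > "$HARDENED_CONF" <<'EOF'
ServerTokens Prod
ServerSignature Off
#LoadModule info_module modules/mod_info.so
<Directory /var/www/wordpress>
    Options -Indexes -ExecCGI -FollowSymLinks -Includes
</Directory>
EOF
cat > "$WEAK_CONF" <<'EOF'
ServerTokens Full
LoadModule info_module modules/mod_info.so
Options Indexes FollowSymLinks
EOF
echo "hardened sample:"; audit_apache_conf "$HARDENED_CONF" && echo "PASS"
echo "weak sample:";     audit_apache_conf "$WEAK_CONF"     || echo "(expected failures)"
```

The audit only reads the one file you pass it; on Ubuntu the LoadModule lines live under /etc/apache2/mods-enabled/, so run it against each file you edited, and use "apache2ctl -M" to list the modules actually loaded.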
Thanks for reading this far. I hope you liked this article on Securing Apache2 Server (Ubuntu). Please let me know your suggestions so that I can improve my writing, and also let me know if anything is incorrect; I will correct it in a later edition.