How to Secure Your Apache Server

1.Enable automatic updates

Given that the LAMP stack is based on Linux and that the entire open-source community is working to enhance it, it is also deemed secure. All security updates and patches are accessible as an automatic unattended install on an Ubuntu VPS as soon as they are released in the Ubuntu repos, so make sure you configure your system to automatically install them if you are concerned about security.If you don’t enable this option on your server and don’t manually install the latest upgrades and patches, you’re placing your server at risk of being hacked.

Install the unattended-upgrades package to enable automatic unattended upgrades.

sudo apt-get install unattended-upgrades

Edit the /etc/apt/apt.conf.d/50unattended-upgrades file to specify which package categories should be upgraded automatically.

2. Configure firewall

Another very important aspect of overall security is having a properly set firewall. ufw is Ubuntu’s default firewall configuration tool, and it’s turned off by default. You can use the following commands to enable ufw:

sudo ufw enable

Allow essential services like OpenSSH and Apache to be accessed:

sudo ufw allow 22
sudo ufw allow 80
sudo ufw allow 443

It’s simple to grant access to other services. Simply change the port number in the samples above to the port number of the service you wish to enable access to, and you’re done. Even if the machine is rebooted, the firewall rules will remain active.

3. Disable unused services

If you have active services which you are not using, you can simply disable them. For example, if you have service like Dovecot up and running on your server and you are not using it at all, stop and disable the service using the following commands:

sudo systemctl stop dovecot.service
sudo systemctl disable dovecot.service

4. Install Fail2ban

Fail2ban is a service that scans log files for excessive login failures and blocks the IP address that is displaying malicious behaviour. If you don’t use two-factor or public/private authentication techniques on services like OpenSSH, this service comes in handy. Run the following command to install Fail2ban:

sudo apt-get install fail2ban

Make a copy of the default configuration file so you can make modifications without worrying about system updates overwriting them:

sudo cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local

Edit the jail.local file:

sudo nano /etc/fail2ban/jail.local

The [sshd] block should look something like this:

[sshd]

enabled  = true
port     = ssh
filter   = sshd
logpath  = /var/log/auth.log
maxretry = 5
bantime = 600

To make the modifications take effect, save the file and restart Fail2ban:

sudo systemctl restart fail2ban.service

Enable Fail2ban on system boot:

sudo systemctl enable fail2ban.service

5. Hide Apache sensitive information

The default Apache setup exposes a great deal of sensitive data that can be used against the service. It’s critical to keep this information secret, therefore make a configuration file for your new settings:

sudo nano /etc/apache2/conf-available/custom.conf

Copy and paste the following text:

ServerTokens Prod
ServerSignature Off
TraceEnable Off
Options all -Indexes
Header unset ETag
Header always unset X-Powered-By
FileETag None

If it isn’t already enabled, enable the Apache headers module:

sudo a2enmod headers

Enable the following settings:

sudo a2enconf custom.conf

To make the modifications take effect, restart Apache:

sudo systemctl restart apache2.service

6. Install and enable mod_security

Mod security is a web application firewall (WAF) that may be added to Apache as a separate module. It can be used to protect a web server from a variety of threats, including SQL injections, session hijacking, cross-site scripting, and malicious user agents. Run the instructions following to install and enable mod security:

sudo apt-get install libapache2-modsecurity2
sudo a2enmod security2

You should setup the module and enable the OWASP ModSecurity Core Rule Set after it has been installed (CRS).

sudo mv /etc/modsecurity/modsecurity.conf-recommended /etc/modsecurity/modsecurity.conf

Then, open the /etc/modsecurity/modsecurity.conf file and edit/add the following settings:

SecRuleEngine On
SecResponseBodyAccess Off
SecRequestBodyLimit 8388608
SecRequestBodyNoFilesLimit 131072
SecRequestBodyInMemoryLimit 262144

Save and close the file. Remove the current CRS and download the OWASP CRS by using the following commands:

sudo rm -rf /usr/share/modsecurity-crs
sudo git clone https://github.com/SpiderLabs/owasp-modsecurity-crs.git /usr/share/modsecurity-crs
cd /usr/share/modsecurity-crs
sudo mv crs-setup.conf.example crs-setup.conf

Edit the security2.conf file in /etc/apache2/mods-enabled/security2.conf. It should resemble the following:

<IfModule security2_module>
	SecDataDir /var/cache/modsecurity
	IncludeOptional /etc/modsecurity/*.conf
	IncludeOptional "/usr/share/modsecurity-crs/*.conf"
	IncludeOptional "/usr/share/modsecurity-crs/rules/*.conf
</IfModule>

Finally, to make the modifications take effect, restart Apache:

sudo systemctl restart apache2.service

7. Install and enable mod_evasive

Mod evasive is an Apache module that can prevent DoS (Denial of Service), DDoS (Distributed Denial of Service), and brute-force assaults on the web server. Run the following command to install mod evasive on your server:

sudo apt-get install libapache2-mod-evasive

Open the default configuration file /etc/apache2/mods-enabled/evasive.conf and edit the settings to look like those below:

<IfModule mod_evasive20.c>
	DOSPageCount        5
	DOSSiteCount        50
	DOSPageInterval     1
	DOSSiteInterval     1
	DOSBlockingPeriod   600
	DOSLogDir           "/var/log/mod_evasive"
</IfModule>

The file should be saved and closed. Make a folder for the log files:

sudo mkdir /var/log/mod_evasive
sudo chown -R www-data: /var/log/mod_evasive

Restart Apache:

sudo systemctl restart apache2.service

Latest posts by Amardeep Dubey (see all)
Tagged : /

Leave a Reply