Securing the Apache web server:

  • Apache modules: Turn off modules you are not going to use. With past SSL exploits, those following this philosophy did not get burned.
    • Red Hat EL 5/CentOS 5 Apache 2.2: The configuration file /etc/httpd/conf.d/ssl.conf enables SSL by default. It is picked up by the line Include conf.d/*.conf in /etc/httpd/conf/httpd.conf. Rename /etc/httpd/conf.d/ssl.conf to ssl.conf_OFF to turn off SSL; the Include only matches files ending in .conf, so the renamed file is ignored.
    • Ubuntu 8.04: a2dismod ssl
      This will disable the loading of SSL. The Ubuntu distribution has a fairly frugal use of modules by default.
      The default configuration has SSL turned off.
    • Apache 1.3.x config file /etc/httpd/conf/httpd.conf
      #<IfDefine HAVE_SSL>
      #LoadModule ssl_module         modules/libssl.so
      #</IfDefine>
      ...
      ...
      #<IfDefine HAVE_SSL>
      #AddModule mod_ssl.c
      #</IfDefine>
      ...
      ...
      <IfDefine HAVE_SSL>
      Listen 80
      #Listen 443
      </IfDefine>
      ...
      ...
      #<IfModule mod_ssl.c>
      #...
      #...
      ...
      #<VirtualHost _default_:443>
      #...
      #...
      ...
      

      Comment out the use of the SSL module by placing a “#” in the first column.

    • One can also block the HTTPS port 443 using firewall rules:
              iptables -A INPUT -p tcp -s 0/0 -d 0/0 --dport 443 -j DROP
              iptables -A INPUT -p udp -s 0/0 -d 0/0 --dport 443 -j DROP
      
  • Apache version exposure: (Version 1.3+) Don’t allow hackers to learn which version of the web server software you are running by inducing an error: the footer of the default error page (the ServerSignature) reveals the server version. Attacks are often version specific. Spammers also trigger errors to harvest email addresses.
    ...
    
    ServerAdmin webmaster at debiandoctor dot com
    ServerSignature Off
    
    ...
    

    The response may be meaningless anyway if the web server is acting as a proxy in front of another server.
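    The module and version-exposure items above both come down to reading httpd.conf and checking what is active once the “#” comments are stripped. The following audit script is an added example (not part of the original tutorial) that does exactly that for a configuration text: it lists the active LoadModule lines, reports whether SSL is still enabled (module loaded or Listen 443 active), and flags the two directives that control version exposure. ServerSignature is the directive shown above; ServerTokens is its companion, not shown on the original page, which trims the Server: response header. The sample configuration is constructed for this example, and conditional sections such as <IfDefine> are treated as active, which keeps the audit conservative.

```python
"""Audit Apache httpd.conf-style text for enabled modules and version exposure.

Added example (not from the original tutorial). It only reads the
configuration text and needs no running Apache. SAMPLE_CONF is constructed.
"""

# Constructed sample: the kind of excerpt shown above, with SSL still active.
SAMPLE_CONF = """\
# Example modules section
LoadModule ssl_module         modules/libssl.so
#LoadModule status_module     modules/mod_status.so
LoadModule rewrite_module     modules/mod_rewrite.so
<IfDefine HAVE_SSL>
Listen 80
Listen 443
</IfDefine>
ServerAdmin webmaster at debiandoctor dot com
ServerSignature On
ServerTokens Full
"""


def active_directives(conf_text):
    """Yield (name, value) for directives that are not commented out.

    A line whose first non-blank character is '#' is ignored, matching the
    'comment out with a # in the first column' approach in the tutorial.
    Section tags such as <IfDefine> / </IfDefine> are skipped, so the lines
    inside a conditional section are treated as active (conservative).
    """
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or line.startswith("<"):
            continue
        parts = line.split(None, 1)
        yield parts[0], (parts[1] if len(parts) > 1 else "")


def loaded_modules(conf_text):
    """Return the module names loaded by active LoadModule lines, sorted."""
    return sorted(
        value.split()[0]
        for name, value in active_directives(conf_text)
        if name.lower() == "loadmodule"
    )


def listening_ports(conf_text):
    """Return the ports named by active Listen directives ('443', 'host:443', '[::]:443')."""
    ports = {int(value.rsplit(":", 1)[-1])
             for name, value in active_directives(conf_text)
             if name.lower() == "listen"}
    return sorted(ports)


def version_exposure_findings(conf_text):
    """Report settings that let error pages or the Server header reveal the version.

    Defaults below are Apache's own: ServerSignature defaults to Off,
    ServerTokens to Full. ServerTokens Prod is assumed as the hardened value
    (it is not on the original page).
    """
    settings = {"serversignature": "off", "servertokens": "full"}
    for name, value in active_directives(conf_text):
        if name.lower() in settings:
            settings[name.lower()] = value.strip().lower()
    findings = []
    if settings["serversignature"] != "off":
        findings.append("ServerSignature is not Off: error pages carry a version footer")
    if settings["servertokens"] != "prod":
        findings.append("ServerTokens is not Prod: Server header reveals version details")
    return findings


def audit(conf_text):
    """Summarise what a reviewer of this configuration would want to see."""
    mods = loaded_modules(conf_text)
    ports = listening_ports(conf_text)
    return {
        "modules": mods,
        "ports": ports,
        "ssl_enabled": "ssl_module" in mods or 443 in ports,
        "findings": version_exposure_findings(conf_text),
    }


if __name__ == "__main__":
    result = audit(SAMPLE_CONF)
    print("Loaded modules:", ", ".join(result["modules"]))
    print("Listening on:", result["ports"])
    print("SSL enabled:", result["ssl_enabled"])
    for finding in result["findings"]:
        print("FINDING:", finding)
```

    Run it against a real httpd.conf by reading the file into a string and passing it to audit(); after applying the changes described above (module commented out, Listen 443 commented out, ServerSignature Off) the ssl_enabled flag drops to False and the findings list shrinks accordingly.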

  • Block hackers and whole address ranges (e.g. countries) that will never legitimately use your website. Use the Apache directive Deny from to block access.
    <Directory /home/projectx/public_html>
        ...
        ...
        ...
        Order allow,deny
        # Block form bots
        Deny from 88.XX.0.0/16 193.XX.XX.0/24 194.XX.XX.0/23
        allow from all
    </Directory>
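    The Order allow,deny line above decides how the Deny from and allow from lines combine, and getting the order wrong silently undoes the block list. The following added example (not from the original tutorial) reproduces the decision rule Apache 2.2 documents for Order allow,deny: every Allow directive is checked first and at least one must match, then any matching Deny rejects the request, and a client matching neither is denied. The contrasting Order deny,allow rule is included to show why the same two lines under that ordering would let the denied ranges through. The address ranges are constructed documentation-range placeholders standing in for the masked 88.XX.0.0/16-style values on the page.

```python
"""Evaluate Apache 2.2 'Order allow,deny' access control for a client address.

Added example, not from the original tutorial. DENY_FROM holds constructed
placeholder ranges (RFC 5737 documentation addresses), not the page's values.
"""
import ipaddress

# Constructed stand-ins for the Deny from list in the <Directory> block above.
DENY_FROM = ["203.0.113.0/24", "198.51.100.0/23"]
ALLOW_FROM = ["all"]


def _matches(client, spec):
    """Return True if the client address matches one Allow/Deny argument.

    Supports 'all', a single address, and CIDR notation (the forms used on
    the page). Hostname-based rules are out of scope for this example.
    """
    if spec.lower() == "all":
        return True
    return client in ipaddress.ip_network(spec, strict=False)


def order_allow_deny(client_ip, allow_from=ALLOW_FROM, deny_from=DENY_FROM):
    """Return 'allowed' or 'denied' under Order allow,deny."""
    client = ipaddress.ip_address(client_ip)
    if not any(_matches(client, s) for s in allow_from):
        return "denied"   # no Allow matched: denied by default
    if any(_matches(client, s) for s in deny_from):
        return "denied"   # a Deny matched: under allow,deny the Deny wins
    return "allowed"


def order_deny_allow(client_ip, allow_from=ALLOW_FROM, deny_from=DENY_FROM):
    """Return 'allowed' or 'denied' under Order deny,allow (for contrast).

    Here a client matching both lists is allowed, and clients matching
    neither are allowed by default, so 'allow from all' would cancel every
    Deny line. This is why the ordering in the <Directory> block matters.
    """
    client = ipaddress.ip_address(client_ip)
    denied = any(_matches(client, s) for s in deny_from)
    allowed = any(_matches(client, s) for s in allow_from)
    return "denied" if denied and not allowed else "allowed"


if __name__ == "__main__":
    # Constructed client addresses: one inside each denied range, one outside.
    for ip in ("203.0.113.7", "198.51.101.9", "192.0.2.5"):
        print(f"{ip:>15}  allow,deny -> {order_allow_deny(ip):<7}"
              f"  deny,allow -> {order_deny_allow(ip)}")
```

    Feed it the client address from an access log line to confirm that a range you added to Deny from actually blocks the host, and that nothing you intended to serve is inside one of the ranges.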
    
