Category Archives: Apache Security

Top 7 Tips to Secure Your Apache Web Server

Leave a reply

In this post on Apache security, I will show you the 10 most important things you need to do to secure your server.

1. Edit your httpd.conf and remove any unused modules

This is very important as each additional module, such as for example mod_php will increase the security risk to your site. If there’s a security vulnerability in PHP, and you aren’t running with mod_php enabled, you won’t be exposed. If you only require mod_rewrite then the only uncommented module line in your httpd.conf should be

LoadModule rewrite_module modules/mod_rewrite.so

(Bonus points if you spotted that the above line is only for Apache 2.x config files)

2. Stay up-to-date on security vulnerabilities for modules you have installed

This means subscribing to mailing lists and check blogs and web sites regularly for news on security vulnerabilities to modules you have installed.

3. Keep informed about the latest version of Apache httpd

Although Apache has an excellent security track record, you should still check for new versions regularly at http://httpd.apache.org/

4. Turn off the server signature

There’s no need to tell anyone what web server and product version you’re running. To turn off server signatures both on error pages and in the HTML response header, add the following to httpd.conf:


ServerSignature Off
ServerTokens ProductOnly

5. Don’t allow directory index browsing

If a user types http://www.yoursite.com/images/ in their browser bar, and there is no index page for the images directory, the might be able to see all the files in that, or any other directory without an index page. To make sure this doesn’t happen, disable directory indexing by putting the following in your httpd.conf:

Options -Indexes

6. Run mod_security

This module, written by Apache guru Ivan Ristic, allows you to do such things as filter out SQL injection attempts from URI strings, detect shell code in POST or GET queries, and much, much more.

Get it at http://www.modsecurity.org/

7. Run apache in a chroot jail

This advanced configuration allows you to “jail” Apache to a specific root directory. The process won’t be able to access anything beyond the chroot’ed directory. For a tutorial, see this Linux.com article.