10 ways to secure your Apache installation
File permissions play an important part in website security, particularly if you are running your own web server. A few simple steps when setting up a website can save you a lot of trouble in the future and can be vitally important if you want to keep your company data secure. Therefore I have devised in no particular order a list of the top 10 things you should do to secure your Apache server from hackers.
1. File permissions
Changing your file permissions are one of the most important things which you can do to secure your website. This is especially true if you have PHP files containing password information, you do not want any unwanted hackers reading or writing to these types of files.
File permissions can be modified using the chmod command in Linux, this command uses octal file permissions to set read, write or execute to user, group or world. User refers to the user that owns the file, group refers to the group that the file belongs to and world is anyone else. If you are unfamiliar with octal permissions they are calculated by splitting the numbers into lots of 3 and then calculating the total number of bits.
Each bit has its own particular value
Read = 4
Write = 2
Execute = 1
So if you split the octal permission 745 into 3 sections, user, group and world, you have the following permissions.
User = 7 (4+2+1 or RWX)
Group = 4 (4 or R)
World = 5 (4+1 or RX)
You can then modify a file by using the command
chmod 745 file.txt
Ownership is a very important aspect of Apache security. You should never run any files in Apache as the root user, if a hacker is able to read or write server files through a certain file or script they will potentially gain full access to the whole server.
File ownership is also important if you are running multiple websites for multiple users. Each user on the server should own their individual files as to separate file permissions so that others on the server cannot read, write or execute your files.
By default most versions of Linux that come with apache also come with the apache user. You can take ownership of all of the files inside your apache directory by using the following command
chown –R apache /var/www/html
3. .htaccess and .htpasswd
.htaccess files can be useful particularly if you have multiple websites or directories which need their own set of configurations. By placing a .htaccess file in a directory with allowoverride on allows the .htaccess file to set its own configurations for all the files in that directory. The full stop infront of the .htaccess and .htpasswd file denotes that it is hidden from directory listings.
.htpasswd files allow you to password protect certain files from access using a hashed password.
There are several sites out there which have easy to use .htaccess and .htpasswd generators, but you can also use the htpasswd tool provided by Apache to create a password hash.
In my experience, it’s always a good idea to disable Apache indexes. Leaving indexes on allows hackers to browse through all your site files which can be used to gain information and passwords.
For example, it’s not uncommon to find .sql backups hidden away on many websites, if a hacker is able to browse to the directory containing that .sql file and read the contents, it could contain anything from passwords to user information.
In the Apache configuration you can remove indexes by simply removing the word “Indexes” from the following line in <Directory>.
Exploits, vulnerabilities and bugs are found quite often in any software, but generally they can take time to be discovered. For this reason it’s a good idea to always keep up to date with the latest stable version, this includes Apache, PHP, MySQL and any other software Apache might use.
Logs can keep track of malicious activity and errors. It’s a good idea to check your logs weekly for any activity that’s out of the usual. The Apache logs are located in /var/logs/httpd, by default you have an access log and error log, however if you are running multiple virtual hosts you can setup custom error logs to monitor individual site activity.
CustomLog logs/dummy-host.example.com-access_log common
7. Disable .htaccess overriding
Disabling .htaccess overriding can be useful if you prefer not to use .htaccess files for particular directories. For example if for some reason a hacker is able to gain write access to one of your files or directories, they can potentially create a new .htaccess file and override the Apache configurations, removing some of the security you have implemented.
You can disable overriding by adding the following line in <Directory>
8. Disable CGI
CGI scripts can be useful if you are running applications on your server, but if your server does not need to run or use any CGI scripts, then it’s a good idea to turn this feature off so that if a hacker uploads a malicious file they can’t execute it.
9. Don’t display version information
When a hacker is looking for vulnerabilities or exploits in your server, one of the first thing they will typically look for is version and OS information. Allowing hackers to view your version information allows them to indentify and look for version specific exploits, so by removing that information from being displayed you’re making it harder for them to exploit your server.
You can remove the version and OS information from being displayed by modifying the following lines
10. Be scrupulous
The number one reason why websites get hacked in the first place is because people are either inexperience in developing secure websites or just downright lazy when it comes to security. When writing your code whether it be in PHP, ASP, or JSP, make sure that you are scrupulous in testing before opening your site to the public.
Hackers will target POST and GET forms, manipulate your cookies and try anything else they can think of to gain access. So make sure you validate all the information that users have access to and you will be greatly limiting the chances of getting hacked.