10 ways to secure your Apache installation
File permissions play an important part in website security, particularly if you are running your own web server. A few simple steps when setting up a website can save you a lot of trouble in the future and can be vitally important if you want to keep your company data secure. Therefore I have devised in no particular order a list of the top 10 things you should do to secure your Apache server from hackers.
1. File permissions
Changing your file permissions are one of the most important things which you can do to secure your website. This is especially true if you have PHP files containing password information, you do not want any unwanted hackers reading or writing to these types of files.
File permissions can be modified using the chmod command in Linux, this command uses octal file permissions to set read, write or execute to user, group or world. User refers to the user that owns the file, group refers to the group that the file belongs to and world is anyone else. If you are unfamiliar with octal permissions they are calculated by splitting the numbers into lots of 3 and then calculating the total number of bits.
Each bit has its own particular value
Read = 4
Write = 2
Execute = 1
So if you split the octal permission 745 into 3 sections, user, group and world, you have the following permissions.
User = 7 (4+2+1 or RWX)
Group = 4 (4 or R)
World = 5 (4+1 or RX)
You can then modify a file by using the command
chmod 745 file.txt
Ownership is a very important aspect of Apache security. You should never run any files in Apache as the root user, if a hacker is able to read or write server files through a certain file or script they will potentially gain full access to the whole server.
File ownership is also important if you are running multiple websites for multiple users. Each user on the server should own their individual files as to separate file permissions so that others on the server cannot read, write or execute your files.
By default most versions of Linux that come with apache also come with the apache user. You can take ownership of all of the files inside your apache directory by using the following command
chown –R apache /var/www/html
3. .htaccess and .htpasswd
.htaccess files can be useful particularly if you have multiple websites or directories which need their own set of configurations. By placing a .htaccess file in a directory with allowoverride on allows the .htaccess file to set its own configurations for all the files in that directory. The full stop infront of the .htaccess and .htpasswd file denotes that it is hidden from directory listings.
.htpasswd files allow you to password protect certain files from access using a hashed password.
There are several sites out there which have easy to use .htaccess and .htpasswd generators, but you can also use the htpasswd tool provided by Apache to create a password hash.
In my experience, it’s always a good idea to disable Apache indexes. Leaving indexes on allows hackers to browse through all your site files which can be used to gain information and passwords.
For example, it’s not uncommon to find .sql backups hidden away on many websites, if a hacker is able to browse to the directory containing that .sql file and read the contents, it could contain anything from passwords to user information.
In the Apache configuration you can remove indexes by simply removing the word “Indexes” from the following line in <Directory>.
Exploits, vulnerabilities and bugs are found quite often in any software, but generally they can take time to be discovered. For this reason it’s a good idea to always keep up to date with the latest stable version, this includes Apache, PHP, MySQL and any other software Apache might use.
Logs can keep track of malicious activity and errors. It’s a good idea to check your logs weekly for any activity that’s out of the usual. The Apache logs are located in /var/logs/httpd, by default you have an access log and error log, however if you are running multiple virtual hosts you can setup custom error logs to monitor individual site activity.
CustomLog logs/dummy-host.example.com-access_log common
7. Disable .htaccess overriding
Disabling .htaccess overriding can be useful if you prefer not to use .htaccess files for particular directories. For example if for some reason a hacker is able to gain write access to one of your files or directories, they can potentially create a new .htaccess file and override the Apache configurations, removing some of the security you have implemented.
You can disable overriding by adding the following line in <Directory>
8. Disable CGI
CGI scripts can be useful if you are running applications on your server, but if your server does not need to run or use any CGI scripts, then it’s a good idea to turn this feature off so that if a hacker uploads a malicious file they can’t execute it.
9. Don’t display version information
When a hacker is looking for vulnerabilities or exploits in your server, one of the first thing they will typically look for is version and OS information. Allowing hackers to view your version information allows them to indentify and look for version specific exploits, so by removing that information from being displayed you’re making it harder for them to exploit your server.
You can remove the version and OS information from being displayed by modifying the following lines
10. Be scrupulous
The number one reason why websites get hacked in the first place is because people are either inexperience in developing secure websites or just downright lazy when it comes to security. When writing your code whether it be in PHP, ASP, or JSP, make sure that you are scrupulous in testing before opening your site to the public.
Hackers will target POST and GET forms, manipulate your cookies and try anything else they can think of to gain access. So make sure you validate all the information that users have access to and you will be greatly limiting the chances of getting hacked.
Like us on Facebook
This week Top Posts
- Top Things To Do After Installing Ubuntu 13.10 'Saucy Salamander' : Ubuntu 13.10 Saucy Salamander will be released on coming October 17th with many new salient featur...0 comments |
- How To Show Username On Panel In Ubuntu 13.04/13.10 : By default usernames are not displayed on panel in Ubuntu 13.04 and 13.10, In this simple tutorial w...0 comments |
- cowsay And fortune Combined Together : Hi linux geeks! In this article I will teach you a nice trick you can perform in the terminal with ...0 comments |
- How To Upgrade From Ubuntu 13.04 Raring To Ubuntu 13.10 Saucy Salamander : Ubuntu 13.10 Saucy will be released on October 17th. Hope it will come with lot of improvements and ...0 comments |
- Install lamp with 1 command in Ubuntu 12.10, 13.04 Raring Ringtail & LinuxMint13 : Updated: 10/09/2012 :LAMP (Linux, Apache, MySQL and PHP) is an open source Web development platform ...0 comments |
- How To Install Netflix In Ubuntu : Hi unixmen readers! How are you? In this article we will teach you how to install the desktop vers...0 comments |
- How To Install Netflix In Ubuntu
- cowsay And fortune Combined Together
- How To Show Username On Panel In Ubuntu 13.04/13.10
- Setup DNS Server On openSUSE 13.1
- TeamViewer 9 Final Has Been Released!
- Twelve Vulnerabilities Have Been Fixed In Ubuntu 12.04, Time To Update
- OpenLDAP Installation and Configuration in Ubuntu 12.10/13.04/13.10 And Debian 6/7
- Configure Your Browser To Use Tor On Ubuntu/Debian/Linux Mint
- Setup A Full Featured ITIL Management System Using Integria IMS On CentOS 6
- Install LibreOffice 4.1.3 in Elementary OS ‘Luna’
This work by unixmen.com is licensed under a Creative Commons Attribution-NonCommercial-NoDerivs 3.0 Unported License.
Copyright © 2008-2013 Unixmen.com .