Sunday, March 27, 2011

10 Tips to Secure Your Apache Web Server on UNIX / Linux

If you are a sysadmin, you should secure your Apache web server by following the 10 tips mentioned in this article.

1. Disable unnecessary modules
If you are planning to build Apache from source, you should disable the following modules. Running ./configure --help lists all available modules that you can enable or disable.
userdir – Mapping of requests to user-specific directories. i.e ~username in URL will get translated to a directory in the server

autoindex – Displays directory listing when no index.html file is present
status – Displays server stats
env – Clearing/setting of ENV vars
setenvif – Placing ENV vars on headers
cgi – CGI scripts
actions – Action triggering on requests
negotiation – Content negotiation
alias – Mapping of requests to different filesystem parts
include – Server Side Includes
filter – Smart filtering of request
version – Handling version information in config files using IfVersion
as-is – as-is filetypes

Disable all of the above modules as shown below when you run ./configure:

./configure \
--enable-ssl \
--enable-so \
--disable-userdir \
--disable-autoindex \
--disable-status \
--disable-env \
--disable-setenvif \
--disable-cgi \
--disable-actions \
--disable-negotiation \
--disable-alias \
--disable-include \
--disable-filter \
--disable-version \
--disable-asis

If you enable SSL and disable mod_setenvif, you'll get the following error:
Error: Syntax error on line 223 of /usr/local/apache2/conf/extra/httpd-ssl.conf: Invalid command 'BrowserMatch', perhaps misspelled or defined by a module not included in the server configuration
Solution: If you use SSL, don't disable setenvif. Or, if you do disable mod_setenvif, comment out the BrowserMatch directive in your httpd-ssl.conf.
After the installation, run httpd -l to list all compiled-in modules.
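The following audit script is an added example, not part of the original article: it checks captured httpd -l output against the disable list above and flags the BrowserMatch/mod_setenvif conflict described in the error. The httpd -l outputs and the httpd-ssl.conf fragment below are constructed sample data.

```shell
#!/bin/sh
# Modules the article disables at ./configure time (mod_<name>.c in "httpd -l" output).
DISABLED="userdir autoindex status env setenvif cgi actions negotiation alias include filter version asis"

# unwanted_modules "<httpd -l output>": print each disabled module that is still compiled in.
unwanted_modules() {
    for m in $DISABLED; do
        case "$1" in
            *"mod_${m}.c"*) echo "$m" ;;
        esac
    done
}

# browsermatch_conflict "<httpd -l output>" "<httpd-ssl.conf text>":
# returns 0 when the config would fail to load (an active BrowserMatch line
# but no mod_setenvif compiled in), 1 otherwise. Commented-out lines are ignored.
browsermatch_conflict() {
    case "$1" in *"mod_setenvif.c"*) return 1 ;; esac
    printf '%s\n' "$2" | grep -q '^[[:space:]]*BrowserMatch'
}

# Constructed "httpd -l" output for a build that followed the configure line above.
SAMPLE_L='Compiled in modules:
  core.c
  mod_so.c
  http_core.c
  mod_ssl.c
  mod_mime.c
  mod_log_config.c
  mod_dir.c'

# Constructed output for a build where two of the modules were left enabled.
SAMPLE_L_BAD="$SAMPLE_L
  mod_setenvif.c
  mod_cgi.c"

# Constructed httpd-ssl.conf fragment with an active BrowserMatch directive.
SAMPLE_SSL_CONF='SSLEngine on
BrowserMatch "MSIE [2-5]" nokeepalive ssl-unclean-shutdown downgrade-1.0 force-response-1.0'

# audit "<httpd -l output>" "<httpd-ssl.conf text>": report findings, return 0 only if clean.
audit() {
    found=$(unwanted_modules "$1")
    [ -n "$found" ] && echo "still compiled in: $(printf '%s' "$found" | tr '\n' ' ')"
    if browsermatch_conflict "$1" "$2"; then
        echo "BrowserMatch used but mod_setenvif not compiled in: SSL config will not load"
        return 1
    fi
    [ -z "$found" ]
}
```

Run it against real output with audit "$(httpd -l)" "$(cat /usr/local/apache2/conf/extra/httpd-ssl.conf)" before restarting the server.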

Read more: The geek stuff