Apache hardening
Depending on the individual situation, the hardening of an Apache web server can vary in scale, ranging from a few simple but effective measures to full-blown hardening that includes additional software. A good ratio of effort to benefit depends on the threat scenario. The following list gives an overview of the possible actions for hardening an Apache web server on a Linux system:
1. Lock down the operating system
The web server should have its own partitions and folder structure.
The web server should have its own securely configured user and group.
Set file and directory permissions and owners.
Remove world writable files.
Check for activated suid and sgid bits.
Check for invalid UIDs and GIDs.
...
2. Harden the configuration of the Apache web server and its modules
Download and verify the current source code of all involved products.
Patch the sources if necessary.
Make security-relevant changes in the source code.
Build the web server and its modules with maximum security in mind.
Use a secure configuration of all involved products and modules.
Create the necessary CAs and certificates.
Enable notifications for suspicious events, like a restart of the web server.
...
3. Use modules for additional protection
Above all, mod_security as a web application firewall and mod_evasive increase the protection of the Apache web server, but only if they are configured properly and have been adapted individually to the web applications in use. Think of Confixx and Plesk, for example.
But there is much more. You can now also protect the Apache web server with SELinux; a module called mod_selinux is available for that. This module can be combined with PostgreSQL (SE-PostgreSQL).
Even if an attacker gains root privileges on the web server, he cannot escape from the SELinux context of the web server. The damage remains within the scope of the web server. It is also possible to run several instances of Apache, each one encapsulated in its own SELinux context.
...
4. Additional actions
Create a restrictive firewall with iptables.
Use logwatch for a daily status report about the system.
Run rkhunter to check for rootkits and other modifications of the system.
There is no end to it: you can also run Samhain and Snort as IDS/IPS.
Use SELinux.
...
5. Penetration and load testing
With nikto, CIS-Score-tool, nmap, OpenVAS.
...
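The file-system checks from step 1 (world-writable files, suid and sgid bits, invalid UIDs and GIDs) can be run as a single read-only audit. The following is an added example, not part of the original page; the function name audit_tree, the output labels and the example path /var/www are assumptions.

```shell
#!/bin/sh
# Added example: read-only audit of a web server tree for the
# file-system checks named in step 1. Nothing is modified.
# audit_tree and the output labels are illustrative names.

# audit_tree DIR -> one finding per line: "<LABEL> <path>"
audit_tree() {
    dir=$1

    # World-writable files and directories. Symlinks are skipped because
    # their own mode bits are not used for access decisions on Linux.
    find "$dir" -xdev \( -type f -o -type d \) -perm -0002 \
        -exec printf 'WORLD_WRITABLE %s\n' {} + 2>/dev/null

    # Regular files with the setuid (4000) or setgid (2000) bit set.
    find "$dir" -xdev -type f \( -perm -4000 -o -perm -2000 \) \
        -exec printf 'SUID_SGID %s\n' {} + 2>/dev/null

    # Files whose numeric owner or group has no passwd/group entry,
    # for example left behind after an account was deleted.
    find "$dir" -xdev \( -nouser -o -nogroup \) \
        -exec printf 'INVALID_OWNER %s\n' {} + 2>/dev/null
}

# Run only when a directory is given, e.g.: sh audit.sh /var/www
# (/var/www is an assumed path; use your own web server partition).
if [ "$#" -gt 0 ]; then
    audit_tree "$1"
fi
```

Review each finding before changing it, since a writable upload directory can be intentional.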