As one of the most popular web servers, Apache powers over 30% of all websites including some of the largest sites on the internet. The ubiquitous software runs some of our most sensitive applications and workloads. This central role also makes Apache a prime target for attackers – one that faces over 6,000 attacks per site per month according to statistics.
Compromise of an Apache server can have serious consequences including data theft, service outages, compliance violations and more. Given these risks, properly hardening and securing Apache should be a top priority for any organization.
In this comprehensive guide, we will go beyond basic security recommendations and cover hands-on, advanced techniques to lock down Apache based on industry best practices:
Apache Web Server Security – By The Numbers
- 30%+ of all websites run on Apache
- Average Apache site deals with 6,000+ attacks per month
- 73% of CMS hacks target weaknesses in Apache configs
- Top attack vectors include SQLi, RCE, XSS and DDoS
Foreword: Why Apache Security Matters
As a central gateway facing the public internet, web servers are tempting targets. Attackers can leverage compromised servers to steal data, launch secondary attacks or simply deface sites for notoriety.
According to statistics from privacy advocate Surfshark:
- 90% of successful data breaches started with an attack on web apps
- Lost records due to breaches cost $150 per record on average
- Downtime from a web server outage costs $250,000 per hour on average
Suffice to say, the business implications of an insecure Apache instance are far reaching. Beyond immediate impacts, seemingly minor Apache compromises also erode consumer trust over the long run.
With hackers constantly evolving their tactics, the work of securing Apache is never quite finished. This guide aims to get you well on your way by covering configuration best practices, tools like mod_security and logging/monitoring options.
Hardening Apache Configuration
Many key security settings are controlled via Apache‘s configuration files. Tightening these configs is a quick "win" that can resolve common oversights.
Disable Version Banners
Edit httpd.conf:
ServerTokens Prod
ServerSignature OffThis removes identifying information like Apache version and OS details from HTTP response headers and error pages. Attacker use such fingerprints to identify vulnerabilities and target exploits.
Without banner removal, requests would return headers like:
Server: Apache/2.4.6 (CentOS Linux)Strict File Permissions
Apache stores configs and serves web content from disk. Locking this down prevents escalation:
chmod 750 /etc/httpd/conf
chmod 640 /etc/httpd/conf/*.conf
chmod 750 /var/www/htmlDefault file permissions are often too lax. The above sets sane owners, prevents group/world reads of config and makes web root writable only by Apache user.
Disable Unneeded Modules
Unloaded modules reduce attack surface area:
httpd.conf
# LoadModule status_module modules/mod_status.so
# LoadModule info_module modules/mod_info.so
# LoadModule dav_module modules/mod_dav.somod_status and mod_info leak sensitive server stats. WebDAV is an unneeded remote file access protocol.
Limit Allowed HTTP Methods
httpd.conf
<LimitExcept GET POST>
Require all denied
</LimitExcept>This disables unneeded methods like CONNECT, TRACE, PUT, DELETE.
Attackers abuse such methods for recon, cache poisoning, uploads and deleting files. Disallowing cuts off these paths.
Mastering SSL Encryption Ciphers
Transport layer encryption protects application data as it travels over the wire between Apache and clients.
Choosing secure ciphers is crucial for encryption strength yet many still run outdated defaults vulnerable to attacks like BEAST, POODLE.
Use only modern suites:
httpd-ssl.conf
SSLProtocol All -SSLv2 -SSLv3
SSLCipherSuite HIGH:!RC4:!MD5:!aNULL:!SHA1This configuration utilizes perfect forward secrecy through ECDHE key exchanges while rejecting obsolete & insecure ciphers. PFS ensures past encrypted data cannot be decrypted even if long-term server private keys are compromised in the future.
Always review Mozilla Security Recommendations for best practice production cipher configurations. As attacks evolve, you may need to adjust to disable vulnerable suites. Stay vigilant!
Containing with Security Sandboxes
Container platforms like Docker sandbox and isolate Apache, limiting damage from compromises. If an attacker breaks out of Apache, they are still contained within the container boundary.
Running Apache in Docker:
docker run -d \
-p 80:80 \
--name apache
-v /site:/usr/local/apache2/htdocs/ \
httpd:2.4The run invocation specifies the container‘s scope of access:
- Expose port 80
- Bind mount host‘s /site for the web root
- Tag as "apache"
No network access or sensitive system files made available within container.
Intrusion Detection with ModSecurity
The ModSecurity module analyzes HTTP traffic in real time, blocking attacks. It acts as an embedded intrusion detection and prevention system stopping threats like SQLi before they reach web apps.
Installation
Ubuntu/Debian
sudo apt install libapache2-mod-security2
sudo modsecurity-enableRHEL/CentOS
sudo yum install mod_securityConfiguration
Base rules help detect OWASP Top 10 threats like XSS and inspect anomalies in request size, user agents etc.
Include them as follows:
Include /etc/modsecurity/owasp-modsecurity-crs/*.confAdditional logic can be added through ModSecurity‘s rich rule syntax to protect application specific paths:
SecRule REQUEST_URI "@contains admin" \
"id:7001,drop,msg:‘Admin access denied‘"This blocks the /admin path, stopping attackers from easily finding and brute-forcing logins.
Server Access Control with iptables
The iptables firewall filters inbound traffic, restricting access to only necessary ports. This limits exposure from internet scans and network pivots.
Allow only required HTTP/HTTPS:
iptables -A INPUT -p tcp --dport 80 -j ACCEPT
iptables -A INPUT -p tcp --dport 443 -j ACCEPT
iptables -P INPUT DROPBy default DROP all other incoming packets lacking explicit allows.
Save persistent rules that reboot with server:
iptables-save > /etc/iptables.rulesSet Restrictive Defaults with FORWARD Chain
iptables -P FORWARD DROPBlocks lateral attacker movement using Apache as a jump host when breached. Companion servers cannot route malicious packets through compromised host.
Proactive Security Monitoring
Preventative controls like firewalls and IDS form the first line of defense. Equally important is actively monitoring Apache to catch threats that slip through cracks:
Access Logs
/var/log/httpd/access_logInspect frequently for abnormal activity – unexpected user agents, requests for non-public files, traffic spikes. Feed logs into analytics tools like GoAccess or an ELK stack to visualize trends.
Error Logs
/var/log/httpd/error_logErrors often indicate someone probing weaknesses or using insecure methods. Tune Apache log levels for increased visibility.
ModSecurity Audit Logs
Blocks and relevant context around each intrusion attempt.
Integrate and Correlate
Centralize the above data sources into security monitoring solutions like Splunk. Cross reference events across servers and apps to uncover stealthy attacks across distributed business environments.
Stay Vigilant
Monitor logs, keep configurations current and hardened. Cyber threats continue evolving so security requires constant reassessment.
Conclusion
This guide provides in-depth practical measures to drastically harden Apache security configurations against the latest attack techniques. Still have additional tips to share? Let me know in the comments!
Sources:
