Airzero Sec

We Do Not Give Up ! Trust US !

How To Secure An Apache Server In Ubuntu?

- Posted in Website Security by

Before we get to the main topic, we first have to cover some common ground, such as the installation of Apache and some basic concepts, so let's start with the installation.

How to install apache on ubuntu?

This section will help you install the Apache web server on the Ubuntu operating system.

Before beginning your work:

  • A running Ubuntu system with privileged shell access
  • The initial server setup instructions completed
  • A domain name registered and pointed to your server’s public IP address

Step 1 — Installing Apache

Apache is available in the default software repositories on Ubuntu, so you can install it with the conventional package management tool. First, update the local package index to reflect the latest upstream changes. Then install the Apache web server. After you confirm, apt will install Apache and the other required packages on your system.

Step 2 — Test Your Web Server

After the installation is finished, the Apache service will automatically start on your system. You can find the Apache status by running the following command:

$ sudo systemctl status apache2

After running the command, a status like “Active: active (running)” means the Apache service has started correctly. However, the best way to test a web server is to request a page from Apache in a web browser. If you see the Apache landing page in the browser, the Apache web server is running correctly on your system.

Next, we need to know how to secure Apache on Ubuntu. The rest of this article gives some tips to strengthen the security of your Apache web server.

Tips To Strengthen Your Apache Web Server Security:

  • Hide the Apache version and OS identity from errors
  • Disable directory listing
  • Keep updating Apache regularly
  • Disable unnecessary modules
  • Run apache as a separate user and group
  • Use allow and deny to restrict access to directories

How To Hide Apache Version And OS Identity From Errors?

When you install Apache with package installers like yum, it displays the version of the Apache web server installed on your server, together with the name of your server's operating system, in error pages. It also shows details about the Apache modules installed on your server.

In such an error page, Apache shows its version along with the Ubuntu release installed on your server. This can be a major security problem for your web server as well as for your Linux box. To stop Apache from displaying this information to the world, we need to make some changes in Apache’s main configuration file.

Open the configuration file and search for “ServerSignature”; by default it is On. We need to turn this server signature Off. A second line, “ServerTokens Prod”, tells Apache to return only Apache as the product in the Server response header on every page request. It suppresses the Ubuntu, major, and minor version info.

How to disable directory listing?

By default, Apache lists the contents of the document root directory in the absence of an index file. We can turn off directory listing for a specific directory by using the Options directive in the configuration file. For that, we need to make an entry in the httpd.conf file...
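
An added example, not from the original article: a shell check for the ServerSignature, ServerTokens and directory-listing settings described above. It reads the single file passed as an argument and does not follow Include lines; the function names and the sample configuration are made up for the illustration.

```shell
#!/bin/sh
# Last uncommented value of a one-argument directive (names are case-insensitive).
directive_value() {  # $1 = directive, $2 = config file
    awk -v d="$1" 'BEGIN { d = tolower(d) }
        /^[ \t]*#/ { next }
        tolower($1) == d { v = tolower($2) }
        END { print v }' "$2"
}

# "line: text" for every Options directive that leaves directory listing enabled.
indexes_enabled() {  # $1 = config file
    awk '/^[ \t]*#/ { next }
        tolower($1) == "options" {
            on = 0
            for (i = 2; i <= NF; i++) {
                o = tolower($i)
                if (o == "indexes" || o == "+indexes" || o == "all") on = 1
                if (o == "-indexes") on = 0
            }
            if (on) print NR ": " $0
        }' "$1"
}

# Prints each finding and returns the number of findings (0 = nothing to fix).
audit_apache_conf() {  # $1 = config file
    n=0
    sig=$(directive_value ServerSignature "$1")
    tok=$(directive_value ServerTokens "$1")
    # Absent directives fall back to httpd defaults: ServerSignature Off, ServerTokens Full.
    case ${sig:-off} in off) ;; *) echo "ServerSignature $sig (want Off)"; n=$((n+1)) ;; esac
    case ${tok:-full} in
        prod|productonly) ;;
        *) echo "ServerTokens ${tok:-full} (want Prod)"; n=$((n+1)) ;;
    esac
    idx=$(indexes_enabled "$1")
    [ -n "$idx" ] && { echo "Indexes enabled at line $idx"; n=$((n+1)); }
    return "$n"
}

sample_conf() {  # constructed input, not taken from a real server
    printf '%s\n' '# ServerTokens Prod' 'ServerTokens OS' 'ServerSignature On' \
        '<Directory /var/www/>' '    Options Indexes FollowSymLinks' '</Directory>'
}

tmp=$(mktemp); sample_conf > "$tmp"
audit_apache_conf "$tmp" || echo "findings: $?"
rm -f "$tmp"
```

A directory block that sets Options -Indexes, together with ServerSignature Off and ServerTokens Prod, makes the check return 0.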

How To Keep Updating Apache Regularly?

Apache developers are continuously working on security problems and releasing updated versions with a variety of security options. So it is always recommended to use the newest version of Apache as your web server.

To check which Apache version you are using, run the httpd -v command.

How To Disable Unnecessary Modules?

It’s always good to reduce the chances of becoming a victim of a cyber attack, so it’s recommended to remove all those modules that are not often in use. You can list the modules the web server loads using the following command.

# grep LoadModule /etc/httpd/conf/httpd.conf

# have to place corresponding `LoadModule' lines at this location so the

# LoadModule foo_module modules/mod_foo.so
LoadModule auth_basic_module modules/mod_auth_basic.so
LoadModule auth_digest_module modules/mod_auth_digest.so
LoadModule authn_file_module modules/mod_authn_file.so
LoadModule authn_alias_module modules/mod_authn_alias.so
LoadModule authn_anon_module modules/mod_authn_anon.so
LoadModule authn_dbm_module modules/mod_authn_dbm.so
LoadModule authn_default_module modules/mod_authn_default.so
LoadModule authz_host_module modules/mod_authz_host.so
LoadModule authz_user_module modules/mod_authz_user.so
LoadModule authz_owner_module modules/mod_authz_owner.so
LoadModule authz_groupfile_module modules/mod_authz_groupfile.so
LoadModule authz_dbm_module modules/mod_authz_dbm.so
LoadModule authz_default_module modules/mod_authz_default.so
LoadModule ldap_module modules/mod_ldap.so
LoadModule authnz_ldap_module modules/mod_authnz_ldap.so
LoadModule include_module modules/mod_include.so
LoadModule log_config_module modules/mod_log_config.so
LoadModule logio_module modules/mod_logio.so
LoadModule env_module modules/mod_env.so
LoadModule ext_filter_module modules/mod_ext_filter.so

Modules that are loaded by default but often not needed include: mod_imap, mod_include, mod_info, mod_userdir, mod_autoindex. To disable a module, insert a “#” at the beginning of its line and restart the server service.
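
An added example, not from the original article: a shell helper that reports which of the modules named above still have an active LoadModule line and prints a copy of the config with those lines commented out. It assumes the single-file LoadModule layout shown in the listing; the function names are made up, and the sample reuses three lines from the listing plus two constructed ones.

```shell
#!/bin/sh
# Module names taken from the article's list; edit to match what your site
# really does not use before applying anything.
UNNEEDED="imap include info userdir autoindex"

# mode=list  : print the listed modules that have an active LoadModule line
# mode=patch : print the whole config with those lines commented out with "#"
scan_modules() {  # $1 = mode, $2 = config file
    awk -v mode="$1" -v list="$UNNEEDED" '
        BEGIN { n = split(list, a, " "); for (i = 1; i <= n; i++) drop[a[i] "_module"] = 1 }
        tolower($1) == "loadmodule" && ($2 in drop) {
            if (mode == "list") print $2; else print "#" $0
            next
        }
        mode == "patch" { print }' "$2"
}

sample_modules() {  # three lines from the listing above, last two constructed
    printf '%s\n' \
        'LoadModule auth_basic_module modules/mod_auth_basic.so' \
        'LoadModule include_module modules/mod_include.so' \
        'LoadModule log_config_module modules/mod_log_config.so' \
        'LoadModule autoindex_module modules/mod_autoindex.so' \
        '#LoadModule userdir_module modules/mod_userdir.so'
}

tmp=$(mktemp); sample_modules > "$tmp"
scan_modules list "$tmp"                            # modules to review
scan_modules patch "$tmp" | diff "$tmp" - || true   # proposed change; nothing is written
rm -f "$tmp"
```

Review the diff before replacing the real file, and check the edited configuration with apachectl configtest before restarting the service.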

How To Run Apache As A Separate User And Group?

With an automatic installation, Apache runs its processes as user nobody or daemon. For security reasons, it is suggested to run Apache under its own non-privileged account, for example: http-web.

Create Apache User and Group

# groupadd http-web
# useradd -d /var/www/ -g http-web -s /usr/sbin/nologin http-web

Now you need to tell Apache to run as this user. To do so, we need to make an entry in /etc/httpd/conf/httpd.conf and restart the server service.

Open /etc/httpd/conf/httpd.conf with an editor and search for the keywords “User” and “Group”; there you specify the user name and group name to use.

User http-web
Group http-web

How to use allow and deny to restrict access to directories?

We can restrict access to directories with the “Allow” and “Deny” options in the httpd.conf file. In the example below, we safeguard the root directory by setting the following in the httpd.conf file.

<Directory />
Options None
Order deny,allow
Deny from all
</Directory>

  • Options “None” – does not allow users to enable any optional features.
  • Order deny,allow – sets the order in which the “Deny” and “Allow” directives are processed. Here “deny” is processed first and “allow” next.
  • Deny from all – denies requests from everybody to the root directory, so nobody will be able to access the root directory.
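
An added example, not part of the original article: a shell check that reports how the `<Directory />` block of a given config file is locked down. It treats the Order/Deny form above as Apache 2.2 syntax, which Apache 2.4 accepts only with mod_access_compat loaded, and also recognises the 2.4 form `Require all denied`; the function names are made up for the illustration.

```shell
#!/bin/sh
# Reports how the root directory block of an Apache config file is protected:
#   require - "Require all denied" (Apache 2.4 syntax, mod_authz_core)
#   legacy  - "Deny from all" with no Allow line (2.2 syntax, as in the article;
#             Apache 2.4 accepts it only when mod_access_compat is loaded)
#   review  - the block also has an "Allow from" line, so check it by hand
#   open    - no <Directory /> block, or no deny rule inside it
root_dir_policy() {  # $1 = config file
    awk 'BEGIN { r = "open" }
        /^[ \t]*#/ { next }
        {   # normalise case and whitespace so matching is exact
            l = tolower($0); gsub(/[ \t]+/, " ", l); sub(/^ /, "", l); sub(/ $/, "", l)
        }
        l == "<directory />" || l == "<directory \"/\">" { inroot = 1; next }
        l == "</directory>" { inroot = 0; next }
        inroot && l == "deny from all" { if (r == "open") r = "legacy" }
        inroot && l == "require all denied" { r = "require" }
        inroot && l ~ /^allow from / { allow = 1 }
        END { if (allow && r != "open") r = "review"; print r }' "$1"
}

page_block() {  # the block from the article, used as input
    printf '%s\n' '<Directory />' 'Options None' 'Order deny,allow' \
        'Deny from all' '</Directory>'
}

tmp=$(mktemp); page_block > "$tmp"
echo "root directory policy: $(root_dir_policy "$tmp")"
rm -f "$tmp"
```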

If you have any queries about this topic, or need cybersecurity services and consultations against these serious cyber attacks, feel free to contact us. AIRZERO SEC will always be your strong firewall. E-mail id: [email protected]

Author - Johnson Augustine
Ethical Hacker and Data Security Researcher
Founder: Airo Global Software Inc
LinkedIn Profile: www.linkedin.com/in/johnsontaugustine/