Basic Apache Security Recipes

There are some (very basic) tunables that should be modified to improve the overall security of a default Apache installation.

I only list the parameters I recommend changing.

Server Config

Don't expose too much information and fix some issues:

httpd-default.conf
# [...]
 
#
# ServerTokens
# This directive configures what you return as the Server HTTP response
# Header. The default is 'Full' which sends information about the OS-Type
# and compiled in modules.
# Set to one of:  Full | OS | Minor | Minimal | Major | Prod
# where Full conveys the most information, and Prod the least.
#
ServerTokens Prod
 
#
# Optionally add a line containing the server version and virtual host
# name to server-generated pages (internal error documents, FTP directory 
# listings, mod_status and mod_info output etc., but not CGI generated 
# documents or custom error documents).
# Set to "EMail" to also include a mailto: link to the ServerAdmin.
# Set to one of:  On | Off | EMail
#
ServerSignature Off
 
# Security Fix (PCI)
# Web Server HTTP Trace/Track Method Support Cross-Site Tracing Vulnerability
TraceEnable Off
 
# Security Fix (PCI)
# Apache Web Server ETag Header Information Disclosure Weakness
FileETag MTime Size

Adjust the ciphers allowed, disable weak ciphers and protocols:

httpd-ssl.conf
#   SSL Cipher Suite:
#   List the ciphers that the client is permitted to negotiate.
#   See the mod_ssl documentation for a complete list.
 
# Source: https://wiki.mozilla.org/Security/Server_Side_TLS | Intermediate | Version 3.3
# Retrieved: 2014-10-24
SSLCipherSuite "ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA"
 
SSLHonorCipherOrder On
 
SSLProtocol all -SSLv2 -SSLv3
 
SSLCompression Off

Secure Your .git Directories and Make Them Inaccessible Via Apache

If you happen to have .git directories anywhere in your docroot, you can secure them like so:

# add the following to your VirtualHost Section(s) and don't forget your SSL-VirtualHosts!

RedirectMatch 404 /\.git

This will return a 404 Not Found error, even if such a directory exists anywhere within your docroot.
As a bonus, it also covers your .gitignore files, because the pattern is not anchored at the end and matches any path containing ".git".

PHP

If PHP is used, make sure you have the following in your php.ini (the default is On):

php.ini
expose_php = Off
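Added here as an illustration, not part of the original page: a small Python audit that reads captured HTTP response heads and reports which of the recipes above (ServerTokens, FileETag, TraceEnable, expose_php and the .git RedirectMatch) are still missing. The response heads are constructed samples; for brevity the first one combines headers you would see on a GET reply (Server, ETag, X-Powered-By) with the Allow header of an OPTIONS reply.

```python
import re

# Constructed sample response heads (not captured from a real host): the first
# from an unhardened default install, the second after applying the recipes above.
RAW_DEFAULT = """HTTP/1.1 200 OK
Server: Apache/2.4.10 (Unix) OpenSSL/1.0.1j PHP/5.6.2
ETag: "2a1f5-52b-4f7c3d2a1b8c0"
X-Powered-By: PHP/5.6.2
Allow: GET,HEAD,POST,OPTIONS,TRACE
Content-Type: text/html
"""
RAW_HARDENED = """HTTP/1.1 200 OK
Server: Apache
ETag: "52b-4f7c3d2a1b8c0"
Allow: GET,HEAD,POST,OPTIONS
Content-Type: text/html
"""
# Constructed heads of a reply to GET /.git/HEAD, with and without the RedirectMatch rule.
RAW_GIT_DEFAULT = "HTTP/1.1 200 OK\nContent-Type: text/plain\n"
RAW_GIT_HARDENED = "HTTP/1.1 404 Not Found\nContent-Type: text/html\n"

def parse_head(raw):
    """Split a raw response head into (status code, {lower-cased name: value})."""
    lines = raw.splitlines()
    status = int(lines[0].split()[1])
    headers = {}
    for line in lines[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return status, headers

def audit(raw, git_raw):
    """Return {directive: offending value} for each recipe on this page that is not applied."""
    _, h = parse_head(raw)
    findings = {}
    server = h.get("server", "")
    # ServerTokens Prod reduces the Server header to the bare product name.
    if re.search(r"/\d", server) or "(" in server:
        findings["ServerTokens"] = server
    # FileETag INode MTime Size produces three hex fields; MTime Size produces two.
    etag = h.get("etag", "").strip('"')
    if etag.count("-") >= 2:
        findings["FileETag"] = etag
    allowed = [m.strip().upper() for m in h.get("allow", "").split(",")]
    if "TRACE" in allowed:
        findings["TraceEnable"] = h["allow"]
    # expose_php = On adds an X-Powered-By: PHP/x.y.z header.
    if "x-powered-by" in h:
        findings["expose_php"] = h["x-powered-by"]
    git_status, _ = parse_head(git_raw)
    if git_status != 404:
        findings["RedirectMatch"] = "/.git/HEAD returned %d" % git_status
    return findings
```

ServerSignature is not covered, since it only shows up in the body of server-generated pages, not in the headers.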
apache/security.txt · Last modified: 2015-11 by tb