8 Important Steps for Hardening Apache2 Configuration

SecurityForEveryone

S4E.io

13/Dec/24

Securing Apache2 is critical for maintaining the integrity and availability of your web services. Apache2 is one of the most widely used web servers, which makes it a popular target for attackers. By applying a handful of key configuration changes you can significantly reduce its attack surface and better protect your environment. Here are eight essential steps for hardening your Apache2 setup.

1. Limit Server Information Disclosure

  • Minimizing the server details disclosed in HTTP headers is essential. Revealing the Apache version, for example, gives attackers useful information. To limit this, open /etc/apache2/conf-available/security.conf and set ServerTokens to Prod, the value that reveals the least information in the Server header:
```apache
#
# ServerTokens
# This directive configures what you return as the Server HTTP response
# Header. The default is 'Full' which sends information about the OS-Type
# and compiled in modules.
# Set to one of: Full | OS | Minimal | Minor | Major | Prod
# where Full conveys the most information, and Prod the least.
#ServerTokens Minimal
#ServerTokens OS
#ServerTokens Full
ServerTokens Prod
```

2. Disable Server Signature

  • The ServerSignature directive in the same security.conf file helps avoid exposing server details on error pages. Setting this to Off prevents Apache from including version or server information in generated pages, reducing potential insights for attackers.
```apache
#
# Optionally add a line containing the server version and virtual host
# name to server-generated pages (internal error documents, FTP directory
# listings, mod_status and mod_info output etc., but not CGI generated
# documents or custom error documents).
# Set to "EMail" to also include a mailto: link to the ServerAdmin.
# Set to one of: On | Off | EMail
ServerSignature Off
```

3. Restrict Timeout Duration

  • Reducing the timeout duration helps mitigate denial-of-service attacks that rely on holding connections open for a long time. Change the Timeout directive in apache2.conf from the default of 300 seconds to a lower value such as 45 seconds:
```apache
#
# Timeout: The number of seconds before receives and sends time out.
#
Timeout 45
```

4. Disable Unnecessary Modules

  • Apache loads multiple modules by default. Reducing the number of active modules minimizes your server’s attack surface. You can view enabled modules in /etc/apache2/mods-enabled/ and selectively disable those not required. For reference, review the full list of modules here: Apache Module Documentation.

5. Restrict File Permissions on Configuration Files

  • Ensure that only the root user can access the configuration files and binaries. Set the ownership and permissions with the following commands:
```sh
# Restrict access to the Apache tree to root only.
chown -R root:root /usr/local/apache
# u=rwX keeps directories and existing executables traversable/runnable for root
# while removing all group and other access: regular files end up 0600,
# directories and binaries 0700. A blanket "chmod -R 600" would also strip the
# execute bit from directories and httpd itself, breaking the server.
chmod -R u=rwX,go= /usr/local/apache
```

6. Secure SSL Certificate Keys

  • Limit access to your SSL certificate key files. Only root should be able to read the certificate key, specified through the SSLCertificateKeyFile directive:
```apache
# The file named here must be owned by root and readable only by root
# (mode 0600). Apache reads it as root at startup; the permissions themselves
# are set on the file system, not by this directive.
SSLCertificateKeyFile /path/to/ssl/private.key
```

7. Mitigate Slowloris Attack with Read Timeouts

  • Apache is vulnerable to Slowloris attacks, which keep many connections open by sending request data very slowly and so exhaust the server's worker pool. Adding a RequestReadTimeout directive (provided by mod_reqtimeout) to the Apache configuration mitigates this risk:
```apache
# header=10-20,MinRate=500: allow 10 seconds to receive the request line and
# headers; while data keeps arriving at 500 bytes/s or more, extend the limit
# by one second per 500 bytes, up to 20 seconds in total.
# body=20,MinRate=500: the same scheme for the request body, 20 seconds max.
RequestReadTimeout header=10-20,MinRate=500 body=20,MinRate=500
```

8. Regularly Update Apache2 and Dependent Libraries

  • Frequent updates ensure that your Apache server is protected from known vulnerabilities. With over 90 medium-to-critical vulnerabilities identified in older Apache versions (2.4.0 – 2.4.62), running the latest version is vital. The current releases and the vulnerabilities fixed in each are listed on Apache's official security page.
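As an added example (not from the article or from S4E), the following POSIX shell script audits an Apache configuration file for the values from steps 1, 2, 3 and 7 and checks a key file's mode for step 6; the two sample configuration files and the key file are constructed inline so it runs offline, and the paths /usr/local/apache and /path/to/ssl/private.key from the article are not assumed.

```sh
#!/bin/sh
# Added audit helper (not the article's own code). Sample inputs are constructed.

# Effective value of a directive: last uncommented occurrence, lower-cased
# (Apache matches directive names and most keywords case-insensitively).
directive_value() {
    # $1 = config file, $2 = directive name
    sed -e 's/#.*//' "$1" | awk -v d="$2" 'tolower($1) == tolower(d) { v = $2 } END { print tolower(v) }'
}

# Audit one config file; prints one line per finding and returns the finding count.
audit_conf() {
    f="$1"; n=0
    [ "$(directive_value "$f" ServerTokens)" = "prod" ] \
        || { echo "ServerTokens is not Prod (version leaks in Server header)"; n=$((n+1)); }
    [ "$(directive_value "$f" ServerSignature)" = "off" ] \
        || { echo "ServerSignature is not Off (version leaks on error pages)"; n=$((n+1)); }
    t="$(directive_value "$f" Timeout)"
    { [ -n "$t" ] && [ "$t" -le 45 ]; } 2>/dev/null \
        || { echo "Timeout is '${t:-unset}' (want 45 or less)"; n=$((n+1)); }
    [ -n "$(directive_value "$f" RequestReadTimeout)" ] \
        || { echo "RequestReadTimeout unset (no Slowloris mitigation)"; n=$((n+1)); }
    return "$n"
}

# Step 6: true when the key file grants no group/other permissions (0600 or tighter).
key_is_private() {
    [ "$(ls -ld "$1" | cut -c5-10)" = "------" ]
}

# Constructed samples: one with the article's hardened values, one with typical defaults.
HARD="$(mktemp)"; WEAK="$(mktemp)"; KEY="$(mktemp)"
trap 'rm -f "$HARD" "$WEAK" "$KEY"' EXIT
cat > "$HARD" <<'EOF'
#ServerTokens Full
ServerTokens Prod
ServerSignature Off
Timeout 45
RequestReadTimeout header=10-20,MinRate=500 body=20,MinRate=500
EOF
cat > "$WEAK" <<'EOF'
ServerTokens OS
ServerSignature On
Timeout 300
# RequestReadTimeout header=10-20,MinRate=500 body=20,MinRate=500
EOF
chmod 600 "$KEY"

audit_conf "$HARD" && echo "hardened sample: no findings"
audit_conf "$WEAK" || echo "default sample: $? finding(s)"
key_is_private "$KEY" && echo "key file mode is private"
```

Run it against /etc/apache2/apache2.conf and conf-enabled/security.conf after applying the steps above; a non-zero finding count means at least one of the settings is still at its default.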

Visuals about vulnerabilities in Apache2 and related versions: