Tips to easily configure Apache security

Disclaimer: there is no such thing as guaranteed or absolute security. These suggestions can make your server more secure, but do not assume that your server is safe just because you have followed them.

Also, some of these suggestions may degrade server performance or cause problems in your environment. Whether and how you adapt any of these changes to your needs is entirely up to you; in other words, the risk is yours.

1. Make sure you install the latest patches

If the door is open, locking the windows is pointless. By the same token, if you have not applied the latest patches, there is no point in continuing with the steps below.

2. Hide the Apache version number and other sensitive information

By default, many Apache installations reveal the version number and the operating system version, and some even reveal which Apache modules are loaded. This information is useful to an attacker, and it also tells them that many settings on the server are still at their defaults.

Add these two directives to your httpd.conf file:

ServerSignature Off
ServerTokens Prod

ServerSignature controls the footer line that Apache adds to the pages it generates itself, such as 404 pages and directory listings. The ServerTokens directive determines what Apache puts in the Server header of its HTTP responses. With ServerTokens set to Prod, the header is reduced to:

Server: Apache

If you want to go further, you can change the source code so that the server does not identify itself as Apache at all, or you can do this with mod_security, described below.

3. Make sure Apache runs under its own user account and group

Some Apache installation procedures leave the server running as the user nobody. Suppose Apache and your mail server both run under the nobody account: an attack that starts through Apache can then reach the mail server as well, and vice versa. Give Apache a dedicated account and group instead:

User apache
Group apache

4. Make sure files outside the web root are not served

Do not let Apache access any file outside the web root directory. Assuming your site's files all live in one directory (e.g. /web), configure it as follows:

<Directory />
Order Deny,Allow
Deny from all
Options None
AllowOverride None
</Directory>

<Directory /web>
Order Allow,Deny
Allow from all
</Directory>

Note that because we set Options None and AllowOverride None on the root directory, this turns off every Option and every Override for the whole server. You must now explicitly enable any Option or Override you need in each directory.

5. Turn off directory browsing

You can do this with the Options directive inside the Directory block. Set Options to None or -Indexes.

Options -Indexes

6. Turn off server-side includes

This is also done with the Options directive inside the Directory block. Set Options to None or -Includes.

Options -Includes

7. Turn off CGI execution

If you do not use CGI, turn it off. In the Directory block, set Options to None or -ExecCGI:

Options -ExecCGI

8. Stop Apache from following symbolic links

As above, set Options to None or -FollowSymLinks:

Options -FollowSymLinks

9. Turn off several options at once

If you want to turn off all options, it is simple:

Options None

If you only want to turn off some specific options, list each one with a minus sign:

Options -ExecCGI -FollowSymLinks -Indexes
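Sections 4 to 9 rely on how Apache merges Options directives from the server-wide Directory block down to a specific directory, and the note in section 4 (every Option must now be set explicitly per directory) follows from that rule. As an added example, not code from the original article, the shell script below implements Apache's documented merge rule: a directive whose keywords all carry + or - is merged into the inherited set, while any unprefixed keyword replaces the inherited set, None empties it and All enables everything except MultiViews. The option names and the rule are Apache's; the directive chains in the demo are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the original article: work out which Options
# Apache actually applies after merging the Options directives from the
# server-wide <Directory /> down to the most specific <Directory> block.
#
# Apache's merge rule: if every keyword in a directive carries a + or -
# prefix, the directive is merged into the inherited set (+ adds, - removes).
# If any keyword has no prefix, the directive replaces the inherited set.
# "None" empties the set and "All" enables everything except MultiViews.
# Keywords are compared as written (Apache itself is case-insensitive).

# Every option that "All" switches on.
ALL_OPTIONS="ExecCGI FollowSymLinks Includes IncludesNOEXEC Indexes SymLinksIfOwnerMatch"

# has_option SET NAME: succeed if NAME is in the space-separated SET.
has_option() {
    case " $1 " in
        *" $2 "*) return 0 ;;
        *)        return 1 ;;
    esac
}

# remove_option SET NAME: print SET with NAME taken out.
remove_option() {
    out=""
    for o in $1; do
        [ "$o" = "$2" ] || out="$out $o"
    done
    printf '%s' "${out# }"
}

# apply_options INHERITED "KEYWORDS": print the set that results from one
# Options directive. Fails with status 2 on the mixed form Apache rejects.
apply_options() {
    current="$1"
    words="$2"
    relative=0
    absolute=0
    for w in $words; do
        case "$w" in
            [+-]*) relative=1 ;;
            *)     absolute=1 ;;
        esac
    done
    if [ "$relative" -eq 1 ] && [ "$absolute" -eq 1 ]; then
        printf 'error: "Options %s" mixes +/- with plain keywords; Apache rejects this\n' "$words" >&2
        return 2
    fi
    if [ "$absolute" -eq 1 ]; then
        # Absolute form: whatever the parent had is discarded.
        current=""
        for w in $words; do
            case "$w" in
                None) current="" ;;
                All)  current="$ALL_OPTIONS" ;;
                *)    has_option "$current" "$w" || current="${current:+$current }$w" ;;
            esac
        done
    else
        # Relative form: adjust the inherited set keyword by keyword.
        for w in $words; do
            name="${w#?}"
            case "$w" in
                +*) has_option "$current" "$name" || current="${current:+$current }$name" ;;
                -*) current="$(remove_option "$current" "$name")" ;;
            esac
        done
    fi
    printf '%s' "$current"
}

# effective_options "DIRECTIVE" ...: apply each Options directive in order,
# outermost container first, starting from an empty set, and print the final
# result ("None" when nothing is left).
effective_options() {
    current=""
    for directive in "$@"; do
        if ! current="$(apply_options "$current" "$directive")"; then
            return 2
        fi
    done
    if [ -z "$current" ]; then
        printf 'None\n'
    else
        printf '%s\n' "$current"
    fi
}

# Demo: the article's <Directory /> with Options None, followed by the
# per-directory settings from sections 5 to 9.
printf 'Options None, then Options -Indexes -> %s\n' \
    "$(effective_options "None" "-Indexes")"
printf 'Options None, then Options Indexes FollowSymLinks -> %s\n' \
    "$(effective_options "None" "Indexes FollowSymLinks")"
printf 'Options All, then Options -ExecCGI -FollowSymLinks -Indexes -> %s\n' \
    "$(effective_options "All" "-ExecCGI -FollowSymLinks -Indexes")"
```

The first demo line is the point of the note in section 4: after Options None on the root, a relative -Indexes in a subdirectory changes nothing, because there is nothing inherited to remove, while the second line shows that an unprefixed list silently re-enables whatever it names.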

10. Turn off support for .htaccess files

In the Directory block:

AllowOverride None

If you do need per-directory overrides, make sure these files cannot be downloaded, or give them a name other than .htaccess. For example, you can rename them to .httpdoverride and block every file whose name starts with .ht, like this:

AccessFileName .httpdoverride

<Files ~ "^\.ht">
Order allow,deny
Deny from all
Satisfy All
</Files>

11. Run mod_security

mod_security is a very useful Apache module written by Ivan Ristic, the author of Apache Security (published by O'Reilly). It can be used to implement the following:

·Simple filtering
·Regular-expression-based filtering
·URL encoding validation
·Unicode encoding validation
·Auditing
·Null byte attack prevention
·Upload storage limits
·Server identity hiding
·Built-in chroot support
·Other features

12. Turn off any unnecessary modules

Apache installations often load several modules. Browse the Apache module documentation to understand what each loaded module does; in many cases you will find that you do not need them all.

Look for the lines containing LoadModule in httpd.conf. To turn off a module, put a # at the start of its line. To list the modules currently being loaded, use:

grep LoadModule httpd.conf

The following modules are usually enabled yet rarely needed: mod_imap, mod_include, mod_info, mod_userdir, mod_status, mod_cgi, mod_autoindex.
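Sections 2, 3 and 12 each amount to a check against httpd.conf: the last ServerSignature and ServerTokens values in the file, whether User and Group name a dedicated account rather than nobody, and which LoadModule lines are still active. As an added example, not code from the original article, the shell script below performs those checks on a configuration file. It reads the file the way Apache does (whole-line # comments ignored, the last occurrence of a directive wins, directive names case-insensitive) and flags loaded modules from the list the article gives. The sample httpd.conf it audits is constructed for the demo and is not a real server's file.

```shell
#!/bin/sh
# Added example, not from the original article: audit an httpd.conf for the
# settings asked for in sections 2, 3 and 12 (ServerSignature, ServerTokens,
# a dedicated User/Group, and loaded modules that are usually not needed).

# Modules the article lists as usually enabled but rarely needed.
REVIEW_MODULES="mod_imap mod_include mod_info mod_userdir mod_status mod_cgi mod_autoindex"

# active_lines FILE: the configuration minus whole-line comments, which is
# all Apache itself ignores (it does not allow trailing # comments).
active_lines() {
    grep -v '^[[:space:]]*#' "$1"
}

# effective_directive FILE NAME: the argument of the last active occurrence
# of NAME, matched case-insensitively as Apache does; empty if not set.
effective_directive() {
    active_lines "$1" | awk -v name="$2" '
        tolower($1) == tolower(name) {
            val = $2
            for (i = 3; i <= NF; i++) val = val " " $i
        }
        END { print val }'
}

# enabled_modules FILE: the mod_* names from active LoadModule lines, i.e.
# the article's "grep LoadModule httpd.conf" minus lines already disabled.
enabled_modules() {
    active_lines "$1" | awk '$1 == "LoadModule" {
        f = $3; sub(/^.*\//, "", f); sub(/\.so$/, "", f); print f
    }'
}

# flagged_modules FILE: enabled modules that are on the review list.
flagged_modules() {
    for m in $(enabled_modules "$1"); do
        case " $REVIEW_MODULES " in
            *" $m "*) printf '%s\n' "$m" ;;
        esac
    done
}

failures=0

# check LABEL WANT GOT: compare case-insensitively and count a failure.
check() {
    want="$(printf '%s' "$2" | tr 'A-Z' 'a-z')"
    got="$(printf '%s' "$3" | tr 'A-Z' 'a-z')"
    if [ "$want" = "$got" ]; then
        printf 'PASS  %-16s %s\n' "$1" "$3"
    else
        printf 'FAIL  %-16s got "%s", want "%s"\n' "$1" "$3" "$2"
        failures=$((failures + 1))
    fi
}

# check_account LABEL GOT: a dedicated account must be named, and it must
# not be the shared nobody account the article warns about.
check_account() {
    if [ -n "$2" ] && [ "$2" != nobody ]; then
        printf 'PASS  %-16s %s\n' "$1" "$2"
    else
        printf 'FAIL  %-16s "%s" (dedicated account expected)\n' "$1" "$2"
        failures=$((failures + 1))
    fi
}

# audit_config FILE: one line per check; returns the number of failures.
audit_config() {
    failures=0
    check ServerSignature Off  "$(effective_directive "$1" ServerSignature)"
    check ServerTokens    Prod "$(effective_directive "$1" ServerTokens)"
    check_account User  "$(effective_directive "$1" User)"
    check_account Group "$(effective_directive "$1" Group)"
    for m in $(flagged_modules "$1"); do
        printf 'WARN  %-16s %s is loaded; disable it unless it is needed\n' LoadModule "$m"
    done
    return "$failures"
}

# make_sample_config FILE: a constructed httpd.conf fragment for the demo,
# not a real server's file. ServerTokens appears twice and the last one
# wins; the server still runs as nobody; mod_status and mod_cgi are loaded.
make_sample_config() {
    cat > "$1" <<'EOF'
# constructed sample httpd.conf
ServerRoot "/etc/httpd"
LoadModule auth_basic_module modules/mod_auth_basic.so
LoadModule status_module modules/mod_status.so
#LoadModule info_module modules/mod_info.so
LoadModule cgi_module modules/mod_cgi.so
User nobody
Group nobody
ServerSignature Off
ServerTokens Prod
ServerTokens Full
EOF
}

sample="$(mktemp)"
make_sample_config "$sample"
audit_config "$sample" || printf '%s check(s) failed\n' "$?"
rm -f "$sample"
```

Run it against a real configuration with audit_config /path/to/httpd.conf; the exit status is the number of failed checks, so it can gate a deployment. The second ServerTokens line in the sample is the trap worth knowing about: the directive the article asks for is present, but a later line overrides it, which a plain grep for "ServerTokens Prod" would not catch.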

Copyright © Windows knowledge All Rights Reserved