Securing Apache, PHP web server


As a best practice, make sure to harden your linux operating system, before proceeding further.

1. Update your apache server regularly.

The latest version of the apache contains fixes for all the known security issues. So it is recommended to update your apache web server regularly.
You can update your version with the following command.

It is also recommended to keep your Kernel and OS updated to the latest stable releases, if you are not running any specific application which works only on specific OS or Kernel.

To check Apache version:

To test your configuration file settings and syntax:

To check php version:

2. Confirm that Apache is run by its own non-privileged account.

By default, apache might run as nobody or daemon. It is good to run apache in its own non-privileged account. For example: apache.

Apache is run as “apache” (Except the 1st httpd process, which will always run as root).

or else, you may need to execute this steps.

Modify the /etc/httpd/conf/httpd.conf, and set user and group appropriately.

All files and directory under /var/www/html should be owned by apache:

Make sure file permissions under /var/www/html/ are set to 0744:

3. Restrict access to root directory.

Secure the root directory by following parameters in /etc/httpd/conf/httpd.conf

4. Disable Directory Listing

If index.html is not created under DocumentRoot directory, website visitors will see all files, directories and sub-directories in his browser(like ls –l output).

To disable directory listing, you can either set the value of Option directive to “None” or “-Indexes”.

5. Don’t allow .htaccess

Using .htaccess file inside a specific sub-directory under the htdocs, users can overwrite the default apache directives.
On certain situations, this is not good, and should be avoided. You should disable this feature.

You should not allow users to use the .htaccess file and override apache directives. To do this, set “AllowOverride None” in the root directory.

6. Disable other Options

In this example, for /var/www/html directory, it has both Includes and Indexes:

For /var/www/html/en directory, if you need Only Indexes from /example (And not the Includes), and if you want to FollowSymLinks only to this directory, do the following.

Following are the available values for Options directive:

7. Disable unnecessary modules

Apache is modular web server. Installing additional modules can extend the functionality of the httpd process. An example of this is the mod_ssl to make the Apache server work with TLS encryption.

To list statically compiled modules:

core.c – Apache core module
prefork.c – For MPM (Multi-Processing Module) module
httpd_core.c – Apache core module
mod_so.c – For loading modules during start or restart

Other modules:
mod_auth* – For various authentication modules
mod_ssl.c – For SSL
mod_dir.c – For trailing slash redirect on directory paths. if you specify url/test/, it goes to url/test/index.html

8. Disable unwanted DSO Modules

Please note that the statically compiled apache modules will not be listed as “LoadModule” directive.

By default, some of the most common dynamic shared object modules are installed to the /etc/httpd/modules directory.
To list all the compiled modules of web server:

It is recommended to disable all those modules that are not in use currently, by commenting line starting with "LoadModule" directive inside the /etc/httpd/conf/httpd.conf file.

9. Restrict access to a specific network

10. To suppress Apache Version and OS of your server displayed in error message.

By default, the server HTTP response header will contains apache and php version:

Server: Apache/2.2.15 (CentOS)
To avoid this, set the "ServerTokens Prod" and "Signature off" in /etc/httpd/conf/httpd.conf. This will display “Server: Apache” without any version information.

Following are possible ServerTokens values:

ServerTokens Prod displays “Server: Apache”
ServerTokens Major displays “Server: Apache/2″
ServerTokens Minor displays “Server: Apache/2.2″
ServerTokens Min displays “Server: Apache/2.2.17″
ServerTokens OS displays “Server: Apache/2.2.17 (Unix)”
ServerTokens Full displays “Server: Apache/2.2.17 (Unix) PHP/5.3.5″ (If you don’t specify any ServerTokens value, this is the default)

Example: Check setting from command line:

11. Enable Apache Logging

Apache allows you to logging independently of your OS logging. It is wise to enable Apache logging, because it provides more information, such as the commands entered by users that have interacted with your Web server.

To do so you need to include the mod_log_config module.

You can also use them for a particular website if you are doing virtual hosting and for that you need to specify it in the virtual host section.

12. Secure Apache with SSL Certificates

If you are running website that requires users to sign in for credit card transaction, then protecting site with ssl is must or else all your transactions are exposed to be captured by hackers, burglars.

For serious business purpose, you should consider buying ssl from authorized certificate issuer.
For testing purpose generate self signed certificate and assign to your website.
Apache mod_ssl module needs to installed first to support SSL certificate.

Steps to create self signed certificate:

13. Disable unwanted php modules

For performance and security use only required modules.
To disable sqlite3 module by moving configuration file:

14. Immunize Apache, PHP Configuration Files

Use the chattr command to immunize configuration files:

15. Disable following functions from php.ini

Set following parameters in php.ini to make it more secure.

16. Restrict file uploads

To disable file uploads change the file_uploads directive in php.ini:

If you do allow file uploads you should change the default temporary directory used for file uploads.
Also restrict max file size to upload.

You may also like...

%d bloggers like this: