When it comes to hosting web sites on Linux servers, security is always a top priority. While Apache is a robust and reliable web server, its out-of-the-box configuration typically needs hardening to withstand modern threats. In this article, I’ll walk you through essential command-line techniques to secure your Apache installation and reduce its attack surface, drawing on my experience managing Linux-based web hosting environments.
- Keep Apache and Dependencies Updated
Running outdated software is a common vulnerability. Update your Apache installation and its dependencies with:
sudo apt update && sudo apt upgrade apache2 # Debian/Ubuntu
sudo yum update httpd # CentOS/RedHat
Automate this with unattended-upgrades or a systemd timer (see my article on systemd timers for more details).
- Disable Unused Apache Modules
Apache has a modular architecture. Only load what you need:
sudo apache2ctl -M # List enabled modules
sudo a2dismod autoindex # Example for Debian/Ubuntu
After disabling, reload:
sudo systemctl reload apache2
On RHEL/CentOS, you may need to comment out the corresponding LoadModule lines in httpd.conf.
- Restrict Directory Permissions
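Use minimal permissions and ownership for web directories. The commands below remove all access for other users; because www-data is the owner, the server process itself keeps write access to the content. For example: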
sudo chown -R www-data:www-data /var/www/html
sudo find /var/www/html -type d -exec chmod 750 {} \;
sudo find /var/www/html -type f -exec chmod 640 {} \;
- Configure Apache Security Settings
Edit your main config (often /etc/apache2/apache2.conf or /etc/httpd/conf/httpd.conf) and consider:
# Hide server version details
ServerSignature Off
ServerTokens Prod
# Limit request bodies to 1 MiB (1048576 bytes) to mitigate some DoS attacks
LimitRequestBody 1048576
# Disable directory listing
<Directory /var/www/html>
Options -Indexes
</Directory>
- Enable TLS/SSL
Secure traffic with HTTPS using Let’s Encrypt:
sudo apt install certbot python3-certbot-apache
sudo certbot --apache
Certbot configures SSL automatically, but be sure to set strong ciphers and protocols. Example in ssl.conf:
SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1
SSLCipherSuite HIGH:!aNULL:!MD5
SSLHonorCipherOrder on
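To confirm that the settings from the last two sections are actually in place, the following added example (not part of the original article) audits a single config file. The function names are hypothetical, the sample config is constructed, and included files are not followed.

```sh
#!/bin/sh
# Added example: hypothetical helper, not an Apache tool. Checks ONE config
# file (assumption: includes are not followed) for this article's directives.

# Lower-cased arguments of the last uncommented "$2" directive in file "$1".
last_args() {
    awk -v d="$2" 'tolower($1) == d { $1 = ""; sub(/^ /, ""); v = tolower($0) }
                   END { print v }' "$1"
}

# Legacy protocols left enabled by an SSLProtocol argument list ("$1").
legacy_enabled() {
    echo "$1" | awk '{
        for (i = 1; i <= NF; i++) {
            t = $i; on = (t !~ /^-/); sub(/^[+-]/, "", t)
            if (t == "all") e["sslv3"] = e["tlsv1"] = e["tlsv1.1"] = on
            else e[t] = on
        }
        for (p in e) if (e[p] && p ~ /^(sslv3|tlsv1|tlsv1\.1)$/) printf "%s ", p
    }'
}

fail() { echo "FAIL: $*"; findings=$((findings + 1)); }

# Prints one line per finding; the return status is the number of findings.
audit_apache_conf() {
    conf=$1; findings=0
    [ "$(last_args "$conf" serversignature)" = off ] || fail "ServerSignature is not Off"
    [ "$(last_args "$conf" servertokens)" = prod ] || fail "ServerTokens is not Prod"
    case "$(last_args "$conf" limitrequestbody)" in
        ''|0|*[!0-9]*) fail "LimitRequestBody is unset, 0 or not a number" ;;
    esac
    if awk 'tolower($1) == "options" { for (i = 2; i <= NF; i++)
                if (tolower($i) ~ /^\+?indexes$/) hit = 1 }
            END { exit !hit }' "$conf"
    then fail "an Options line enables Indexes"; fi
    legacy=$(legacy_enabled "$(last_args "$conf" sslprotocol)")
    [ -z "$legacy" ] || fail "SSLProtocol still enables: $legacy"
    return "$findings"
}

# Constructed sample: a config that still has three of the weak settings.
sample=$(mktemp)
printf '%s\n' 'ServerSignature Off' '#ServerTokens Prod' 'LimitRequestBody 1048576' \
    '<Directory /var/www/html>' 'Options Indexes FollowSymLinks' '</Directory>' \
    'SSLProtocol all -SSLv3' > "$sample"
audit_apache_conf "$sample" || echo "$? finding(s)"
rm -f "$sample"
```

Run it against each file that carries these directives, for example ssl.conf for SSLProtocol.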
- Monitor Logs Regularly
Automate log checks with tools like fail2ban, and inspect logs on the command line:
tail -f /var/log/apache2/access.log /var/log/apache2/error.log
Conclusion
By applying these straightforward command-line techniques, you can lock down your Apache web server and help protect your web sites against common vulnerabilities. Stay proactive—monitor updates, prune what’s unnecessary, and automate where possible for a safer, more resilient hosting environment.