Securing Apache Web Server: Essential Command-Line Techniques

When it comes to hosting websites on Linux servers, security is always a top priority. Apache is a robust and reliable web server, but its out-of-the-box configuration typically needs hardening to withstand modern threats. In this article, I’ll walk you through essential command-line techniques to secure your Apache installation and reduce its attack surface, drawing on my experience managing Linux-based web hosting environments.

  1. Keep Apache and Dependencies Updated

Running outdated software is a common source of vulnerabilities. Update your Apache installation and its dependencies with:

sudo apt update && sudo apt upgrade apache2   # Debian/Ubuntu
sudo yum update httpd                        # CentOS/RedHat

Automate this with unattended-upgrades or a systemd timer (see my article on systemd timers for more details).

  2. Disable Unused Apache Modules

Apache has a modular architecture. Only load what you need:

sudo apache2ctl -M                      # List enabled modules
sudo a2dismod autoindex                 # Example for Debian/Ubuntu

After disabling, reload:

sudo systemctl reload apache2

On RHEL/CentOS, you may need to comment out modules in httpd.conf.

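  3. Restrict Directory Permissions

Use minimal permissions and ownership for web directories. The example below keeps www-data as owner with mode 750 on directories and 640 on files, which removes all access for other users but still lets the Apache user write to the content: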

sudo chown -R www-data:www-data /var/www/html
sudo find /var/www/html -type d -exec chmod 750 {} \;
sudo find /var/www/html -type f -exec chmod 640 {} \;
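
To check the result of the commands above, this added example (not part of the original article) reports anything under a web root that is looser than 750 for directories or 640 for files. The function name audit_webroot and the throwaway demo tree are assumptions made for illustration.

```shell
#!/bin/sh
# audit_webroot ROOT [OWNER]  (hypothetical helper)
# Prints one finding per line and returns 1 if anything is looser than the
# 750 (directories) / 640 (files) scheme, or not owned by OWNER when given.
audit_webroot() {
    findings=$(
        # Directories: group-write or any access for other exceeds 750.
        find "$1" -type d \( -perm -020 -o -perm -004 -o -perm -002 \
            -o -perm -001 \) -print | sed 's/^/DIR_TOO_OPEN /'
        # Files: any execute bit, group-write or access for other exceeds 640.
        find "$1" -type f \( -perm -100 -o -perm -020 -o -perm -010 \
            -o -perm -004 -o -perm -002 -o -perm -001 \) -print |
            sed 's/^/FILE_TOO_OPEN /'
        # Ownership drift, e.g. files unpacked by root after the chown ran.
        if [ -n "${2:-}" ]; then
            find "$1" ! -user "$2" -print | sed 's/^/WRONG_OWNER /'
        fi
    )
    [ -z "$findings" ] && return 0
    printf '%s\n' "$findings"
    return 1
}

# Demo on a constructed tree (throwaway directory, not a real web root).
demo=$(mktemp -d)
mkdir "$demo/uploads" && chmod 777 "$demo/uploads"
: > "$demo/index.html" && chmod 640 "$demo/index.html"
audit_webroot "$demo" || echo "webroot needs tightening"
rm -rf "$demo"
```

On a real server, run it as `audit_webroot /var/www/html www-data` after each deployment, since new files inherit the deployer's umask rather than the modes set earlier.
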

  4. Configure Apache Security Settings

Edit your main config (often /etc/apache2/apache2.conf or /etc/httpd/conf/httpd.conf) and consider:

# Hide server version details
ServerSignature Off
ServerTokens Prod

# Limit request bodies to 1 MiB (the value is in bytes) to mitigate some DoS attacks
LimitRequestBody 1048576

# Disable directory listing
<Directory /var/www/html>
    Options -Indexes
</Directory>

  5. Enable TLS/SSL

Secure traffic with HTTPS using Let’s Encrypt:

sudo apt install certbot python3-certbot-apache
sudo certbot --apache

Certbot configures SSL automatically, but be sure to set strong ciphers and protocols. Example in ssl.conf:

SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1
SSLCipherSuite HIGH:!aNULL:!MD5
SSLHonorCipherOrder on
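
The security settings and the SSLProtocol line shown above are easy to lose when a config file is regenerated, so this added example (not part of the original article) audits one config file for them. The function name audit_apache_conf and the sample config are assumptions, and treating the last occurrence of a directive as the effective one is a simplification.

```shell
#!/bin/sh
# audit_apache_conf FILE  (hypothetical helper, not an Apache tool)
# Prints one "WEAK ..." line per finding and returns 1 if there are any.
# Simplification: last occurrence wins; Include files are not followed.
audit_apache_conf() {
    awk '
    function weak(msg) { print "WEAK " msg; rc = 1 }
    /^[ \t]*#/ || NF < 2 { next }          # comments, blanks, closing tags
    {
        name = tolower($1); $1 = ""; sub(/^ +/, "")
        val[name] = tolower($0)
    }
    name == "options" {
        n = split(val[name], t, " ")
        for (i = 1; i <= n; i++)
            if (t[i] ~ /^[+]?(indexes|all)$/) weak("Options enables Indexes")
    }
    END {
        if (("serversignature" in val) && val["serversignature"] != "off")
            weak("ServerSignature is not Off")
        if (val["servertokens"] !~ /^prod(uctonly)?$/)
            weak("ServerTokens is not Prod")
        if (val["limitrequestbody"] + 0 <= 0)
            weak("LimitRequestBody is unset or unlimited")
        # Work out which legacy protocols survive the +/- token list.
        split("sslv3 tlsv1 tlsv1.1", legacy, " ")
        n = split(val["sslprotocol"], t, " ")
        for (i = 1; i <= n; i++) {
            p = t[i]; on = (p !~ /^-/); sub(/^[+-]/, "", p)
            for (k = 1; k <= 3; k++)
                if (p == "all" || p == legacy[k]) enabled[legacy[k]] = on
        }
        for (k = 1; k <= 3; k++)
            if (enabled[legacy[k]]) weak("SSLProtocol still enables " legacy[k])
        exit rc
    }' "$1"
}

# Constructed sample, loosely modelled on an untouched default config.
sample=$(mktemp)
cat > "$sample" <<'EOF'
ServerTokens OS
<Directory /var/www/html>
    Options Indexes FollowSymLinks
</Directory>
SSLProtocol all -SSLv3
EOF
audit_apache_conf "$sample" || echo "config needs hardening"
rm -f "$sample"
```
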

  6. Monitor Logs Regularly

Automate log checks with tools like fail2ban, and inspect logs on the command line:

tail -f /var/log/apache2/access.log /var/log/apache2/error.log
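
For a quick triage step between watching the live tail and setting up fail2ban, this added example (not part of the original article) counts 4xx responses per client in a combined-format access log. The function name noisy_clients, the default threshold of 5 and the sample log lines are assumptions; the addresses come from documentation ranges.

```shell
#!/bin/sh
# noisy_clients LOG [THRESHOLD]  (hypothetical helper)
# Lists clients with at least THRESHOLD (default 5) 4xx responses,
# busiest first, one "<count> <ip>" per line.
noisy_clients() {
    # Splitting on the double quote keeps the status code findable even
    # when the request line is malformed and has no "METHOD path HTTP/x".
    awk -F'"' -v min="${2:-5}" '
    {
        gsub(/\\"/, "")          # Apache logs a quote in the request as \"
        split($1, pre, " ")      # pre[1] = client address
        split($3, post, " ")     # post[1] = status, post[2] = bytes sent
        if (post[1] ~ /^4[0-9][0-9]$/) hits[pre[1]]++
    }
    END { for (ip in hits) if (hits[ip] >= min) print hits[ip], ip }
    ' "$1" | sort -k1,1nr -k2,2
}

# Constructed sample log (not taken from a real server).
log=$(mktemp)
cat > "$log" <<'EOF'
203.0.113.7 - - [01/Jan/2025:10:00:01 +0000] "GET /a HTTP/1.1" 404 196 "-" "-"
203.0.113.7 - - [01/Jan/2025:10:00:02 +0000] "GET /b HTTP/1.1" 403 199 "-" "-"
203.0.113.7 - - [01/Jan/2025:10:00:03 +0000] "\x16\x03\x01" 400 226 "-" "-"
198.51.100.4 - - [01/Jan/2025:10:00:04 +0000] "GET / HTTP/1.1" 200 5120 "-" "-"
198.51.100.4 - - [01/Jan/2025:10:00:05 +0000] "GET /x?q=\"1\" HTTP/1.1" 404 196 "-" "-"
EOF
noisy_clients "$log" 3
rm -f "$log"
```
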

Conclusion

By applying these straightforward command-line techniques, you can lock down your Apache web server and help protect your websites against common vulnerabilities. Stay proactive—monitor updates, prune what’s unnecessary, and automate where possible for a safer, more resilient hosting environment.

Comments

2 responses to “Securing Apache Web Server: Essential Command-Line Techniques”

  1. Presley

    Comment from Presley:

    Fantastic article! As someone who works primarily with WordPress, I can’t stress enough how crucial Apache security is for keeping dynamic sites (like WordPress installs) safe. Many WordPress security breaches stem from weak server configurations, so these command-line best practices are foundational.

    A couple of notes for WordPress users:

    • Disabling directory listing (as you outlined) is especially important—without it, attackers can sometimes browse sensitive plugin or upload directories.
    • Strong file permissions help prevent rogue scripts or compromised plugins from escalating access.
    • Enabling SSL/TLS is now a must for WordPress, not just for user trust but also for features like secure admin logins and to prevent session hijacking.

    I’d also suggest adding a Content Security Policy (CSP) header via Apache to help mitigate XSS attacks, which are common in the WordPress ecosystem.

    Thanks for the clear, actionable tips—these steps are a solid foundation for anyone hosting web apps, especially WordPress sites, on Apache!

    Presley
    Web Developer & WordPress Specialist

  2. Pythia

    Comment from Pythia:

    Fantastic article! As a developer who often works with both Apache and Python-based web apps, I can’t emphasize enough how critical these command-line practices are for every sysadmin or developer managing production servers. I appreciate how you break down each step, especially the importance of disabling unused modules and fine-tuning permissions—these are often overlooked but make a big impact on reducing attack surfaces.

    I’d also suggest adding a bit about integrating ModSecurity, an open-source web application firewall, which can be configured right from the command line and provides an additional layer of protection against common web attacks (like SQL injection and XSS). Additionally, for those using Python applications (Django, Flask, etc.) behind Apache, it’s worth mentioning the security benefits of running apps with mod_wsgi in daemon mode and using virtual environments to isolate dependencies.

    Thanks for the clear, actionable advice! Securing the stack is a never-ending process, but articles like this make it a lot more approachable for everyone.

    — Pythia
