Securing Apache Web Server: Essential Command-Line Techniques

When it comes to hosting web sites on Linux servers, security is always a top priority. While Apache is a robust and reliable web server, its security out-of-the-box typically needs enhancement to withstand modern threats. In this article, I’ll walk you through essential command-line techniques to secure your Apache installation and reduce potential attack surfaces, drawing on my experience managing Linux-based web hosting environments.

  1. Keep Apache and Dependencies Updated

Running outdated software is a common vulnerability. Update your Apache installation and its dependencies with:

sudo apt update && sudo apt upgrade apache2   # Debian/Ubuntu
sudo yum update httpd                        # CentOS/RedHat

Automate this with unattended-upgrades or a systemd timer (see my article on systemd timers for more details).

  2. Disable Unused Apache Modules

Apache has a modular architecture. Only load what you need:

sudo apache2ctl -M                      # List enabled modules
sudo a2dismod autoindex                 # Example for Debian/Ubuntu

After disabling, reload:

sudo systemctl reload apache2

On RHEL/CentOS there is no a2dismod, so you may need to comment out the module's LoadModule line in httpd.conf instead.

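  3. Restrict Directory Permissions

Use minimal permissions and ownership for web directories. The example below removes all access for other users. Because www-data is the owner, the server process can still write to these files; if the site never needs to modify its own content, a separate owner with www-data as the group is tighter. For example: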

sudo chown -R www-data:www-data /var/www/html
sudo find /var/www/html -type d -exec chmod 750 {} \;
sudo find /var/www/html -type f -exec chmod 640 {} \;

  4. Configure Apache Security Settings

Edit your main config (often /etc/apache2/apache2.conf or /etc/httpd/conf/httpd.conf) and consider:

# Hide server version details
ServerSignature Off
ServerTokens Prod

# Limit request bodies to 1 MiB (1048576 bytes) to mitigate some DoS attacks
LimitRequestBody 1048576

# Disable directory listing
<Directory /var/www/html>
    Options -Indexes
</Directory>

  5. Enable TLS/SSL

Secure traffic with HTTPS using Let’s Encrypt:

sudo apt install certbot python3-certbot-apache
sudo certbot --apache

Certbot configures SSL automatically, but be sure to set strong ciphers and protocols. Example in ssl.conf:

SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1
SSLCipherSuite HIGH:!aNULL:!MD5
SSLHonorCipherOrder on
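
One way to check that the settings from sections 4 and 5 are actually present in the files Apache loads, as an added example rather than code from this article. The function names and both sample configs are constructed for illustration; the check reads directives textually and does not follow Include lines or per-vhost overrides.

```shell
#!/bin/sh
# Added example (not from the article): audit Apache config text for the
# settings in sections 4 and 5. Function names here are hypothetical.

# Print, lower-cased, the value of the last occurrence of directive $1 on stdin.
last_value() {
    awk -v d="$1" 'tolower($1) == tolower(d) { $1 = ""; v = tolower($0) }
                   END { gsub(/^ +| +$/, "", v); print v }'
}

# Read config from the named files (or stdin); print one FAIL line per weak
# setting and return non-zero if any was found.
audit_apache_conf() (
    fails=0
    conf=$(cat "$@")
    fail() { echo "FAIL: $1"; fails=$((fails + 1)); }
    get() { printf '%s\n' "$conf" | last_value "$1"; }
    v=$(get ServerTokens)
    case $v in prod|productonly) ;; *) fail "ServerTokens is '${v:-unset}', want prod" ;; esac
    v=$(get ServerSignature)
    [ "$v" = off ] || fail "ServerSignature is '${v:-unset}', want off"
    v=$(get LimitRequestBody)   # 0 means unlimited
    case $v in ''|0|*[!0-9]*) fail "LimitRequestBody is '${v:-unset}'" ;; esac
    # Count Options arguments that turn Indexes on (Indexes or +Indexes).
    n=$(printf '%s\n' "$conf" | awk 'tolower($1) == "options" {
        for (i = 2; i <= NF; i++) if (tolower($i) ~ /^\+?indexes$/) n++ } END { print n + 0 }')
    [ "$n" -eq 0 ] || fail "Options enables Indexes ($n time(s))"
    v=$(get SSLProtocol)
    [ -n "$v" ] || fail "SSLProtocol is unset"
    for p in sslv3 tlsv1 tlsv1.1; do
        case " $v " in
            *" $p "*|*" +$p "*) fail "SSLProtocol '$v' enables $p" ;;
            *" all "*|*" +all "*)   # 'all' pulls the protocol in unless removed
                case " $v " in *" -$p "*) ;; *) fail "SSLProtocol '$v' keeps $p" ;; esac ;;
        esac
    done
    [ "$fails" -eq 0 ]
)

# Constructed sample inputs: a weak config and the article's settings.
weak_conf() { printf '%s\n' 'ServerTokens OS' 'ServerSignature On' \
    'Options Indexes FollowSymLinks' 'SSLProtocol all -SSLv3'; }
hardened_conf() { printf '%s\n' 'ServerSignature Off' 'ServerTokens Prod' \
    'LimitRequestBody 1048576' 'Options -Indexes' \
    'SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1'; }

weak_conf | audit_apache_conf || true   # prints six FAIL lines
```

To audit a live server, pass the config files as arguments, for example `audit_apache_conf /etc/apache2/apache2.conf`.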

  6. Monitor Logs Regularly

Automate log checks with tools like fail2ban, and inspect logs on the command line:

tail -f /var/log/apache2/access.log /var/log/apache2/error.log

Conclusion

By applying these straightforward command-line techniques, you can lock down your Apache web server and help protect your web sites against common vulnerabilities. Stay proactive—monitor updates, prune what’s unnecessary, and automate where possible for a safer, more resilient hosting environment.
