How to Harden Your Apache Web Server on an Ubuntu 18.04 Dedicated Server or VPS

How to Harden Your Apache Web Server on an Ubuntu 18.04 Dedicated Server or VPS

Introduction

Apache is one of the most popular web servers, hence usually susceptible to hacking attacks. With default configuration which exposes sensitive information about the server, shortens the reconnaissance time for a hacker. Most of the attacks are done through PHP Injection attacks, Cross Site Scripting, Stealing Cookie Information, Denial of Service (DoS), Distributed DOS (DDoS), HTTP brute force attacks>, to mention but a few. In this article, we illustrate how to configure your Apache web server on Ubuntu 18.04 to be secure and have robust protection against the malicious attacks.

Pre-requisites

  • You must have basic knowledge of Apache>
  • You must have installed the latest Apache web server (at the time of publishing is 2.4.29) on Ubuntu 18.04 VPS
  • You must have installed WordPress Demo Website in /var/www/html
  • You must know how to use the inspector element in a web browser for testing
  • You must have made a copy of the following configuration files
/etc/apache2/apache2.conf
/etc/apache2/conf-enabled/security.conf

1.  Hide Apache Version and Operating System

By-default the apache version and OS are shown in the response headers as shown below. This is a major security loophole exposing such details to the world and be used by hackers.

From the figure, it shows the web server is running on Apache Version 2.4.29 and on Ubuntu OS. To hide those details, add the two lines in apache config file /etc/apache2/conf-enabled/security.conf

ServerSignature Off 
ServerTokens Prod

Then reload Apache:

$ sudo systemctl reload apache2

Refresh the browser and you’ll notice the version and OS details removed as shown below:

2. Disable Directory Listing and FollowSymLinks

By default, the directory listing for all files under web root directory is enabled if there is no index file as shown below. This allows hackers to view and analyze the files in your web server directory and maximize on the slightest available vulnerability to launch an attack.

In addition, by-default apache is configured to follow symbolic links which is not advisable.

To disable these, edit the config file /etc/apache2/apache2.conf by putting “-” before each tag directive in the line Options Indexes FollowSymLinks to become Options -Indexes -FollowSymLinks as shown below:

<Directory /var/www/>
    Options -Indexes -FollowSymLinks
    AllowOverride None
    Require all granted
</Directory>

Then reload apache service

Refresh the browser and you’ll notice that the files can no longer be viewed and instead generates 403 forbidden error message as shown below:

3. Secure Apache using mod_security and mod_evasive Modules

Mod_security

Acts as a firewall for web servers and applications, providing protection against brute force attacks. Install it and then restart Apache.

$ sudo apt install libapache2-mod-security2 -y
$ sudo systemctl restart apache2

Mod_evasive

Detects and provides protection against DDOS and HTTP brute force attacks. It detects attacks whenever: so many requests are directed to a page several times per second; temporarily blacklisted IP still tries to make a new request; child process attempts making more than 50 concurrent requests. Install and restart Apache.

$ sudo apt install libapache2-mod-evasive -y
$ sudo systemctl restart apache2

4. Limit Request Size

By default, the HTTP request in Apache is unlimited hence web server is susceptible to DoS attacks by keeping it open for a high number of request. For example, there is a site that allows users to upload files, then it’s important to set a limit for upload size. This can be done by setting the LimitRequestBody for that particular upload directory as follows:

<Directory "/var/www/html/wp_content/uploads">
 
LimitRequestBody 10485760
 
</Directory>

The upload size has been limited to a max of 10 megabytes.  The maximum allowable limit is usually 2GB.

Then restart/reload apache service.

5. Disable TRACE HTTP Request

By default, Trace HTTP Request is enabled allowing for Cross Site Tracing. This enables a hacker to easily steal cookie information. Disabling Trace HTTP Request makes the mod_proxy and core server return “405 - Method Not Allowed” error message to clients. Trace request is disabled by adding the line TraceEnable off in the config file /etc/apache2/apache2.conf.

Save the file and reload the apache service.

sudo systemctl restart apache2

Conclusion

The enlisted 5 steps are the most basic security protection features to implement in your Apache web server. To add more security features, you can perform the following steps:

  • Disable Server Side Includes (SSI) and CGI Execution which usually allow for remote execution of arbitrary codes
  • Ensure Apache is updated with the latest version as it has patches which reduce attack vulnerability
  • Prevent Clickjack attacks which trick users into clicking malicious sites
  • Secure the Apache Web Server with SSL Certificates to encrypt all communication via the internet

Check out these top 3 Dedicated server hosting services:

Hostinger
AU$4.50 /mo
Starting price
Visit Hostinger
Rating based on expert review
  • User Friendly
    4.7
  • Support
    4.7
  • Features
    4.8
  • Reliability
    4.8
  • Pricing
    4.7
IONOS
AU$1.50 /mo
Starting price
Visit IONOS
Rating based on expert review
  • User Friendly
    4.5
  • Support
    4.0
  • Features
    4.5
  • Reliability
    4.5
  • Pricing
    4.3
Ultahost
AU$4.36 /mo
Starting price
Visit Ultahost
Rating based on expert review
  • User Friendly
    4.3
  • Support
    4.8
  • Features
    4.5
  • Reliability
    4.0
  • Pricing
    4.8
  • Do you need the best VPS? Read about our different offers.

How to harden Nginx Web Server on an Ubuntu 18.04 VPS or Dedicated Server

Nginx is one of the most popular web servers which is vulnerable to hacking atta
3 min read
Max Ostryzhko
Max Ostryzhko
Senior Web Developer, HostAdvice CTO

How to Set Up WordPress Multisite on Ubuntu 18.04 with Apache Web Server

In this tutorial, we explain how to set up WordPress multisite on an Ubuntu 18.0
3 min read
Idan Cohen
Idan Cohen
Marketing Expert

How to Enable Two-Factor Authentication on an Ubuntu 18.04 VPS or Dedicated Server

This guide will show you how you enable two-factor authentication to improve the
4 min read
Max Ostryzhko
Max Ostryzhko
Senior Web Developer, HostAdvice CTO

How to Change Common PHP Settings on an Ubuntu 18.04 VPS or Dedicated Server

This article shows you how to change PHP settings on your Linux Ubuntu 18.04 vir
3 min read
Idan Cohen
Idan Cohen
Marketing Expert
HostAdvice.com provides professional web hosting reviews fully independent of any other entity. Our reviews are unbiased, honest, and apply the same evaluation standards to all those reviewed. While monetary compensation is received from a few of the companies listed on this site, compensation of services and products have no influence on the direction or conclusions of our reviews. Nor does the compensation influence our rankings for certain host companies. This compensation covers account purchasing costs, testing costs and royalties paid to reviewers.
Click to go to the top of the page
Go To Top