Harden the security of Apache 2 on Debian
by Pierre-Yves Landuré — last modified Oct 29, 2017 04:03
Apache 2 is a robust HTTP server with numerous functionalities. This howto hardens the security of Apache 2 by applying some basic rules.
This howto is tested on:
- Debian 6.0 Squeeze
- Debian 7.0 Wheezy
Prerequisites
This howto needs:
- An Apache 2 HTTP server as described by Install and setup Apache 2 on Debian.
This howto recommends:
- the DFind blocking rules described by Block the vulnerability scanner DFind.
Configuration
Harden Apache 2 HTTP server configuration
Apply the rules hardening the server security:
# --no-check-certificate skips TLS verification of the download: review the fetched file before reloading Apache.
command wget 'https://raw.github.com/biapy/howto.biapy.com/master/apache2/security-hardened.conf' \
    --quiet --no-check-certificate --output-document='/etc/apache2/conf.d/security-hardened'
Reload server configuration:
/etc/init.d/apache2 reload
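Before reloading, it is worth confirming that the downloaded rules really set the directives one expects. The following function is an added example, not part of this howto and not the contents of security-hardened.conf: it assumes that a hardening profile sets ServerTokens Prod, ServerSignature Off and TraceEnable Off (all standard Apache directives) and reports which of those are missing from a configuration tree. The directory and files it runs on in the demo are constructed in a temporary location.

```shell
#!/bin/sh
# Added example (not part of the howto): audit an Apache configuration tree for a few
# well-known hardening directives. The directive list is an assumption about what a
# hardening profile contains, not the contents of security-hardened.conf.

# Usage: apache_hardening_audit CONF_DIR
# Prints one "missing:" line per directive that is not set anywhere under CONF_DIR
# (commented-out lines do not count). Returns 0 when all are present, 1 otherwise.
apache_hardening_audit() {
    conf_dir="$1"
    missing=0
    while read -r directive expected; do
        # Anchor at line start (after optional whitespace) so "# ServerTokens Prod"
        # is not mistaken for an active setting. Apache directives are case-insensitive.
        if ! grep -rEiq "^[[:space:]]*${directive}[[:space:]]+${expected}([[:space:]]|$)" "$conf_dir"; then
            echo "missing: ${directive} ${expected}"
            missing=1
        fi
    done <<EOF
ServerTokens (Prod|ProductOnly)
ServerSignature Off
TraceEnable Off
EOF
    return "$missing"
}

# Stand-alone demo on a constructed configuration tree (a temporary directory, not a live server).
demo_dir=$(mktemp -d)
cat > "$demo_dir/apache2.conf" <<'EOF'
ServerTokens OS
# TraceEnable Off
EOF
cat > "$demo_dir/security-hardened" <<'EOF'
ServerTokens Prod
ServerSignature Off
EOF
if apache_hardening_audit "$demo_dir"; then
    echo "all hardening directives present"
else
    echo "hardening gaps found"
fi
rm -r "$demo_dir"
```

The check is presence-only: it tells you a directive is set somewhere under the tree, not which value wins when the same directive appears several times, so the hardening file should be loaded after any conflicting default and the effective value confirmed by hand.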
Block attacks with fail2ban
Install fail2ban:
command apt-get install fail2ban
Enable the Apache 2 protection rules:
if [ ! -e '/etc/fail2ban/jail.local' ]; then
    command touch '/etc/fail2ban/jail.local'
fi
# Use a fixed-string match: as a regular expression, [apache] matches any single
# letter from "apache", so the original test would succeed on almost any file.
if ! command grep -qF '[apache]' '/etc/fail2ban/jail.local'; then
    echo "[apache]
enabled = true
[apache-noscript]
enabled = true
[apache-overflows]
enabled = true
" >> '/etc/fail2ban/jail.local'
fi
Reload the configuration:
/etc/init.d/fail2ban restart
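What the apache jails act on is the Apache error log. The following function is an added example, not part of this howto and not fail2ban's own filter: it reproduces the matching in portable shell over a constructed Apache 2.2 error log so the logic can be checked offline. The pattern is a simplified approximation of the mod_auth_basic messages, and the client addresses, usernames and maxretry value are constructed.

```shell
#!/bin/sh
# Added example (not part of the howto): the kind of matching the fail2ban apache jail
# performs on the Apache error log, reduced to a portable shell function so it can be
# tried on sample lines offline. The pattern is a simplified approximation written for
# this page, not fail2ban's own filter definition.

# Usage: auth_failure_offenders ERROR_LOG MAXRETRY
# Prints each client IP with at least MAXRETRY failed authentication attempts,
# one per line, ordered by IP.
auth_failure_offenders() {
    error_log="$1"
    maxretry="$2"
    # Apache 2.2 mod_auth_basic messages take these two forms:
    #   [error] [client A.B.C.D] user bob not found: /admin
    #   [error] [client A.B.C.D] user bob: authentication failure for "/admin": Password Mismatch
    grep -E '\[error\] \[client [0-9.]+\] user [^ ]+:? (not found|authentication failure)' "$error_log" \
        | sed -E 's/.*\[client ([0-9.]+)\].*/\1/' \
        | sort | uniq -c \
        | awk -v max="$maxretry" '$1 >= max { print $2 }'
}

# Stand-alone demo on a constructed error log (addresses from the documentation ranges).
demo_log=$(mktemp)
cat > "$demo_log" <<'EOF'
[Sun Oct 29 04:03:10 2017] [error] [client 192.0.2.10] user admin not found: /admin
[Sun Oct 29 04:03:11 2017] [error] [client 192.0.2.10] user root not found: /admin
[Sun Oct 29 04:03:12 2017] [error] [client 192.0.2.10] user bob: authentication failure for "/admin": Password Mismatch
[Sun Oct 29 04:03:15 2017] [error] [client 198.51.100.7] user alice: authentication failure for "/admin": Password Mismatch
[Sun Oct 29 04:03:20 2017] [error] [client 192.0.2.10] File does not exist: /var/www/favicon.ico
EOF
echo "clients reaching maxretry=3:"
auth_failure_offenders "$demo_log" 3
rm -f "$demo_log"
```

Unlike fail2ban, this function has no time window: it counts over the whole file, which is enough to see which lines a jail would consider but not to reproduce its findtime behaviour.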
Disable the cgi-bin folder
The use of the cgi-bin folder has been made obsolete by scripting languages such as PHP. Its presence can be a security issue. Disable it:
# Comment out the cgi-bin ScriptAlias line and the whole <Directory .../cgi-bin> block
# in both the default and the default-ssl virtual hosts.
command sed -i \
    -e 's|^.*ScriptAlias.*/cgi-bin/.*$|#\0|' \
    -e '/Directory.*cgi-bin/,/\/Directory/s/^.*/#\0/' \
    "/etc/apache2/sites-available/default"{,-ssl}
Reload the configuration:
/etc/init.d/apache2 force-reload
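The sed command above runs blind on the live vhost files. As an added example that is not part of this howto, the following script applies the same substitutions to a constructed copy of a Wheezy-style default vhost and then verifies that no uncommented ScriptAlias or <Directory> line still references cgi-bin. The vhost content and the temporary file are constructed; the replacement uses & instead of \0 (the same thing in GNU sed) and relies on sed -i as available on Debian.

```shell
#!/bin/sh
# Added example (not part of the howto): the same cgi-bin removal as the sed command
# above, applied to a constructed copy of a Wheezy-style default vhost and followed by
# a check that nothing cgi-bin related is still active. Uses & instead of the GNU-only
# \0 in the replacement; sed -i is assumed (GNU or busybox sed).

# Usage: disable_cgi_bin VHOST_FILE
# Comments out the cgi-bin ScriptAlias line and the whole <Directory ...cgi-bin> block in place.
disable_cgi_bin() {
    sed -i \
        -e 's|^.*ScriptAlias.*/cgi-bin/.*$|#&|' \
        -e '/Directory.*cgi-bin/,/\/Directory/s/^.*/#&/' \
        "$1"
}

# Usage: cgi_bin_active VHOST_FILE
# Returns 0 if an uncommented ScriptAlias or <Directory> line still references cgi-bin,
# 1 otherwise. Run it after disable_cgi_bin as the verification step.
cgi_bin_active() {
    grep -Eq '^[[:space:]]*(ScriptAlias|<Directory)[^#]*cgi-bin' "$1"
}

# Stand-alone demo on a constructed vhost (a temporary file, not /etc/apache2).
demo_vhost=$(mktemp)
cat > "$demo_vhost" <<'EOF'
<VirtualHost *:80>
    DocumentRoot /var/www
    ScriptAlias /cgi-bin/ /usr/lib/cgi-bin/
    <Directory "/usr/lib/cgi-bin">
        AllowOverride None
        Options +ExecCGI -MultiViews +SymLinksIfOwnerMatch
        Order allow,deny
        Allow from all
    </Directory>
    ErrorLog ${APACHE_LOG_DIR}/error.log
</VirtualHost>
EOF
disable_cgi_bin "$demo_vhost"
if cgi_bin_active "$demo_vhost"; then
    echo "cgi-bin still enabled in $demo_vhost"
else
    echo "cgi-bin disabled; remaining active lines:"
    grep -v '^#' "$demo_vhost"
fi
rm -f "$demo_vhost"
```

Running the check against the real files after the howto's command (cgi_bin_active /etc/apache2/sites-available/default, and the same for default-ssl) gives a non-zero exit status once the block is gone, which is the condition to require before the force-reload.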
Thanks
- Thanks to Alsacréations (fr) for Installation d'Apache et PHP (fr).
- Thanks to Smashing Magazine (en) for SVN Server Admin Issue: Fix It! (en).
- Thanks to la Ferme du Web (fr) for .htaccess - Quelques astuces bien pratiques à connaître (fr).
- Thanks to Be-Root.com (fr) for Protéger Apache de slowloris (fr).