Harden the security of Apache 2 on Debian

This howto is tested on:

• Debian 6.0 Squeeze
• Debian 7.0 Wheezy

Prerequisites

This howto needs :

• A Apache 2 HTTP as described by Install and setup Apache 2 on Debian.

This howto recommends :

• the DFind blocking rules described by Block the vulnerability scanner DFind.

Configuration

Harden Apache 2 HTTP server configuration

Apply some rules hardening server security:

command wget 'https://raw.github.com/biapy/howto.biapy.com/master/apache2/security-hardened.conf' \
    --quiet --no-check-certificate --output-document='/etc/apache2/conf.d/security-hardened'

Reload server configuration:

/etc/init.d/apache2 reload

Block attacks with fail2ban

Install fail2ban :

command apt-get install fail2ban

Enable the Apache 2 protection rules:

if [ ! -e '/etc/fail2ban/jail.local' ]; then
  command touch '/etc/fail2ban/jail.local'
fi
if [ -z "$(command grep "[apache]" '/etc/fail2ban/jail.local')" ]; then
  echo "[apache]
enabled = true

[apache-noscript]
enabled = true

[apache-overflows]
enabled = true
" >> '/etc/fail2ban/jail.local'
fi

Reload the configuration :

/etc/init.d/fail2ban restart

Disable the cgi-bin folder

The cgi-bin folder use has been deprecated by script languages such as PHP. Its presence can be a security issue. Disable it:

command sed -i \
    -e 's|^.*ScriptAlias.*/cgi-bin/.*$|#\0|' \
    -e '/Directory.*cgi-bin/,/\/Directory/s/^.*/#\0/' \
  "/etc/apache2/sites-available/default"{,-ssl}

Reload the configuration :

/etc/init.d/apache2 force-reload

Thanks

• Thanks to Alsacréations (fr) for Installation d'Apache et PHP (fr).
• Merci à Smashing Magazine (en) pour SVN Server Admin Issue: Fix It ! (en)
• Merci à la Ferme du Web (fr) pour .htaccess - Quelques astuces bien pratiques à connaître (fr).

• Merci à Be-Root.com (fr) pour Protéger Apache de slowloris (fr).

• Merci à System-Linux.eu (fr) pour Attaque Slowloris (DoS) l'essayer et l'empécher (fr) et Compilation, Installation et Configuration de ModSecurity (fr).