
Harden the security of Apache 2 on Debian

by Pierre-Yves Landuré last modified Oct 29, 2017 04:03

Apache 2 is a robust HTTP server with numerous features. This howto hardens the security of Apache 2 by applying a few basic rules: reducing the information the server discloses, banning hosts that repeatedly fail authentication or probe for scripts, and removing an unused CGI entry point.

This howto is tested on:

  • Debian 6.0 Squeeze
  • Debian 7.0 Wheezy

Prerequisites

This howto needs:

This howto recommends:

Configuration

Harden Apache 2 HTTP server configuration

Download a configuration fragment that applies a set of basic hardening rules into /etc/apache2/conf.d/ (Apache 2.2 on Debian includes every file in that directory). Note that --no-check-certificate disables TLS certificate verification for the download, so review the fetched file before reloading the server:

command wget 'https://raw.github.com/biapy/howto.biapy.com/master/apache2/security-hardened.conf' \
--quiet --no-check-certificate --output-document='/etc/apache2/conf.d/security-hardened'

Reload the server configuration (a syntax check with apache2ctl configtest beforehand avoids taking the server down on a typo):

/etc/init.d/apache2 reload
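As an added example (this is not the security-hardened.conf file fetched above, nor code from its author), the script below writes a minimal hardening fragment of the kind that download provides and gives a check for the most visible effect, the Server header. The fragment name security-hardened-example and the helper names are assumptions; the directives themselves are standard Apache 2.2 core directives.

```shell
#!/bin/sh
# Added example: minimal Apache 2.2 hardening fragment for Debian 6/7 plus a
# check on the Server header. File name and helper names are hypothetical.

# Emit the hardening directives on stdout.
hardened_directives() {
    cat <<'EOF'
# Stop advertising the exact Apache/OS/module versions in the Server header
# and in server-generated pages (error pages, directory listings).
ServerTokens Prod
ServerSignature Off

# Refuse the TRACE method: it reflects request headers back to the client
# and is only useful to an attacker (cross-site tracing).
TraceEnable Off

# Do not derive ETags from inode numbers, which leak file-system details.
FileETag MTime Size

# No directory listings and no .htaccess overrides unless a more specific
# <Directory> block (such as the one for /var/www in the default vhost)
# re-enables them on purpose.
<Directory />
    Options -Indexes
    AllowOverride None
</Directory>
EOF
}

# Write the fragment to the given path (default: Apache 2.2 conf.d on Debian).
write_hardened_conf() {
    target="${1:-/etc/apache2/conf.d/security-hardened-example}"
    hardened_directives > "$target"
}

# Read raw HTTP response headers on stdin. Return 0 when the Server header
# still carries a version or platform string ("Apache/2.2.22 (Debian)"),
# 1 when it is minimal ("Apache") or absent.
server_header_leaks_version() {
    grep -i '^Server:' | grep -Eq '[/(]'
}

# Usage on the Apache host, as root:  sh harden-example.sh --apply
if [ "${1:-}" = "--apply" ]; then
    write_hardened_conf
    apache2ctl configtest && /etc/init.d/apache2 reload
    if curl -sI http://localhost/ | server_header_leaks_version; then
        echo "Server header still leaks a version"
    else
        echo "Server header OK"
    fi
fi
```

Without --apply the script only defines the functions, so it can be sourced and the check run by hand: curl -sI http://localhost/ | server_header_leaks_version. Remember that Debian's default vhost sets Options Indexes on /var/www, which overrides the -Indexes above for that tree; edit the vhost if listings are not wanted there either.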

Block attacks with fail2ban

Install fail2ban:

command apt-get install fail2ban

Enable the Apache jails that Debian's fail2ban already defines in /etc/fail2ban/jail.conf by overriding them in jail.local (never edit jail.conf itself, package upgrades overwrite it):

if [ ! -e '/etc/fail2ban/jail.local' ]; then
command touch '/etc/fail2ban/jail.local'
fi
# Append the jails only once. The brackets must be escaped: as a plain
# regular expression "[apache]" matches any line containing one of the
# letters a, p, c, h or e, so the jails would never be added to a
# non-empty file.
if ! command grep -q '^\[apache\]' '/etc/fail2ban/jail.local'; then
echo "[apache]
enabled = true

[apache-noscript]
enabled = true

[apache-overflows]
enabled = true
" >> '/etc/fail2ban/jail.local'
fi

Restart fail2ban so that it loads the new jails:

/etc/init.d/fail2ban restart
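To see what the [apache] jail reacts to, the following added example (not part of this howto and not fail2ban code) extracts the client IPs of failed HTTP authentication attempts from Apache 2.2 error-log lines and flags the ones that reach a ban threshold, which is what fail2ban does with its failregex and maxretry settings. The log lines are constructed, the threshold is passed explicitly rather than read from jail.conf, and the patterns are of the same kind as fail2ban's apache-auth filter, not a copy of it.

```shell
#!/bin/sh
# Added example: emulate the counting behind the [apache] jail on constructed
# Apache 2.2 error-log lines. Helper names and sample data are hypothetical.

# Constructed sample of /var/log/apache2/error.log: one host brute-forcing
# /admin/, one host with two typos, and two unrelated error lines.
sample_error_log() {
    cat <<'EOF'
[Sun Oct 29 04:01:01 2017] [error] [client 203.0.113.5] user admin not found: /admin/
[Sun Oct 29 04:01:02 2017] [error] [client 203.0.113.5] user admin not found: /admin/
[Sun Oct 29 04:01:03 2017] [error] [client 203.0.113.5] user root not found: /admin/
[Sun Oct 29 04:01:04 2017] [error] [client 203.0.113.5] user root: authentication failure for "/admin/": Password Mismatch
[Sun Oct 29 04:01:05 2017] [error] [client 203.0.113.5] user root: authentication failure for "/admin/": Password Mismatch
[Sun Oct 29 04:01:06 2017] [error] [client 203.0.113.5] user root: authentication failure for "/admin/": Password Mismatch
[Sun Oct 29 04:01:07 2017] [error] [client 203.0.113.5] user root: authentication failure for "/admin/": Password Mismatch
[Sun Oct 29 04:02:10 2017] [error] [client 198.51.100.7] user pierre: authentication failure for "/private/": Password Mismatch
[Sun Oct 29 04:02:15 2017] [error] [client 198.51.100.7] user pierre: authentication failure for "/private/": Password Mismatch
[Sun Oct 29 04:03:00 2017] [error] [client 192.0.2.9] File does not exist: /var/www/phpmyadmin
[Sun Oct 29 04:03:01 2017] [error] [client 192.0.2.9] script '/var/www/w00tw00t.at.ISC.SANS.DFind:).php' not found or unable to stat
EOF
}

# Read error-log lines on stdin and print the client IP of every failed
# Basic/Digest authentication attempt ("user X not found" and
# "user X: authentication failure" in Apache 2.2's wording).
auth_failure_ips() {
    sed -n -E 's/^\[[^]]+\] \[error\] \[client ([0-9.]+)\] user [^ :]+:? (not found|authentication failure).*/\1/p'
}

# Read error-log lines on stdin and print each IP whose failure count
# reaches the threshold given as $1 (fail2ban's maxretry for the jail).
ips_over_threshold() {
    threshold="$1"
    auth_failure_ips | sort | uniq -c | awk -v t="$threshold" '$1 >= t { print $2 }'
}

# Run on the constructed sample when executed directly:
#   sample_error_log | ips_over_threshold 6   -> 203.0.113.5
```

On a real host the same question is answered by fail2ban's own tools: fail2ban-regex /var/log/apache2/error.log /etc/fail2ban/filter.d/apache-auth.conf shows which lines the filter matches, and fail2ban-client status apache lists the hosts currently banned by the jail. The unrelated lines in the sample (missing file, probe for a PHP script) are the kind of events the [apache-noscript] jail watches instead.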

Disable the cgi-bin folder

The classic /cgi-bin/ entry point has largely been superseded by script handlers such as PHP, and an enabled but unused ScriptAlias to /usr/lib/cgi-bin is extra attack surface: any executable placed in that directory becomes reachable over HTTP. Comment it out of the default sites:

command sed -i \
-e 's|^.*ScriptAlias.*/cgi-bin/.*$|#\0|' \
-e '/Directory.*cgi-bin/,/\/Directory/s/^.*/#\0/' \
"/etc/apache2/sites-available/default"{,-ssl}

Reload the configuration:

/etc/init.d/apache2 force-reload
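Because the sed expressions above edit the vhost files in place, it is worth checking that nothing still enables /cgi-bin/ before forcing a reload. The added example below (not part of this howto) applies the same edit with the portable & replacement instead of GNU sed's \0, and provides a check function; it exercises both on a constructed copy of Debian's default vhost, so it runs without touching /etc/apache2. The helper names are assumptions.

```shell
#!/bin/sh
# Added example: disable the cgi-bin alias and verify the result.
# Helper names are hypothetical; the sample vhost is a constructed excerpt
# modelled on Debian 6/7's sites-available/default.

# Constructed excerpt of the default vhost, with the cgi-bin section active.
sample_vhost() {
    cat <<'EOF'
<VirtualHost *:80>
	ServerAdmin webmaster@localhost
	DocumentRoot /var/www
	ScriptAlias /cgi-bin/ /usr/lib/cgi-bin/
	<Directory "/usr/lib/cgi-bin">
		AllowOverride None
		Options +ExecCGI -MultiViews +SymLinksIfOwnerMatch
		Order allow,deny
		Allow from all
	</Directory>
	ErrorLog ${APACHE_LOG_DIR}/error.log
</VirtualHost>
EOF
}

# Print, with line numbers, every uncommented line in the given files that
# still maps /cgi-bin/ or opens the /usr/lib/cgi-bin <Directory> block.
active_cgi_bin_lines() {
    grep -nE '^[[:space:]]*(ScriptAlias[[:space:]]+/cgi-bin/|<Directory[[:space:]]+"?/usr/lib/cgi-bin)' "$@"
}

# Return 0 when none of the given files still enables /cgi-bin/, 1 otherwise.
cgi_bin_disabled() {
    ! active_cgi_bin_lines "$@" > /dev/null 2>&1
}

# Comment out the ScriptAlias line and the whole cgi-bin <Directory> block,
# exactly as the howto does (& is the portable spelling of GNU sed's \0).
disable_cgi_bin() {
    sed -i \
        -e 's|^.*ScriptAlias.*/cgi-bin/.*$|#&|' \
        -e '/Directory.*cgi-bin/,/\/Directory/s/^.*/#&/' "$@"
}

# Usage on the Apache host, as root:  sh disable-cgi-bin-example.sh --apply
if [ "${1:-}" = "--apply" ]; then
    files='/etc/apache2/sites-available/default /etc/apache2/sites-available/default-ssl'
    disable_cgi_bin $files
    if cgi_bin_disabled $files && apache2ctl configtest; then
        /etc/init.d/apache2 force-reload
    else
        echo "cgi-bin still enabled or configuration invalid; not reloading" >&2
        active_cgi_bin_lines $files
    fi
fi
```

After the reload, a request such as curl -sI http://localhost/cgi-bin/test-cgi should answer 404 rather than 403 or 500, since the alias no longer exists.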

Thanks