Hardening Apache2 on Debian 8

Datetime: 2016-08-23 01:50:53    Topic: Apache HTTP Server, Debian

Disable Apache Web Server Signature

sudo nano /etc/apache2/conf-available/security.conf

Debian already defines both directives in security.conf (as ServerTokens OS and ServerSignature On), so change them there. Appending a second copy to the very end of apache2.conf also works, but only because it lands after the IncludeOptional conf-enabled/*.conf line and therefore overrides security.conf; two definitions of the same setting are easy to get wrong later.

ServerSignature Off
ServerTokens Prod

ServerSignature Off removes the version footer from server-generated pages (error pages, directory listings). ServerTokens Prod reduces the Server response header to the bare word "Apache". Neither prevents fingerprinting by behaviour; they only stop handing out the exact version string for free.

Hide PHP Version

sudo nano /etc/php5/apache2/php.ini

Make sure the expose_php option is off. This removes the X-Powered-By: PHP/x.y.z response header that advertises the exact PHP version. Since PHP runs inside Apache as mod_php here, the change only takes effect after Apache is restarted.

expose_php = Off

Disable Directory Browsing Globally

sudo a2dismod autoindex

With mod_autoindex removed, a request for a directory that has no index file gets a 403 instead of a file listing, whatever Options Indexes says (Debian's apache2.conf sets Options Indexes FollowSymLinks on /var/www/). If one directory genuinely needs listings, keep the module and use Options -Indexes everywhere else instead. The change takes effect on the next restart.

Securing root directory

sudo nano /etc/apache2/conf-available/security.conf

The commented-out block in security.conf denies access to the whole filesystem. Uncomment it:

<Directory />
    AllowOverride None
    Order Deny,Allow
    Deny from all
</Directory>

Order, Deny and Allow are Apache 2.2 directives; on Debian 8 (Apache 2.4) they only work because mod_access_compat is enabled by default, and Debian's apache2.conf already does the same thing in 2.4 syntax, so this step is redundant rather than harmful:

<Directory />
    Options FollowSymLinks
    AllowOverride None
    Require all denied
</Directory>

Whatever is denied at / has to be granted again for the document root, otherwise every request returns 403. Put the grant inside a container for the document root rather than as bare directives (bare directives in security.conf apply server-wide). Options None drops Indexes and FollowSymLinks. Keep AllowOverride None unless an application really needs .htaccess files: AllowOverride All lets anyone who can write a file under the document root reconfigure that directory, and costs an .htaccess lookup on every request.

<Directory /var/www/html>
    Options None
    AllowOverride None
    Require all granted
</Directory>

(In the 2.2 syntax used by the block above, Require all granted corresponds to Order Allow,Deny followed by Allow from all.)

Use only TLS, Disable SSLv2, SSLv3

sudo nano /etc/apache2/mods-available/ssl.conf

Change the SSLProtocol line to

SSLProtocol all -SSLv2 -SSLv3

With Apache 2.4 "all" means SSLv3 plus TLS 1.0, 1.1 and 1.2, so this leaves the three TLS versions enabled; Apache 2.4 cannot offer SSLv2 at all (it accepts -SSLv2 only as a no-op), so the token is there for clarity. Do not write "-all +TLSv1": the tokens are evaluated left to right and that form removes everything and then adds back only TLS 1.0, silently switching off TLS 1.1 and TLS 1.2. If every client you care about supports it, "-all +TLSv1.2" is the stricter choice. A virtual host that sets its own SSLProtocol overrides this value.

Disable Weak Ciphers

sudo nano /etc/apache2/mods-available/ssl.conf

Change the SSLCipherSuite line to

SSLCipherSuite HIGH:!MEDIUM:!aNULL:!MD5:!RC4

HIGH keeps only suites with strong key sizes, !aNULL removes unauthenticated (anonymous Diffie-Hellman) suites, and !MD5 and !RC4 remove the broken hash and stream cipher. Set SSLHonorCipherOrder on alongside it so that the server's preference order, not the client's, decides which suite is used. What the string actually selects depends on the installed OpenSSL build; list it with openssl ciphers -v 'HIGH:!MEDIUM:!aNULL:!MD5:!RC4' before trusting it.
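To see why the exact form of the protocol list matters, here is an added example (my code, not part of the original post) that emulates how Apache 2.4 mod_ssl evaluates an SSLProtocol argument list left to right, then judges the result. It assumes the 2.4 keyword semantics stated in the comments (all = SSLv3 TLSv1 TLSv1.1 TLSv1.2; SSLv2 can never be enabled); the function names ssl_protocol_enabled and ssl_protocol_is_hardened are my own, and unknown keywords are not validated the way the real parser does.

```shell
#!/bin/sh
# Added example, not from the original post: emulate how Apache 2.4 mod_ssl
# evaluates the argument list of an SSLProtocol directive.
# Assumptions (Apache 2.4 on Debian 8, OpenSSL built without SSLv2):
#   - "all" expands to SSLv3 TLSv1 TLSv1.1 TLSv1.2 (SSLv2 can never be enabled)
#   - tokens are applied left to right: "+X" adds X, "-X" removes X, and a
#     bare keyword replaces the whole set with that keyword
ALL_PROTOCOLS="SSLv3 TLSv1 TLSv1.1 TLSv1.2"

# ssl_protocol_enabled "<SSLProtocol argument list>"
# Prints the protocol versions that would end up enabled, in canonical order.
ssl_protocol_enabled() {
    enabled=""
    for tok in $1; do
        case "$tok" in
            +*) op=add; name="${tok#+}" ;;
            -*) op=del; name="${tok#-}" ;;
            *)  op=set; name="$tok" ;;
        esac
        case "$name" in
            all)   names="$ALL_PROTOCOLS" ;;
            SSLv2) names="" ;;          # "-SSLv2" is accepted and ignored on 2.4
            *)     names="$name" ;;
        esac
        if [ "$op" = set ]; then
            enabled="$names"
            continue
        fi
        for n in $names; do
            # drop n from the set, then add it back if the token was "+n"
            kept=""
            for e in $enabled; do
                [ "$e" != "$n" ] && kept="$kept $e"
            done
            enabled="$kept"
            [ "$op" = add ] && enabled="$enabled $n"
        done
    done
    out=""
    for v in $ALL_PROTOCOLS; do
        for e in $enabled; do
            [ "$e" = "$v" ] && out="$out $v"
        done
    done
    printf '%s\n' "${out# }"
}

# ssl_protocol_is_hardened "<SSLProtocol argument list>"
# Succeeds (exit 0) only when no SSLv2/SSLv3 remains and TLSv1.2 is offered.
ssl_protocol_is_hardened() {
    set_=" $(ssl_protocol_enabled "$1") "
    case "$set_" in
        *" SSLv2 "*|*" SSLv3 "*) return 1 ;;
    esac
    case "$set_" in
        *" TLSv1.2 "*) return 0 ;;
    esac
    return 1
}

# Demo: a TLS-1.0-only line versus the corrected ones and the bare default
for args in "-all +TLSv1" "all -SSLv2 -SSLv3" "-all +TLSv1.2" "all"; do
    if ssl_protocol_is_hardened "$args"; then verdict=ok; else verdict=WEAK; fi
    printf '%-30s -> %-28s %s\n' "SSLProtocol $args" "$(ssl_protocol_enabled "$args")" "$verdict"
done
```

Run it as a script, or source it and call ssl_protocol_enabled on the argument part of the SSLProtocol line from your own ssl.conf; a bare keyword after a "+" or "-" list resets everything evaluated before it, which is the other easy way to end up with a single old protocol.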

Limit HTTP Request Methods

/etc/apache2/mods-available/userdir.conf only governs per-user ~/public_html directories, and only when mod_userdir is enabled (it is not, by default), so editing its LimitExcept line does nothing for the main site. Put the restriction in the document root container instead, in the site file under /etc/apache2/sites-available/ or in apache2.conf, allowing only GET, POST and HEAD:

<Directory /var/www/html>
    <LimitExcept GET POST HEAD>
        Require all denied
    </LimitExcept>
</Directory>

LimitExcept denies every method that is not listed, so PUT, DELETE, OPTIONS and TRACE are all refused with 403 (TRACE is already switched off server-wide by TraceEnable Off in security.conf). Listing HEAD is harmless but not required: Apache allows HEAD wherever GET is allowed. Check the result with curl -X OPTIONS -I against the site.

Set cookie with HttpOnly and Secure flag

sudo a2enmod headers
sudo nano /etc/apache2/conf-available/security.conf

Add the following directive, then restart Apache (the restart is what loads mod_headers and picks up the new directive):

Header edit Set-Cookie ^(.*)$ $1;HttpOnly;Secure

This rewrites every Set-Cookie header Apache sends, including cookies that already carry the flags (the attribute is then duplicated, which browsers tolerate). A cookie marked Secure is never sent back over plain HTTP, so apply this only in the HTTPS virtual host, or redirect all HTTP traffic to HTTPS first; otherwise logins over http:// silently break. For PHP sessions the same flags can be set at the source with session.cookie_httponly = 1 and session.cookie_secure = 1 in php.ini.

Clickjacking Attack Protection

sudo nano /etc/apache2/conf-available/security.conf

Add the following directive:

Header always set X-Frame-Options SAMEORIGIN

Use set rather than append: append joins the value onto any existing X-Frame-Options header as a comma-separated list, which is not a valid value for this header and is handled inconsistently by browsers, so the page may become framable again. The always condition makes the header go out on error responses (403, 404, 500) as well as on 2xx responses.

XSS Protection

sudo nano /etc/apache2/conf-available/security.conf

Add the following directive:

Header set X-XSS-Protection "1; mode=block"

This only steers the reflected-XSS filter built into older browsers (Internet Explorer, Edge and Chrome; Firefox never had one), and current browsers have removed that filter, so treat it as a legacy extra; the Content-Security-Policy header is the real control.

Enforce secure connections to the server (HSTS)

sudo nano /etc/apache2/conf-available/security.conf

Add the following directive:

Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains"

Browsers only honour this header on an HTTPS response, so set it in the HTTPS virtual host (the HTTP one should just redirect to https://). Every browser that has seen it then refuses plain HTTP to the host, and with includeSubDomains to every subdomain as well, for max-age seconds (here one year); a client that has cached the policy keeps enforcing it until max-age expires or it receives the header again with a shorter value. Start with a short max-age (a few minutes) and only raise it once you are sure every subdomain serves HTTPS.

MIME sniffing Protection

sudo nano /etc/apache2/conf-available/security.conf

Add the following directive:

Header set X-Content-Type-Options "nosniff"

Note there is no colon after the header name: Header set takes the name and the value as two separate arguments, and a trailing colon would produce a header named X-Content-Type-Options: that browsers ignore.

Prevent Cross-site scripting and injections

sudo nano /etc/apache2/conf-available/security.conf

Add the following directive:

Header set Content-Security-Policy "default-src 'self';"

default-src 'self' permits scripts, styles, images, fonts, frames and XMLHttpRequest only from the site's own origin and blocks inline <script> and <style> blocks, eval() and anything loaded from a CDN or third-party host, so most existing sites break under it unmodified. Deploy it first as Content-Security-Policy-Report-Only with a report-uri, review the violation reports, and switch to the enforcing header once the policy is tuned.

Decrease Timeout value

sudo nano /etc/apache2/apache2.conf

Lower the timeout value (Debian's default is 300 seconds) so idle connections are released sooner and a slow client ties up a worker for less time:

Timeout 60

Timeout bounds how long Apache waits for a single read or write on the socket, not how long a whole request may take. The limits on slowly sent request headers and bodies come from mod_reqtimeout, which Debian 8 enables by default (/etc/apache2/mods-enabled/reqtimeout.conf).

Restart Apache Web Server

sudo service apache2 restart

Run sudo apache2ctl configtest first, so that a typo in security.conf or ssl.conf is reported instead of taking the server down.
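An added example (not from the original post) to verify the header and cookie settings from the client side once the server is back up: a POSIX shell audit of an HTTP response head that flags a version-revealing Server header, an X-Powered-By header, cookies without HttpOnly or Secure, and each missing security header. The two sample responses are constructed to resemble a Debian 8 Apache/PHP reply before and after this guide; the function names are my own. Against a real server, use curl -sI https://host/ | audit_headers (host is a placeholder).

```shell
#!/bin/sh
# Added example, not from the original post: audit a captured HTTP response
# head for the hardening this guide configures.  Pipe in the output of
#   curl -sI https://host/      (host is a placeholder)
# or use the constructed samples below, which run offline.

# audit_headers  < response-head
# Prints one finding per line and returns the number of findings (0 = clean).
audit_headers() {
    findings=0
    have_hsts=0; have_xfo=0; have_xcto=0; have_csp=0
    while IFS= read -r line || [ -n "$line" ]; do
        line=$(printf '%s' "$line" | tr -d '\r')        # strip CRLF
        lower=$(printf '%s' "$line" | tr 'A-Z' 'a-z')   # header names are case-insensitive
        name="${lower%%:*}"                              # status line has no ":" and is skipped
        value="${line#*:}"; value="${value# }"
        case "$name" in
            server)
                # ServerTokens Prod leaves just "Apache"; a "/" means a version is exposed
                case "$value" in
                    */*) echo "Server header exposes version: $value"; findings=$((findings + 1)) ;;
                esac ;;
            x-powered-by)
                echo "X-Powered-By present (expose_php is On): $value"; findings=$((findings + 1)) ;;
            strict-transport-security) have_hsts=1 ;;
            x-frame-options) have_xfo=1 ;;
            x-content-type-options)
                case "$lower" in *nosniff*) have_xcto=1 ;; esac ;;
            content-security-policy) have_csp=1 ;;
            set-cookie)
                cookie="${value%%=*}"
                # both ";HttpOnly" (Header edit) and "; HttpOnly" (PHP) forms are accepted
                case "$lower" in
                    *";httponly"*|*"; httponly"*) ;;
                    *) echo "Cookie $cookie lacks HttpOnly"; findings=$((findings + 1)) ;;
                esac
                case "$lower" in
                    *";secure"*|*"; secure"*) ;;
                    *) echo "Cookie $cookie lacks Secure"; findings=$((findings + 1)) ;;
                esac ;;
        esac
    done
    [ "$have_hsts" -eq 1 ] || { echo "Missing Strict-Transport-Security"; findings=$((findings + 1)); }
    [ "$have_xfo" -eq 1 ]  || { echo "Missing X-Frame-Options"; findings=$((findings + 1)); }
    [ "$have_xcto" -eq 1 ] || { echo "Missing X-Content-Type-Options: nosniff"; findings=$((findings + 1)); }
    [ "$have_csp" -eq 1 ]  || { echo "Missing Content-Security-Policy"; findings=$((findings + 1)); }
    return "$findings"
}

# Constructed sample: roughly what Debian 8 Apache + mod_php returns out of the box.
sample_weak_response() {
    cat <<'EOF'
HTTP/1.1 200 OK
Date: Tue, 23 Aug 2016 01:50:53 GMT
Server: Apache/2.4.10 (Debian)
X-Powered-By: PHP/5.6.24
Set-Cookie: PHPSESSID=0123456789abcdef; path=/
Content-Type: text/html; charset=UTF-8
EOF
}

# Constructed sample: the same reply after applying every step of this guide.
sample_hardened_response() {
    cat <<'EOF'
HTTP/1.1 200 OK
Date: Tue, 23 Aug 2016 01:50:53 GMT
Server: Apache
Set-Cookie: PHPSESSID=0123456789abcdef; path=/;HttpOnly;Secure
Strict-Transport-Security: max-age=31536000; includeSubDomains
X-Frame-Options: SAMEORIGIN
X-Content-Type-Options: nosniff
Content-Security-Policy: default-src 'self';
Content-Type: text/html; charset=UTF-8
EOF
}

# Demo: run the audit over both samples
for sample in sample_weak_response sample_hardened_response; do
    echo "== $sample"
    if $sample | audit_headers; then
        echo "clean"
    else
        echo "findings: $?"
    fi
done
```

The exit status doubles as the finding count, so the audit can gate a deployment script; on the weak sample it reports eight findings, on the hardened one none.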

Run Apache from non-privileged account

By default Apache2 on Debian runs its worker processes as the unprivileged www-data user; only the parent process runs as root, because it has to bind ports 80 and 443 and read the private key. To verify, run:

ps -ef | grep apache2

The user and group come from APACHE_RUN_USER and APACHE_RUN_GROUP in /etc/apache2/envvars. Make sure www-data can write nowhere under the document root that it does not need to, since a web shell dropped through a vulnerable application runs with exactly these permissions.



