Monday 24 February 2014

Secure webserver

1. Hide Apache Version and OS Identity in Error Pages
+ ServerSignature Off
+ ServerTokens Prod

2. Disable Directory Listing
<Directory /var/www/html>
    Options -Indexes
</Directory>

3. Disable Unnecessary Modules

4. Run Apache as separate User and Group

5. Use Allow and Deny to Restrict access to Directories
<Directory />
    Options None
    Order deny,allow
    Deny from all
</Directory>

6. Use mod_security and mod_evasive Modules to Secure Apache

7. Disable Apache's Following of Symbolic Links
Options -FollowSymLinks
Note: To enable rewrite rules inside an ".htaccess" file, "AllowOverride All" must be present globally in the main configuration.

8. Turn off Server Side Includes and CGI Execution
<Directory "/var/www/html/web1">
    Options -Includes -ExecCGI
</Directory>
Here are some other values which can be turned on or off with the Options directive.
Options All – Enables all options at once. This is the default value if you don't specify any values explicitly in the Apache conf file or .htaccess.
Options IncludesNOEXEC – Allows server side includes without execute permission for commands or CGI files.
Options MultiViews – Allows content-negotiated MultiViews via the mod_negotiation module.
Options SymLinksIfOwnerMatch – Similar to FollowSymLinks, but the link is followed only when the owner of the link matches the owner of the directory or file it points to.

9. Limit Request Size
<Directory "/var/www/myweb1/user_uploads">
    LimitRequestBody 512000
</Directory>

10. Protect against DDoS Attacks and Hardening
+ TimeOut : This directive sets the amount of time the server will wait for certain events to complete before it fails. Its default value is 300 secs. It's good to keep this value low on sites which are subject to DDoS attacks. The right value depends entirely on the kind of requests your website receives. Note: It could pose problems with some CGI scripts.
+ MaxClients : This directive sets the limit on connections that will be served simultaneously. Every new connection beyond this limit is queued. It is available with both the Prefork and Worker MPMs. Its default value is 256.
+ KeepAliveTimeout : The amount of time the server will wait for a subsequent request before closing the connection. Its default value is 5 secs.
+ LimitRequestFields : Sets a limit on the number of HTTP request header fields that will be accepted from clients. Its default value is 100. It is recommended to lower this value if DDoS attacks are occurring through requests carrying many HTTP headers.
+ LimitRequestFieldSize : Sets a size limit on each HTTP request header field.
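An added example (not from the original post) that checks an Apache config file for the settings from steps 1, 2, 7, 8, 9 and 10 above: it reads the last value of each directive, flags Options lines that still enable Indexes, Includes, ExecCGI, FollowSymLinks or All, and returns the number of failed checks. The file paths, the two sample configs and the numeric ceilings (60 s for Timeout, fewer than 100 request fields) are assumptions chosen for the demo.

```shell
#!/bin/sh
# Added example, not from the original post: audit an Apache config for the
# hardening directives listed above. Paths and sample configs are constructed.

# last_value FILE DIRECTIVE -> last (winning) value of DIRECTIVE, empty if absent
last_value() {
    grep -iE "^[[:space:]]*$2[[:space:]]" "$1" | tail -n 1 \
      | sed -E "s/^[[:space:]]*$2[[:space:]]+//; s/[[:space:]]+\$//"
}

# check_directive FILE DIRECTIVE VALUE_REGEX -> prints OK/MISSING/WEAK; returns 0 only on OK
check_directive() {
    v=$(last_value "$1" "$2")
    if [ -z "$v" ]; then echo "MISSING $2 (want: $3)"; return 1; fi
    if printf '%s\n' "$v" | grep -iqE "^($3)\$"; then echo "OK      $2 $v"; return 0; fi
    echo "WEAK    $2 $v (want: $3)"; return 1
}

# risky_options FILE -> Options lines that still enable All, Indexes, Includes,
# ExecCGI or FollowSymLinks ("-Indexes" and IncludesNOEXEC are not flagged)
risky_options() {
    grep -iE '^[[:space:]]*Options[[:space:]]' "$1" \
      | grep -iE '(^|[+[:space:]])(All|Indexes|Includes|ExecCGI|FollowSymLinks)([[:space:]]|$)'
}

# audit_apache_conf FILE -> one line per check; returns the number of failed checks
audit_apache_conf() {
    f="$1"; fails=0
    check_directive "$f" ServerTokens    'Prod|ProductOnly' || fails=$((fails + 1))
    check_directive "$f" ServerSignature 'Off'              || fails=$((fails + 1))
    check_directive "$f" Timeout '[1-9]|[1-5][0-9]|60'      || fails=$((fails + 1))  # assumed ceiling: 60 s
    check_directive "$f" LimitRequestFields '[1-9][0-9]?'   || fails=$((fails + 1))  # below the default 100
    check_directive "$f" LimitRequestBody '[1-9][0-9]*'     || fails=$((fails + 1))  # set and non-zero
    if bad=$(risky_options "$f"); then
        echo "WEAK    Options still enable: $bad"; fails=$((fails + 1))
    else echo "OK      Options"; fi
    return $fails
}

# Constructed sample configs: one weak, one following the steps above
TMP=$(mktemp -d); WEAK_CONF="$TMP/weak.conf"; HARD_CONF="$TMP/hardened.conf"
printf '%s\n' 'ServerTokens Full' '<Directory /var/www/html>' \
  '    Options Indexes FollowSymLinks' '</Directory>' >"$WEAK_CONF"
printf '%s\n' 'ServerSignature Off' 'ServerTokens Prod' 'Timeout 30' \
  'LimitRequestFields 50' '<Directory /var/www/html>' \
  '    Options -Indexes -Includes -ExecCGI -FollowSymLinks' \
  '    LimitRequestBody 512000' '</Directory>' >"$HARD_CONF"

audit_apache_conf "$WEAK_CONF" || echo "weak.conf: $? check(s) failed"
```

Run it against a real httpd.conf by replacing the constructed path; it only reads the file and does not change anything.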

11. Enable Apache Logging
Enable mod_log_config.

12. Securing Apache with SSL Certificates