Apache Web Server security and hardening tips
Time : 2024-12-11 14:56:37
Edit : Jtti

Apache HTTP Server is one of the most widely used open source web servers in the world: it is cross-platform, actively maintained and highly configurable. As attacks against web servers keep increasing, the way Apache is configured matters more and more. What follows are practical hardening tips for an Apache web server.

Keep Apache and the modules it loads up to date. New releases carry the fixes for publicly known vulnerabilities, so an unpatched server is the easiest target; on Debian/Ubuntu systems these fixes arrive through the distribution's normal package updates, so apply them promptly.

Apache ships many modules, but not every site needs them. Every loaded module is code that can contain bugs and that may register its own request handlers, so disabling the ones you do not use shrinks the attack surface. apache2ctl -M lists the modules currently loaded; disable an unneeded one with:

sudo a2dismod module_name

Make sure the permissions on Apache's configuration files and on the site content are correct. The configuration should be owned by root and writable only by root (Apache reads it as root before dropping privileges), and the document root should not be writable by the account Apache runs as (www-data) unless the application genuinely needs it:

sudo chown root:root /etc/apache2/apache2.conf
sudo chmod 644 /etc/apache2/apache2.conf

If the site uses HTTPS, allow only current TLS versions and a strong cipher list. The SSLProtocol tokens must be separated by spaces: all enables every protocol the build supports and each -X then removes one. Written without spaces, as all-SSLv3, mod_ssl rejects the token as an illegal protocol and Apache fails to start. Cipher suite tokens are separated by colons with no whitespace; run apache2ctl configtest after editing.

SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1

SSLCipherSuite HIGH:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA

In addition to serving the site over TLS, consider enabling HSTS. HTTP Strict Transport Security is a policy mechanism that protects visitors against man-in-the-middle and cookie-hijacking attacks which rely on downgrading an HTTPS connection to plain HTTP (SSL stripping). With HSTS the server tells the browser that, for a stated period, it must only talk to this host over HTTPS: the browser rewrites http:// links to https:// itself and refuses to let the user click through certificate errors.

To enable HSTS, make sure your website is running HTTPS and has a valid TLS/SSL certificate.

Start by enabling the Apache headers module:

$ sudo a2enmod headers

Restart Apache so that the module is loaded:

$ sudo systemctl restart apache2

Then open the virtual host configuration file for your domain:

$ sudo vim /etc/apache2/sites-available/mydomain.conf

Next, add this line inside the <VirtualHost *:443> block:

Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains"

For example:

<VirtualHost *:443>
    # ...
    # ...
    Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains"
</VirtualHost>

max-age is in seconds: 31,536,000 seconds is 365 days, so after visiting the site a browser will refuse plain HTTP to it for a year. Because the browser caches the policy, start with a short max-age (a few hundred seconds) and only raise it once every host the policy covers, including every subdomain when includeSubDomains is set, serves HTTPS correctly; a broken policy can only be cleared by serving max-age=0 over a working HTTPS connection. Finally restart Apache for the HSTS policy to take effect:

$ sudo systemctl restart apache2

Limiting the size of the request bodies clients may send reduces the impact of denial-of-service attempts that upload huge bodies. The value is in bytes; 10240 allows only 10 KiB, which breaks most form and file uploads, so set it to the largest body the application legitimately needs:

LimitRequestBody 10240

Disabling directory listings hides the file and directory structure from anyone who requests a directory that has no index file, reducing information leakage:

Options -Indexes
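The TLS, HSTS, request-size and directory-listing settings above are easy to get subtly wrong: a missing space in SSLProtocol, a bare token that silently overrides the others, whitespace inside a cipher list. The following Python script is an added example, not part of this article or of Apache, that audits a configuration fragment for exactly those points and contrasts a weak fragment (with the spacing mistakes) against the hardened one. The set of protocols that all expands to, the two fragments, and the choice of which cipher aliases must be excluded are assumptions constructed for the example.

```python
"""Audit an Apache 2.4 config fragment for the TLS, HSTS, request-size and
directory-listing settings above.  Added example for this article, not code
from Apache or the original page; ALL_PROTOCOLS and both fragments are
assumptions constructed for the example."""
import re

ALL_PROTOCOLS = {"SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3"}  # assumed 'all'
WEAK_PROTOCOLS = {"SSLv3", "TLSv1", "TLSv1.1"}
MUST_EXCLUDE = {"aNULL", "eNULL", "EXPORT", "DES", "RC4", "MD5"}
ONE_YEAR = 31536000  # seconds
HSTS_RE = re.compile(r'^Header\s+(?:always\s+)?set\s+Strict-Transport-Security\s+"([^"]*)"', re.I)


def effective_ssl_protocols(args):
    """Resolve SSLProtocol arguments as mod_ssl does: '-X' removes X, '+X'
    adds X, a bare token replaces everything set so far, and an unknown token
    (e.g. 'all-SSLv3' written without spaces) is a startup error."""
    enabled = set()
    for token in args.split():
        action = token[0] if token[0] in "+-" else "="
        name = token.lstrip("+-")
        names = ALL_PROTOCOLS if name.lower() == "all" else {name}
        if not names <= ALL_PROTOCOLS:
            raise ValueError(f"Illegal protocol '{name}'")
        if action == "-":
            enabled -= names
        elif action == "+":
            enabled |= names
        else:
            enabled = set(names)
    return enabled


def parse_hsts(value):
    """Split a Strict-Transport-Security value into {directive: value}."""
    policy = {}
    for part in value.split(";"):
        key, _, val = part.strip().partition("=")
        if key:
            policy[key.strip().lower()] = val.strip() or True
    return policy


def audit(config_text):
    """Return the findings for a fragment; an empty list means it passes."""
    findings, hsts, body_limit = [], None, None
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = HSTS_RE.match(line)
        if m:
            hsts = parse_hsts(m.group(1))
            continue
        parts = line.split(None, 1)
        directive, args = parts[0].lower(), (parts[1] if len(parts) > 1 else "")
        if directive == "sslprotocol":
            try:
                weak = effective_ssl_protocols(args) & WEAK_PROTOCOLS
            except ValueError as exc:
                findings.append(f"SSLProtocol: {exc} (Apache will not start)")
            else:
                if weak:
                    findings.append(f"SSLProtocol still enables {sorted(weak)}")
        elif directive == "sslciphersuite":
            if any(ch.isspace() for ch in args):
                findings.append("SSLCipherSuite contains whitespace; separate tokens with ':' only")
            missing = MUST_EXCLUDE - {t[1:] for t in args.split(":") if t.startswith("!")}
            if missing:
                findings.append(f"SSLCipherSuite does not exclude {sorted(missing)}")
        elif directive == "options":
            # 'Indexes' or '+Indexes' turns listings on; '-Indexes' turns them off
            if any(t.lstrip("+") == "Indexes" for t in args.split()):
                findings.append("Options enables directory listings (Indexes)")
        elif directive == "limitrequestbody":
            body_limit = int(args)
    if hsts is None:
        findings.append("no Strict-Transport-Security header")
    else:
        if int(hsts.get("max-age", 0)) < ONE_YEAR:
            findings.append("HSTS max-age is shorter than one year")
        if "includesubdomains" not in hsts:
            findings.append("HSTS lacks includeSubDomains")
    if not body_limit:
        findings.append("LimitRequestBody unset or 0 (request bodies unlimited)")
    return findings


# Constructed fragments: WEAK reproduces the spacing mistakes corrected above.
WEAK = """
SSLProtocol all-SSLv3-TLSv1-TLSv1.1
SSLCipherSuite HIGH:! aNULL:! eNULL:! EXPORT:! DES:! RC4:! MD5
Options Indexes FollowSymLinks
"""
HARDENED = """
SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1
SSLCipherSuite HIGH:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH
Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains"
LimitRequestBody 10485760
Options -Indexes
"""

if __name__ == "__main__":
    for name, fragment in (("weak", WEAK), ("hardened", HARDENED)):
        print(f"{name}: {audit(fragment) or 'OK'}")
```

Run it directly to see the findings for both fragments. The bare-token rule is the one that bites in practice: SSLProtocol TLSv1.2 TLSv1.3 leaves only TLSv1.3 enabled (mod_ssl logs a warning about the missing +/- prefix), while SSLProtocol -all +TLSv1.2 +TLSv1.3 enables both, which is what people usually mean.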

Use a tool like iptables or firewalld to allow only the ports the server needs (80 and 443 for the web server). Accept established connections and the port you administer the server over before the final DROP, otherwise the rule set locks you out of your own machine:

sudo iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
sudo iptables -A INPUT -p tcp --dport 22 -j ACCEPT    # SSH; assumes the default port, adjust to your admin port
sudo iptables -A INPUT -p tcp --dport 80 -j ACCEPT
sudo iptables -A INPUT -p tcp --dport 443 -j ACCEPT
sudo iptables -A INPUT -p tcp -j DROP

Fail2Ban watches log files and automatically blocks a client IP once it has produced maxretry matching failures within findtime seconds (bantime controls how long the block lasts). For Apache, enable the shipped jails such as apache-auth (failed HTTP authentication) and apache-badbots in jail.local, then check that they are running:

sudo fail2ban-client status

Back up the configuration and the site data regularly so that you can recover quickly after a security incident. Review the Apache access and error logs periodically for abnormal behaviour, such as one client producing a burst of 404s while probing for admin or configuration paths, or repeated authentication failures:

sudo tail -f /var/log/apache2/access.log
sudo tail -f /var/log/apache2/error.log
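As an added example (not code from this article, Fail2Ban or Apache), the script below applies Fail2Ban's maxretry/findtime rule to Apache access-log lines in the default combined format, and also summarises which paths each client failed on, which is the pattern a periodic log review is looking for (one client walking through /wp-login.php, /.env, /.git/config and similar). The log lines are constructed for the example; the thresholds and the choice of 401/403/404 as "failures" are assumptions.

```python
"""Fail2Ban-style detection over Apache combined-format access log lines.
Added example for this article; not code from Fail2Ban, Apache or the
original page.  SAMPLE_LOG, the thresholds and the statuses treated as
failures are assumptions constructed for the example."""
import re
from collections import defaultdict, deque
from datetime import datetime

# Apache "combined" LogFormat: %h %l %u %t "%r" %>s %b "%{Referer}i" "%{User-Agent}i"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) \S+')
TIME_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Return the fields this script uses, or None for a non-matching line."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {"ip": m["ip"], "time": datetime.strptime(m["ts"], TIME_FMT),
            "path": m["path"], "status": int(m["status"])}


def find_offenders(lines, maxretry=5, findtime=600, failures=(401, 403, 404)):
    """Apply Fail2Ban's rule: a client is banned the moment it has produced
    maxretry failure responses inside a sliding findtime-second window.
    Returns {ip: time of the request that tripped the rule}.  Lines are
    expected in log order, as they are in a real access log."""
    recent = defaultdict(deque)  # ip -> timestamps of its recent failures
    banned = {}
    for line in lines:
        e = parse_line(line)
        if e is None or e["status"] not in failures or e["ip"] in banned:
            continue
        window = recent[e["ip"]]
        window.append(e["time"])
        while (e["time"] - window[0]).total_seconds() > findtime:
            window.popleft()  # drop failures older than findtime
        if len(window) >= maxretry:
            banned[e["ip"]] = e["time"]
    return banned


def failed_paths(lines, failures=(401, 403, 404)):
    """Return {ip: sorted distinct paths that got a failure status}.  Many
    unrelated admin/config paths from one client is the signature of a scanner."""
    paths = defaultdict(set)
    for line in lines:
        e = parse_line(line)
        if e and e["status"] in failures:
            paths[e["ip"]].add(e["path"])
    return {ip: sorted(p) for ip, p in paths.items()}


# Constructed sample: one scanner (203.0.113.45) and two ordinary clients.
SAMPLE_LOG = """\
198.51.100.7 - - [11/Dec/2024:14:00:01 +0000] "GET / HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
203.0.113.45 - - [11/Dec/2024:14:00:05 +0000] "GET /wp-login.php HTTP/1.1" 404 196 "-" "python-requests/2.31"
203.0.113.45 - - [11/Dec/2024:14:00:06 +0000] "GET /.env HTTP/1.1" 404 196 "-" "python-requests/2.31"
203.0.113.45 - - [11/Dec/2024:14:00:07 +0000] "GET /admin/ HTTP/1.1" 403 199 "-" "python-requests/2.31"
192.0.2.10 - - [11/Dec/2024:14:00:09 +0000] "GET /favicon.ico HTTP/1.1" 404 196 "-" "Mozilla/5.0"
203.0.113.45 - - [11/Dec/2024:14:00:10 +0000] "GET /phpmyadmin/ HTTP/1.1" 404 196 "-" "python-requests/2.31"
198.51.100.7 - - [11/Dec/2024:14:00:12 +0000] "GET /about HTTP/1.1" 200 2210 "-" "Mozilla/5.0"
203.0.113.45 - - [11/Dec/2024:14:00:13 +0000] "GET /xmlrpc.php HTTP/1.1" 404 196 "-" "python-requests/2.31"
203.0.113.45 - - [11/Dec/2024:14:00:15 +0000] "GET /.git/config HTTP/1.1" 404 196 "-" "python-requests/2.31"
"""

if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    probes = failed_paths(lines)
    for ip, when in find_offenders(lines).items():
        print(f"ban {ip} (rule tripped at {when:%H:%M:%S}); probed: {probes[ip]}")
```

With the defaults the scanner trips the rule on its fifth failure (14:00:13) while the client with a single missing favicon is left alone; shrinking findtime to a few seconds shows why the window matters, since the same five failures spread over eight seconds no longer count together. The same logic is what a Fail2Ban filter plus jail does for real, with the ban applied through an iptables rule instead of a printed line.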

By implementing the above security and hardening measures, you can significantly improve the security of your Apache Web server. Keep in mind that cybersecurity is an ongoing process, and policies need to be regularly evaluated and updated to address new threats. Be vigilant and adopt best practices to ensure that your Web server is secure and reliable.
