The web server is another important part of the application, as it provides the interface between the application and the user. Apache is one of the most widely used web servers but is very insecure in its default configuration. We harden Apache with the following options:

  • Disable directory listing
  • Remove the server-status page
  • Remove Apache version banners
  • Remove the ETag information disclosure weakness
  • System settings protection
  • Set cookie security flags to stop attackers from stealing cookie information
  • Prevent clickjacking
  • XSS protection
  • Decrease the timeout, if the application allows it, to mitigate Slowloris and DoS attacks
  • Run under a non-privileged account
  • Disable weak SSL ciphers and SSLv2
  • Disable old HTTP versions
  • Disable unwanted modules
  • Remove IPv6 if not required
  • Enable proper access logging, which is not set by default
  • Implement SSL for HTTPS
  • Implement the mod_security web application firewall
  • Implement mod_evasive to protect against DoS and DDoS attacks
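The following httpd.conf fragment is an added example, not configuration from the original page; it maps the options above onto Apache 2.4 directives and assumes mod_headers, mod_ssl, mod_rewrite, mod_security2 and mod_evasive are loaded, with placeholder paths and document root.

```apacheconf
# Added illustrative httpd.conf fragment, not from the original page; assumes
# Apache 2.4 with mod_headers, mod_ssl, mod_rewrite, mod_security2 and
# mod_evasive loaded. Paths and the document root are placeholders.
# Non-privileged account for the worker processes
User apache
Group apache
# Version banner reduced to "Server: Apache"; no footer on error pages
ServerTokens Prod
ServerSignature Off
# ETag can leak inode/size/mtime details; TRACE enables cross-site tracing
FileETag None
TraceEnable Off
# Shorter timeouts blunt Slowloris-style connection exhaustion
Timeout 30
KeepAliveTimeout 5
# IPv4 only when IPv6 is not required
Listen 0.0.0.0:80
Listen 0.0.0.0:443
# Access logging in the combined format (not on by default)
LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined
CustomLog /var/log/httpd/access_log combined
# No directory listing or SSI; .htaccess cannot override server settings
<Directory "/var/www/html">
    Options -Indexes -Includes
    AllowOverride None
    Require all granted
</Directory>
# Remove the mod_status page
<Location "/server-status">
    Require all denied
</Location>
# Clickjacking, MIME sniffing, legacy XSS filter, cookie flags
Header always set X-Frame-Options "SAMEORIGIN"
Header always set X-Content-Type-Options "nosniff"
Header always set X-XSS-Protection "1; mode=block"
Header edit Set-Cookie ^(.*)$ "$1; HttpOnly; Secure"
# Refuse HTTP/1.0 and HTTP/0.9 requests
RewriteEngine On
RewriteCond %{THE_REQUEST} !HTTP/(1\.1|2\.0)$
RewriteRule .* - [F]
# TLS (inside the :443 vhost with SSLEngine on): no SSLv2/SSLv3, no weak ciphers
SSLProtocol all -SSLv2 -SSLv3
SSLCipherSuite HIGH:!aNULL:!MD5:!RC4:!3DES
SSLHonorCipherOrder on
# mod_security in blocking mode; mod_evasive request-rate limits
SecRuleEngine On
DOSPageCount 10
DOSSiteCount 100
DOSBlockingPeriod 60
```

Check the result with `apachectl configtest` before reloading; the `Header edit Set-Cookie` line appends the flags unconditionally, so omit it if the application already sets them itself.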