Use the right user:group

I have seen Apache installed under many groups and/or users. One of the biggest offenders is the root user. This can lead to some serious issues. Or say both Apache and MySQL are run by the same user/group. If there is a hole in one, it can lead to an attack on the other. The best scenario is to make sure Apache is run as the user and group apache. To make this change, open the httpd.conf file and check the lines that read:
User
Group

Change these entries to:

User apache
Group apache

Turn off unwanted services

There are a few services and/or features that you will want to turn off or not allow. All of these services can be disabled in the httpd.conf file.

  • Directory browsing. This is done within a directory tag (the document root is a good place to start) using the Options directive and is set with “-Indexes”.
  • Server-side includes. This is another feature that is disabled within a directory tag (using the Options directive) and is set with “-Includes”.
  • CGI execution. Unless your site needs CGI, turn this off. This feature is also set within a directory tag using the Options directive, with “-ExecCGI”.
  • Symbolic links. Set this inside a (surprise, surprise) directory tag with “-FollowSymLinks”.
  • None. You can turn off all options (in the same way you set the above) using “None” with the Options directive.

Disable unused modules

Apache has a ton of modules. To get an idea how many modules your installation is running, issue the command
(as the root user) grep -n LoadModule httpd.conf from within your Apache configuration directory. This command
will show you every module Apache is loading, along with the line number it falls on. To disable the modules you
don’t need, simply comment them out with a single # character at the beginning of the module line.
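The steps above, as an added shell example that is not from the original article: list the active LoadModule lines with their line numbers (the article's grep -n wrapped in a function) and comment out the modules you do not need. The sample configuration is constructed for the demo; the module names in it are only illustrative.

```shell
#!/bin/sh
# Added example, not from the original article: list the modules a config
# loads (the article's grep -n, wrapped in a function) and comment out the
# ones you do not need. Run apachectl configtest afterwards on a real server.

# Constructed sample config for the demo; one module is already disabled.
SAMPLE_CONF=$(mktemp)
trap 'rm -f "$SAMPLE_CONF" "$SAMPLE_CONF.bak"' EXIT
cat >"$SAMPLE_CONF" <<'EOF'
LoadModule mime_module modules/mod_mime.so
LoadModule status_module modules/mod_status.so
LoadModule info_module modules/mod_info.so
#LoadModule userdir_module modules/mod_userdir.so
LoadModule dir_module modules/mod_dir.so
EOF

# Active (uncommented) LoadModule lines in $1, with their line numbers.
list_active_modules() {
    grep -n '^[[:space:]]*LoadModule' "$1"
}

# How many modules the file still loads.
count_active_modules() {
    list_active_modules "$1" | wc -l | tr -d ' '
}

# Comment out the module named $2 (e.g. status_module) in config file $1.
# Lines that are already commented are left alone, so it is safe to re-run;
# sed keeps a copy of the previous file as $1.bak.
disable_module() {
    sed -i.bak "s/^\([[:space:]]*\)\(LoadModule[[:space:]]\{1,\}${2}[[:space:]]\)/\1#\2/" "$1"
}

echo "Before:"; list_active_modules "$SAMPLE_CONF"
disable_module "$SAMPLE_CONF" status_module
disable_module "$SAMPLE_CONF" info_module
echo "After:";  list_active_modules "$SAMPLE_CONF"
```

After editing a real httpd.conf, run `apachectl configtest` before restarting; `apachectl -M` then shows which modules the server actually loads, which is the quickest way to confirm a module really is gone.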

Restrict access

You want to deny anyone outside your private network from seeing information. To do this, you can restrict access to your internal network by adding
the following inside a directory tag in your httpd.conf file:
Order Deny,Allow
Deny from all
Allow from 192.168.1.0/16
where 192.168.1.0/16 is the configuration matching your internal network. As with all modifications to the
httpd.conf file, make sure you restart Apache so the changes take effect.
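Before restarting, it is worth confirming which addresses the network you put in the Allow line really admits. The following is an added shell example, not code from the original article: pure POSIX sh arithmetic (IPv4 only) that expands a network/prefix to the address range it covers and tests whether a given client address falls inside it. Note that 192.168.1.0/16 covers the whole 192.168.0.0 to 192.168.255.255 range; if only the 192.168.1.x hosts should get in, /24 is the prefix you want. The Order/Deny/Allow form is the Apache 2.2 syntax (served by mod_access_compat on 2.4); the native 2.4 equivalent is `Require ip 192.168.1.0/16`.

```shell
#!/bin/sh
# Added example, not from the original article: confirm which addresses an
# "Allow from <network>/<prefix>" line really admits before you restart
# Apache. Pure POSIX sh arithmetic, IPv4 only.

# Dotted quad -> 32-bit integer.
ip_to_int() {
    IFS=. read -r a b c d <<EOF
$1
EOF
    echo $(( (a << 24) | (b << 16) | (c << 8) | d ))
}

# 32-bit integer -> dotted quad.
int_to_ip() {
    echo "$(( ($1 >> 24) & 255 )).$(( ($1 >> 16) & 255 )).$(( ($1 >> 8) & 255 )).$(( $1 & 255 ))"
}

# Netmask for a prefix length (/16 -> 0xFFFF0000).
prefix_mask() {
    echo $(( (0xFFFFFFFF << (32 - $1)) & 0xFFFFFFFF ))
}

# First and last address covered by network/prefix.
cidr_range() {
    net=${1%/*}; bits=${1#*/}
    mask=$(prefix_mask "$bits")
    first=$(( $(ip_to_int "$net") & mask ))
    last=$(( first | (~mask & 0xFFFFFFFF) ))
    echo "$(int_to_ip "$first")-$(int_to_ip "$last")"
}

# Exit status 0 when address $1 lies inside network/prefix $2.
cidr_contains() {
    net=${2%/*}; bits=${2#*/}
    mask=$(prefix_mask "$bits")
    [ $(( $(ip_to_int "$1") & mask )) -eq $(( $(ip_to_int "$net") & mask )) ]
}

# Show what the article's example range, and the tighter /24, actually admit.
for cidr in 192.168.1.0/16 192.168.1.0/24; do
    echo "Allow from $cidr admits $(cidr_range "$cidr")"
done
```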

Limit request size

Denial of service attacks are always a possibility when you allow large requests on Apache. Apache has a
directive, LimitRequestBody, that is placed within a Directory tag. The size of your limit will depend upon your
Web site’s needs. By default, LimitRequestBody is set to unlimited.
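The user/group, Options and LimitRequestBody settings discussed above can all be checked mechanically. The following audit script is an added example and not code from the original article: it reads an httpd.conf-style file and prints one line for each weak setting it finds (User or Group set to root or missing, a risky option enabled inside a `<Directory>` block, and a `<Directory>` block with no LimitRequestBody or one set to 0). The sample configuration is constructed for the demo.

```shell
#!/bin/sh
# Added audit script for the sections above (user/group, Options, and
# LimitRequestBody); it is not code from the original article. It reads an
# httpd.conf-style file and prints one line per weak setting it finds.

# Constructed sample configuration with deliberate weaknesses for the demo.
SAMPLE_CONF=$(mktemp)
trap 'rm -f "$SAMPLE_CONF"' EXIT
cat >"$SAMPLE_CONF" <<'EOF'
User root
Group root
LoadModule status_module modules/mod_status.so
<Directory "/var/www/html">
    Options Indexes FollowSymLinks
    AllowOverride None
</Directory>
<Directory "/var/www/cgi-bin">
    Options -Indexes -Includes -ExecCGI -FollowSymLinks
    LimitRequestBody 1048576
</Directory>
EOF

# Print findings for the config file given as $1 (nothing printed means clean).
audit_httpd_conf() {
    awk '
        function flag(msg) { print msg }
        # User/Group should be the unprivileged apache account, never root.
        $1 == "User" || $1 == "Group" {
            seen[$1] = 1
            if ($2 == "root") flag($1 ": set to root - change to apache")
        }
        # Track which <Directory> block we are in and reset per-block state.
        /^[[:space:]]*<Directory/ {
            dir = $0
            sub(/^[[:space:]]*<Directory[[:space:]]*/, "", dir)
            sub(/>.*$/, "", dir)
            gsub(/"/, "", dir)
            limit_seen = 0
        }
        # A risky option is enabled when it is listed without a leading "-".
        $1 == "Options" {
            for (i = 2; i <= NF; i++) {
                opt = $i
                if (opt ~ /^-/) continue
                sub(/^\+/, "", opt)
                if (opt == "All" || opt == "Indexes" || opt == "Includes" ||
                    opt == "ExecCGI" || opt == "FollowSymLinks")
                    flag("Options: " opt " enabled in <Directory " dir ">")
            }
        }
        $1 == "LimitRequestBody" {
            limit_seen = 1
            if ($2 == 0) flag("LimitRequestBody: 0 (unlimited) in <Directory " dir ">")
        }
        /^[[:space:]]*<\/Directory>/ {
            if (!limit_seen) flag("LimitRequestBody: not set in <Directory " dir ">")
        }
        END {
            if (!("User" in seen))  flag("User: not set")
            if (!("Group" in seen)) flag("Group: not set")
        }
    ' "$1"
}

# Number of findings, handy for scripting (0 means the file passed).
finding_count() {
    audit_httpd_conf "$1" | wc -l | tr -d ' '
}

audit_httpd_conf "$SAMPLE_CONF"
```

On the sample it reports five findings: both User and Group are root, Indexes and FollowSymLinks are enabled in the document root, and that block has no LimitRequestBody. Point it at a real httpd.conf (and any files it Includes) after each edit, and keep the count at zero.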

Immunize httpd.conf

One of the best security measures is to hide your httpd.conf file from prying eyes. If people who shouldn’t see your httpd.conf file can’t see it, they can’t change it.

chattr +i /path/to/httpd.conf
where /path/to/httpd.conf is the path to your Apache configuration file. Now it will be very difficult for anyone to make any changes to httpd.conf.
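One caveat a practitioner wants here: chattr +i only stops changes until someone with root runs `chattr -i`, which is also what you must do yourself before every legitimate edit (then `chattr +i` again). The following is an added shell example, not code from the original article, pairing the immutable attribute with a hash baseline so you can tell when httpd.conf has changed regardless of who removed the attribute. It uses sha256sum (or shasum where coreutils is absent) and a constructed file in place of the real httpd.conf.

```shell
#!/bin/sh
# Added example, not from the original article. chattr +i blocks edits, but
# root can remove the attribute with chattr -i, so pair it with a hash
# baseline that tells you when httpd.conf has changed. Needs sha256sum
# (coreutils) or shasum.

# SHA-256 hex digest of file $1.
file_hash() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1"
    else
        shasum -a 256 "$1"
    fi | cut -d' ' -f1
}

# Exit status 0 when file $1 still hashes to baseline $2.
config_unchanged() {
    [ "$(file_hash "$1")" = "$2" ]
}

# Demo on a constructed file instead of the real httpd.conf.
CONF=$(mktemp)
trap 'rm -f "$CONF"' EXIT
printf 'User apache\nGroup apache\n' >"$CONF"
BASELINE=$(file_hash "$CONF")   # keep this somewhere the web server user cannot write

if config_unchanged "$CONF" "$BASELINE"; then
    echo "httpd.conf matches baseline"
else
    echo "httpd.conf CHANGED since baseline"
fi
```

Record the baseline after each intentional edit (chattr -i, edit, chattr +i, re-hash) and have a cron job or your monitoring run `config_unchanged` against the stored value; a mismatch you did not cause is worth investigating.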

Cheeeerrrrssssssss