Apache Web Server Basic Security fixes and Optimisation

secure your server

If you are utilising the apache web server HTTP for your website hosting and you maintain that server, then you must consider the following points,

  • Turn on LOGS and installing mod_log_config. You can check the list of modules by this command : apache2ctl -M
  • Implement Firewall MOD_SECURITY module
https://modsecurity.org/ is an open source, cross-platform web application firewall (WAF) module. Known as the "Swiss Army Knife" of WAFs, it enables web application defenders to gain visibility into HTTP(S) traffic and provides a power rules language and API to implement advanced protections.
https://github.com/Rev3rseSecurity/wordpress-modsecurity-ruleset
  • Implement mod_evasive module
  • Disable Extra  module which are not utilized to improve performance
  • Cross check  Directory Indexing. apache2.conf | httpd.conf | <vhost>.conf | .htaccess
    Options -Indexes
  • Setup following variables in apache2.conf or httpd.conf
    SET HTTP Limits
    • KeepAlive=on
    • KeepAliveTimeout
    • LimitRequestBody
    • LimitRequestFields
    • LimitRequestFieldSize
    • LimitRequestLine
    • LimitXMLRequestBody
    • MaxClients
    • MaxKeepAliveRequests
    • MaxRequestWorkers
    • RequestReadTimeout
    • TimeOut
  • Disable server signature . Add these lines in apache2.conf |  <vhost>.conf | .htaccess
    ServerSignature Off
    ServerTokens Prod
server signature
  • If web-server language is PHP,  By Default PHP version is available in response header, Remove PHP version from header from php.ini
    • expose_php = Off
  • Add these headers  to prevent XSS

X-Frame-Options: SAMEORIGIN 
X-XSS-Protection: 1; mode=block
X-Content-Type-Options: nosniff
Content-Type: text/html; charset=utf-8

Learn More about Apache Opitmization

Monitor and optimize Webserver [apache/nginx]

1 Comment

Leave a Reply

Your email address will not be published. Required fields are marked *