How to Harden the Apache web server on a CentOS 7 VPS or Dedicated Server


1. Hide Apache Version and Operating System

By default, Apache reports its version and the operating system in the Server response header (and in the footer of server-generated pages), as shown below. This is an information disclosure: anyone can fingerprint the exact build and look up known weaknesses for it.

To hide those details, add the following two directives to the Apache config file /etc/httpd/conf/httpd.conf:

# Removes the version footer from server-generated pages (error pages, listings)
ServerSignature Off
# Changes the Server header to "Apache" only, removing version and OS details
ServerTokens Prod

(Apache does not accept a comment at the end of a directive line, so the comments go on their own lines.)

Then reload Apache:

$ sudo systemctl reload httpd

Refresh the browser and you’ll notice the version and OS details removed as shown below:
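The following shell script is an added example and is not code from the original article. It checks whether a captured HTTP response still discloses the Apache version or OS; the two header captures in it are constructed to stand in for the "before" and "after" screenshots.

```shell
#!/bin/sh
# Added example, not from the original article: check whether an HTTP
# response still discloses the Apache version or operating system.
# The two header captures below are constructed for the demonstration;
# they stand in for the "before" and "after" screenshots.

BEFORE='HTTP/1.1 200 OK
Date: Mon, 01 Jan 2024 00:00:00 GMT
Server: Apache/2.4.6 (CentOS)
Content-Type: text/html; charset=UTF-8'

AFTER='HTTP/1.1 200 OK
Date: Mon, 01 Jan 2024 00:00:00 GMT
Server: Apache
Content-Type: text/html; charset=UTF-8'

# server_header HEADERS -> prints the value of the Server header
server_header() {
    printf '%s\n' "$1" | tr -d '\r' |
        awk -F': ' 'tolower($1) == "server" { print $2 }'
}

# leaks_version HEADERS -> succeeds (exit 0) when the Server header carries
# a version number ("/2.4.6") or a parenthesised OS/distribution name
leaks_version() {
    server_header "$1" | grep -Eq '/[0-9]+\.[0-9]+|\('
}

# check_headers HEADERS -> prints a verdict; exit 1 on a leak, 0 otherwise
check_headers() {
    if leaks_version "$1"; then
        printf 'FAIL: Server header discloses build details: %s\n' "$(server_header "$1")"
        return 1
    fi
    printf 'PASS: Server header is minimal: %s\n' "$(server_header "$1")"
}

check_headers "$BEFORE" || true   # FAIL: ... Apache/2.4.6 (CentOS)
check_headers "$AFTER"            # PASS: ... Apache
```

Against a live server, `check_headers "$(curl -sI http://localhost/)"` runs the same check on the real response. Note that ServerSignature controls the footer of server-generated pages rather than the Server header, so confirming that part means requesting a page that produces an error (for example a non-existent URL) and looking at the body.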

2. Disable Directory Listing and FollowSymLinks

By default, if a directory under the web root has no index file, Apache generates a listing of its contents, as shown below. This lets an attacker browse and analyse the files on your web server and pick out the weakest one to attack.

In addition, Apache follows symbolic links by default, which is not advisable: a link placed inside the document root can expose files that live outside it.

To disable both, edit the config file and put a “-” in front of each option in the line Options Indexes FollowSymLinks, so that it becomes Options -Indexes -FollowSymLinks as shown below:

# Further relax access to the default document root:
<Directory "/var/www/html">
  #
  # Possible values for the Options directive are "None", "All",
  # or any combination of:
  #   Indexes Includes FollowSymLinks SymLinksifOwnerMatch ExecCGI MultiViews
  #
  # Note that "MultiViews" must be named *explicitly* --- "Options All"
  # doesn't give it to you.
  #
  # The Options directive is both complicated and important.  Please see
  # http://httpd.apache.org/docs/2.4/mod/core.html#options
  # for more information.
  #
  Options -Indexes -FollowSymLinks
  #
  # AllowOverride controls what directives may be placed in .htaccess files.
  # It can be "All", "None", or any combination of the keywords:
  #   Options FileInfo AuthConfig Limit
  #
  AllowOverride None
  #
  # Controls who can get stuff from this server.
  #
  Require all granted
</Directory>

Then reload the Apache service as in step 1.

Refresh the browser and you’ll notice that the files can no longer be listed; Apache instead returns a 403 Forbidden error, as shown below:

3. Secure Apache using mod_security and mod_evasive modules

mod_security: acts as a firewall for web servers and applications (a web application firewall), inspecting requests and providing protection against attacks such as brute forcing. It just needs to be installed, after which a restart of the Apache service puts it to work:

$ sudo yum install mod_security -y
$ sudo systemctl restart httpd

mod_evasive: detects and protects against DDoS and HTTP brute-force attacks. It flags an attack when the same page is requested many times per second from one address, when a temporarily blacklisted IP keeps sending new requests, or when a single child process receives more than 50 concurrent requests. Like mod_security, it just needs to be installed, after which a restart of the Apache service puts it to work:

$ sudo yum install mod_evasive -y
$ sudo systemctl restart httpd

4. Limit Request Size

By default, Apache places no limit on the size of an HTTP request body, so the web server is susceptible to DoS attacks that keep it busy with very large requests. If, for example, a site lets users upload files, it is important to set a limit on the upload size. This is done by setting LimitRequestBody for that particular upload directory as follows:

<Directory "/var/www/html/wp_content/uploads">
  LimitRequestBody 10485760
</Directory>

The upload size is now limited to a maximum of 10 megabytes (10485760 bytes). The maximum value the directive accepts is usually 2 GB.

Then restart or reload the Apache service.

5. Disable TRACE HTTP Request

By default, the TRACE HTTP method is enabled, which allows Cross-Site Tracing (XST): an attacker can use it to steal cookie information. With TRACE disabled, mod_proxy and the core server return a “405 – Method Not Allowed” error to clients. TRACE is disabled by adding the line below to the config file:

TraceEnable off

Save the file and reload apache service.
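To verify that all of the settings from steps 1, 2, 4 and 5 are actually present in the configuration, the following shell script is an added example (not code from the original article). It audits the text of an Apache configuration for each hardening directive; the two configuration fragments in it are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not from the original article: audit the text of an Apache
# configuration for the hardening settings covered in steps 1, 2, 4 and 5.
# The two configuration fragments are constructed for the demonstration.

HARDENED_CONF='ServerTokens Prod
ServerSignature Off
TraceEnable off
<Directory "/var/www/html">
  Options -Indexes -FollowSymLinks
  AllowOverride None
  Require all granted
</Directory>
<Directory "/var/www/html/wp_content/uploads">
  LimitRequestBody 10485760
</Directory>'

# A stock-looking configuration; the commented-out Options line must not
# count as hardened, which is why comments are stripped before matching.
DEFAULT_CONF='ServerTokens OS
ServerSignature On
<Directory "/var/www/html">
  # Options -Indexes -FollowSymLinks
  Options Indexes FollowSymLinks
  AllowOverride None
  Require all granted
</Directory>'

# has_directive CONF ERE -> succeeds when a non-comment line matches ERE
# (directive names and values are case-insensitive in Apache, hence -i)
has_directive() {
    printf '%s\n' "$1" | grep -v '^[[:space:]]*#' | grep -Eiq "$2"
}

# audit_conf CONF -> prints OK/MISSING per check; exit status is the number
# of missing settings (0 means every check passed)
audit_conf() {
    conf=$1
    missing=0
    # name / pattern pairs; each pattern describes the hardened state
    # (LimitRequestBody must be non-zero, since 0 means unlimited)
    set -- \
      'ServerTokens Prod'       '^[[:space:]]*ServerTokens[[:space:]]+Prod(uctOnly)?([[:space:]]|$)' \
      'ServerSignature Off'     '^[[:space:]]*ServerSignature[[:space:]]+Off([[:space:]]|$)' \
      'TraceEnable off'         '^[[:space:]]*TraceEnable[[:space:]]+off([[:space:]]|$)' \
      'Options -Indexes'        '^[[:space:]]*Options[[:space:]].*-Indexes' \
      'Options -FollowSymLinks' '^[[:space:]]*Options[[:space:]].*-FollowSymLinks' \
      'LimitRequestBody > 0'    '^[[:space:]]*LimitRequestBody[[:space:]]+[1-9][0-9]*'
    while [ $# -ge 2 ]; do
        name=$1
        pattern=$2
        shift 2
        if has_directive "$conf" "$pattern"; then
            printf 'OK       %s\n' "$name"
        else
            printf 'MISSING  %s\n' "$name"
            missing=$((missing + 1))
        fi
    done
    return "$missing"
}

echo "== default configuration =="
audit_conf "$DEFAULT_CONF" || echo "-> $? setting(s) still need attention"
echo "== hardened configuration =="
audit_conf "$HARDENED_CONF" && echo "-> all hardening settings present"
```

To run it against the live server, pass the concatenated configuration, for example `audit_conf "$(cat /etc/httpd/conf/httpd.conf /etc/httpd/conf.d/*.conf)"`, because a directive may live in any included file. Two caveats: `Options None` also disables listings and symlink following but does not match these patterns, and a text check ignores which <Directory> a directive applies to, so follow it with `httpd -t` for a syntax check and a real request to confirm the behaviour. `httpd -M` lists the loaded modules, which is how to confirm that mod_security and mod_evasive from step 3 are active.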
