Web Server Security (Apache or HTTPD) Part 2
In our previous article we discussed the first four topics on our list. In this article we will cover the rest, beginning with the topic below.
Restrict access to directories using allow and deny
To restrict access to a particular directory as required, follow the simple steps below.
Open the configuration file and edit the directory section by running the following command.
#vim /etc/httpd/conf/httpd.conf
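Now add the following lines. Order and Deny are the Apache 2.2 access-control directives; on Apache 2.4 they are provided by the mod_access_compat module.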
<Directory /path of the directory>
Options None
Order deny,allow
Deny from all
</Directory>
Now save and exit the file. After that we have to restart the httpd service.
Install two security modules (mod_security & mod_evasive) to secure the Apache web server
We install two additional modules to give our web server more security. The first module, mod_security, works as a firewall: it independently detects a brute-force attacker and blocks it. mod_security has to be integrated with our Apache server; we will show that in another article, and for now we only show how to install it. To install this module, run the command below.
#yum install mod_security -y
Then we have to restart the apache server.
The second module, mod_evasive, mitigates two kinds of attacks on our web server: DDoS and brute force. It also blacklists clients on its own if an attacker repeatedly hits a single page or an IP makes more than the usual number of concurrent connections. To install this module, run the command below.
#yum install mod_evasive -y
Again we have to restart the apache server.
How to disable FollowSymLinks
In our previous article we discussed how to disable indexing (file listing) on the Apache web server. The procedure here is almost the same: we just need to add one option to disable following symbolic links.
To do this, open the same configuration file as before and find the directory section, which usually looks like this.
<Directory /var/www/html/></Directory>
We already disabled indexing in our configuration file, so the section currently looks like this.
<Directory /var/www/html/>
Options -Indexes
AllowOverride None
Require all granted
</Directory>
Now we just have to add one new parameter to this configuration: add -FollowSymLinks, then save and exit the file. The final configuration looks like this.
<Directory /var/www/html/>
Options -Indexes -FollowSymLinks
AllowOverride None
Require all granted
</Directory>
After this let’s restart the server.
Disable Server Side Includes (SSI) and Common Gateway Interface (CGI) execution
These two features are enabled by default, but they are a very common way to attack a server. It is quite possible to include a module with hidden scripts that lets an attacker intrude into the server. We should therefore keep a careful eye on this and disable both options on the server; we can also apply this rule to individual directories to protect the raw data. Disable these features according to the client's requirements.
So we need to add the following options to the specific directory.
<Directory /var/www/html/testdirectory1>
Options -Includes -ExecCGI
AllowOverride None
Require all granted
</Directory>
Now restart the Apache server, and both features will be disabled for that directory.
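To check that the Options changes from the FollowSymLinks and SSI/CGI sections are really in place, the following added example (not part of the original article) parses <Directory> blocks and reports which of Indexes, FollowSymLinks, Includes and ExecCGI each block does not switch off. It also flags an option whose prefix is not the ASCII hyphen, which easily happens when a configuration is pasted from a formatted web page. The function name audit_directories and the /srv/pasted path are assumptions made for the example, and the sample configuration is constructed.

```python
import re

# Options the article turns off; each block should disable them explicitly.
RISKY = ("Indexes", "FollowSymLinks", "Includes", "ExecCGI")
OPEN = re.compile(r'<Directory\s+"?([^">]+?)"?\s*>', re.I)

def audit_directories(conf_text):
    """Return {directory: [findings]} for each <Directory> block."""
    report, current, state = {}, None, {}
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        opened = OPEN.match(line)
        if opened:
            current, state = opened.group(1), dict.fromkeys(RISKY)  # None = inherited
            report[current] = []
        elif current and line.lower().startswith("</directory"):
            report[current] += [f"{n} not explicitly disabled"
                                for n in RISKY if state[n] is not False]
            current = None
        elif current and line.lower().startswith("options"):
            tokens = line.split()[1:]
            if any(t[0].isalpha() for t in tokens):
                # No +/- prefix: the line replaces the inherited option set.
                state = dict.fromkeys(RISKY, False)
            for tok in tokens:
                sign, name = (tok[0], tok[1:]) if tok[0] in "+-" else ("+", tok)
                if not name.isalpha():
                    # e.g. an en dash pasted in place of the ASCII hyphen
                    report[current].append(f"unparseable option {tok!r}")
                    continue
                for key in RISKY:
                    if name.lower() in (key.lower(), "all", "none"):
                        state[key] = sign == "+" and name.lower() != "none"
    return report

# Constructed sample: one block as in the article, one with a pasted en dash.
SAMPLE = """
<Directory /var/www/html/>
Options -Indexes -FollowSymLinks
</Directory>
<Directory /srv/pasted>
Options \u2013Indexes -FollowSymLinks
</Directory>
"""

for path, findings in audit_directories(SAMPLE).items():
    print(path, "->", findings or "ok")
```

A finding of "not explicitly disabled" means the block leaves that option to whatever the parent configuration sets, so the effective value still has to be checked there.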