As the most used web server software to date, Apache is a big target for cyber criminals. It’s even more important to protect your web server’s security than maintain application security. Although someone who exploits an application or module you have installed on your server could steal information, someone who manages to break into Apache itself could make sweeping modifications to your server. We’ll take a look at some measures you can take to ensure that your Apache installation remains guarded.
First, only enable functionality that your server requires. If you use only PHP scripts that interact with SQL databases, for example, then don’t install or enable ASP.NET or any other technology you won’t be using. These additional openings only serve as more potential vulnerabilities.
You should also configure your Apache installation to have limited access to your operating system files. In the event that your Apache installation is broken into, this can prevent even worse damage from the hacker modifying your operating system. This process is called “chrooting,” and doing so can make your server immune from many current and future exploits.
There are lots of Apache server modules, and many administrators install various ones for testing and other purposes. To keep your server secure, make sure you only leave modules installed that you actually use. If you’re using third-party modules, make sure that you regularly check on exploit reports. Because Apache may not cover these, you must be extra vigilant.
The next spot to check is the Apache configuration itself. As you know, the Apache configuration file has many directives, a large portion of which the vast majority of server owners will never use. Before making any directive modifications, you should ensure that nothing on your server relies on them. After doing that, you should check the following:
- Handlers you are not using
- ‘ScriptAlias’ and ‘Alias’
- Directory Indexes
Disabling server-side includes is also a good idea. These are not necessary for most users, and they can put a large strain on servers. They even allow users to run CGI scripts on your server, which is obviously something most administrators do not want to happen.
Finally, make sure you regularly check your log files. Many intrusions are silent, but it is very hard for an attacker to completely erase evidence of their entry.