A Few Apache Hardening Basics

By Daniel Miessler on December 7th, 2009: Tagged as Information Security

apache

Here are a few things you should consider doing immediately after installing and configuring Apache. Not to be confused with an Apache hardening guide, this is just a list of three (3) minimums.

Permissions

Here’s a script you can run to harden the permissions on your web root. It will make sure ownership is correct (change as needed), and that all your directories are 755 and files are 644.

alias perms=&quot;find /var/www/localhost/ -print0 | xargs -0 chown apache:root; find /var/www/localhost/htdocs/ -type d -print0 | xargs -0 chmod 755; find /var/www/localhost/htdocs/ -type f -print0 | xargs -0 chmod 644;

Directory Listing

Within Ubuntu, you can edit /etc/apache2/sites-available/default and change the Indexes bit to -Indexes.

Directory /var/www/localhost/htdocs/
Options -Indexes

Disable Advertising of Your Apache Version

In later versions of Apache, the ServerTokens option replaces ServerSignature as the means by which you determine how much information Apache gives about itself.

ServerTokens Prod

Then bounce the service:

/etc/init.d/apache2 restart

(thanks to Mike M. for the inspiration to post this.)

View Comments

foo

depending on what's you are trying to do, it might be shorter to do...

chmod -R og-w+X (others or mere group members can't write, but may search all dirs)

...instead of...

find /var/www/localhost/htdocs/ -type d -print0 | xargs -0 chmod 755;
find /var/www/localhost/htdocs/ -type f -print0 | xargs -0 chmod 644;

A Few Apache Hardening Basics

By Daniel Miessler on December 7th, 2009: Tagged as Information Security

Permissions

Directory Listing

Disable Advertising of Your Apache Version

Related Posts

Sample Original Content

Information Security

Tutorials and Primers

Culture & Society

Technology & Science

Politics

Philosophy & Religion

Miscellaneous

Tools & Projects

Blog Archives