Securing Apache - Debian/Ubuntu

Step 2c - Configuring Apache Modules and Sites

Configuring Apache Modules and Sites

We need to minimize the information we share with everyone, and we need to review which modules are running and which applications they interact with. The bulk of the work is in this procedure: it is not just a matter of turning modules on or off; carefully tuning each module's behaviour and function is what hardens a system against attackers on the Internet.

How to enable or disable Apache modules

Enabling modules:
a2enmod (module name)
Disabling modules:
a2dismod (module name)

Disable unnecessary Apache modules

To list all of the Apache modules running:
apachectl -M
Disable ANY modules not needed for your configuration, or turn them all off and re-enable only the needed ones by following the steps below.

Enabling needed Apache modules

a2enmod ssl headers rewrite expires proxy proxy_fcgi proxy_http http2 cache cache_socache socache_shmcb php5

Enabling the newly created sites under Apache

a2ensite /etc/apache2/sites-available/EXAMPLE_com_ssl.conf
a2ensite /etc/apache2/sites-available/EXAMPLE_com.conf

Disabling the default sites under Apache

Do not forget to handle requests that reach the server's IP address directly (the default virtual host) if you disable the defaults. Do not use the Apache2 default page!

a2dissite /etc/apache2/sites-enabled/000-default.conf
a2dissite /etc/apache2/sites-enabled/default-ssl.conf

Change the Timeout & KeepAlive

nano /etc/apache2/apache2.conf
Locate and change the following lines:

Timeout 30
KeepAliveTimeout 5

# Protect our system files. If you did not add this in the prior Step 2b, you can add it globally here.
<Directory />
      Require all denied
      AllowOverride None
      Options None
</Directory>

Close and exit the file

ctrl + o   (Save)
ctrl + x   (Exit)

Remove Apache Version, Operating System, Port, and Hostname from being advertised

We could put all of the security header settings in this file, but I strongly recommend against doing so on a server that hosts numerous sites!

nano /etc/apache2/conf-enabled/security.conf
Locate and change the following lines:

ServerTokens Prod
ServerSignature Off
TraceEnable Off

Close and exit the file

ctrl + o   (Save)
ctrl + x   (Exit)
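The module review above and the three information-hiding directives in security.conf are easy to get wrong on a server with many sites, so here is a small audit helper. It is an added example, not part of the original guide: the allowlist is assumed to be the a2enmod list from this step plus the modules Apache always loads, and both functions read stdin so they can be fed live output or the constructed samples embedded below.

```shell
#!/bin/sh
# Added audit helper for this step (not part of the original guide). Both
# functions read stdin, so feed them `apachectl -M` output or
# /etc/apache2/conf-enabled/security.conf, or the constructed samples below.

# Modules this step enables with a2enmod, plus the ones Apache always loads
# (assumed baseline; extend it with anything your configuration needs).
ALLOWED="core_module so_module watchdog_module http_module log_config_module
logio_module version_module unixd_module mpm_event_module ssl_module
headers_module rewrite_module expires_module proxy_module proxy_fcgi_module
proxy_http_module http2_module cache_module cache_socache_module
socache_shmcb_module php5_module"

# extra_modules: given `apachectl -M` output on stdin, print every loaded
# module that is not on the allowlist, sorted one per line (candidates for
# a2dismod). Prints nothing when the server only runs allowed modules.
extra_modules() {
    awk -v allowed="$ALLOWED" '
        BEGIN { n = split(allowed, a); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        / \((static|shared)\)$/ { if (!($1 in ok)) print $1 }
    ' | sort
}

# missing_directives: given an Apache conf on stdin, print each of the three
# information-hiding directives whose effective value (last one wins, as in
# Apache) is not the hardened setting. Comment lines are ignored.
missing_directives() {
    awk '
        /^[ \t]*#/ { next }
        $1 == "ServerTokens"    { st = tolower($2) }
        $1 == "ServerSignature" { ss = tolower($2) }
        $1 == "TraceEnable"     { te = tolower($2) }
        END {
            if (st != "prod") print "ServerTokens Prod"
            if (ss != "off")  print "ServerSignature Off"
            if (te != "off")  print "TraceEnable Off"
        }
    '
}

# Constructed sample in the format `apachectl -M` prints, with two modules
# the guide does not enable.
SAMPLE_MODULES='Loaded Modules:
 core_module (static)
 mpm_event_module (shared)
 status_module (shared)
 autoindex_module (shared)'
printf '%s\n' "$SAMPLE_MODULES" | extra_modules
```

On a real host, run `apachectl -M | extra_modules` and `missing_directives < /etc/apache2/conf-enabled/security.conf`; empty output means nothing is left to fix.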

Remove the PHP version from being advertised (just in case you have it installed)

nano /etc/php5/apache2/php.ini
Locate and change the following line:

expose_php = Off

Close and exit the file

ctrl + o   (Save)
ctrl + x   (Exit)

Tweak our performance a bit with mpm_event

Under the event MPM each process contains multiple threads, and each thread can handle more than one task, so Apache has the lowest resource requirements when it runs with mpm_event.

Our configuration has to cope with a higher load, so the defaults need to be adjusted.

nano /etc/apache2/mods-enabled/mpm_event.conf
Locate and change the following lines.

This configuration is for a dedicated web application server. If the machine also serves email, DNS, and so forth, cut every value in half, set MaxMemFree to a minimum of 4096 (which is 4 megabytes), and adjust as necessary.

<IfModule mpm_event_module>
      #StartServers 5
      #MinSpareServers 5
      #MaxSpareServers 10
      #MaxRequestWorkers 150
      #MaxConnectionsPerChild 0
      MaxMemFree 0
      StartServers 5
      # The event MPM is threaded: it takes MinSpareThreads/MaxSpareThreads,
      # not the prefork-only MinSpareServers/MaxSpareServers, which Apache
      # rejects as invalid commands at startup when mpm_event is loaded.
      MinSpareThreads 15
      MaxSpareThreads 30
      ServerLimit 32
      # MaxClients is the deprecated alias of MaxRequestWorkers; when both are
      # set, the later directive wins, so the 256 would be ignored anyway.
      #MaxClients 256
      MaxRequestWorkers 50
      MaxConnectionsPerChild 1000
</IfModule>

Close and exit the file

ctrl + o   (Save)
ctrl + x   (Exit)

Restart Apache

systemctl restart apache2