Securing Apache - Fedora/RedHat

Step 2c - Configuring Apache Modules and Sites

Configuring Apache Modules and Sites

Part of having a secure website is minimizing the information that we share with everyone. We also need to look over which modules are running and which applications they interact with. The bulk of the work is in this procedure, and it is not just turning modules on and off: tweaking the behavior and function of the modules, along with core functionality, can harden a system well beyond a hacker's reach from the Internet. We will be updating this page to include additional configurations to strengthen the site's security.

How to enable or disable Apache modules

Comment/uncomment out the lines for each module listed in /etc/httpd/conf.modules.d/

Disable unnecessary Apache modules

To list all of the Apache modules running:

httpd -M

Disable any modules not needed for your configuration, or turn them all off and then re-enable/install only the needed modules.

Enabling needed Apache modules

The commands below will install the necessary modules for now. Note that mod_headers is installed and enabled by default.

yum install mod_ssl
yum install mod_session

Enabling the newly created sites under Apache

The newly created sites should be enabled automatically if they were configured correctly; no command is necessary.

Disabling the default sites under Apache

If you disable the defaults, do not forget to handle what is served when the server is requested by its bare IP address. Do not use the Apache default page!

Comment out the content of the file mentioned below; if you want, you can even rename it after doing so.

nano /etc/httpd/conf.d/welcome.conf

Change the Timeout & KeepAlive

nano /etc/httpd/conf/httpd.conf

Add the following lines to your httpd.conf file. Timeout is the number of seconds Apache waits for I/O on a request, and KeepAliveTimeout is how long an idle persistent connection is held open; lowering both limits how long a slow or idle client can tie up a worker:

Timeout 30
KeepAliveTimeout 5

Protect our system files. If you did not add this in the prior Step 2b, you can add it globally here:

<Directory />
      Require all denied
      AllowOverride None
      Options None
</Directory>

Close and exit the file

ctrl + o   (Save)
ctrl + x   (Exit)

Remove Apache Version, Operating System, Port, and Hostname from being advertised

We could put all of the security header settings in this file, but I strongly recommend against it on a server that hosts numerous sites!

nano /etc/httpd/conf/httpd.conf

Locate and change the following directives. ServerTokens Prod reduces the Server response header to just "Apache", ServerSignature Off removes the server/version footer from server-generated pages (error pages, directory listings), and TraceEnable Off disables the HTTP TRACE method:

ServerTokens Prod
ServerSignature Off
TraceEnable Off

Close and exit the file

ctrl + o   (Save)
ctrl + x   (Exit)
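As an added example (not part of the original guide), a small POSIX shell audit script that reads an httpd.conf-style file and reports whether ServerTokens, ServerSignature and TraceEnable carry the values set above. The file path argument and the inline sample config are assumptions constructed for the demo; it reads only the one file, so Include'd files such as /etc/httpd/conf.d/*.conf must be checked separately.

```shell
#!/bin/sh
# Added example, not from the original guide: audit an httpd.conf-style file
# for the three information-disclosure directives set in this step.
# Simplification: only the given file is read (Include'd files and
# <VirtualHost> contexts are not followed); the last uncommented occurrence
# of a directive wins, as it does in Apache itself.

# check_directive FILE NAME EXPECTED -> prints one status line, returns 0 if ok
check_directive() {
    file=$1; name=$2; expected=$3
    # commented lines (#...) never match because the pattern is anchored at line start
    actual=$(grep -iE "^[[:space:]]*${name}[[:space:]]+" "$file" | tail -n 1 | awk '{print $2}')
    if [ -z "$actual" ]; then
        echo "MISSING $name (default applies)"
        return 1
    fi
    lc_actual=$(printf '%s' "$actual" | tr 'A-Z' 'a-z')
    lc_expected=$(printf '%s' "$expected" | tr 'A-Z' 'a-z')
    if [ "$lc_actual" = "$lc_expected" ]; then
        echo "ok $name $actual"
        return 0
    fi
    echo "WRONG $name $actual (expected $expected)"
    return 1
}

# audit_conf FILE -> returns 0 only when all three directives are hardened
audit_conf() {
    rc=0
    check_directive "$1" ServerTokens Prod || rc=1
    check_directive "$1" ServerSignature Off || rc=1
    check_directive "$1" TraceEnable Off || rc=1
    return $rc
}

# Constructed sample: a partly hardened config (the commented-out line must be ignored)
SAMPLE=$(mktemp)
cat > "$SAMPLE" <<'EOF'
ServerTokens OS
# ServerSignature On
ServerSignature Off
Timeout 30
EOF
if audit_conf "$SAMPLE"; then
    echo "$SAMPLE: hardened"
else
    echo "$SAMPLE: needs attention"
fi
rm -f "$SAMPLE"
```

Run it against /etc/httpd/conf/httpd.conf after editing; a MISSING line means the Apache default (ServerTokens Full, ServerSignature Off, TraceEnable On) is in effect for that directive.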

Remove the PHP version from being advertised (just in case you have it installed)

nano /etc/php.ini

Locate and change the following line so PHP no longer adds its X-Powered-By header:

expose_php = Off

Close and exit the file

ctrl + o   (Save)
ctrl + x   (Exit)

Tweak our performance a bit with mpm_event

Each process under the event MPM can contain multiple threads, and each thread can handle more than one task. This gives Apache the lowest resource requirements when used with mpm_event.

We are using a configuration that requires us to address the higher load requirements.

nano /etc/httpd/conf.modules.d/00-mpm.conf

Comment out the LoadModule lines for mpm_prefork_module and mpm_worker_module, and un-comment the LoadModule line for mpm_event_module in the 00-mpm.conf file.

Add the following settings to the httpd.conf file:

If this server is also an email server, DNS server, and so forth, cut everything in half, set MaxMemFree to a minimum of 4096 (which is 4 MB), and alter as necessary.

<IfModule mpm_event_module>
      # 0 = no limit on free memory a process may hold before returning it
      MaxMemFree 0
      StartServers 5
      ServerLimit 32
      # MaxClients is the pre-2.4 name for MaxRequestWorkers; when both are
      # present the later line wins, so 50 is the effective worker limit
      MaxClients 256
      MaxRequestWorkers 50
      # recycle each child after this many connections to limit resource leaks
      MaxConnectionsPerChild 1000
</IfModule>

Restart Apache

systemctl restart httpd