Apache 2 - Security

Revision as of 18:05, 10 June 2014 by WikiFreak (talk | contribs)

Here you'll find information about how to make your server more discreet and secure. By changing the UID you can also make your server less risky in case it gets hacked.

Be discreet!

PHP info

Check the current server status using a simple PHP info file.

vim /var/www/myServer/phpinfo.php

Put the following:

<?php
// Show all information, defaults to INFO_ALL
phpinfo();
?>

Adjust rights and ownership:

chown -R www-data:www-data /var/www/myServer
chmod -R 755 /var/www/myServer

Adjust verbose level

Do not give details about your configuration to outsiders.

vim /etc/apache2/conf-available/security.conf

Set the following settings

#### Ask your server to be more discreet!
# ServerTokens
# Set to one of:  Full | OS | Minimal | Minor | Major | Prod
ServerTokens Prod

ServerSignature Off
TraceEnable Off

Restart Apache2

service apache2 restart

Re-run PHP info, you should have less information.
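A quick way to confirm the three settings above took effect is to look at what the server actually sends back. The following is an added example (not from the original wiki page): it parses a raw HTTP response and reports version information that ServerTokens Prod, ServerSignature Off and expose_php = Off should have removed. The two responses are constructed samples, not captured from a real host.

```python
import re
from typing import Dict, List, Tuple

# Two constructed HTTP responses (not captured from a real host). The first
# resembles what a stock Debian/Ubuntu Apache + PHP install answers; the second
# is what the page's settings (ServerTokens Prod, ServerSignature Off,
# expose_php = Off) should leave behind.
VERBOSE_RESPONSE = (
    "HTTP/1.1 404 Not Found\r\n"
    "Date: Tue, 10 Jun 2014 18:05:00 GMT\r\n"
    "Server: Apache/2.4.7 (Ubuntu) PHP/5.5.9-1ubuntu4 OpenSSL/1.0.1f\r\n"
    "X-Powered-By: PHP/5.5.9-1ubuntu4\r\n"
    "Content-Type: text/html; charset=iso-8859-1\r\n"
    "\r\n"
    "<html><body><h1>Not Found</h1>\n"
    "<hr>\n"
    "<address>Apache/2.4.7 (Ubuntu) Server at myServer Port 443</address>\n"
    "</body></html>\n"
)

HARDENED_RESPONSE = (
    "HTTP/1.1 404 Not Found\r\n"
    "Date: Tue, 10 Jun 2014 18:05:00 GMT\r\n"
    "Server: Apache\r\n"
    "Content-Type: text/html; charset=iso-8859-1\r\n"
    "\r\n"
    "<html><body><h1>Not Found</h1></body></html>\n"
)


def parse_response(raw: str) -> Tuple[Dict[str, str], str]:
    """Split a raw HTTP/1.1 response into a lower-cased header dict and the body."""
    head, _, body = raw.partition("\r\n\r\n")
    headers: Dict[str, str] = {}
    for line in head.split("\r\n")[1:]:          # skip the status line
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return headers, body


def audit_disclosure(raw: str) -> List[str]:
    """Return one finding per piece of version information the response leaks.

    An empty list means the response looks like the hardened configuration."""
    headers, body = parse_response(raw)
    findings: List[str] = []

    # ServerTokens Prod reduces the Server header to the bare product name
    # ("Apache"); a version number or a parenthesised OS means a looser level.
    server = headers.get("server", "")
    if re.search(r"\d", server) or "(" in server:
        findings.append("ServerTokens is not Prod: Server header is '%s'" % server)

    # X-Powered-By is added by PHP while expose_php = On.
    if "x-powered-by" in headers:
        findings.append("expose_php is On: X-Powered-By is '%s'" % headers["x-powered-by"])

    # ServerSignature On appends an <address> footer with version and hostname
    # to every server-generated error page.
    if re.search(r"<address>.*?</address>", body, re.S):
        findings.append("ServerSignature is not Off: error page carries an <address> footer")

    return findings


if __name__ == "__main__":
    for label, raw in (("verbose", VERBOSE_RESPONSE), ("hardened", HARDENED_RESPONSE)):
        print(label, audit_disclosure(raw) or ["no disclosure found"])
```

To run it against your own server, request a page that does not exist (so Apache generates the error page itself) with `http.client` or `curl -i`, and pass the raw response text to `audit_disclosure`. TraceEnable Off cannot be verified from a single GET; send a TRACE request and expect a 405.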

PHP5 security

PHP Security Info

If you want to test your PHP security, you can use the PHPSecInfo tool, available at: http://phpsec.org/projects/phpsecinfo/index.html


cd /tmp
wget http://phpsec.org/projects/phpsecinfo/phpsecinfo.zip
unzip phpsecinfo.zip
mv phpsecinfo-Version phpsecinfo
mv phpsecinfo/ /var/www
cd /var/www
chown -R www-data:www-data phpsecinfo

Virtual host configuration

Edit your V.Host configuration

vim /etc/apache2/sites-available/myServer

!! For security reasons: DO NOT use 'phpsecinfo' as the alias. It's too easy to guess.

<VirtualHost _default_:443>
         # PHPSecInfo
         Alias   /phpsec   /var/www/phpsecinfo
         <Location /phpsec >
                 Require all granted
                 ProxyPass !
                 order deny,allow
                 # allow from
                 allow from all
         </Location>
         # ... the rest of your VirtualHost directives go here ...
</VirtualHost>

Reload your configuration

/etc/init.d/apache2 reload

Run the test

To assess your current installation you can run the test: https://myServer/phpsec

Improve security

PHP5 sessions and temp files

Create specific directory to store the sessions and temp files:

mkdir -p /etc/php5/temp
mkdir -p /etc/php5/session
chown -R www-data:root /etc/php5/temp
chown -R www-data:root /etc/php5/session
chmod -R 770 /etc/php5/session
chmod -R 770 /etc/php5/temp

Edit the configuration file

vim /etc/php5/apache2/php.ini


  • line 801 → upload_tmp_dir = /etc/php5/temp
  • line 1357 → session.save_path = "/etc/php5/session"

PHP5 tweak

Edit the configuration file

vim /etc/php5/apache2/php.ini


  • line 376 → expose_php = Off
  • line 406 → memory_limit = 8M
  • line 480 → display_errors=Off
  • line 675 → post_max_size=256K
  • line 805 → upload_max_filesize=256K
  • line 814 → allow_url_fopen=Off
 DO NOT enable open_basedir (even if the test says so! It's a troublesome setting)

Restart your server to load the changes:

service apache2 restart

Re-run the test, then:

  • Ignore the open_basedir and upload_tmp_dir alerts, if any.
  • You can enable some specific options with a .htaccess file
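The line numbers quoted above shift from one php.ini release to the next, so a check by directive name is more robust. The script below is an added example (not part of the original page): it reads a php.ini, compares the directives from the two sections above ("PHP5 sessions and temp files" and "PHP5 tweak") against the values the page asks for, and flags open_basedir if it has been set. The two ini excerpts are constructed samples, not copies of any real php.ini.

```python
from typing import Dict, List

# The directives this page tells you to set, keyed by name rather than by
# php.ini line number (line numbers move between PHP releases, names do not).
EXPECTED = {
    "expose_php": "Off",
    "display_errors": "Off",
    "allow_url_fopen": "Off",
    "memory_limit": "8M",
    "post_max_size": "256K",
    "upload_max_filesize": "256K",
    "upload_tmp_dir": "/etc/php5/temp",
    "session.save_path": "/etc/php5/session",
}


def parse_php_ini(text: str) -> Dict[str, str]:
    """Minimal php.ini reader: drops ';' comments and [section] headers, strips
    quotes around values, and lets a later assignment override an earlier one."""
    settings: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()
        if not line or line.startswith("[") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        settings[key.strip()] = value.strip().strip('"')
    return settings


def normalise(value: str) -> str:
    """php.ini accepts several spellings of booleans; fold them for comparison."""
    v = value.strip().lower()
    if v in ("off", "0", "", "false", "no", "none"):
        return "off"
    if v in ("on", "1", "true", "yes"):
        return "on"
    return v


def audit_php_ini(text: str) -> List[str]:
    """Return one message per directive that differs from the page's values."""
    settings = parse_php_ini(text)
    problems: List[str] = []
    for key, wanted in EXPECTED.items():
        actual = settings.get(key)
        if actual is None:
            problems.append("%s: not set, PHP default applies (wanted %s)" % (key, wanted))
        elif normalise(actual) != normalise(wanted):
            problems.append("%s: is '%s', wanted '%s'" % (key, actual, wanted))
    # The page says to leave open_basedir alone even if PHPSecInfo complains.
    if settings.get("open_basedir"):
        problems.append("open_basedir is set to '%s'; this page recommends leaving it unset"
                        % settings["open_basedir"])
    return problems


# Constructed excerpts, not copied from any real php.ini.
STOCK_INI = """\
[PHP]
; values resembling an untouched distribution php.ini
expose_php = On
memory_limit = 128M
display_errors = Off
post_max_size = 8M
;upload_tmp_dir =
upload_max_filesize = 2M
allow_url_fopen = On
[Session]
;session.save_path = "/var/lib/php5"
"""

HARDENED_INI = """\
[PHP]
expose_php = Off
memory_limit = 8M
display_errors=Off
post_max_size=256K
upload_tmp_dir = /etc/php5/temp
upload_max_filesize=256K
allow_url_fopen=Off
[Session]
session.save_path = "/etc/php5/session"
"""


if __name__ == "__main__":
    import sys
    # Pass the path of a php.ini to audit it; otherwise audit the constructed samples.
    if len(sys.argv) > 1:
        for p in audit_php_ini(open(sys.argv[1]).read()):
            print(p)
    else:
        print("stock:", audit_php_ini(STOCK_INI))
        print("hardened:", audit_php_ini(HARDENED_INI))
```

Run it as `python3 audit.py /etc/php5/apache2/php.ini`; an empty result means every directive above is set as the page describes. Remember that a .htaccess or a conf.d snippet can still override these values for a given directory, so the file alone is not the final word.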

Change Apache 2 UID

IMPORTANT: Do not change the UID if you have already installed web programs such as phpldapadmin, phpmyadmin, cacti, ...

This security trick is not crucial, it's just a "nice to have".

Change the Apache UID

vim /etc/group

Change www-data UID


Change the Apache GID

vim /etc/passwd

Change the group settings


Apply modifications

chown -R www-data:www-data /var/www/*
chown -R www-data:root /etc/php5/*

To apply the modifications you have to reboot the server, not just restart the service: run the "reboot" command.

Avoid DOS attacks

Source: Linux mag’ – Hors serie Apache2

You can protect your server from Denial Of Service (DOS) attacks through mod_evasive


apt-get install libapache2-mod-evasive

Prepare log directory

mkdir /var/log/apache2/mod_evasive
chown -R www-data:www-data  /var/log/apache2/mod_evasive

Enable module

a2enmod evasive


Update / create the configuration file

vim /etc/apache2/mods-available/evasive.conf


# Mod evasive configuration
# Based upon Linux Mag 
<IfModule mod_evasive20.c>
   # Size of the hash table. 
   # The greater, the more memory is required but the faster it is! The value must be a prime number
   DOSHashTableSize 3097 

   # Limit user to 5 pages per 2 seconds
   DOSPageCount 5
   DOSPageInterval 2 

   # No more than 100 HTTP requests per second (HTML, CSS, images, …) 
   DOSSiteCount 100
   DOSSiteInterval 1

   # Block client for 300 seconds
   DOSBlockingPeriod 300 

   # Send email alert
   #DOSEmailNotify "admin@myDomain" 

   # Log directory
   DOSLogDir "/var/log/apache2/mod_evasive" 

   # Command to execute on ban
   #DOSSystemCommand "/sbin/iptables -I INPUT -s %s -j DROP"

   # Ignore following IP and networks
   #DOSWhitelist 66.249.65.*
</IfModule>

Apply changes

service apache2 restart
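Before putting the thresholds above into production it helps to see what they mean for real traffic: how many hits on one page within two seconds actually trigger a 403, and for how long. The following is an added example (not code from the page or from mod_evasive itself): a small Python model of the module's counters, modelled on its per-client "last hit time plus counter" bookkeeping as I read it, replayed over Apache access-log lines. The sample log lines are constructed; the thresholds are the ones from the evasive.conf above. Treat the model as an approximation for tuning, not as a substitute for the module's own behaviour.

```python
import re
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional

# Thresholds taken from the evasive.conf shown on this page.
DOS_PAGE_COUNT = 5
DOS_PAGE_INTERVAL = 2
DOS_SITE_COUNT = 100
DOS_SITE_INTERVAL = 1
DOS_BLOCKING_PERIOD = 300


class EvasiveModel:
    """Simplified model of mod_evasive's per-client counters (an approximation).

    Each key (client+URI, or client+site) keeps the time of its last hit and a
    counter; the counter resets when the gap since the last hit reaches the
    interval, and a hit arriving while the counter is already at the limit is
    refused. A refused client stays refused for blocking_period seconds, and
    every further request from it during that time extends the block."""

    def __init__(self, page_count=DOS_PAGE_COUNT, page_interval=DOS_PAGE_INTERVAL,
                 site_count=DOS_SITE_COUNT, site_interval=DOS_SITE_INTERVAL,
                 blocking_period=DOS_BLOCKING_PERIOD):
        self.page_count, self.page_interval = page_count, page_interval
        self.site_count, self.site_interval = site_count, site_interval
        self.blocking_period = blocking_period
        self.hits: Dict[str, List[float]] = {}   # key -> [last_hit, count]
        self.blocked: Dict[str, float] = {}      # ip -> time of last refused hit

    def _over_limit(self, key: str, t: float, limit: int, interval: int) -> bool:
        entry = self.hits.get(key)
        if entry is None:
            self.hits[key] = [t, 1]
            return False
        last, count = entry
        if t - last < interval and count >= limit:
            entry[0] = t
            return True
        if t - last >= interval:
            count = 0                      # quiet for a whole interval: start over
        entry[0], entry[1] = t, count + 1
        return False

    def request(self, ip: str, uri: str, t: float) -> bool:
        """Return True if the model would answer this request with 403."""
        if ip in self.blocked and t - self.blocked[ip] < self.blocking_period:
            self.blocked[ip] = t           # each request while blocked extends the ban
            return True
        page_hit = self._over_limit("%s_%s" % (ip, uri), t, self.page_count, self.page_interval)
        site_hit = self._over_limit("%s_SITE" % ip, t, self.site_count, self.site_interval)
        if page_hit or site_hit:
            self.blocked[ip] = t
            return True
        return False


# Apache "combined" log format; only the fields the model needs are captured.
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})')
TIME_FMT = "%d/%b/%Y:%H:%M:%S %z"


def replay_log(lines: List[str], model: Optional[EvasiveModel] = None) -> Dict[str, int]:
    """Feed access-log lines through the model; return, per client IP, how many
    of its requests would have been refused. Lines that do not parse are skipped."""
    model = model or EvasiveModel()
    refused: Dict[str, int] = {}
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        ip, stamp, _method, uri, _status = m.groups()
        t = datetime.strptime(stamp, TIME_FMT).timestamp()
        refused.setdefault(ip, 0)
        if model.request(ip, uri, t):
            refused[ip] += 1
    return refused


# Constructed log: 10.0.0.5 requests one page seven times within the same
# second, 10.0.0.6 fetches the same page once every three seconds.
T0 = datetime(2014, 6, 10, 18, 5, 0, tzinfo=timezone.utc)


def make_line(ip: str, uri: str, when: datetime) -> str:
    return '%s - - [%s] "GET %s HTTP/1.1" 200 512 "-" "constructed-ua"' % (
        ip, when.strftime(TIME_FMT), uri)


SAMPLE_LOG = [make_line("10.0.0.5", "/index.php", T0) for _ in range(7)] + [
    make_line("10.0.0.6", "/index.php", T0 + timedelta(seconds=3 * i)) for i in range(3)]


if __name__ == "__main__":
    print(replay_log(SAMPLE_LOG))   # {'10.0.0.5': 2, '10.0.0.6': 0}
```

Replaying a day of your real access.log through `replay_log` before enabling the module shows which legitimate clients (proxies, monitoring, office NAT addresses) would trip DOSPageCount, which is exactly the list you want in DOSWhitelist.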

Change Apache2 ports number

You can change the ports Apache2 listens on. Unless you are particularly paranoid about security, you should NOT change the default ports.

vim /etc/apache2/ports.conf


Listen 80
Listen 443

Don't forget to adjust your IPTABLES script as well.