Securing Apache HTTP servers on Linux

In this post, we are going to increase the security of the server by reducing the information the server shares with the client. By itself this is not an active protection such as a firewall or an intrusion prevention system.

Apache does offer modules such as mod_security and mod_evasive for that, but we won't focus on them in this post. When talking about security, there are tons of other mechanisms to be installed and considered anyway.

#1 Disable server banners

When you reveal the exact version number of your server software, a hacker can use that information to search for known vulnerabilities in that specific version. This matters especially when it is an older version.

When it comes to server security, running the latest release, and especially the latest security patches, is a good bet. There might be exceptions though.

Open your Apache configuration file (e.g. /etc/apache2/apache2.conf) and add or change the following two lines:

ServerSignature Off
ServerTokens Prod

Nginx as reverse proxy

If Apache is used behind a reverse proxy, don't forget to hide the server banner of the proxy as well. Before the modification, the response headers of each request look somewhat like this:

The server software, the version and even the operating system are shown. Let's disable them. For nginx, install the nginx-extras package (it provides the more_clear_headers directive used below):

sudo apt install nginx-extras

Afterwards, open your nginx configuration (e.g. /etc/nginx/nginx.conf) and modify the http section:

http {
  # ... other settings
  server_tokens off;          # hide the nginx version number
  more_clear_headers Server;  # drop the Server header entirely (headers-more module)

  # ... other settings
}

Afterwards, the response headers should look like this:

WordPress generator tag

For WordPress users, or users of any other CMS, it is also recommended to remove the generator tag. It reveals the CMS and especially its version number, which a hacker may find useful when trying to take control of your server.

Generator tag from WordPress

To remove the generator tag, open the functions.php of your current theme:

  1. Go to your WordPress’s admin section.
  2. In the left menu, click on Appearance, then on Editor.
  3. On the right panel, click on Theme Functions (functions.php).
  4. Append the following line at the end of the file and press “Update File”.
/** other stuffs from your theme's functions.php */
// Stop wp_head() from printing the <meta name="generator" ...> tag.
remove_action( 'wp_head', 'wp_generator' );

After reloading the page, the source code of your page should no longer contain the generator tag and look like this:
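To check that the banner settings from section #1 and the generator-tag removal above actually took effect, here is an added shell script (not code from the original post) that audits a captured HTTP response for the leaks this post removes. It also checks X-Powered-By, which the post does not mention but which discloses the PHP version in the same way. The two responses are constructed for the demo; against a real host you would feed it the output of curl -si.

```shell
#!/bin/sh
# Added example, not code from the original post: audit a captured HTTP response
# for the Server banner, the X-Powered-By header and the CMS generator meta tag.
# Both responses below are constructed for the demo.

# Constructed response from a server before hardening: version, OS and CMS leak.
LEAKY_RESPONSE='HTTP/1.1 200 OK
Server: Apache/2.4.41 (Ubuntu)
X-Powered-By: PHP/7.4.3
Content-Type: text/html; charset=UTF-8

<!DOCTYPE html>
<html><head>
<meta name="generator" content="WordPress 5.4" />
<title>Blog</title>
</head><body></body></html>'

# Constructed response after ServerTokens Prod and remove_action(): product name only.
HARDENED_RESPONSE='HTTP/1.1 200 OK
Server: Apache
Content-Type: text/html; charset=UTF-8

<!DOCTYPE html>
<html><head>
<title>Blog</title>
</head><body></body></html>'

# Print the value of one response header (name compared case-insensitively);
# prints nothing if the header is absent. Only the header block is searched.
header_value() {
    printf '%s\n' "$1" | sed '/^\r*$/q' |
        awk -v name="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
            {
                i = index($0, ":")
                if (i > 0 && tolower(substr($0, 1, i - 1)) == name) {
                    v = substr($0, i + 1)
                    sub(/^[ \t]+/, "", v); sub(/[ \t\r]+$/, "", v)
                    print v; exit
                }
            }'
}

# True (0) when the Server header carries more than a product name: a slash
# introduces a version, a parenthesis the OS, as in "Apache/2.4.41 (Ubuntu)".
server_banner_leaks() {
    srv=$(header_value "$1" Server)
    case "$srv" in
        */*|*"("*) return 0 ;;
        *)         return 1 ;;
    esac
}

# Print the content of the generator meta tag, or nothing if it was removed.
generator_tag() {
    printf '%s\n' "$1" | grep -io '<meta name="generator" content="[^"]*"' |
        sed 's/.*content="\([^"]*\)".*/\1/' | head -n 1
}

# Run every check, print one LEAK line per finding, return 1 if anything leaked.
audit_response() {
    found=0
    if server_banner_leaks "$1"; then
        echo "LEAK  Server: $(header_value "$1" Server)"; found=1
    fi
    powered=$(header_value "$1" X-Powered-By)
    [ -n "$powered" ] && { echo "LEAK  X-Powered-By: $powered"; found=1; }
    gen=$(generator_tag "$1")
    [ -n "$gen" ] && { echo "LEAK  generator meta tag: $gen"; found=1; }
    [ "$found" -eq 0 ]
}

# Demo run on the constructed responses. For a live server use, for example:
#   audit_response "$(curl -si http://localhost/)"   (curl -I would hide the body)
echo "== before hardening =="
audit_response "$LEAKY_RESPONSE" || echo "result: information disclosed"
echo "== after hardening =="
audit_response "$HARDENED_RESPONSE" && echo "result: clean"
```

The Server check is deliberately simple: ServerTokens Prod leaves just the product name, so any slash or parenthesis in the value means a version or OS is still being sent, which is exactly what you want to catch after a reverse proxy or a package upgrade has re-introduced it.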

#2 Disable directory listing and stop following symbolic links

By default, Apache enables directory listing, which gives a hacker insight into which files are in your web directory. Needless to say, this is something you should avoid.

In addition, the FollowSymLinks option is enabled by default. The name is self-explanatory: Apache follows symbolic links found in the web directory.

Open your Apache configuration file (e.g. /etc/apache2/apache2.conf) and find the <Directory> section of your website, which should look somewhat like this:

<Directory /var/www/>
  Options Indexes FollowSymLinks
</Directory>

The official Apache documentation describes the Indexes option as follows:

If a URL which maps to a directory is requested and there is no DirectoryIndex (e.g. index.html) in that directory, then mod_autoindex will return a formatted listing of the directory.

That is exactly what we want to avoid, so remove Indexes from the Options line. Don't forget to restart your Apache server afterwards:

sudo service apache2 restart
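As an added example (not configuration from the original post), here is the <Directory> block before and after the change described in this section, assuming the /var/www/ path from the post. The AllowOverride and Require lines are the Debian/Ubuntu defaults and are assumed here; the post itself only shows the Options line.

```apache
# Before (Debian/Ubuntu default, as quoted in the post):
# directory listings on, every symbolic link followed.
<Directory /var/www/>
    Options Indexes FollowSymLinks
    AllowOverride None
    Require all granted
</Directory>

# After: no listing for directories without an index file; symbolic links are
# only followed when link and target belong to the same owner, so a link
# planted in the web root cannot expose files owned by another account.
<Directory /var/www/>
    Options -Indexes -FollowSymLinks +SymLinksIfOwnerMatch
    AllowOverride None
    Require all granted
</Directory>
```

The relative form (-Indexes, +SymLinksIfOwnerMatch) merges with Options inherited from parent sections; do not mix it with the absolute form (Options None) in the same directive. Keep SymLinksIfOwnerMatch if the directory uses mod_rewrite rules, which require either FollowSymLinks or SymLinksIfOwnerMatch to be enabled. Run sudo apachectl configtest before the restart so a typo in the block does not take the server down.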