In this post, we are going to increase the security of the server by reducing the information the server shares with the client. By itself this is not an active protection such as a firewall or any kind of intrusion prevention system.
Apache does offer modules for that purpose, such as mod_security and mod_evasive, but we won’t focus on that part in this post. When talking about security, there are plenty of other mechanisms to be installed and considered anyway.
#1 Disable server banners
When you reveal the exact version number of your server software, an attacker can use that information to search for known security flaws of that specific version, especially when it is an older one.
When it comes down to server security, I guess it’s a good bet to go for the latest and greatest, especially security patches :). There might be exceptions though.
Open your Apache configuration file (e.g. /etc/apache2/apache2.conf) and add the following two lines to it:
Nginx as reverse proxy
If Apache is used behind a reverse proxy, don’t forget to hide the server banner from your proxy as well. Before you do the modification, each request should look somewhat like this:
The server software, the version and even the operating system are shown. Let’s disable them. For nginx, install the nginx-extras package:
Afterwards open your nginx configuration (e.g. /etc/nginx/nginx.conf), and modify the http section:
Afterwards, it should look like this:
WordPress generator Tag
For WordPress users, or users of any other CMS, it is recommended to remove the generator tag as well. It provides information that an attacker may find useful for taking control of your server, especially the version number of the CMS.
To remove the generator tag, open the functions.php of your current theme:
- Go to your WordPress’s admin section.
- Click on the left on Appearance, then click on Editor .
- On the right panel, click on Theme Functions (functions.php).
- Append the following line at the end of the file and press “Update File”.
After reloading the page, the code of your page should look like this.
#2 Disable directory listing and stop following symlinks
By default, Apache enables directory listing, which gives an attacker insight into which files are in your web directory. Needless to say, this is something you should avoid.
In addition, the FollowSymLinks option is enabled by default. The name is self-explanatory.
Open your Apache configuration file (e.g. /etc/apache2/apache2.conf) and find the <Directory> section of your website, which should look somewhat like this:
The official Apache documentation describes the Indexes option as follows:
Well that is exactly what we want to avoid. So we will remove it. And don’t forget to restart your Apache server.
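To verify that the changes from #1 and #2 actually took effect, here is an added example (not part of the original post) that audits a raw HTTP response for the four leaks discussed above: a versioned Server banner, the ServerSignature footer, the WordPress generator tag and an Apache directory listing. The two sample responses are constructed; the directive names ServerTokens and ServerSignature come from the Apache documentation, not from this post.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample: an unhardened Apache/WordPress host with Indexes enabled.
LEAKY_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Apache/2.4.41 (Ubuntu)\r\n"
    "Content-Type: text/html\r\n"
    "\r\n"
    '<html><head><meta name="generator" content="WordPress 5.4" /></head>'
    "<body><h1>Index of /uploads</h1>"
    "<address>Apache/2.4.41 (Ubuntu) Server at example.test Port 80</address>"
    "</body></html>"
)

# Constructed sample: the same host after ServerTokens Prod, ServerSignature Off,
# Options -Indexes and removal of the generator tag.
HARDENED_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Apache\r\n"
    "Content-Type: text/html\r\n"
    "\r\n"
    "<html><head></head><body><h1>Welcome</h1></body></html>"
)


def parse_response(raw: str) -> Tuple[Dict[str, str], str]:
    """Split a raw HTTP/1.1 response into lower-cased headers and the body."""
    head, _, body = raw.partition("\r\n\r\n")
    headers: Dict[str, str] = {}
    for line in head.split("\r\n")[1:]:  # skip the status line
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return headers, body


def audit_response(raw: str) -> List[str]:
    """Return one finding per information leak; an empty list means hardened."""
    headers, body = parse_response(raw)
    findings: List[str] = []
    server = headers.get("server", "")
    # A "/version" or a parenthesised OS means ServerTokens is not set to Prod.
    if re.search(r"/\d", server) or "(" in server:
        findings.append(f"server banner leaks version/OS: {server!r}")
    # Footer emitted on error and index pages when ServerSignature is On.
    if re.search(r"<address>.*Server at .* Port \d+</address>", body, re.I):
        findings.append("ServerSignature footer present")
    if re.search(r'<meta\s+name=["\']generator["\']', body, re.I):
        findings.append("CMS generator meta tag present")
    # Apache's autoindex module titles listing pages "Index of /<dir>".
    if re.search(r"<(?:title|h1)>Index of /", body, re.I):
        findings.append("directory listing enabled (Indexes option)")
    return findings
```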