In this recipe, we will walk through the steps for securing a web server installation, covering both Apache and Nginx on Ubuntu.
You will need access to a root account or an account with sudo
privileges.
You will need a web server (Apache or Nginx) installed and running; the Apache commands below assume the Ubuntu packaging (a2query, a2enmod, a2dismod).
Follow these steps to secure the web server:
1. List the Apache modules that are enabled and disable the ones you do not need. Every loaded module is attack surface; mod_status, for example, exposes server statistics at /server-status:

    $ a2query -m
    $ sudo a2dismod status

2. Hide the server version and OS details from error pages and the Server header. Open /etc/apache2/conf-available/security.conf and set the following values:

    ServerSignature Off
    ServerTokens Prod

   security.conf is enabled by default on Ubuntu; check with a2query -c if you have changed the conf-enabled directory.

3. For Nginx, open /etc/nginx/nginx.conf and uncomment the following line in the http block:

    server_tokens off;

4. Disable directory listing so that a directory without an index file does not show its contents:

    <Directory /var/www/example.com>
        Options -Indexes
    </Directory>

   To disable listing for all sites at once, set Options -Indexes in the <Directory /var/www/> block in /etc/apache2/apache2.conf.

5. Deny access to the web root by default and then explicitly allow only the directories each site serves:

    <Directory /var/www/>
        Order deny,allow    # order of Deny and Allow
        Deny from all       # Deny web root for all
    </Directory>

   Order and Deny are Apache 2.2 directives. Ubuntu 14.04 and later ship Apache 2.4, where they only work through mod_access_compat; the native 2.4 equivalents are Require all denied and, for the directories you want served, Require all granted.

6. Disable the use of .htaccess files. This stops per-directory configuration from overriding your server-wide settings, and also helps improve performance because Apache no longer has to look for .htaccess on every request:

    <Directory />
        AllowOverride None  # disable use of .htaccess
    </Directory>

7. Stop Apache from following symbolic links, so that a link created under the document root cannot expose files outside it:

    <Directory />
        Options -FollowSymLinks
    </Directory>

8. Install mod_security and mod_evasive for added protection. mod_security acts as a web application firewall by inspecting requests in real time against a rule set, whereas mod_evasive provides protection against Denial of Service attacks by monitoring request rates per requester IP. mod_security installs as a plugin module as follows:

    $ sudo apt-get install libapache2-modsecurity
    $ sudo a2enmod mod-security

   On Ubuntu 14.04 and later the package is named libapache2-mod-security2 and the module is enabled with sudo a2enmod security2. The Ubuntu package starts in detection-only mode: copy /etc/modsecurity/modsecurity.conf-recommended to /etc/modsecurity/modsecurity.conf and change SecRuleEngine DetectionOnly to SecRuleEngine On once you are happy with the rules, otherwise nothing is blocked. mod_evasive is packaged as libapache2-mod-evasive. Nginx has no packaged mod_security module; you need to download the mod_security source and then compile Nginx with mod_security enabled.

9. Disable CGI execution and server-side includes wherever they are not needed:

    <Directory />
        Options -ExecCGI -Includes
    </Directory>

10. Set limits on request sizes and timeouts to blunt slow-request and oversized-request Denial of Service attempts. For Apache, the relevant directives are:

    TimeOut
    KeepAliveTimeout
    RequestReadTimeout
    LimitRequestBody
    LimitRequestFields
    LimitRequestFieldSize
    LimitRequestLine
    MaxRequestWorkers

   For Nginx, the corresponding settings are:

    client_body_buffer_size
    client_header_buffer_size
    client_max_body_size
    large_client_header_buffers

11. Enable per-site logging so that an incident on one site can be investigated without sifting through the logs of all of them:

    <VirtualHost *:80>
        ErrorLog /var/log/httpd/example.com/error_log
        CustomLog /var/log/httpd/example.com/access_log combined
    </VirtualHost>

   On Ubuntu the Apache log directory is /var/log/apache2 (available as ${APACHE_LOG_DIR} inside the configuration); create the per-site directory before restarting, as Apache refuses to start if the log directory does not exist.
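Once the settings are applied, check them from the outside rather than trusting the config files. The following script is an added example, not part of the recipe, that inspects HTTP responses for the two most visible leaks the steps above close: a Server banner that still carries versions and module names (steps 2 and 3) and an auto-generated directory listing (step 4). The header blocks and bodies embedded in it are constructed samples; audit_url fetches a live URL with curl and needs network access.

```shell
#!/bin/sh
# Added example, not part of the original recipe: check a web server's
# responses for the leaks the steps above are meant to close. The sample
# headers and bodies below are constructed; audit_url fetches a live URL.

# Print the value of the Server header from a raw response header block.
server_banner() {
    printf '%s\n' "$1" | tr -d '\r' | sed -n 's/^[Ss]erver:[[:space:]]*//p' | head -n 1
}

# Return 0 when the banner is absent or only the product name, which is
# what ServerTokens Prod (Apache) or server_tokens off (Nginx) yields;
# return 1 when it still carries a version, OS or module list.
banner_is_minimal() {
    case "$(server_banner "$1")" in
        ''|Apache|nginx) return 0 ;;
        *)               return 1 ;;
    esac
}

# Return 0 when the body is an auto-generated directory index, the page
# that Options -Indexes (Apache) or autoindex off (Nginx) suppresses.
is_directory_listing() {
    printf '%s\n' "$1" | grep -q '<title>Index of /'
}

# Fetch a URL with curl (needs network access) and run both checks,
# printing one line per finding. Exit status: 0 clean, 1 findings,
# 2 fetch failed.
audit_url() {
    url=$1
    headers=$(curl -sS -D - -o /dev/null "$url") || return 2
    body=$(curl -sS "$url") || return 2
    rc=0
    if ! banner_is_minimal "$headers"; then
        echo "$url: verbose Server banner: $(server_banner "$headers")"
        rc=1
    fi
    if is_directory_listing "$body"; then
        echo "$url: directory listing is enabled"
        rc=1
    fi
    return $rc
}

# Constructed samples standing in for real responses.
LEAKY_HEADERS='HTTP/1.1 200 OK
Server: Apache/2.4.7 (Ubuntu) OpenSSL/1.0.1f
Content-Type: text/html'

HARDENED_HEADERS='HTTP/1.1 200 OK
Server: Apache
Content-Type: text/html'

LISTING_BODY='<html><head><title>Index of /uploads</title></head>
<body><h1>Index of /uploads</h1><a href="backup.tar.gz">backup.tar.gz</a></body></html>'

NORMAL_BODY='<html><head><title>Example</title></head><body>Hello</body></html>'

# With a URL argument, audit a live server; without one, run the samples.
if [ "$#" -gt 0 ]; then
    audit_url "$1"
else
    banner_is_minimal "$LEAKY_HEADERS"    || echo "sample 1: banner leaks: $(server_banner "$LEAKY_HEADERS")"
    banner_is_minimal "$HARDENED_HEADERS" && echo "sample 2: banner is minimal"
    is_directory_listing "$LISTING_BODY"  && echo "sample 3: directory listing detected"
fi
```

Run it as sh audit.sh http://example.com/uploads/ against a directory you know has no index file; a clean run prints nothing and exits 0. The banner check is deliberately strict: anything beyond the bare product name, such as the "(Ubuntu)" OS tag, counts as a leak, because that is exactly what ServerTokens Prod removes.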
In this recipe, I have listed the various options available to make your web server more secure. It is not necessary to set all these settings. Disabling some of these settings, especially FollowSymLinks
and AllowOverride
, may not suit your requirements or your environment: sites that rely on symbolic links under the document root, or applications that ship their own .htaccess rules, will stop working. You can always choose the settings that apply to your setup.
Various settings listed here are available in their respective configuration files, mostly under /etc/apache2
for the Apache web server and /etc/nginx
for the Nginx server.
Also, do not forget to reload or restart your server after setting these options. Test the configuration first with sudo apache2ctl configtest or sudo nginx -t so that a typo does not take the server down on restart.
You should also set your Ubuntu environment to be more secure. You can find more details on securing Ubuntu in Chapter 2, Networking.
mod_evasive at https://www.linode.com/docs/websites/apache-tips-and-tricks/modevasive-on-apache
mod_security at https://www.digitalocean.com/community/tutorials/how-to-set-up-mod_security-with-apache-on-debian-ubuntu