
Securing Apache Checklist

The checklist:

  • First step: Secure the operating system. On an insecure operating system, you can’t have a secure webserver.
  • Run Apache under a distinct user and group (e.g. www-data:www-data). Do not run it as root:root or nobody:nogroup!
    User www-data
    Group www-data
  • Only enable those Apache modules (using the AddModule directive) which are absolutely necessary. Disable all others.
    These are the minimum requirements for a basic Apache install:

    • httpd_core – Core Module
    • mod_access – For Allow, Deny and Order directives
    • mod_auth – For HTTP Basic Authentication
    • mod_dir – For using index files like index.html
    • mod_log_config – For logging
    • mod_mime – For character set, content-encoding, content-language, and MIME types of documents

    Especially dangerous modules which should be disabled: mod_autoindex and mod_info.

  • Don’t display more information about the webserver, its version and configuration than absolutely necessary:
    ServerSignature Off
    ServerTokens Prod
  • First, deny access to everything. Then explicitly allow access only to the directories that need it.
    <Directory />
    Order deny,allow
    Deny from all
    </Directory>
    <Directory "/var/www/www.example.com">
    Order allow,deny
    Allow from all
    </Directory>
  • If you’re paranoid, don’t run Apache on port 80, but choose another port. Problem: Your users must know the port.
  • If possible, run Apache in a chroot.
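
The directive-level items in the checklist above can be checked automatically. The script below is an added example, not part of the original checklist: it reads Apache 1.3/2.0-style configuration text and reports which of those items are missing or violated. The audit function, the CHECKS table and the sample configuration are assumptions made for illustration.

```python
import re

RISKY_MODULES = {"mod_autoindex", "mod_info"}  # singled out by the checklist
CHECKS = {  # test each directive's value must pass; None = directive absent
    "user": lambda v: v not in (None, "root", "nobody"),
    "group": lambda v: v not in (None, "root", "nogroup"),
    "serversignature": lambda v: v == "off",
    "servertokens": lambda v: v in ("prod", "productonly"),
}
# Constructed sample that misses several checklist items.
WEAK_CONF = """
User nobody
Group nogroup
ServerTokens Full
LoadModule autoindex_module modules/mod_autoindex.so
<Directory />
    Order allow,deny
    Allow from all
</Directory>
"""

def audit(conf_text):
    """Return checklist findings for an Apache 1.3/2.0-style configuration."""
    top, modules, root_rules, section = {}, set(), [], None
    for raw in conf_text.splitlines():
        line = " ".join(raw.lower().split())    # normalise case and spacing
        if not line or line.startswith("#"):
            continue
        if line.startswith("</"):
            section = None                      # nested sections are not tracked
        elif line.startswith("<"):
            section = line.strip("<>")
        elif section is None:
            name, _, value = line.partition(" ")
            if name in ("addmodule", "loadmodule"):
                modules.update(re.findall(r"mod_\w+", value))
            else:
                top[name] = value               # last occurrence wins
        elif re.fullmatch(r'directory "?/"?', section):
            root_rules.append(line)
    findings = [f"{name}: {top.get(name, 'not set')}"
                for name, ok in CHECKS.items() if not ok(top.get(name))]
    findings += [f"module loaded: {m}" for m in sorted(modules & RISKY_MODULES)]
    if "deny from all" not in root_rules or any(r.startswith("allow from") for r in root_rules):
        findings.append("<Directory /> does not deny all access")
    return findings

if __name__ == "__main__":
    print("\n".join(audit(WEAK_CONF)))
```

An empty result means every directive-level item passed; the operating system, port and chroot items still need a manual check.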