Slide 1
Most trusted JOB oriented professional program
DevOps Certified Professional (DCP)

Take your first step into the world of DevOps with this course, which will help you to learn about the methodologies and tools used to develop, deploy, and operate high-quality software.

Slide 2
DevOps to DevSecOps – Learn the evolution
DevSecOps Certified Professional (DSOCP)

Learn to automate security into a fast-paced DevOps environment using various open-source tools and scripts.

Slide 2
Get certified in the new tech skill to rule the industry
Site Reliability Engineering (SRE) Certified Professional

A method of measuring and achieving reliability through engineering and operations work – developed by Google to manage services.

Slide 2
Master the art of DevOps
Master in DevOps Engineering (MDE)

Get enrolled for the most advanced and only course in the WORLD which can make you an expert and proficient Architect in DevOps, DevSecOps and Site Reliability Engineering (SRE) principles together.

Slide 2
Gain expertise and certified yourself
Azure DevOps Solutions Expert

Learn about the DevOps services available on Azure and how you can use them to make your workflow more efficient.

Slide 3
Learn and get certified
AWS Certified DevOps Professional

Learn about the DevOps services offered by AWS and how you can use them to make your workflow more efficient.

previous arrow
next arrow

Best practices to secure your Apache Web Server

Server Version Banner should be removed.

I’d say this is one of the first things to think about, because you don’t want to reveal your web server version. By exposing the version, you are assisting the hacker in expediting the reconnaissance process.

The Apache Version and OS Type will be exposed by default, as illustrated below.

  • Go to the $Web Server/conf directory.
  • Using the vi editor, modify httpd.conf.
  • Save the httpd.conf file after adding the following directive.
ServerTokens "Prod"
ServerSignature "Off"
  • Apache should be restarted

The version information in the page generated by Apache will be removed by ServerSignature.

Header will be changed to production only by ServerTokens, i.e., Apache.

As you can see in the screenshot below, the version and operating system information has vanished.

Disable the directory browser’s display.

Disable directory listing in a browser to prevent visitors from seeing all of the files and folders under the root or subdirectory.

Let’s see how it looks with the default settings.

  • Go to the $Web Server/htdocs directory.
  • Make a folder with a few files inside it.
# mkdir test
# cd test
# touch hi
# touch hello

Now, go to http://localhost/test and try to connect to Apache.

As you can see, it shows all of your files and directories, which I am sure you don’t want to expose that.
  • Go to the $Web Server/conf directory.
  • Using vi, open httpd.conf.
  • Change the Options directive to None or –Indexes after you’ve added the Directory.
<Directory /opt/lampp/htdocs/test>
Options -Indexes
</Directory>

or

<Directory /opt/lampp/htdocs/test>
Options None
</Directory>

Note: If your environment contains multiple Directory directives, you should consider implementing the same thing for all of them.

  • Restart Apache
  • Now, go to http://localhost/test and try to connect to Apache.

Instead of displaying the test folder listing, it displays a forbidden error.

Use a non-privileged account to run Apache.

Nobody or daemon is the default user account for a default installation. It’s a good idea to provide Apache its own non-privileged user.

The goal is to protect other services running in case of any security hole.

  • Create an apache user and group.
# groupadd apache
# useradd –G apache apache
  • Change the ownership of the apache installation directory to a newly created non-privileged user.
# chown –R apache:apache /opt/lampp
  • Go to the $Web Server/conf directory.
  • Using vi, open httpd.conf
  • Change the User & Group Directive to non-privileged account apache by searching for it.
User apache 
Group apache
  • Save the httpd.conf configuration file.
  • Restart Apache
  • grep for running http processes and make sure they’re all running with the apache user.
# ps –ef |grep http
  • One process should be running as root, as you can see. This is due to the fact that Apache listens on port 80 and must be run as root.

Permissions on binary and configuration directories should be protected.

The binary and configuration permissions are set to 755 by default, which implies that any user on the server may see the settings. You can deny access to the conf and bin folders to another user.

  • Go to the $Web Server/conf directory.
  • Bin and conf folder permissions should be changed.
chmod –R 750 bin conf





Rajesh Kumar