![\"\"](\"https:\/\/www.devopsschool.com\/blog\/wp-content\/uploads\/2021\/09\/response-header-unsecured.png\")
<\/figure>\n\n\n\n- Go to the $Web Server\/conf directory.<\/li>
- Using the vi editor, modify httpd.conf.<\/li>
- Save the httpd.conf file after adding the following directive.<\/li><\/ul>\n\n\n
ServerTokens \"Prod\"<\/span>\nServerSignature \"Off\"<\/span><\/code><\/span>Code language:<\/span> JavaScript<\/span> (<\/span>javascript<\/span>)<\/span><\/small><\/pre>\n\n\n![\"\"](\"https:\/\/www.devopsschool.com\/blog\/wp-content\/uploads\/2021\/09\/server-signature.png\")
<\/figure>\n\n\n\n- Apache should be restarted<\/li><\/ul>\n\n\n\n
The version information in the page generated by Apache will be removed by ServerSignature.<\/p>\n\n\n\n
Header will be changed to production only by ServerTokens, i.e., Apache.<\/p>\n\n\n\n
As you can see in the screenshot below, the version and operating system information has vanished.<\/p>\n\n\n\n
![\"\"](\"https:\/\/www.devopsschool.com\/blog\/wp-content\/uploads\/2021\/09\/response-header-secured.png\")
<\/figure>\n\n\n\nDisable the directory browser’s display.<\/h2>\n\n\n\n
Disable directory listing in a browser to prevent visitors from seeing all of the files and folders under the root or subdirectory.<\/p>\n\n\n\n
Let’s see how it looks with the default settings.<\/p>\n\n\n\n
- Go to the $Web Server\/htdocs directory.<\/li>
- Make a folder with a few files inside it.<\/li><\/ul>\n\n\n
# mkdir test<\/span>\n# cd test<\/span>\n# touch hi<\/span>\n# touch hello<\/span><\/code><\/span>Code language:<\/span> PHP<\/span> (<\/span>php<\/span>)<\/span><\/small><\/pre>\n\n\nNow, go to http:\/\/localhost\/test and try to connect to Apache.<\/p>\n\n\n\n
![\"\"](\"https:\/\/www.devopsschool.com\/blog\/wp-content\/uploads\/2021\/09\/test-directory-unsecured.png\")
As you can see, it shows all of your files and directories, which I am sure you don’t want to expose that.<\/figcaption><\/figure>\n\n\n\n - Go to the $Web Server\/conf directory.<\/li>
- Using vi, open httpd.conf.<\/li>
- Change the Options directive to None or \u2013Indexes after you’ve added the Directory.<\/li><\/ul>\n\n\n
<Directory<\/span> \/opt<\/span>\/lampp<\/span>\/htdocs<\/span>\/test<\/span>><\/span>\nOptions -Indexes\n<\/Directory<\/span>><\/span><\/code><\/span>Code language:<\/span> HTML, XML<\/span> (<\/span>xml<\/span>)<\/span><\/small><\/pre>\n\n\nor<\/strong><\/p>\n\n\n
<Directory<\/span> \/opt<\/span>\/lampp<\/span>\/htdocs<\/span>\/test<\/span>><\/span>\nOptions None\n<\/Directory<\/span>><\/span><\/code><\/span>Code language:<\/span> HTML, XML<\/span> (<\/span>xml<\/span>)<\/span><\/small><\/pre>\n\n\nNote:<\/strong> If your environment contains multiple Directory directives, you should consider implementing the same thing for all of them.<\/p>\n\n\n\n
- Restart Apache<\/li><\/ul>\n\n\n\n
- Now, go to http:\/\/localhost\/test and try to connect to Apache.<\/li><\/ul>\n\n\n\n
![\"\"](\"https:\/\/www.devopsschool.com\/blog\/wp-content\/uploads\/2021\/09\/test-directory-secured.png\")
<\/figure>\n\n\n\nInstead of displaying the test folder listing, it displays a forbidden error.<\/p>\n\n\n\n
Use a non-privileged account to run Apache.<\/h2>\n\n\n\n
Nobody or daemon is the default user account for a default installation. It’s a good idea to provide Apache its own non-privileged user.<\/p>\n\n\n\n
The goal is to protect other services running in case of any security hole.<\/p>\n\n\n\n
- Create an apache user and group.<\/li><\/ul>\n\n\n
# groupadd apache<\/span>\n# useradd \u2013G apache apache<\/span><\/code><\/span>Code language:<\/span> PHP<\/span> (<\/span>php<\/span>)<\/span><\/small><\/pre>\n\n\n- Change the ownership of the apache installation directory to a newly created non-privileged user.<\/li><\/ul>\n\n\n
# chown \u2013R apache:apache \/opt\/lampp<\/span><\/code><\/span>Code language:<\/span> PHP<\/span> (<\/span>php<\/span>)<\/span><\/small><\/pre>\n\n\n- Go to the $Web Server\/conf directory.<\/li>
- Using vi, open httpd.conf<\/li>
- Change the User & Group Directive to non-privileged account apache by searching for it.<\/li><\/ul>\n\n\n
User apache \nGroup apache<\/code><\/span><\/pre>\n\n\n- Save the httpd.conf configuration file.<\/li>
- Restart Apache<\/li>
- grep for running http processes and make sure they’re all running with the apache user.<\/li><\/ul>\n\n\n
# ps \u2013ef |grep http<\/span><\/code><\/span>Code language:<\/span> PHP<\/span> (<\/span>php<\/span>)<\/span><\/small><\/pre>\n\n\n![\"\"](\"https:\/\/www.devopsschool.com\/blog\/wp-content\/uploads\/2021\/09\/http-grep.png\")
<\/figure>\n\n\n\n- One process should be running as root, as you can see. This is due to the fact that Apache listens on port 80 and must be run as root.<\/li><\/ul>\n\n\n\n
Permissions on binary and configuration directories should be protected.<\/h2>\n\n\n\n
The binary and configuration permissions are set to 755 by default, which implies that any user on the server may see the settings. You can deny access to the conf and bin folders to another user.<\/p>\n\n\n\n
- Go to the $Web Server\/conf directory.<\/li>
- Bin and conf folder permissions should be changed.<\/li><\/ul>\n\n\n
chmod \u2013R 750 bin conf\n\n\n\n\n\n<\/code><\/span><\/pre>\n\n\n<\/h4>\n\n\n
- One process should be running as root, as you can see. This is due to the fact that Apache listens on port 80 and must be run as root.<\/li><\/ul>\n\n\n\n
- Change the ownership of the apache installation directory to a newly created non-privileged user.<\/li><\/ul>\n\n\n
- Create an apache user and group.<\/li><\/ul>\n\n\n
- Now, go to http:\/\/localhost\/test and try to connect to Apache.<\/li><\/ul>\n\n\n\n
- Restart Apache<\/li><\/ul>\n\n\n\n
- Apache should be restarted<\/li><\/ul>\n\n\n\n