-
Notifications
You must be signed in to change notification settings - Fork 0
Hardening an Apache server's configuration for better security
Edit the httpd.conf file (found in /etc/httpd/conf/) by adding the following line:
TraceEnable off
Server generated pages (internal error documents, FTP directory listings, etc) will display server version and virtual host names by default. Disable this by editing the httpd.conf file by changing the 'ServerSignature' from 'On' to 'Off'
ServerSignature Off
By default, the webserver will include a lot of information about the server (server version, OS, modules used, etc). Changing ServerTokens to 'Prod' will minimize the information to just the type of server used (apache). Change this by modifying httpd.conf like this:
ServerTokens Prod
Configure the vhosts file for each domain's ssl configuration to ensure that SSL uses only secure cyphers. Use the commands below:
SSLProtocol ALL -SSLv2
SSLHonorCipherOrder On
SSLCipherSuite ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AES:RSA+3DES:!ADH:!AECDH:!MD5:!DSS
In the virtual host file, inside the section there is an 'Options' directive. One of the possible (and usually default) settings is 'Indexes'. This will result in users seeing a directory listing when they visit a directory which does not have an Index file (usually index.html or index.php). You may not want people to see this kind of information so remove this option from the line.