Skip to content

Hardening an Apache server's configuration for better security

Christopher Hopkins edited this page Oct 24, 2013 · 1 revision

Disable Trace

Edit the httpd.conf file (found in /etc/httpd/conf/) by adding the following line:

 TraceEnable off

Disable Server Signature

Server generated pages (internal error documents, FTP directory listings, etc) will display server version and virtual host names by default. Disable this by editing the httpd.conf file by changing the 'ServerSignature' from 'On' to 'Off'

ServerSignature Off

Set the ServerTokens to Production mode

By default, the webserver will include a lot of information about the server (server version, OS, modules used, etc). Changing ServerTokens to 'Prod' will minimize the information to just the type of server used (apache). Change this by modifying httpd.conf like this:

ServerTokens Prod

Configure SSL Securely

Configure the vhosts file for each domain's ssl configuration to ensure that SSL uses only secure cyphers. Use the commands below:

    SSLProtocol ALL -SSLv2
    SSLHonorCipherOrder On
    SSLCipherSuite ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AES:RSA+3DES:!ADH:!AECDH:!MD5:!DSS

Disable Indexes

In the virtual host file, inside the section there is an 'Options' directive. One of the possible (and usually default) settings is 'Indexes'. This will result in users seeing a directory listing when they visit a directory which does not have an Index file (usually index.html or index.php). You may not want people to see this kind of information so remove this option from the line.

Clone this wiki locally