3 Must-Have Security Settings For Apache (And LiteSpeed, Ish)
03-04-2013 03:07 PM
#1
caurmen (Administrator)
3 Must-Have Security Settings For Apache (And LiteSpeed, Ish)
Apache and LiteSpeed are both pretty secure out of the box - there's no really dramatic holes you need to worry about at this point.
But there are a few things it's very advisable to do to avoid people being able to:
- Easily rip your landers
- Detect ways they could hack your server
- Trivially launch a Denial Of Service attack on your system.
I've included instructions for LiteSpeed in italics, like this. Most of these settings are already set by default, but if you need to change them, or they've been set strangely on your server, here you go!
Number 1: Make Apache Less Chatty
By default, Apache cheerfully tells anyone who views your landing pages its precise version number. That's bad, because it gives hackers very precise information on how to target an attack on your system - and if a flaw is found in your version of Apache, lets them easily single your server out as one to attack.
Fortunately, it's very easy to deal with.
Add the following two lines into your httpd.conf file (normally found in /etc/apache2):
Code:
ServerSignature Off
ServerTokens Prod
Then restart your server. Your server will now give out the minimum information necessary.
These directives don't work with LiteSpeed at present - but the LiteSpeed defaults are more sensible, and don't give as much information away.
Number 2: Turn Off Unnecessary Navigation Options
By default, Apache will cheerfully let any visitor browse your directories and view every file in any directory without an index. That's not great.
It's easy to turn it off for your domain, though. Open httpd.conf again.
Inside it, look for the line which begins "Options".
From here:
- If that line includes "-Indexes", or doesn't contain "Indexes" at all, leave it alone - you're fine.
- If you can't find "Options" in httpd.conf, check apache.conf and your virtualhost .conf file too. If none of those have a line beginning "Options" in them, add the line "Options -Indexes" at the bottom of httpd.conf.
- If there is an "Options" line that includes "Indexes" - NOT "-Indexes", but just the word without the dash in front of it - remove "Indexes" from that line.
I know these rules are a little confusing: if you're having problems implementing this, ask below and I'll explain more.
Once you've done this, it'll stop people randomly browsing around your directory tree and grabbing all your landers.
LiteSpeed is set up this way by default. If for some reason that default's been changed, though, you can change it back by changing the LiteSpeed "Auto Index" function - see this help doc.
Number 3: Lock Down Easy DOSes.
You can't prevent a determined attacker from launching a Denial Of Service attack on your site, but you can make it a lot harder.
Disabling KeepAlive (see our KeepAlive article) is a good start, but there's one other thing you'll want to do.
In httpd.conf, find the line starting with "LimitRequestBody" . If it's not there, add the following line:
Code:
LimitRequestBody 1048576
If it is there, change the number after LimitRequestBody to 1048576 unless you're sure there's a reason it needs to be larger.
That'll limit the maximum size of files your server can be sent to 1 MB, which should be reasonable unless you need to allow viewers to upload large files for some reason. It'll also mean you can still upload lists of converted subids, images through programs like POFpro, and similar things.
It doesn't give you perfect protection against a denial of service, but it removes one of the easy ways to bring a server down.
In LiteSpeed, the variable to change is "Max Request Body Size". I couldn't find the default setting for this variable - anyone? - so I'd definitely recommend checking this on your LiteSpeed server.
I hope that was all useful! If you have questions, comments, suggestions, if something was unclear or you're not sure it's right, please do comment below!
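The following is an added example and not part of the original post: a small shell audit that reads an httpd.conf (or a vhost .conf) and checks the three settings above the way the post's rules describe them, so you can see in one run whether a server still advertises its version, allows directory listings, or accepts unbounded request bodies. The two sample configs it runs over are constructed for illustration; the file paths are assumptions.

```shell
#!/usr/bin/env bash
# Added example (not from the original post): audit an Apache config for the
# three settings discussed in the thread. Sample configs below are constructed.

# Print the config with comments and blank lines removed, one directive per line.
_conf_directives() {
  sed -e 's/#.*$//' -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' "$1" | grep -v '^$' || true
}

# Last value of a directive, case-insensitive on the name. Apache keeps the last
# one it reads in a given context; this flat scan ignores <Directory>/<VirtualHost>
# scoping, so treat a FAIL as "go and look", not as a verdict.
_last_value() {
  _conf_directives "$1" | awk -v name="$2" 'tolower($1)==tolower(name){v=$2} END{print v}'
}

# audit_apache_conf FILE: prints one OK/FAIL line per check, returns the FAIL count.
audit_apache_conf() {
  local conf="$1" fails=0 v opt_lines bad

  # 1. Make Apache less chatty: ServerTokens Prod, ServerSignature Off.
  v=$(_last_value "$conf" ServerTokens)
  case "$(printf '%s' "$v" | tr 'A-Z' 'a-z')" in
    prod) echo "OK:   ServerTokens Prod" ;;
    "")   echo "FAIL: ServerTokens missing (default Full: full version banner)"; fails=$((fails+1)) ;;
    *)    echo "FAIL: ServerTokens $v (want Prod)"; fails=$((fails+1)) ;;
  esac
  v=$(_last_value "$conf" ServerSignature)
  case "$(printf '%s' "$v" | tr 'A-Z' 'a-z')" in
    off) echo "OK:   ServerSignature Off" ;;
    "")  echo "OK:   ServerSignature not set (default Off)" ;;
    *)   echo "FAIL: ServerSignature $v (want Off)"; fails=$((fails+1)) ;;
  esac

  # 2. Directory listings: any Options line enabling Indexes. A bare "Indexes",
  #    "+Indexes" or "All" (All includes Indexes) enables them; "-Indexes" does not.
  opt_lines=$(_conf_directives "$conf" | awk 'tolower($1)=="options"')
  if [ -z "$opt_lines" ]; then
    echo "FAIL: no Options line found; add 'Options -Indexes'"; fails=$((fails+1))
  else
    bad=$(printf '%s\n' "$opt_lines" | awk '{for(i=2;i<=NF;i++){t=tolower($i);
      if(t=="indexes"||t=="+indexes"||t=="all"){print "FAIL: listing enabled by: " $0; break}}}')
    if [ -n "$bad" ]; then
      printf '%s\n' "$bad"
      fails=$((fails + $(printf '%s\n' "$bad" | wc -l)))
    else
      echo "OK:   no Options line enables Indexes"
    fi
  fi

  # 3. Request body cap: LimitRequestBody present and at most 1048576 (1 MiB).
  #    Apache's default is 0, which means unlimited.
  v=$(_last_value "$conf" LimitRequestBody)
  case "$v" in
    "")       echo "FAIL: LimitRequestBody missing (default 0 = unlimited)"; fails=$((fails+1)) ;;
    *[!0-9]*) echo "FAIL: LimitRequestBody '$v' is not a number"; fails=$((fails+1)) ;;
    0)        echo "FAIL: LimitRequestBody 0 = unlimited"; fails=$((fails+1)) ;;
    *) if [ "$v" -le 1048576 ]; then echo "OK:   LimitRequestBody $v"
       else echo "FAIL: LimitRequestBody $v exceeds 1048576 (1 MiB)"; fails=$((fails+1)); fi ;;
  esac

  echo "$fails problem(s) found in $conf"
  return "$fails"
}

# Constructed sample: a config with the weak setting for all three checks.
sample_weak_conf() {
  cat <<'EOF'
# chatty, browsable, unlimited request bodies
ServerTokens Full
ServerSignature On
<Directory /var/www/>
    Options Indexes FollowSymLinks
    AllowOverride None
</Directory>
LimitRequestBody 0
EOF
}

# Constructed sample: the same config with the corrected settings.
sample_hardened_conf() {
  cat <<'EOF'
ServerTokens Prod
ServerSignature Off
<Directory /var/www/>
    Options -Indexes +FollowSymLinks
    AllowOverride None
</Directory>
LimitRequestBody 1048576
EOF
}

# Demo run over the two constructed samples (exit status is the FAIL count).
demo() {
  local dir; dir=$(mktemp -d)
  sample_weak_conf > "$dir/weak.conf"
  sample_hardened_conf > "$dir/hardened.conf"
  echo "== weak.conf";     audit_apache_conf "$dir/weak.conf" || true
  echo "== hardened.conf"; audit_apache_conf "$dir/hardened.conf" || true
  rm -rf "$dir"
}
demo
```

Run it against a real server with `audit_apache_conf /etc/apache2/apache2.conf` (path is an assumption; run it over each vhost .conf too, since an `Options Indexes` inside a `<Directory>` block in a vhost overrides a global `-Indexes`). The check is deliberately stricter than the post's rule 1 in one respect: `Options All` also turns listings on, so it is flagged even though the word "Indexes" never appears. After fixing anything it reports, restart Apache and confirm from outside with `curl -sI http://yourhost/ | grep -i '^Server:'`, which should show just `Server: Apache` once `ServerTokens Prod` is in effect.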
03-04-2013 09:37 PM
#2
caurmen (Administrator)
Incidentally, if you're setting up a new server, this tutorial is useful if not 100% reliable. Ignore what it says about SSH keys and public key authentication - the general consensus is that they're a bad idea - and automatic upgrades may not be a great idea either. However, its advice on installing fail2ban, a firewall, preventing root SSH login etc is all good stuff.
09-17-2013 11:51 AM
#3
prof (Member)
Great stuff, Caurmen. Currently trying to set up a server through Digital Ocean and this stuff is gold in developing a workflow for barebones setup before I start on the more complicated stuff.
09-17-2013 05:20 PM
#4
BeyondHosting-Tyler (Member)
We recommend CSF over fail2ban. Much more interactive and has a really nice easy to use WHM plugin. Very painless.
09-18-2013 05:01 PM
#5
caurmen (Administrator)
@Tyler - thanks! "Painless" is not how I'd describe Fail2Ban setup, so that's a very good tip indeed 
10-26-2013 05:45 PM
#6
murkmurk (Member)
Quote (BeyondHosting-Tyler):
We recommend CSF over fail2ban. Much more interactive and has a really nice easy to use WHM plugin. Very painless.
I found CSF way easier to use / manage / configure and love managing it via WHM. I have it installed on every single one of my nix servers. Just make sure if you use the auto lockout / ban to make sure your IP is whitelisted.
02-08-2014 03:12 PM
#7
hd2010 (Member)
CSF rocks !
03-18-2015 05:23 AM
#8
dan_and (Member)
Quick newbie question: Is this only applicable to un-managed servers, or should I also do this on my (managed) VPS from Beyond Hosting?
Also, even more basic: How do I know if my server runs Apache?