# Hardening Apache2 on Debian 8

https://securityblog.gr/3585/hardening-apache2-on-debian-8/

Debian | 09/08/2016 | by maldevel

## Disable Apache Web Server Signature

```
sudo nano /etc/apache2/apache2.conf
```

Add the following two lines at the end of the Apache config file:

```
ServerSignature Off
ServerTokens Prod
```

## Hide PHP Version

```
sudo nano /etc/php5/apache2/php.ini
```

Make sure that the expose_php option is off:

```
expose_php = Off
```

## Disable Directory Browsing Globally

```
sudo a2dismod autoindex
```

## Securing the root directory

```
sudo nano /etc/apache2/conf-available/security.conf
```

Uncomment these lines:

```
<Directory />
    AllowOverride None
    Order Deny,Allow
    Deny from all
</Directory>
```

Append these lines:

```
<Directory /var/www/html>
    Options None
    AllowOverride All
    Order Allow,Deny
    Allow from All
</Directory>
```

## Use only TLS, Disable SSLv2, SSLv3

```
sudo nano /etc/apache2/mods-available/ssl.conf
```

Change the line starting with SSLProtocol to:

```
SSLProtocol -all +TLSv1
```

## Disable Weak Ciphers

```
sudo nano /etc/apache2/mods-available/ssl.conf
```

Change the line starting with SSLCipherSuite to:

```
SSLCipherSuite HIGH:!MEDIUM:!aNULL:!MD5:!RC4
```

## Limit HTTP Request Methods

```
sudo nano /etc/apache2/mods-available/userdir.conf
```

Edit the line so that only GET, POST and HEAD are allowed.

## Set cookies with the HttpOnly and Secure flags

```
sudo a2enmod headers
sudo service apache2 restart
sudo nano /etc/apache2/conf-available/security.conf
```

Add the following directive:

```
Header edit Set-Cookie ^(.*)$ $1;HttpOnly;Secure
```

## Clickjacking Attack Protection

```
sudo nano /etc/apache2/conf-available/security.conf
```

Add the following directive:

```
Header always append X-Frame-Options SAMEORIGIN
```

## XSS Protection

```
sudo nano /etc/apache2/conf-available/security.conf
```

Add the following directive:

```
Header set X-XSS-Protection "1; mode=block"
```

## Enforce secure connections to the server (HSTS)

```
sudo nano /etc/apache2/conf-available/security.conf
```

Add the following directive:

```
Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains"
```

## MIME sniffing Protection

```
sudo nano /etc/apache2/conf-available/security.conf
```

Add the following directive (the header name takes no trailing colon in a Header directive):

```
Header set X-Content-Type-Options "nosniff"
```

## Prevent Cross-site scripting and injections

```
sudo nano /etc/apache2/conf-available/security.conf
```

Add the following directive:

```
Header set Content-Security-Policy "default-src 'self';"
```

## Decrease Timeout value

```
sudo nano /etc/apache2/apache2.conf
```

Lower the timeout value to 60 seconds:

```
Timeout 60
```

## Restart Apache Web Server

```
sudo service apache2 restart
```

## Run Apache from a non-privileged account

By default, Apache2 on Debian runs under the non-privileged account www-data. To verify it, run:

```
ps -ef | grep apache2
```
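After the restart, the response headers are the quickest way to confirm that the Header directives, ServerTokens Prod and the cookie flags above actually took effect. The script below is an added example (not from the original post): it audits a header block for the headers this guide configures and works on the output of `curl -sI`; the two sample responses in it are constructed, not captured from a real host.

```sh
#!/bin/sh
# Added example, not part of the original post: audit a response header block
# against the hardening headers configured in this guide. Usage against a
# live server:   curl -sI https://your-host/ | audit_headers

# Reads headers on stdin, prints one line per finding and returns the number
# of findings (0 = every check passed).
audit_headers() {
  hdrs=$(tr -d '\r')          # curl -I output is CRLF terminated
  problems=0
  # Headers this guide adds via security.conf must all be present.
  for h in Strict-Transport-Security X-Frame-Options X-XSS-Protection \
           X-Content-Type-Options Content-Security-Policy; do
    if ! printf '%s\n' "$hdrs" | grep -qi "^$h:"; then
      echo "MISSING  $h"; problems=$((problems + 1))
    fi
  done
  # ServerTokens Prod leaves only "Server: Apache"; a slash means a version leaked.
  if printf '%s\n' "$hdrs" | grep -qi '^Server:.*/'; then
    echo "LEAK     Server header still reveals a version"; problems=$((problems + 1))
  fi
  # Every Set-Cookie must carry both flags appended by the Header edit rule.
  total=$(printf '%s\n' "$hdrs" | grep -ci '^Set-Cookie:' || true)
  good=$(printf '%s\n' "$hdrs" | grep -i '^Set-Cookie:' | grep -i 'httponly' \
         | grep -ci 'secure' || true)
  if [ "$total" -ne "$good" ]; then
    echo "COOKIE   $((total - good)) cookie(s) lack HttpOnly and/or Secure"
    problems=$((problems + 1))
  fi
  return $problems
}

# Constructed sample responses (not captured from a real host).
SAMPLE_OK=$(cat <<'EOF'
HTTP/1.1 200 OK
Server: Apache
Set-Cookie: PHPSESSID=abc123; path=/;HttpOnly;Secure
X-Frame-Options: SAMEORIGIN
X-XSS-Protection: 1; mode=block
Strict-Transport-Security: max-age=31536000; includeSubDomains
X-Content-Type-Options: nosniff
Content-Security-Policy: default-src 'self';
EOF
)
SAMPLE_BAD=$(cat <<'EOF'
HTTP/1.1 200 OK
Server: Apache/2.4.10 (Debian)
Set-Cookie: PHPSESSID=abc123; path=/;HttpOnly
X-Frame-Options: SAMEORIGIN
X-XSS-Protection: 1; mode=block
X-Content-Type-Options: nosniff
Content-Security-Policy: default-src 'self';
EOF
)

printf '%s\n' "$SAMPLE_BAD" | audit_headers || echo "problems found: $?"
```

The unhardened sample reports three findings (missing HSTS, a version in the Server header, a cookie without Secure); the hardened one reports none and exits 0.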