Securing Apache on Ubuntu – Part 2


My previous article focused on basic security tips and tricks to secure Apache web server in Ubuntu.

Here I am going to show you some more advanced tips and tricks for securing an Apache web server.

Secure Apache From Clickjacking Attack

Clickjacking, also known as a “UI redress attack,” is a well-known attack against web applications. The attacker loads your page inside a hidden or transparent frame on a page they control, so a user who believes they are clicking on the attacker’s page is actually clicking on yours. The name is made up of two words, “click” and “hijacking”: the user’s mouse clicks are hijacked and redirected to perform whatever action the attacker wants on your site.

To protect your Apache web server from clickjacking, send the “X-Frame-Options” response header, which tells browsers not to render your pages inside frames on other sites.

You can do this by editing the “apache2.conf” file.

sudo nano /etc/apache2/apache2.conf

Add the following lines inside the <Directory /var/www/html/> block (the Header directive needs mod_headers, so run “sudo a2enmod headers” first if it is not already enabled):

# SAMEORIGIN allows your own pages to frame each other; use DENY to forbid all framing.
# "set" replaces any existing value; "append" would produce an invalid
# "SAMEORIGIN, SAMEORIGIN" if the application already sends the header.
Header always set X-Frame-Options SAMEORIGIN

Save the file and restart Apache.

sudo /etc/init.d/apache2 restart

Now open your web server in a browser and check the HTTP response headers (for example in Firebug); you should see X-Frame-Options: SAMEORIGIN as shown in the image below.

Disable Etag

ETags, also known as “Entity Tags,” are cache-validation headers that Apache generates for static files. The way Apache builds them can leak sensitive information to remote users, such as the file’s inode number, child process IDs and the multipart MIME boundary. It is recommended to disable ETags. (If you still want cache validation, FileETag MTime Size builds the tag without the inode; clients can also validate using the Last-Modified header.)

You can do this by editing the “apache2.conf” file.

sudo nano /etc/apache2/apache2.conf

Add the following line inside the <Directory /var/www/html/> block:

FileETag None

Save the file and restart Apache.

Now open your web server in a browser and check the HTTP response headers in Firebug; the ETag header should no longer appear at all.

Disable Old Protocol

The old HTTP/1.0 protocol has security weaknesses related to session hijacking and clickjacking attacks. It is recommended to disable the old protocol.

You can disable it with a “mod_rewrite” rule that only allows requests made with HTTP/1.1.

For this, edit the “apache2.conf” file.

sudo nano /etc/apache2/apache2.conf

Add the following lines inside the <Directory /var/www/html/> block (mod_rewrite must be enabled: “sudo a2enmod rewrite”):

# THE_REQUEST is the full request line, e.g. "GET /index.html HTTP/1.1".
# Reject (403 Forbidden) anything whose request line does not end in HTTP/1.1.
# Caveat: HTTP/2 requests appear here as "HTTP/2.0", so do not use this rule on
# a host that serves HTTP/2, or those clients will be rejected as well.
RewriteEngine On
RewriteCond %{THE_REQUEST} !HTTP/1\.1$
RewriteRule .* - [F]

Save the file and restart Apache.

HTTP Request Methods

Apache on Ubuntu accepts the full set of HTTP/1.1 request methods (OPTIONS, GET, HEAD, POST, PUT, DELETE, TRACE, CONNECT), most of which a typical site does not need. It is recommended to allow only the GET, HEAD and POST methods.

To fix this, edit the Apache configuration file.

sudo nano /etc/apache2/apache2.conf

Add the following lines inside the <Directory /var/www/html/> block. LimitExcept applies the enclosed access control to every method not listed, so only GET, POST and HEAD are served:

<LimitExcept GET POST HEAD>
    # Apache 2.4 syntax; on Apache 2.2 the equivalent line is "deny from all"
    Require all denied
</LimitExcept>

As an additional safeguard, TRACE can be switched off server-wide with the TraceEnable directive (TraceEnable off) in the main configuration.

Save the file and restart Apache.

Secure Apache from an XSS Attack

XSS (Cross-site Scripting) is one of the most common application-layer vulnerabilities. It allows an attacker to inject script into pages served by the vulnerable web server, which then runs in other users’ browsers with the privileges of your site, for example to steal their session cookies. Because the attack is delivered through browser-side scripting (JavaScript), it is recommended to enable the browser’s XSS protection from Apache. Note that this header only controls the legacy XSS filter of older browsers; current browsers have removed that filter, and a Content-Security-Policy header is the modern mechanism, so treat this as a defence for older clients rather than a substitute for fixing the application.

You can do this by editing the Apache configuration file.

sudo nano /etc/apache2/apache2.conf

Add the following line inside the <Directory /var/www/html/> block (requires mod_headers):

# "1; mode=block" turns the browser filter on and blocks the page instead of sanitising it
Header set X-XSS-Protection "1; mode=block"

Save the file and restart Apache.

Now open your web server in a browser and check the HTTP response headers in Firebug; you should see X-XSS-Protection: 1; mode=block as shown in the image below.

Protect Cookies with HTTPOnly Flag

Two cookie attributes protect session cookies: the “HttpOnly” flag prevents client-side script from reading the cookie, and the “Secure” flag tells the browser to send the cookie only over HTTPS. It is recommended to set both flags on every cookie. This protects the cookies your Apache web server sets against the most common attacks, such as cookie theft via cross-site scripting (historically abbreviated CSS) and other cookie attacks and cookie injections.

To fix this, edit the Apache configuration file.

sudo nano /etc/apache2/apache2.conf

Add the following line inside the <Directory /var/www/html/> block (requires mod_headers):

# Rewrites every Set-Cookie header the application sends, appending both flags.
# Because "Secure" cookies are never returned over plain HTTP, apply this in
# the HTTPS virtual host; on an HTTP-only site the browser would drop the cookie.
Header edit Set-Cookie ^(.*)$ $1;HttpOnly;Secure

Save the file and restart Apache.
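To confirm that the header changes above actually took effect, the following shell script (added here as an example; it is not part of the original article) audits a captured response. It reads the output of a command such as “curl -sI https://your-host/” on standard input and reports which of the article’s protections are missing; the two sample responses embedded in it are constructed for the demo, and the host name is a placeholder.

```shell
#!/bin/sh
# audit_headers: read one HTTP response (status line plus headers) on stdin and
# report which protections from this article are missing. Returns 0 when every
# check passes, 1 otherwise. Header names are matched case-insensitively.
audit_headers() {
    hdrs=$(cat)
    fail=0
    # hdr: does any header line match the extended regex in $1?
    hdr() { printf '%s\n' "$hdrs" | grep -qiE "$1"; }
    # cookie_lacking: print Set-Cookie lines that do NOT contain the pattern in $1
    cookie_lacking() { printf '%s\n' "$hdrs" | grep -iE '^Set-Cookie:' | grep -viE "$1"; }

    hdr '^X-Frame-Options: *(SAMEORIGIN|DENY)' \
        || { echo "MISSING X-Frame-Options (clickjacking protection)"; fail=1; }
    hdr '^ETag:' \
        && { echo "PRESENT ETag (FileETag None not in effect)"; fail=1; }
    hdr '^X-XSS-Protection: *1; *mode=block' \
        || { echo "MISSING X-XSS-Protection"; fail=1; }
    # every cookie the server sets must carry both flags
    cookie_lacking 'httponly' | grep -q . \
        && { echo "COOKIE without HttpOnly"; fail=1; }
    cookie_lacking '; *secure' | grep -q . \
        && { echo "COOKIE without Secure"; fail=1; }
    return "$fail"
}

# status_code: print the 3-digit status of the response on stdin. Use it to check
# that "curl -sI -0 URL" (HTTP/1.0) and "curl -sI -X DELETE URL" both yield 403.
status_code() { sed -n '1s/^HTTP\/[0-9.]* \([0-9][0-9][0-9]\).*/\1/p'; }

# Constructed sample responses: before and after applying this article's settings.
BEFORE_SAMPLE='HTTP/1.1 200 OK
ETag: "1a2b-5c3d"
Set-Cookie: sid=abc123; Path=/
Content-Type: text/html'
AFTER_SAMPLE='HTTP/1.1 200 OK
X-Frame-Options: SAMEORIGIN
X-XSS-Protection: 1; mode=block
Set-Cookie: sid=abc123; Path=/;HttpOnly;Secure
Content-Type: text/html'

# Demo (real use: curl -sI https://your-host.example/ | audit_headers)
printf '%s\n' "$BEFORE_SAMPLE" | audit_headers || echo "before: checks failed (expected)"
printf '%s\n' "$AFTER_SAMPLE"  | audit_headers && echo "after: all checks passed"
```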

Conclusion

I hope that you have enough knowledge now to secure your Apache web server from various kinds of attacks. If you have any questions feel free to comment below.



Hitesh Jethva

Over 5 years of experience as IT system administrator for an IT company in India. My skills include a deep knowledge of RedHat/CentOS, Ubuntu, nginx and Apache, MySQL, Subversion, Linux, web hosting, web servers, Squid proxy, NFS, FTP, DNS, Samba, LDAP, OpenVPN, HAProxy, Amazon Web Services, WHMCS, OpenStack Cloud, Postfix mail server, security etc.
