Important Settings for User Security on Apache Hosting

Apache is the single most common server software used to operate hosting sites. With well over half of the total web server market share, many independent and large scale web hosts rely upon Apache to offer dedicated, virtual and shared hosting. No matter which configuration you utilize, Apache provides a wide variety of security settings which users can rely upon for optimal results from their hosting package. As an open source platform, however, the code core and documentation for Apache are more visible, opening up hosting platforms to potential security vulnerabilities.

While proprietary platforms may have more secure code bases, the open source Apache community has implemented a variety of features and safeguards based upon the latest trends in computer security.  The active Apache community is dedicated to making the platform more secure while extending its capabilities.

A complete guide to Apache security would require a large book (in fact, there are several good ones on the market – see http://www.apachesecurity.net for example). This guide aims to help provide an overview of some of the most important Apache security settings. The exact security settings for your Apache build will depend upon the applications you are running, your datacenter environment as well as the types of user authentication on your Apache server. Investing as much time in security and data integrity as you do in direct development can deliver impressive dividends in terms of long run results from your server.

Key Tips for Securing Your Apache Server

1. Keep Your Apache Build Updated

As an open source project, Apache is constantly updated with new patches, upgrades and optional tools – server administrators should always be aware of the latest updates and patch their installation to the latest stable version to safeguard against security threats.

Since development resources for upgrades may not be instantly available in real time, it’s important that you don’t broadcast the particular version of Apache which your server relies upon. This often arises when users connect to a 404 page (if you haven’t implemented a custom error page) or when users access an unprotected directory page. You can do this by updating the httpd.conf file with the following lines:

ServerSignature Off

ServerTokens Prod

In fact, you may want to secure your server against directory browsing by updating the configuration file with:

Options -Indexes

2. Implement and Configure Mod_Security

As one of the most advanced Apache modules, mod_security allows system administrators to filter queries into the server, limits external attacks, hides the security from open port probes and provides a more detailed security log. The open source firewall has now advanced to version 2.5 to allow for better real-time attack prevention through automated alerts.

Traditionally, Apache administrators had to review server logs to identify suspicious users, IPs or requests – mod_security can automate these tasks to make server security much easier. With customization according to server settings, users are able to patch against Apache security risks and implement their own set of security rules.  A combination of automated detection and flexible settings makes mod_security essential for modern server security.