Apache Howto - Hardening Apache

In my last post I gave you an insight into how I perfect SSL security. In this post I am going to run through how I harden a production Apache instance.

Modules

The first thing is to enable the following modules:

  • security2

  • rewrite

  • headers

This can be done with the simple command:

a2enmod security2 rewrite headers

Configuration Files

This is the security.conf file from /etc/apache2/conf-available:

# ServerTokens Full is deliberate: ModSecurity's SecServerSignature (below) can
# only replace the Server banner when Apache emits the full token string.
ServerTokens Full
ServerSignature On
# Refuse TRACE requests and stop inode/ETag details leaking in responses
TraceEnable Off
FileETag None
# Strip headers we do not want clients to see (needs mod_headers)
Header unset Pragma
Header unset ETag
<IfModule mod_ssl.c>
  # Forward-secret AES-GCM suites first, server picks the order
  SSLCipherSuite EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH
  SSLProtocol All -SSLv2 -SSLv3 -TLSv1 -TLSv1.1
  SSLHonorCipherOrder On
  SSLCompression off
</IfModule>
<IfModule security2_module>
  # Fake Server banner, then load the OWASP Core Rule Set
  SecServerSignature "AtariST"
  Include /usr/share/modsecurity-crs/*.conf
  Include /usr/share/modsecurity-crs/activated_rules/*.conf
</IfModule>
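As an added example, not part of the original post, here is a small Python audit that parses a security.conf like the one above and flags any of the directives this post hardens that are missing or weak. The sample config text is constructed from the post's file, and the "absent counts as a finding" rule for each directive is my own conservative assumption.

```python
"""Audit an Apache security.conf for the hardening directives discussed above."""

# Constructed sample: the security.conf from this post, one directive per line.
SAMPLE_CONF = """\
ServerTokens Full
ServerSignature On
TraceEnable Off
FileETag None
Header unset Pragma
Header unset ETag
<IfModule mod_ssl.c>
  SSLCipherSuite EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH
  SSLProtocol All -SSLv2 -SSLv3 -TLSv1 -TLSv1.1
  SSLHonorCipherOrder On
  SSLCompression off
</IfModule>
<IfModule security2_module>
  SecServerSignature "AtariST"
</IfModule>
"""

LEGACY_PROTOCOLS = ("SSLv2", "SSLv3", "TLSv1", "TLSv1.1")

def parse_directives(text):
    """Map lowercased directive name -> argument string; container tags and comments are skipped."""
    directives = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(("#", "<")):
            continue
        name, _, args = line.partition(" ")
        directives[name.lower()] = args.strip()
    return directives

def ssl_protocol_allows(value, proto):
    """True if an SSLProtocol value such as 'All -SSLv3 -TLSv1' still permits proto."""
    tokens = value.split()
    enabled = {t.lstrip("+").lower() for t in tokens if not t.startswith("-")}
    disabled = {t[1:].lower() for t in tokens if t.startswith("-")}
    return ("all" in enabled or proto.lower() in enabled) and proto.lower() not in disabled

def audit(text):
    """Return a list of findings; an empty list means every hardening directive is present."""
    d = parse_directives(text)
    findings = []
    if d.get("traceenable", "").lower() != "off":
        findings.append("TraceEnable should be Off")
    if d.get("sslcompression", "").lower() != "off":
        findings.append("SSLCompression should be off")
    if d.get("sslhonorcipherorder", "").lower() != "on":
        findings.append("SSLHonorCipherOrder should be On")
    for proto in LEGACY_PROTOCOLS:  # Apache's default SSLProtocol is 'all'
        if ssl_protocol_allows(d.get("sslprotocol", "all"), proto):
            findings.append(f"SSLProtocol still allows {proto}")
    # ServerTokens Full is only acceptable when ModSecurity rewrites the banner.
    if d.get("servertokens", "full").lower() == "full" and "secserversignature" not in d:
        findings.append("ServerTokens Full without SecServerSignature leaks version info")
    return findings
```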