In my last post I gave you an insight into how I perfect SSL security. In this post I am going to run through how I harden a production apache instance.

Modules

The first thing is to enable the following modules

• security2

• rewrite

• headers

This can be done with the simple command:

a2enmod security2 rewrite headers

Configuration Files

This is the security.cong file from /etc/apache2/conf-available:

ServerTokens Full

ServerSignature On

TraceEnable Off

FileETag None

# Do Header stuff

Header unset Pragma

Header unset ETag

<IfModule mod_ssl.c>

  SSLCipherSuite EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH

  SSLProtocol All -SSLv2 -SSLv3 -TLSv1 -TLSv1.1

  SSLHonorCipherOrder On

  SSLCompression off

</IfModule>

<IfModule security2_module>

 SecServerSignature "AtariST"

 Include /usr/share/modsecurity-crs/*.conf

 Include /usr/share/modsecurity-crs/activated_rules/*.conf

</IfModule>