In my last post I gave you an insight into how I set up SSL/TLS. In this post I am going to run through how I harden a production Apache instance.
Modules
The first thing is to make sure the ModSecurity module is installed (the libapache2-mod-security2 package on Debian and Ubuntu) and then enable the following modules:
security2
rewrite
headers
This can be done with the simple command:
a2enmod security2 rewrite headers
Confirm that security2_module, rewrite_module and headers_module appear in the output of apachectl -M before going any further; the Header and SecServerSignature directives below will stop Apache from starting if their module is missing.
Configuration Files
This is the security.conf file from /etc/apache2/conf-available (Debian and Ubuntu symlink it into conf-enabled by default; if it is not enabled, run a2enconf security). Run apachectl configtest and reload Apache after editing it:
# Full tokens look wrong in a hardening guide, but SecServerSignature (below) only
# replaces the banner when ServerTokens is Full; with Prod ModSecurity cannot override it
ServerTokens Full
# Appends the (same, spoofed) server banner to server-generated pages such as 404s
ServerSignature On
# Refuse HTTP TRACE with a 405, closing cross-site tracing
TraceEnable Off
# Stop inode/size/mtime leaking through ETag; mod_headers strips any ETag a module still sets
FileETag None
# Do Header stuff (needs mod_headers)
Header unset Pragma
Header unset ETag
<IfModule mod_ssl.c>
    # Forward-secret AES-GCM suites first, server chooses the order, no TLS compression (CRIME)
    SSLCipherSuite EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH
    # TLS 1.2 and later only
    SSLProtocol All -SSLv2 -SSLv3 -TLSv1 -TLSv1.1
    SSLHonorCipherOrder On
    SSLCompression off
</IfModule>
<IfModule security2_module>
    # Banner sent in place of the real Server header
    SecServerSignature "AtariST"
    # OWASP Core Rule Set setup files, then the rule files symlinked into activated_rules
    Include /usr/share/modsecurity-crs/*.conf
    Include /usr/share/modsecurity-crs/activated_rules/*.conf
</IfModule>
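Having written the config, it is worth checking from the outside that it really did what you wanted. The script below is an added example and is not part of the original post: it takes a raw HTTP response (status line plus headers) and reports anything that security.conf above is supposed to suppress (a version-revealing Server banner, ETag, Pragma, a TRACE request that is not answered with 405). The probe function, the curl invocation and the sample responses are my assumptions; the samples are constructed, not captured from any real host.

```shell
#!/bin/sh
# Added example, not part of the original post: check from the outside that the
# hardening above actually took effect. check_headers and check_trace each read one
# raw HTTP response (status line plus headers) on stdin, print a line per finding and
# return 0 only when nothing security.conf is meant to suppress is present.
# probe wraps them with curl for a live host; the URL is whatever you pass in (assumed usage).

check_headers() {
    hdrs=$(tr -d '\r')        # tolerate CRLF line endings as sent on the wire
    rc=0
    server=$(printf '%s\n' "$hdrs" | grep -i '^Server:' | head -n 1)
    case "$server" in
        # ServerTokens Full leaks all of this unless SecServerSignature replaced the banner
        *Apache/*|*OpenSSL/*|*PHP/*|*mod_*|*\(*\)*)
            echo "FAIL Server banner leaks version info: $server"; rc=1 ;;
        *)  echo "OK   Server banner: ${server:-none}" ;;
    esac
    # FileETag None plus 'Header unset ETag' should leave no ETag at all
    if printf '%s\n' "$hdrs" | grep -qi '^ETag:'; then
        echo "FAIL ETag header still present"; rc=1
    fi
    # 'Header unset Pragma'
    if printf '%s\n' "$hdrs" | grep -qi '^Pragma:'; then
        echo "FAIL Pragma header still present"; rc=1
    fi
    return $rc
}

# TraceEnable Off makes httpd answer a TRACE request with 405 Method Not Allowed
check_trace() {
    status=$(tr -d '\r' | head -n 1)
    case "$status" in
        *' 405 '*) echo "OK   TRACE rejected: $status"; return 0 ;;
        *)         echo "FAIL TRACE not blocked: $status"; return 1 ;;
    esac
}

# Live probe (assumed usage, e.g. ./audit.sh https://www.example.com/)
probe() {
    url=$1
    curl -sSI "$url" | check_headers; h=$?
    curl -sS -o /dev/null -D - -X TRACE "$url" | check_trace; t=$?
    [ "$h" -eq 0 ] && [ "$t" -eq 0 ]
}

# Constructed sample responses (not captured from any real host) so the checks
# can be exercised offline: a hardened instance next to a stock one.
SAMPLE_HARDENED='HTTP/1.1 200 OK
Server: AtariST
Content-Type: text/html'
SAMPLE_LEAKY='HTTP/1.1 200 OK
Server: Apache/2.4.41 (Ubuntu) OpenSSL/1.1.1f
ETag: "2d-5f3a9c1b2e4c0"
Pragma: no-cache'
SAMPLE_TRACE_BLOCKED='HTTP/1.1 405 Method Not Allowed
Allow: GET,HEAD,POST,OPTIONS'
SAMPLE_TRACE_OPEN='HTTP/1.1 200 OK
Content-Type: message/http'

if [ -n "${1:-}" ]; then
    probe "$1"
else
    echo "== hardened sample"; printf '%s\n' "$SAMPLE_HARDENED"      | check_headers || true
    echo "== leaky sample";    printf '%s\n' "$SAMPLE_LEAKY"         | check_headers || true
    echo "== TRACE blocked";   printf '%s\n' "$SAMPLE_TRACE_BLOCKED" | check_trace   || true
    echo "== TRACE answered";  printf '%s\n' "$SAMPLE_TRACE_OPEN"    | check_trace   || true
fi
```

Run it with no arguments to see the checks against the built-in samples, or with a URL to probe a host. The banner check is deliberately a pattern match on the obvious leaks (Apache/, OpenSSL/, PHP/, mod_ names, a bracketed OS) rather than a whitelist, since the whole point of SecServerSignature is that the replacement string is arbitrary.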