Locking Down an Apache Web Server


by Dr. Greg Miles - 12/1/99

Recently I had the opportunity to set up an Apache Web Server under Linux 6.2. It was a great experience trying to find ways to make it as secure as possible to protect the data inside.

Root and User Passwords - OK, this is the one that everyone should know by now: make sure you use strong passwords. I recommend at least 8 characters with a mix of upper case, lower case, and special characters. Strong passwords are a whole lot harder to crack.

Telnet and FTP - Two very dangerous methods of communication. If you can switch to SSH (Secure Shell) and remove telnet and ftp from both the firewall and the operating system, you will have increased security.

/etc/rc.d/init.d - The scripts under init.d control what starts at boot. Many of the services traditionally started from here are not needed for web server operation. Identify the services you need, and move the scripts you don't need to another location, perhaps called init.d.backup. Recommended entries to keep in init.d include: anacron, arpwatch, bastille-firewall, crond, functions, halt, httpd, identd, inet, ipchains, kdcrotate, keytable, killall, network, portmap, postgresql, random, sendmail, single, sshd, syslog.
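The pruning step described above, as an added example that is not part of the original article: a small POSIX shell script that keeps the article's allowlist of init scripts and moves everything else into a backup directory. The source and backup paths are parameters, and DRY_RUN=1 only reports what would move, so the script can be rehearsed on a scratch copy of init.d before it is pointed at /etc/rc.d/init.d.

```shell
#!/bin/sh
# Added example (not from the original article). Keeps only an allowlist of
# init scripts in SRC_DIR and moves the rest into BACKUP_DIR.

# Allowlist taken from the article; edit to match the services you need.
KEEP_SERVICES="anacron arpwatch bastille-firewall crond functions halt httpd \
identd inet ipchains kdcrotate keytable killall network portmap postgresql \
random sendmail single sshd syslog"

# is_kept NAME -> returns 0 when NAME is on the allowlist, 1 otherwise
is_kept() {
    for s in $KEEP_SERVICES; do
        [ "$s" = "$1" ] && return 0
    done
    return 1
}

# prune_initd SRC_DIR BACKUP_DIR
# Moves every entry in SRC_DIR that is not on the allowlist into BACKUP_DIR
# (creating it if needed) and prints one line per entry moved.
# With DRY_RUN=1 nothing is moved; the candidates are only listed.
prune_initd() {
    src=$1
    backup=$2
    mkdir -p "$backup"
    for f in "$src"/*; do
        [ -e "$f" ] || continue          # empty directory: glob stays literal
        name=${f##*/}
        if is_kept "$name"; then
            continue
        fi
        if [ "${DRY_RUN:-0}" = 1 ]; then
            echo "would move $name"
        else
            mv "$f" "$backup/$name"
            echo "moved $name"
        fi
    done
    return 0
}

# list_kept SRC_DIR -> prints the entries that would stay, for review
list_kept() {
    for f in "$1"/*; do
        [ -e "$f" ] || continue
        name=${f##*/}
        is_kept "$name" && echo "$name"
    done
    return 0
}

# Usage (assumed paths):
#   DRY_RUN=1 prune_initd /etc/rc.d/init.d /etc/rc.d/init.d.backup   # review first
#   prune_initd /etc/rc.d/init.d /etc/rc.d/init.d.backup             # then move
```

Review the dry-run output before moving anything: an entry such as "functions" is not a daemon but a helper sourced by the other scripts, which is why it is on the keep list, and a machine that also serves mail or a database may need scripts the article's list does not mention.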

Mode - Change the access mode of your files to the minimum required. Recommended: 644.

Bastille - Run the Bastille script against your operating system (available at www.securityhorizon.com) to further lock it down. The front end of the program asks you a series of questions; the back end runs the resulting configuration file against the machine. This link contains the answers to the Bastille questions I used for the Web Server.

If you want to limit access to your web pages, you can set up a .htaccess file and assign usernames and passwords to your files. You can also write scripts to limit access, and you can get a certificate to make it a secure site.
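The .htaccess protection mentioned above, as an added example that is not from the original article: a POSIX shell script that writes a .htaccess requiring Basic authentication for one directory, and a check that the password file sits outside the document root and is not world-readable (the two mistakes that most often undo this kind of protection). The directory names, the realm and the user name are assumptions for illustration; the password file itself is created with Apache's own htpasswd tool.

```shell
#!/bin/sh
# Added example (not from the original article). Writes a Basic-auth
# .htaccess for a directory and checks how the password file is placed.

# write_htaccess DIR PASSWD_FILE REALM
# Creates DIR/.htaccess so that every request under DIR needs a valid user
# from PASSWD_FILE. Requires "AllowOverride AuthConfig" for DIR in httpd.conf,
# otherwise Apache ignores the file.
write_htaccess() {
    dir=$1
    passwd_file=$2
    realm=$3
    cat > "$dir/.htaccess" <<EOF
AuthType Basic
AuthName "$realm"
AuthUserFile $passwd_file
Require valid-user
EOF
    chmod 644 "$dir/.htaccess"   # the article's recommended mode; httpd must read it
}

# passwd_file_outside_docroot PASSWD_FILE DOCROOT
# Returns 0 when PASSWD_FILE is not under DOCROOT. A password file inside the
# document root can be fetched over HTTP unless the server blocks it explicitly.
passwd_file_outside_docroot() {
    case "$1" in
        "$2"/*) return 1 ;;
        *)      return 0 ;;
    esac
}

# world_readable FILE -> returns 0 when the "other" read bit is set
world_readable() {
    [ -n "$(find "$1" -prune -perm -004 2>/dev/null)" ]
}

# check_protection DIR PASSWD_FILE DOCROOT
# Returns 0 only if DIR/.htaccess exists, PASSWD_FILE exists, lives outside
# DOCROOT and is not world-readable; prints the first problem found otherwise.
check_protection() {
    dir=$1
    passwd_file=$2
    docroot=$3
    [ -f "$dir/.htaccess" ] || { echo "missing $dir/.htaccess"; return 1; }
    [ -f "$passwd_file" ] || { echo "missing password file $passwd_file"; return 1; }
    passwd_file_outside_docroot "$passwd_file" "$docroot" \
        || { echo "password file is inside the document root"; return 1; }
    if world_readable "$passwd_file"; then
        echo "password file is world-readable"
        return 1
    fi
    return 0
}

# Usage (assumed paths and user name):
#   htpasswd -c /etc/httpd/conf/htpasswd alice     # Apache's tool, prompts for password
#   chown root:nobody /etc/httpd/conf/htpasswd && chmod 640 /etc/httpd/conf/htpasswd
#   write_htaccess /home/httpd/html/private /etc/httpd/conf/htpasswd "Staff only"
#   check_protection /home/httpd/html/private /etc/httpd/conf/htpasswd /home/httpd/html
```

Basic authentication sends the username and password base64-encoded, not encrypted, on every request, so on its own it only keeps casual visitors out; pair it with the certificate the paragraph mentions so the credentials travel over an encrypted connection.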

Check out additional Apache security tips at Apache Security.