Apache Security: Hide Apache Web Server Version number
Hiding the Apache web server version number with the ServerSignature and ServerTokens directives
Two configuration directives control how much version information Apache discloses. ServerSignature adds a trailing line containing the Apache version and the ServerName to server-generated documents such as error pages and directory listings; the upstream default is Off, but several distribution packages turn it On. ServerTokens controls the contents of the Server response header: the default, Full, advertises the version, the generic OS type and compiled-in modules (for example Apache/2.4.41 (Ubuntu)), while Prod reduces it to the bare product name. Since 2.0.44 ServerTokens also limits what the ServerSignature line shows. Hiding these values does not stop a determined attacker, who can still fingerprint the server from its behaviour, but it removes the cheapest way to match a host against a list of known-vulnerable versions.
Open your httpd.conf in a text editor such as vi (the path depends on the distribution; cPanel builds use /usr/local/apache/conf/httpd.conf) and add or modify the directives as follows:
ServerSignature Off
ServerTokens Prod
Save and close the file, check the syntax with apachectl configtest (or httpd -t), and restart the Apache web server (the init script name and location depend on the distribution):
/etc/init.d/httpd restart
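A script to check the result, added here as an example and not part of the original page: it reads the effective value of both directives from a config file (Apache uses the last uncommented occurrence), reports whether version details are hidden, and offers a live check of the Server header with curl. The config path in the usage comment is an assumption; the audit reads only the one file you pass, not files pulled in by Include.

```shell
#!/bin/sh
# Added example, not from the original page: audit an Apache config file for
# the two version-disclosure directives and show the live Server header.

# Print the effective value of a directive in one config file. Apache uses
# the last occurrence, so take the last uncommented match (case-insensitive,
# as Apache directive names are). Prints "unset" when the directive is absent.
effective_directive() {
    conf="$1"
    name="$2"
    value=$(grep -i "^[[:space:]]*${name}[[:space:]]" "$conf" | tail -n 1 | awk '{print $2}')
    if [ -z "$value" ]; then
        echo unset
    else
        echo "$value"
    fi
}

# Return 0 when the file hides version details (ServerSignature Off and
# ServerTokens Prod/ProductOnly), 1 otherwise, printing what was found.
audit_version_disclosure() {
    conf="$1"
    sig=$(effective_directive "$conf" ServerSignature)
    tok=$(effective_directive "$conf" ServerTokens)
    echo "$conf: ServerSignature=$sig ServerTokens=$tok"
    rc=0
    case "$sig" in
        [Oo][Ff][Ff]) ;;
        *) echo "  ServerSignature should be Off (upstream default is Off; distro configs often set On)"; rc=1 ;;
    esac
    case "$tok" in
        [Pp][Rr][Oo][Dd]|[Pp][Rr][Oo][Dd][Uu][Cc][Tt][Oo][Nn][Ll][Yy]) ;;
        *) echo "  ServerTokens should be Prod (default Full leaks version, OS and modules)"; rc=1 ;;
    esac
    return "$rc"
}

# Live check after the restart: fetch only the headers and show the Server
# line, which should read just "Server: Apache" once ServerTokens is Prod.
show_server_header() {
    curl -sI "$1" | grep -i '^Server:'
}

# Usage (assumed path): sh audit_version.sh /usr/local/apache/conf/httpd.conf
if [ "$#" -gt 0 ]; then
    audit_version_disclosure "$1"
fi
```

Run show_server_header http://localhost/ before and after the change; a header such as Server: Apache/2.4.41 (Ubuntu) means the restart did not pick up the new settings or a distribution-level config file (on Debian and Ubuntu, conf-enabled/security.conf) is setting the directive later and winning.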
Auditing cPanel/WHM Apache logs
/usr/local/apache/logs/error_log
All errors caught by httpd, along with the standard error output of CGI applications, are logged here. This is the first place to look when httpd crashes or a website returns errors.
/usr/local/apache/logs/suexec_log
This log file contains the audit record written by suexec each time a CGI application is executed, plus the reason for any refusal. If a request returns an internal server error and nothing relevant appears in the Apache error_log, check here for suexec policy violations (for example a script or directory that is writable by others, or a uid/gid mismatch between the script and its owner).
How to check domain access logs
/usr/local/apache/domlogs/domain.com
The general access log for each domain configured in cPanel, one file per domain name.
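Two quick audits over these logs, added here as an example and not taken from the page or from cPanel: one summarises a domain access log by client address and flags hosts producing bursts of 4xx responses (the usual trace of a script scanner), the other pulls the policy refusals out of suexec_log. The sample lines are constructed; the domlog is assumed to be in Apache's combined log format, and a normal suexec record is assumed to contain "uid: (...) gid: (...) cmd: ...", so anything else is treated as a refusal.

```shell
#!/bin/sh
# Added example, not from the page: two quick audits over cPanel's Apache
# logs. Sample lines are constructed; the domlog is assumed to be combined
# log format and suexec records to carry "uid: (...) gid: (...) cmd: ...".

# Constructed sample of a per-domain access log (combined log format).
sample_domlog() {
    cat <<'EOF'
203.0.113.5 - - [10/Oct/2023:13:55:36 +0000] "GET /wp-login.php HTTP/1.1" 404 209 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Oct/2023:13:55:37 +0000] "GET /phpmyadmin/ HTTP/1.1" 404 209 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Oct/2023:13:55:38 +0000] "GET /.env HTTP/1.1" 403 199 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Oct/2023:13:56:01 +0000] "GET /index.html HTTP/1.1" 200 1043 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Oct/2023:13:56:02 +0000] "GET /missing.png HTTP/1.1" 404 209 "-" "Mozilla/5.0"
EOF
}

# Clients with at least $2 (default 10) 4xx responses in log $1, most first.
# Field 1 is the client address and field 9 the status code in this format.
top_error_clients() {
    awk -v t="${2:-10}" '
        $9 ~ /^4[0-9][0-9]$/ { n[$1]++ }
        END { for (ip in n) if (n[ip] >= t) print ip, n[ip] }' "$1" | sort -k2,2nr
}

# Constructed sample of suexec_log: two normal execution records and one
# policy refusal (suexec will not run a script that is writable by others).
sample_suexec_log() {
    cat <<'EOF'
[2023-10-10 13:55:36]: uid: (1001/alice) gid: (1001/alice) cmd: counter.cgi
[2023-10-10 13:57:02]: file is writable by others: (/home/bob/public_html/upload.cgi)
[2023-10-10 13:58:10]: uid: (1002/bob) gid: (1002/bob) cmd: form.cgi
EOF
}

# Print every suexec_log line that is not a normal execution record; these
# are the refusals behind an "Internal Server Error" with a silent error_log.
# Returns 0 when refusals were found and 1 when the log is clean.
suexec_violations() {
    grep -v 'uid: (.*) gid: (.*) cmd: ' "$1"
}
```

On a live host run top_error_clients /usr/local/apache/domlogs/domain.com 50 and suexec_violations /usr/local/apache/logs/suexec_log; the threshold should be tuned to the site's normal 404 rate, and a refusal line names the exact file or directory whose permissions suexec objected to.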
Apache configuration on Ubuntu
Apache Default Timeout
Timeout: the number of seconds Apache waits for an individual network operation before giving up: reading the rest of a request from the client, waiting for the client to accept data being sent to it, and waiting for output from a CGI script. It is not a ceiling on the total time a request may take.
The stock value (300 seconds in Ubuntu's apache2.conf; upstream 2.4 ships 60) is deliberately generous to cover slow links and long-running scripts. Reducing it to 30 seconds or lower frees worker slots held by stalled clients sooner, which blunts simple connection-exhaustion attacks. Note that the timer restarts on every successful read, so a client that trickles a header one byte at a time is not caught by Timeout at all; mod_reqtimeout (the RequestReadTimeout directive) is the control for that case.
KeepAlive: whether to allow persistent connections (more than one request per TCP connection).
Leave KeepAlive On. A page consists of many elements (the HTML, images, scripts, stylesheets), and without keep-alive the client must open a new TCP connection for every one of them. Letting the client reuse a single connection allows the server to handle clients more efficiently. The trade-off is that an idle keep-alive connection occupies a worker until KeepAliveTimeout (5 seconds in the stock configuration) expires, so keep that value short rather than turning keep-alive off.
MaxKeepAliveRequests
MaxKeepAliveRequests: the maximum number of requests to allow during one persistent connection; 0 means unlimited. Leave this number high for maximum performance.
Since the connection is persistent anyway, a low limit only forces the client to reconnect part-way through loading a page. The stock value is 100; a site with many images and scripts per page can reasonably raise it to 500. Experiment with the value, but there is no security benefit in lowering it.
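The stock settings beside a tightened set, as an added configuration example that is not from the page. The "before" values are those shipped in Ubuntu's apache2.conf; the RequestReadTimeout line is the mod_reqtimeout directive mentioned above and is shown here as the complement to a shorter Timeout, wrapped in IfModule in case the module is not loaded.

```apache
# Before: values as shipped in Ubuntu's apache2.conf
Timeout 300
KeepAlive On
MaxKeepAliveRequests 100
KeepAliveTimeout 5

# After: shorter per-operation timeout, keep-alive kept for performance with
# a short idle window and a higher per-connection request limit, plus
# mod_reqtimeout to cut off clients that send headers or body too slowly
Timeout 30
KeepAlive On
MaxKeepAliveRequests 500
KeepAliveTimeout 5
<IfModule reqtimeout_module>
    # Headers must arrive within 20 s, extended up to 40 s while the client
    # keeps sending at 500 bytes/s or more; the body gets 20 s on the same terms
    RequestReadTimeout header=20-40,MinRate=500 body=20,MinRate=500
</IfModule>
```

Timeout still governs CGI output and writes to the client, so scripts that legitimately run for more than 30 seconds need the value raised again or, better, reworked so the response starts sooner.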
Apache Graceful Restart Process
Signal: USR1
The USR1 or graceful signal causes the parent process to advise the children to exit after their current request (or to exit immediately if they’re not serving anything). The parent re-reads its configuration files and re-opens its log files. As each child dies off the parent replaces it with a child from the new generation of the configuration, which begins serving new requests immediately.
The restart code respects the process-control directives of the MPMs throughout, so the number of processes and threads available to serve clients stays at the configured values during the restart. One caveat: if the configuration files contain errors when the signal is sent, the parent does not restart but exits with an error, and in the graceful case the children finishing their last requests stay alive and keep the listening ports bound, which then blocks the next start attempt. Check the syntax with httpd -t (apachectl configtest) before signalling; apachectl graceful performs this check for you before sending USR1.
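A small wrapper for the procedure above, added as an example and not taken from the page or from the Apache project: it refuses to signal unless the new configuration parses, and it only sends USR1 to a pid that comes from the PidFile and belongs to a live process. The PidFile and httpd binary locations are assumptions (they follow the /usr/local/apache layout used elsewhere on this page); apachectl graceful does the same job on hosts where it is installed.

```shell
#!/bin/sh
# Added example, not from the page or the Apache project: gracefully restart
# httpd only after the new configuration parses, signalling only the parent
# pid recorded in the PidFile. Paths below are assumptions.

# Read the parent pid from a PidFile and confirm it refers to a live process.
# Prints the pid and returns 0; returns 1 with a message on stderr otherwise.
parent_pid() {
    pidfile="$1"
    [ -r "$pidfile" ] || { echo "no readable pid file: $pidfile" >&2; return 1; }
    pid=$(tr -d '[:space:]' < "$pidfile")
    case "$pid" in
        ''|0|*[!0-9]*) echo "pid file does not hold a pid: '$pid'" >&2; return 1 ;;
    esac
    kill -0 "$pid" 2>/dev/null || { echo "no running process with pid $pid" >&2; return 1; }
    echo "$pid"
}

# Graceful restart: syntax check first, because a parent that cannot parse
# its new configuration exits instead of restarting and leaves the gracefully
# exiting children holding the listening ports.
graceful_restart() {
    pidfile="${1:-/usr/local/apache/logs/httpd.pid}"     # assumed PidFile
    httpd_bin="${2:-/usr/local/apache/bin/httpd}"        # assumed binary
    "$httpd_bin" -t || { echo "configuration test failed; not restarting" >&2; return 1; }
    pid=$(parent_pid "$pidfile") || return 1
    kill -s USR1 "$pid"
}
```

Call graceful_restart with no arguments on a host matching the assumed layout, or pass the PidFile and binary paths from your own httpd.conf and ServerRoot; httpd -t exits non-zero on a syntax error and prints the offending line, which is what stops the signal from being sent.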
Apache Security Tips - Permissions on ServerRoot Directories
In typical operation, Apache is started by the root user, and it switches to the user defined by the User directive to serve requests. As with any command that root executes, you must make sure it is protected from modification by non-root users. Not only must the files themselves be writable only by root, but so must the directories and the parents of all those directories; otherwise a local user can rename a directory out of the way and substitute his own. For example, if you choose to place ServerRoot in /usr/local/apache then it is suggested that you create that directory as root, with commands like these:
mkdir /usr/local/apache
cd /usr/local/apache
mkdir bin conf logs
chown 0 . bin conf logs
chgrp 0 . bin conf logs
chmod 755 . bin conf logs
It is assumed that /, /usr, and /usr/local are only modifiable by root. When you install the httpd executable, you should ensure that it is similarly protected:
cp httpd /usr/local/apache/bin
chown 0 /usr/local/apache/bin/httpd
chgrp 0 /usr/local/apache/bin/httpd
chmod 511 /usr/local/apache/bin/httpd
You can create an htdocs subdirectory which is modifiable by other users, since root never executes any files out of there and should not be creating files in there. If you allow non-root users to modify any file that root either executes or writes to, you open the system to a root compromise; this applies equally to the configuration and log directories, where a writable log file can be replaced by a symlink to a file root will then clobber.
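A script that checks these rules rather than trusting that they were followed, added as an example and not from the page or the Apache documentation: it verifies the owner and the absence of group and world write bits on the ServerRoot, everything beneath it except htdocs, and every parent directory up to /. The expected uid defaults to 0 as in the commands above but can be overridden; paths are assumed to contain no whitespace.

```shell
#!/bin/sh
# Added example, not from the page or the Apache project: verify that a
# ServerRoot tree and every directory above it are owned by the expected
# uid and writable by nobody else. Assumes paths contain no whitespace.

# Check one path: owner must be $2 (numeric uid, default 0) and the mode
# must grant no group or other write bit. Prints findings, returns 1 on any.
check_path() {
    cp_path="$1"
    want_uid="${2:-0}"
    [ -e "$cp_path" ] || { echo "$cp_path: does not exist"; return 1; }
    set -- $(ls -ldn "$cp_path")    # $1 = mode string, $3 = numeric owner uid
    mode="$1"
    owner="$3"
    bad=0
    if [ "$owner" != "$want_uid" ]; then
        echo "$cp_path: owned by uid $owner, expected $want_uid"
        bad=1
    fi
    case "$mode" in
        ?????w*) echo "$cp_path: group-writable ($mode)"; bad=1 ;;
    esac
    case "$mode" in
        ????????w*) echo "$cp_path: world-writable ($mode)"; bad=1 ;;
    esac
    return "$bad"
}

# Walk from ServerRoot up to /: a writable parent lets a local user rename
# or replace the whole tree, whatever the tree's own permissions say.
audit_parents() {
    d="$1"
    want_uid="${2:-0}"
    case "$d" in /*) ;; *) echo "absolute path required: $d"; return 2 ;; esac
    prc=0
    while [ "$d" != "/" ]; do
        d=$(dirname "$d")
        check_path "$d" "$want_uid" || prc=1
    done
    return "$prc"
}

# Check ServerRoot and everything under it except htdocs, which the text
# allows other users to modify because root never executes from there.
audit_tree() {
    root="$1"
    want_uid="${2:-0}"
    trc=0
    for p in $(find "$root" -path "$root/htdocs" -prune -o -print); do
        check_path "$p" "$want_uid" || trc=1
    done
    return "$trc"
}

# Full audit; run both halves so every finding is reported, then fail if any.
audit_server_root() {
    src=0
    audit_parents "$1" "$2" || src=1
    audit_tree "$1" "$2" || src=1
    return "$src"
}

# Usage: sh audit_serverroot.sh /usr/local/apache
if [ "$#" -gt 0 ]; then
    audit_server_root "$1"
fi
```

A clean run prints nothing and exits 0. The parent walk is the part most often skipped by hand: /usr/local/apache can be perfect while /usr/local is group-writable by a staff group, which is the same exposure.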