Keep the system and Apache updated for security patches; 2. Disable unused modules (such as status, autoindex) to reduce the attack surface; 3. Hide Apache version and operating system information to prevent information leakage; 4. Force HTTPS and configure strong TLS encryption; 5. Disable directory listing and restrict file access; 6. Set correct file owners and permissions (such as www-data, 644/755); 7. Enable mod_security and mod_evasive to defend against web attacks and DDoS; 8. Enable logging and monitor regularly to detect abnormal behaviors—through these steps, you can significantly improve Apache security and build an effective protection foundation.
Securing Apache on a Linux server is essential to protect your web applications from common threats like unauthorized access, data leaks, and DDoS attacks. Here's a practical, step-by-step guide to harden your Apache installation:
? 1. Keep Apache and the System Updated
Always ensure your system and Apache are up to date:
sudo apt update && sudo apt upgrade # Debian/Ubuntu sudo yum update # CentOS/RHEL (older) sudo dnf update # CentOS/RHEL (newer)
Updates often include critical security patches—don't skip them.
? 2. Disable Unused Modules
Apache loads many modules by default—some you may never use. Each adds potential attack surface.
Check enabled modules:
apache2ctl -M # Debian/Ubuntu httpd -M # RHEL/CentOS
Disable unecessary ones (eg, status , autoindex , userdir ):
sudo a2dismod status autoindex userdir sudo systemctl restart apache2
Why? Modules like
mod_userdirallows users to host personal sites (http://yoursite/~username)—a common misconfiguration risk.
?? 3. Hide Apache Version and OS Info
By default, Apache leaks version and OS info in HTTP headers and error pages—useful for attackers.
Edit your Apache config ( /etc/apache2/apache2.conf or /etc/httpd/conf/httpd.conf ):
ServerTokens Prod ServerSignature Off
-
Prod→ Only shows "Apache" in headers -
Off→ Removes server info from error pages
Then restart Apache:
sudo systemctl restart apache2
? 4. Use HTTPS with Strong TLS Settings
Never run Apache over HTTP in production.
- Get a free certificate from Let's Encrypt
- Force HTTPS with a redirect:
<VirtualHost *:80> ServerName yourdomain.com Redirect permanent / https://yourdomain.com/ </VirtualHost>
In your SSL virtual host, use strong ciphers:
SSLEngine on SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1 SSLCipherSuite ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384 SSLHonorCipherOrder off
Tip: Test your SSL setup at SSL Labs
? 5. Restrict File and Directory Access
Use .htaccess or <Directory> blocks wisely.
Example (in your site config):
<Directory /var/www/html>
Options -Indexes # Prevent directory listing
AllowOverride None # Disable .htaccess unless needed
Require all granted
</Directory> If you must allow .htaccess , ensure it's limited to specific directories and doesn't override critical security settings.
? 6. Set Proper File Permissions
Web files should be owned by a non-root user (eg, www-data ), and directories should not be writable by the web server unless necessary.
sudo chown -R www-data:www-data /var/www/html
sudo find /var/www/html -type d -exec chmod 755 {} \;
sudo find /var/www/html -type f -exec chmod 644 {} \;Avoid 777 permissions—ever.
? 7. Enable and Configure mod_security mod_evasive
- mod_security : A web application firewall (WAF) for Apache
- mod_evasive : Helps mitigate DoS/DDoS attacks
Install:
sudo apt install libapache2-mod-security2 mod-evasive sudo a2enmod security2 evasive
Configure basic rules in /etc/modsecurity/modsecurity.conf and set thresholds in /etc/apache2/mods-enabled/evasive.conf .
Start with conservative settings to avoid blocking legitimate traffic.
? 8. Log and Monitor Access
Enable logging and review logs regularly:
LogLevel warn
ErrorLog ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combinedMonitor with tools like:
-
journalctl -u apache2(systemd) -
logwatchorfail2banfor automated alerts
? Bonus: Run Apache in a Chroot or Container (Optional but Strong)
For high-security environments, isolate Apache using:
-
systemdservice withRootDirectory= - Docker/Podman containers
- SELinux/AppArmor policies
This limits what Apache can access if compromised.
Final Tip : Test your setup with tools like:
-
nmap --script http-security-headers yourdomain.com -
nikto -h yourdomain.com
Hardening Apache isn't a one-time task—it's ongoing. But these steps give you a solid baseline that blocks 90% of common attacks.
Basically, it's about reducing exposure, staying updated, and enforcing least privilege. Not glamorous—but effective.
The above is the detailed content of How to Secure Apache on a Linux Server. For more information, please follow other related articles on the PHP Chinese website!
Hot AI Tools
Undress AI Tool
Undress images for free
Undresser.AI Undress
AI-powered app for creating realistic nude photos
AI Clothes Remover
Online AI tool for removing clothes from photos.
Clothoff.io
AI clothes remover
Video Face Swap
Swap faces in any video effortlessly with our completely free AI face swap tool!
Hot Article
Hot Tools
Notepad++7.3.1
Easy-to-use and free code editor
SublimeText3 Chinese version
Chinese version, very easy to use
Zend Studio 13.0.1
Powerful PHP integrated development environment
Dreamweaver CS6
Visual web development tools
SublimeText3 Mac version
God-level code editing software (SublimeText3)
Install LXC (Linux Containers) in RHEL, Rocky & AlmaLinux
Jul 05, 2025 am 09:25 AM
LXD is described as the next-generation container and virtual machine manager that offers an immersive for Linux systems running inside containers or as virtual machines. It provides images for an inordinate number of Linux distributions with support
How to troubleshoot DNS issues on a Linux machine?
Jul 07, 2025 am 12:35 AM
When encountering DNS problems, first check the /etc/resolv.conf file to see if the correct nameserver is configured; secondly, you can manually add public DNS such as 8.8.8.8 for testing; then use nslookup and dig commands to verify whether DNS resolution is normal. If these tools are not installed, you can first install the dnsutils or bind-utils package; then check the systemd-resolved service status and configuration file /etc/systemd/resolved.conf, and set DNS and FallbackDNS as needed and restart the service; finally check the network interface status and firewall rules, confirm that port 53 is not
How would you debug a server that is slow or has high memory usage?
Jul 06, 2025 am 12:02 AM
If you find that the server is running slowly or the memory usage is too high, you should check the cause before operating. First, you need to check the system resource usage, use top, htop, free-h, iostat, ss-antp and other commands to check CPU, memory, disk I/O and network connections; secondly, analyze specific process problems, and track the behavior of high-occupancy processes through tools such as ps, jstack, strace; then check logs and monitoring data, view OOM records, exception requests, slow queries and other clues; finally, targeted processing is carried out based on common reasons such as memory leaks, connection pool exhaustion, cache failure storms, and timing task conflicts, optimize code logic, set up a timeout retry mechanism, add current limit fuses, and regularly pressure measurement and evaluation resources.
Install Guacamole for Remote Linux/Windows Access in Ubuntu
Jul 08, 2025 am 09:58 AM
As a system administrator, you may find yourself (today or in the future) working in an environment where Windows and Linux coexist. It is no secret that some big companies prefer (or have to) run some of their production services in Windows boxes an
How to Burn CD/DVD in Linux Using Brasero
Jul 05, 2025 am 09:26 AM
Frankly speaking, I cannot recall the last time I used a PC with a CD/DVD drive. This is thanks to the ever-evolving tech industry which has seen optical disks replaced by USB drives and other smaller and compact storage media that offer more storage
How to find my private and public IP address in Linux?
Jul 09, 2025 am 12:37 AM
In Linux systems, 1. Use ipa or hostname-I command to view private IP; 2. Use curlifconfig.me or curlipinfo.io/ip to obtain public IP; 3. The desktop version can view private IP through system settings, and the browser can access specific websites to view public IP; 4. Common commands can be set as aliases for quick call. These methods are simple and practical, suitable for IP viewing needs in different scenarios.
How to Install NodeJS 14 / 16 & NPM on Rocky Linux 8
Jul 13, 2025 am 09:09 AM
Built on Chrome’s V8 engine, Node.JS is an open-source, event-driven JavaScript runtime environment crafted for building scalable applications and backend APIs. NodeJS is known for being lightweight and efficient due to its non-blocking I/O model and
How to Setup MySQL Replication in RHEL, Rocky and AlmaLinux
Jul 05, 2025 am 09:27 AM
Data replication is the process of copying your data across multiple servers to improve data availability and enhance the reliability and performance of an application. In MySQL replication, data is copied from a database from the master server to ot
