Master Apache Security: Complete Guide to Prevent Common Web Attacks

This comprehensive guide walks operations engineers through why Apache security matters, presents core hardening strategies such as hiding server details, blocking directory traversal, enforcing strict security headers, limiting request sizes, and applying IP rate‑limiting, and provides advanced techniques, verification commands, common pitfalls, and an actionable checklist to build a resilient web server.


Apache Security Configuration: A Complete Guide to Prevent Common Web Attacks

Introduction: As an operations engineer, have you ever been woken up by security alerts at night, or worried that the web servers you manage could be compromised? This article shares practical Apache security configuration experience to help you build a hardened, resilient defense.

Why Apache Security Matters

In my ten‑year operations career, I have seen many security incidents caused by improper Apache configuration:

• An e‑commerce site suffered XSS attacks, leaking user data and costing over $5 million.

• A government website was compromised by SQL injection, exposing sensitive information.

• A corporate server was taken down by a DDoS attack, causing three days of outage.

Data doesn't lie: According to the OWASP 2023 report, web‑application attacks account for 43% of all network attacks, and Apache, as the most widely used web server, is a prime target for hackers.

Core Security Configuration Strategies

1. Hide Server Information – Keep Attackers Guessing

# Hide Apache version information (the Server header is reduced to just "Apache")
ServerTokens Prod
ServerSignature Off

# Hide operating‑system information (requires mod_headers)
# Caveat: the core often writes the Server header after mod_headers has run, so
# these two lines frequently have no visible effect. Verify with "curl -I"; if the
# header still reads "Apache", ModSecurity's SecServerSignature can rename it.
Header always unset "Server"
Header always set Server "Unknown"

Practical Effect: After applying these settings, attackers can no longer read the exact Apache version from the Server header or from server-generated error pages, so they cannot trivially match it against known vulnerabilities.

2. Prevent Directory Traversal Attacks

# Disable directory listing
<Directory "/var/www/html">
    Options -Indexes
    AllowOverride None
    Require all granted
</Directory>

# Block access to sensitive files
<FilesMatch "\.(htaccess|htpasswd|ini|log|sh|inc|bak)$">
    Require all denied
</FilesMatch>

3. Configure Strong Security Headers

# XSS protection (legacy header: current browsers ignore it and rely on CSP instead)
Header always set X-XSS-Protection "1; mode=block"

# Click‑jacking protection
Header always set X-Frame-Options "SAMEORIGIN"

# MIME‑type sniffing protection
Header always set X-Content-Type-Options "nosniff"

# Enforce HTTPS
Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains"

# Content‑Security‑Policy
Header always set Content-Security-Policy "default-src 'self'"

4. Limit Request Size to Mitigate DoS Attacks

# Limit request body size to 10 MB
LimitRequestBody 10485760

# Limit request header size
LimitRequestFields 40
LimitRequestFieldSize 4094
LimitRequestLine 4094

# Timeout settings
Timeout 60
KeepAliveTimeout 15

5. IP Access Control and Rate Limiting

# Load ModSecurity module
LoadModule security2_module modules/mod_security2.so

# Basic ModSecurity rules
<IfModule mod_security2.c>
    SecRuleEngine On
    SecRequestBodyAccess On
    SecRule REQUEST_HEADERS:Content-Type "text/xml" \
        "id:'200001',phase:1,t:none,t:lowercase,pass,nolog,ctl:requestBodyProcessor=XML"
</IfModule>

# IP rate limiting (requires mod_evasive)
<IfModule mod_evasive24.c>
    DOSHashTableSize 2048
    DOSPageCount 2
    DOSPageInterval 1
    DOSSiteCount 50
    DOSSiteInterval 1
    DOSBlockingPeriod 60
</IfModule>
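To check that the directives from sections 1 to 5 actually made it into a configuration file (and were not left commented out), here is an added static audit script. It is not part of the original article; the directive list and the sample configuration it writes are constructed for the demonstration, and the regex list should be extended to match your own baseline.

```shell
#!/bin/bash
# Added example, not from the original article: a static audit of an Apache
# configuration file for the hardening directives covered in sections 1-5.
# The directive list and the sample configuration below are constructed for
# this demonstration; extend REQUIRED_DIRECTIVES to match your own baseline.

# One extended regex per line, matched against the start of each
# non-comment line after leading whitespace is removed.
REQUIRED_DIRECTIVES='ServerTokens +Prod$
ServerSignature +Off$
Options +.*-Indexes
Header +always +set +X-Content-Type-Options +"nosniff"
Header +always +set +X-Frame-Options
Header +always +set +Strict-Transport-Security
Header +always +set +Content-Security-Policy
LimitRequestBody +[0-9]+
SSLProtocol +.*-all.*[+]TLSv1[.]2
SecRuleEngine +On'

# audit_conf FILE: prints OK/MISSING per directive, returns the number missing
audit_conf() {
    local file="$1" body pattern failures=0
    # Normalise: strip leading/trailing whitespace and drop comment lines, so a
    # commented-out "# Options -Indexes" is not mistaken for a live directive
    body=$(sed -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' -e '/^#/d' "$file")
    while IFS= read -r pattern; do
        [ -z "$pattern" ] && continue
        if printf '%s\n' "$body" | grep -Eq "^$pattern"; then
            printf 'OK       %s\n' "$pattern"
        else
            printf 'MISSING  %s\n' "$pattern"
            failures=$((failures + 1))
        fi
    done <<EOF
$REQUIRED_DIRECTIVES
EOF
    return "$failures"
}

# Constructed sample: partially hardened, with directory listing still
# enabled and no TLS or ModSecurity section, so three checks should fail.
write_sample_conf() {
    cat >"$1" <<'EOF'
ServerTokens Prod
ServerSignature Off
<Directory "/var/www/html">
    # Options -Indexes
    Options FollowSymLinks
    AllowOverride None
    Require all granted
</Directory>
Header always set X-Content-Type-Options "nosniff"
Header always set X-Frame-Options "SAMEORIGIN"
Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains"
Header always set Content-Security-Policy "default-src 'self'"
LimitRequestBody 10485760
EOF
}

sample=$(mktemp)
write_sample_conf "$sample"
audit_conf "$sample" || echo "$? directive(s) missing from $sample"
rm -f "$sample"
```

Run it against a real file with `audit_conf /etc/apache2/apache2.conf` (or whichever file your distribution uses); because the check is per file, directives placed in an included file will be reported as missing, which is itself worth knowing when a configuration is spread across many includes.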

Advanced Security Techniques

1. Log Monitoring and Alerts

# Detailed security log format
LogFormat "%h %l %u %t \"%r\" %>s %O \"%{Referer}i\" \"%{User-Agent}i\" %D" security
CustomLog "/var/log/apache2/security.log" security

# Error log level
LogLevel warn
ErrorLog "/var/log/apache2/error.log"
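A log format is only useful if something reads it. The following added script (not from the original article) runs two simple detections over the "security" LogFormat defined above: clients producing a burst of 4xx/5xx responses, and requests carrying directory-traversal sequences. The log lines and thresholds are constructed for the demonstration.

```shell
#!/bin/bash
# Added example, not from the original article: two detections over the
# "security" LogFormat defined above (%h %l %u %t "%r" %>s %O "%{Referer}i"
# "%{User-Agent}i" %D). The log lines are constructed; the thresholds are
# illustrative and should be tuned to your traffic.

# error_burst LOGFILE THRESHOLD
# Prints "count ip" for every client with at least THRESHOLD 4xx/5xx
# responses, highest first. Splitting on the double quote keeps the request
# line intact even when the path contains spaces.
error_burst() {
    awk -F'"' -v min="$2" '
        {
            split($1, pre, " ");  ip = pre[1]          # %h is the first token
            split($3, post, " "); status = post[1] + 0 # %>s follows the request
            if (status >= 400) errs[ip]++
        }
        END { for (ip in errs) if (errs[ip] >= min) print errs[ip], ip }
    ' "$1" | sort -rn
}

# traversal_hits LOGFILE
# Prints every request line containing a "../" sequence, plain or
# URL-encoded, so blocked traversal attempts can be reviewed.
traversal_hits() {
    awk -F'"' 'tolower($2) ~ /\.\.\/|%2e%2e|\.\.%2f/ { print $2 }' "$1"
}

# Constructed sample in the "security" format above
write_sample_log() {
    cat >"$1" <<'EOF'
203.0.113.7 - - [10/Jan/2024:03:14:01 +0000] "GET /../../etc/passwd HTTP/1.1" 403 512 "-" "curl/8.0.1" 1432
203.0.113.7 - - [10/Jan/2024:03:14:02 +0000] "GET /.htpasswd HTTP/1.1" 403 512 "-" "curl/8.0.1" 980
203.0.113.7 - - [10/Jan/2024:03:14:02 +0000] "GET /backup.bak HTTP/1.1" 403 512 "-" "curl/8.0.1" 1010
198.51.100.20 - - [10/Jan/2024:03:14:05 +0000] "GET /index.html HTTP/1.1" 200 4012 "-" "Mozilla/5.0" 2211
198.51.100.20 - - [10/Jan/2024:03:14:06 +0000] "GET /img/%2e%2e%2fconfig.ini HTTP/1.1" 403 512 "https://example.com/" "Mozilla/5.0" 1105
EOF
}

log=$(mktemp)
write_sample_log "$log"
echo "Clients with 3 or more error responses:"
error_burst "$log" 3
echo "Traversal attempts:"
traversal_hits "$log"
rm -f "$log"
```

In production, point both functions at `/var/log/apache2/security.log` from a cron job or a log shipper and alert on any output; the 403 entries are evidence that the `Options -Indexes` and `FilesMatch` rules above are doing their job, and the per-client counts feed naturally into the emergency block script further down.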

2. SSL/TLS Hardening

# Force HTTPS
<VirtualHost *:80>
    ServerName example.com
    Redirect permanent / https://example.com/
</VirtualHost>

<VirtualHost *:443>
    ServerName example.com
    SSLEngine on
    SSLCertificateFile /path/to/certificate.crt
    SSLCertificateKeyFile /path/to/private.key
    # Strong SSL protocols
    SSLProtocol -all +TLSv1.2 +TLSv1.3
    SSLCipherSuite ECDHE+AESGCM:ECDHE+CHACHA20:DHE+AESGCM:DHE+CHACHA20:!aNULL:!MD5:!DSS
    SSLHonorCipherOrder on
    SSLCompression off
    SSLSessionTickets off
</VirtualHost>

Security Configuration Effect Verification

Quick Security Check Commands

# Verify Apache version is hidden
curl -I http://yourdomain.com

# Verify security headers
curl -I https://yourdomain.com

# Scan for common vulnerabilities (quote the glob so the shell does not expand it)
nmap -sV --script 'http-*' yourdomain.com

# Use professional scanner
nikto -h http://yourdomain.com
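Reading `curl -I` output by eye does not scale across many hosts. As an added example (not part of the original article), the script below grades a saved header dump against the hardening in sections 1 and 3: the Server header must carry no version number, the nosniff, frame and CSP headers must be present, and HSTS must cover at least one year. The two sample responses it writes are constructed.

```shell
#!/bin/bash
# Added example, not from the original article: grade the headers that
# "curl -I" returns against the hardening in sections 1 and 3. The host
# names and both sample responses are constructed.

# audit_headers FILE
# FILE holds raw response headers, e.g. saved with
#   curl -sS -o /dev/null -D headers.txt https://yourdomain.com/
# Prints one verdict per check and returns the number of failed checks.
audit_headers() {
    local hdrs failures=0 label regex maxage
    hdrs=$(tr -d '\r' <"$1")          # curl keeps the CRLF line endings

    # Presence checks: label|extended regex (header names are case-insensitive)
    while IFS='|' read -r label regex; do
        [ -z "$label" ] && continue
        if printf '%s\n' "$hdrs" | grep -Eiq "$regex"; then
            printf 'OK    %s\n' "$label"
        else
            printf 'FAIL  %s\n' "$label"
            failures=$((failures + 1))
        fi
    done <<'EOF'
X-Content-Type-Options: nosniff|^X-Content-Type-Options: *nosniff
X-Frame-Options DENY or SAMEORIGIN|^X-Frame-Options: *(DENY|SAMEORIGIN)
Content-Security-Policy present|^Content-Security-Policy: *[^ ]
EOF

    # Server header must not carry a version number (ServerTokens Prod)
    if printf '%s\n' "$hdrs" | grep -Eiq '^Server:.*[0-9]'; then
        printf 'FAIL  Server header leaks a version\n'
        failures=$((failures + 1))
    else
        printf 'OK    Server header hides the version\n'
    fi

    # HSTS max-age must be at least one year (31536000 seconds)
    maxage=$(printf '%s\n' "$hdrs" | grep -Ei '^Strict-Transport-Security:' \
             | grep -Eio 'max-age=[0-9]+' | tr -dc '0-9')
    if [ "${maxage:-0}" -ge 31536000 ]; then
        printf 'OK    HSTS max-age=%s\n' "$maxage"
    else
        printf 'FAIL  HSTS missing or max-age below one year\n'
        failures=$((failures + 1))
    fi
    return "$failures"
}

# Constructed sample responses, written with CRLF as curl would
write_sample_headers() {   # write_sample_headers FILE hardened|leaky
    if [ "$2" = hardened ]; then
        printf '%s\r\n' 'HTTP/1.1 200 OK' 'Server: Apache' \
            'X-Content-Type-Options: nosniff' 'X-Frame-Options: SAMEORIGIN' \
            'Strict-Transport-Security: max-age=31536000; includeSubDomains' \
            "Content-Security-Policy: default-src 'self'" \
            'Content-Type: text/html' >"$1"
    else
        printf '%s\r\n' 'HTTP/1.1 200 OK' 'Server: Apache/2.4.41 (Ubuntu)' \
            'X-Frame-Options: SAMEORIGIN' 'Strict-Transport-Security: max-age=300' \
            'Content-Type: text/html' >"$1"
    fi
}

for profile in leaky hardened; do
    f=$(mktemp)
    write_sample_headers "$f" "$profile"
    echo "== $profile =="
    audit_headers "$f" || echo "$? check(s) failed"
    rm -f "$f"
done
```

Because the return value is the number of failed checks, the function slots straight into a cron job or CI step that fails the build when a host regresses, and the same dump can be kept as evidence of the state at a given date.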

Performance vs Security Balance

Configuration Impact Comparison:

• Response time increase is negligible (<5 ms).

• Security protection improves by over 90%.

• Attack interception rate rises from 20% to 95%.

Practical Pitfalls and Lessons Learned

Common Misconfigurations

Over‑restrictive CSP:

# ❌ Wrong: overly strict CSP that also blocks the site's own scripts and styles
Header always set Content-Security-Policy "default-src 'none'"

# ✅ Correct: progressive configuration, loosened only where the application needs it
# ('unsafe-inline' reopens the door to inline-script XSS; move inline scripts into
#  files, or use nonces/hashes, so it can be removed later)
Header always set Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-inline'"

Forgetting to Update Security Rules:

• Regularly update ModSecurity rule sets.

• Follow Apache security advisories.

• Automate security scans.

Emergency Response Plan

#!/bin/bash
# Emergency IP block script: drop all inbound traffic from one address (run as root)
if [ $# -ne 1 ]; then
    echo "Usage: $0 <IP address>" >&2
    exit 1
fi
ip="$1"
# Insert at the top of INPUT so the DROP is evaluated before any existing ACCEPT rules
iptables -I INPUT -s "$ip" -j DROP
echo "IP $ip has been blocked"

Action Checklist

• Check current Apache version and upgrade if needed.

• Apply all basic security configurations described above.

• Set up log monitoring and alerting.

• Perform regular security scans.

• Establish an emergency response workflow.

Republication Notice

This article has been distilled and summarized from source material, then republished for learning and reference. If you believe it infringes your rights, please contact admin@besthub.dev and we will review it promptly.

Tags: Configuration, Apache, Web Security, Server Hardening, ModSecurity
Written by

Ops Community

A leading IT operations community where professionals share and grow together.
