I am setting up an Apache 2 server on Ubuntu.
Ubuntu Version: 20.04.5 LTS (GNU/Linux 5.4.0-135-generic x86_64)
Server version: Apache/2.4.41 (Ubuntu)
The web application currently does not accept uploads, does not run any CGI scripts, does not request or provide any user authentication, and does not have an SQL database.
I would like to know whether there are any additional directives I could add to any of the following configuration files to improve security further.
The files in their respective directories are:
# apache2.conf
# security.conf
# 000-default.conf
# example.com-ssl.conf
apache2.conf
# Runtime directory for shared-memory segments and similar files
DefaultRuntimeDir ${APACHE_RUN_DIR}
# PidFile
PidFile ${APACHE_PID_FILE}
# Timeout: seconds the server waits for I/O on a connection. 300 is generous, but
# reqtimeout.load/.conf are enabled, which bound the request-header/body phases separately.
Timeout 300
# KeepAlive
KeepAlive On
# MaxKeepAliveRequests
MaxKeepAliveRequests 100
# KeepAliveTimeout
KeepAliveTimeout 5
# Added by me for better caching performance.
# NOTE(review): html is in this list, so a browser may keep a page for up to a year
# (max-age=31536000) without revalidating; if pages change, confirm that is intended.
<FilesMatch "\.(html|css|gif|jpg|jpeg|js|png|svg|webp)$">
Header set Cache-Control "max-age=31536000, public"
</FilesMatch>
# Added by me to hide Last-Modified and rely on the ETag for validation
Header unset Last-Modified
# These need to be set in /etc/apache2/envvars
User ${APACHE_RUN_USER}
Group ${APACHE_RUN_GROUP}
# HostnameLookups: Off avoids a reverse DNS lookup per request
HostnameLookups Off
# ErrorLog
ErrorLog ${APACHE_LOG_DIR}/error.log
# LogLevel
LogLevel warn
# Include module configuration.
# NOTE(review): the enabled module list includes status.load (/server-status exposes live
# worker and request data) and autoindex, auth_basic, authn_file and authz_user, none of
# which this application appears to need (no listings, no authentication). Confirm that
# mods-enabled/status.conf restricts /server-status, and consider disabling unused modules.
IncludeOptional mods-enabled/*.load
IncludeOptional mods-enabled/*.conf
# Include list of ports to listen on
Include ports.conf
# Default access policy for the whole filesystem: deny everything, then open
# specific directories below. AllowOverride None also disables .htaccess processing.
<Directory />
Options FollowSymLinks
AllowOverride None
Require all denied
</Directory>
# NOTE(review): this grants read access to anything under /usr/share that is mapped into
# the URL space (e.g. by alias.conf). The application lives in /var/www/html only, so this
# block can likely be narrowed or removed if no installed package relies on it — verify first.
<Directory /usr/share>
AllowOverride None
Require all granted
</Directory>
# Web root: no directory listings, no symlink following, no .htaccess overrides
<Directory /var/www/>
Options -Indexes -FollowSymLinks
AllowOverride None
Require all granted
</Directory>
#AccessFileName .htaccess
# The following lines prevent .htaccess and .htpasswd (and any other .ht* file) from
# being served, even though AllowOverride None already stops them from being interpreted
<FilesMatch "^\.ht">
Require all denied
</FilesMatch>
# Log format definitions; a virtual host selects one by name in its CustomLog directive
LogFormat "%v:%p %h %l %u %t \"%r\" %>s %O \"%{Referer}i\" \"%{User-Agent}i\"" vhost_combined
LogFormat "%h %l %u %t \"%r\" %>s %O \"%{Referer}i\" \"%{User-Agent}i\"" combined
LogFormat "%h %l %u %t \"%r\" %>s %O" common
LogFormat "%{Referer}i -> %U" referer
LogFormat "%{User-agent}i" agent
# Include generic snippets of statements (security.conf below is loaded from here)
IncludeOptional conf-enabled/*.conf
# Include the virtual host configurations:
IncludeOptional sites-enabled/*.conf
security.conf
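# ServerTokens: send only "Apache" in the Server header, no version or OS details
ServerTokens Prod
# ServerSignature: no version/hostname footer on server-generated pages
ServerSignature Off
# TraceEnable: refuse TRACE requests
TraceEnable Off
# Security response headers. "always" puts them in the table that is also sent with
# error responses; a plain "Header set" only covers successful responses, so error
# pages would otherwise go out without them. The trailing colon that was on the header
# names is tolerated by mod_headers but is conventionally omitted.
Header always set X-Content-Type-Options "nosniff"
Header always set X-Frame-Options "sameorigin"
# NOTE(review): Referrer-Policy and Content-Security-Policy are also worth evaluating;
# their correct values depend on the application's pages, so they are not set here.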
000-default.conf
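<VirtualHost *:80>
# Server Name
ServerName example.com
# Server Alias
ServerAlias www.example.com
# Server Admin
ServerAdmin admin@example.com
# Document root directory (never actually served: every request below is redirected)
DocumentRoot /var/www/html
# Redirect all http traffic to https.
# The target must end with a slash: Redirect appends the remainder of the request
# path after the matched prefix "/" to the target, so without it a request for /foo
# would be redirected to https://example.comfoo. Only the bare "/" worked before.
Redirect permanent / https://example.com/
# logs
ErrorLog ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined
# No CGI allowed for the time being.
#Include conf-available/serve-cgi-bin.conf
</VirtualHost>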
example.com-ssl.conf
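<VirtualHost *:443>
# HTTP/2 with HTTP/1.1 fallback (http2.load and mpm_event are enabled)
Protocols h2 http/1.1
# Server Name
ServerName example.com
# Server Alias
ServerAlias www.example.com
# Server Admin
ServerAdmin admin@example.com
# Document root directory
DocumentRoot /var/www/html
# SSL
SSLEngine on
SSLCertificateFile /etc/ssl/example.com.crt
SSLCertificateKeyFile /etc/ssl/example.com.key
# NOTE(review): SSLCertificateChainFile is obsolete since 2.4.8; the intermediate chain can
# be appended to the file named in SSLCertificateFile instead. Kept as is for now.
SSLCertificateChainFile /etc/ssl/example.com.ca-bundle
# Allow only TLS 1.2 and 1.3. The server-wide minimum comes from mods-enabled/ssl.conf and
# the system OpenSSL policy (neither shown here); pinning it in the vhost makes it explicit.
# TLSv1.3 needs an OpenSSL with TLS 1.3 support — run `apache2ctl configtest` after editing.
SSLProtocol -all +TLSv1.2 +TLSv1.3
# HSTS: every port-80 request is already permanently redirected here, so browsers are told
# to use HTTPS directly for the next two years. Add "; includeSubDomains" (and later
# "; preload") only once every subdomain of example.com is served over HTTPS.
Header always set Strict-Transport-Security "max-age=63072000"
# Logs
ErrorLog ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined
# No CGI allowed for the time being
#Include conf-available/serve-cgi-bin.conf
</VirtualHost>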
Here is also the list of Apache 2 modules that are currently enabled:
access_compat.load
alias.conf
alias.load
auth_basic.load
authn_core.load
authn_file.load
authz_core.load
authz_host.load
authz_user.load
autoindex.conf
autoindex.load
deflate.conf
deflate.load
dir.conf
dir.load
env.load
filter.load
headers.load
http2.conf
http2.load
mime.conf
mime.load
mpm_event.conf
mpm_event.load
negotiation.conf
negotiation.load
reqtimeout.conf
reqtimeout.load
rewrite.load
setenvif.conf
setenvif.load
socache_shmcb.load
ssl.conf
ssl.load
status.conf
status.load
Is there any way to further improve the directives?
FYI: I have not yet addressed DoS and DDoS protection, have not yet created a separate (non-root) user, and have not yet enabled UFW.