Apache HTTP Server is free, open-source web server software.
Restart the service
Stop the service
RHEL 7.x or newer
Having the TRACE method enabled can lead to a Cross Site Tracing (XST) attack. (See https://owasp.org/www-community/attacks/Cross_Site_Tracing)
TraceEnable on makes the server echo the full request, headers included, back in the response body. A Cross Site Tracing issue can therefore give an attacker who can make the victim's browser send a TRACE request a way to read cookie values, including ones that the HttpOnly flag would otherwise hide from scripts. Modern browsers refuse to send TRACE from scripts, but turning it off on the server removes the issue regardless of the client.
Set the TraceEnable directive to "off" in the main configuration file and then restart Apache. (The path varies with the Apache installation, for example /etc/apache2/apache2.conf on Debian-based systems or /etc/httpd/conf/httpd.conf on RHEL; see the user guide for more information.)
Restart the Apache service and run the curl command again: a TRACE request should now be answered with 405 Method Not Allowed.
Never run Apache as root. Create a dedicated user with minimal rights and access, used exclusively to run Apache, and assign it with the User and Group directives as follows.
www-data is the default on Debian-based systems and most administrators keep it (RHEL uses apache); we can leave it as it is or change the values as we wish. Note that the parent process still starts as root so it can bind ports 80 and 443, then drops privileges to this user for the worker processes that actually handle requests.
By default, Apache displays the version of the web server in error pages and in the Server response header, and can also disclose the OS and the Apache modules installed on your server.
Turn off "ServerSignature"
Change the "ServerTokens" value to Prod to hide the OS type and module disclosure. This also reduces the banner to just "Apache".
With this feature on, the response discloses that the OS is Debian.
Now the OS information is not disclosed.
Deny access to files that are sensitive, for example the config file /etc/apache2/apache2.conf.
File access control
As of now, we can access 127.0.0.1/vk9security/
Note: other resources that are not index.php, such as index.html, are still accessible.
Network access control
You can control which networks can access which resources; in this case we only allow the loopback address 127.0.0.1.
Use TLS 1.2 or newer; disable SSLv2 and SSLv3, and, unless legacy clients require them, TLS 1.0 and 1.1 as well.
1. Copy (or better, link) the ssl.conf module configuration from mods-available to mods-enabled
It is better to use a2enmod to activate the module, which creates the links in mods-enabled for you
2. Modify the ssl.conf file and negate the weak protocols with the SSLProtocol directive
To enable a module
sudo a2enmod <module_name>
You can choose which ciphers are allowed with the SSLCipherSuite directive
List of Ciphers
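Putting the TraceEnable, ServerSignature, ServerTokens, User and SSLProtocol settings from the sections above into one check, here is an added example written for this page (it is not code from the original post): a shell script that audits a single Apache configuration file for those directives, run against a constructed weak fragment and its hardened counterpart. The config samples and the function names are assumptions for illustration; the SSLProtocol token logic mirrors mod_ssl's sequential handling of all, +X, -X and bare protocol names.

```shell
#!/usr/bin/env bash
# Added example, not from the original post: audit one Apache config file for
# the directives covered above. The two config fragments are constructed samples.
set -eu

lower() { printf '%s' "$1" | tr '[:upper:]' '[:lower:]'; }

# directive NAME FILE: value of the last uncommented NAME line, "" if absent.
# Assumes a single merged file; Debian spreads settings over conf-enabled/ etc.
directive() {
  awk -v name="$1" '
    /^[[:space:]]*#/ { next }
    tolower($1) == tolower(name) { v = $2; for (i = 3; i <= NF; i++) v = v " " $i }
    END { print v }' "$2"
}

# proto_enabled PROTO VALUE: succeeds when PROTO stays negotiable after applying
# an SSLProtocol VALUE token by token, the way mod_ssl does: "all", "+X" and
# "-X" adjust the set, a bare name replaces it. Unset means "all".
proto_enabled() {
  local name on=0 tok
  name=$(lower "$1")
  for tok in $(lower "${2:-all}"); do
    case "$tok" in
      +all|all)  on=1 ;;
      -all)      on=0 ;;
      "+$name")  on=1 ;;
      "-$name")  on=0 ;;
      +*|-*)     ;;          # some other protocol, no effect on ours
      "$name")   on=1 ;;
      *)         on=0 ;;     # bare other protocol replaces the whole set
    esac
  done
  [ "$on" -eq 1 ]
}

# audit_apache_conf FILE: one finding per line, silent when clean.
audit_apache_conf() {
  local f="$1" v p
  v=$(directive TraceEnable "$f")
  [ "$(lower "$v")" = off ] ||
    echo "TraceEnable=${v:-unset (default on)}: TRACE reflects requests (XST); set 'TraceEnable off'"
  v=$(directive ServerSignature "$f")
  [ "$(lower "${v:-off}")" = off ] ||
    echo "ServerSignature=$v: version footer on error pages; set 'ServerSignature Off'"
  v=$(directive ServerTokens "$f")
  [ "$(lower "$v")" = prod ] ||
    echo "ServerTokens=${v:-unset (default Full)}: OS/module disclosure in Server header; set 'ServerTokens Prod'"
  v=$(directive User "$f")
  case "$(lower "${v:-unset}")" in
    unset|root|'#0') echo "User=$v: workers would run as root; set a dedicated low-privilege user" ;;
  esac
  if [ "$(lower "$(directive SSLEngine "$f")")" = on ]; then
    v=$(directive SSLProtocol "$f")
    for p in SSLv3 TLSv1 TLSv1.1; do   # SSLv2 is not built into 2.4 at all
      if proto_enabled "$p" "$v"; then
        echo "SSLProtocol=${v:-unset (default all)}: $p negotiable; set 'SSLProtocol -all +TLSv1.2 +TLSv1.3'"
      fi
    done
  fi
}

finding_count() { audit_apache_conf "$1" | awk 'END { print NR }'; }

WEAK_CONF=$(mktemp) HARD_CONF=$(mktemp)
trap 'rm -f "$WEAK_CONF" "$HARD_CONF"' EXIT
cat >"$WEAK_CONF" <<'EOF'
# constructed sample: the weak settings discussed above
ServerTokens Full
ServerSignature On
TraceEnable on
User root
SSLEngine on
SSLProtocol all
EOF
cat >"$HARD_CONF" <<'EOF'
# constructed sample: the hardened counterpart
ServerTokens Prod
ServerSignature Off
TraceEnable off
User www-data
Group www-data
SSLEngine on
SSLProtocol -all +TLSv1.2 +TLSv1.3
SSLCipherSuite HIGH:!aNULL:!MD5:!RC4
SSLHonorCipherOrder on
EOF

echo "== weak sample =="; audit_apache_conf "$WEAK_CONF"
echo "== hardened sample =="; audit_apache_conf "$HARD_CONF"
echo "findings: weak=$(finding_count "$WEAK_CONF") hardened=$(finding_count "$HARD_CONF")"
```

Run it as-is to see the findings for both samples. On a real install, point it at the files Apache actually reads (apachectl -t -D DUMP_INCLUDES lists them) rather than a single file, because Debian keeps ServerTokens and ServerSignature in conf-enabled/security.conf and the TLS settings in mods-enabled/ssl.conf.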
Always use the latest software version.
Directory listing works almost like "ls" on Linux or "dir" on Windows: when a directory has no index file, Apache lists its contents to the client. Disable it with Options -Indexes.
We still have access to the file
If they are not in use, turn off SSI and CGI.
Server Side Includes (SSI) are directives inserted into HTML that let the server add dynamic content to our web pages.
CGI: The Common Gateway Interface (CGI) is a set of rules for running scripts and programs on a web server. Most web servers include a cgi-bin directory in the root folder of each website on the server, and any script placed in this directory must follow the CGI rules. Anything you do not use is attack surface, so disable both with Options -Includes -ExecCGI where they are not needed.
By default (before Apache 2.4.53), Apache puts no limit on the total size of an HTTP request body (LimitRequestBody 0), which can make you a victim of denial-of-service attacks; since 2.4.53 the default is 1 GiB, still far more than most applications need.
You can set the value in bytes, from 0 (unlimited) to 2147483647 (2 GB), that is allowed in a request body.
If you accept file uploads and want to limit the upload size for a particular directory, set the limit (in bytes) inside the matching Directory block.
It is true that you cannot completely protect your website from DDoS attacks, but the following directives help you keep the impact under control.
Apache allows you to log independently of your OS logging. It is wise to enable Apache logging because it provides more information, such as every request made by the clients that interacted with your web server.
To do so you need the mod_log_config module. There are three main logging-related directives available with Apache: TransferLog, LogFormat and CustomLog.
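As an added example of what Apache's own access log makes possible (this is not code from the original post), the following script runs a few detections over lines in the default combined LogFormat: flagged methods, traversal attempts, probes for sensitive files, and a per-client count of 4xx responses. The log lines are constructed and use documentation IP ranges; the function names are assumptions.

```shell
#!/usr/bin/env bash
# Added example, not from the original post: simple detections over Apache
# access-log lines in the default "combined" LogFormat. The log is constructed.
set -eu

ACCESS_LOG=$(mktemp)
trap 'rm -f "$ACCESS_LOG"' EXIT
cat >"$ACCESS_LOG" <<'EOF'
127.0.0.1 - - [10/Oct/2023:13:55:36 +0000] "GET /vk9security/index.php HTTP/1.1" 200 512 "-" "curl/7.88.1"
203.0.113.5 - - [10/Oct/2023:13:55:40 +0000] "TRACE / HTTP/1.1" 405 221 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Oct/2023:13:55:41 +0000] "GET /../../etc/passwd HTTP/1.1" 400 226 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Oct/2023:13:55:42 +0000] "GET /vk9security/.htaccess HTTP/1.1" 403 199 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Oct/2023:13:56:01 +0000] "OPTIONS / HTTP/1.1" 200 0 "-" "Nmap Scripting Engine"
127.0.0.1 - - [10/Oct/2023:13:56:10 +0000] "GET /vk9security/index.html HTTP/1.1" 200 88 "-" "curl/7.88.1"
EOF

# flag_requests LOG: one line per suspicious request: ip method path status reason.
# Combined-format fields: $1 client, $6 is "\"METHOD", $7 path, $9 status.
flag_requests() {
  awk '
  {
    ip = $1; method = substr($6, 2); path = $7; status = $9; reason = ""
    if (method == "TRACE" || method == "OPTIONS")
      reason = "method " method " (TRACE should be disabled; OPTIONS is typical of scanners)"
    else if (path ~ /\.\.\// || tolower(path) ~ /%2e%2e/)
      reason = "directory traversal attempt"
    else if (path ~ /(\.htaccess|\.conf|\/etc\/)/)
      reason = "probe for a sensitive file"
    if (reason != "") print ip, method, path, status, reason
  }' "$1"
}

# client_error_counts LOG: number of 4xx responses per client, busiest first,
# a cheap signal for scanning or brute forcing.
client_error_counts() {
  awk '$9 ~ /^4[0-9][0-9]$/ { n[$1]++ } END { for (ip in n) print n[ip], ip }' "$1" | sort -rn
}

echo "== flagged requests =="; flag_requests "$ACCESS_LOG"
echo "== 4xx per client =="; client_error_counts "$ACCESS_LOG"
```

The field positions assume the stock combined format; if you define your own LogFormat, adjust the column numbers (or log in JSON and parse that) before trusting the output.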
The default ETag in older Apache versions embeds the file's inode number, which lets remote attackers obtain sensitive information such as the inode numbers of files on the server (the same class of bug also exposed the multipart MIME boundary and child process IDs in old releases). Inode numbers help an attacker correlate files and fingerprint the filesystem, and the client never needs them.
The ETag (entity tag) response header provides a mechanism to cache unchanged resources. Its value is an identifier which represents a specific version of the resource. Here's an example ETag header:
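An added example (not from the original post) that decodes an ETag of the legacy three-field shape, to make the leak concrete: with FileETag INode MTime Size the tag is inode-size-mtime in hex, with mtime in microseconds since the epoch. The ETag values below are constructed, not captured from a real server, and the function names are assumptions. The fix is FileETag MTime Size (the Apache 2.4 default) or dropping the header with Header unset ETag.

```shell
#!/usr/bin/env bash
# Added example, not from the original post: decode a legacy three-field Apache
# ETag ("inode-size-mtime" in hex) to show what it leaks, and test whether a
# tag has that shape. The ETag values below are constructed.
set -eu

strip_etag() {   # drop the W/ weak prefix and the surrounding quotes
  local raw="$1"
  raw=${raw#W/}; raw=${raw#\"}; raw=${raw%\"}
  printf '%s' "$raw"
}

# etag_leaks_inode ETAG: succeeds for the three-field INode-Size-MTime shape;
# FileETag MTime Size (the Apache 2.4 default) yields only two fields.
etag_leaks_inode() {
  case "$(strip_etag "$1")" in
    *-*-*) return 0 ;;
    *)     return 1 ;;
  esac
}

# decode_etag ETAG: prints "inode=N size=N mtime=EPOCH_SECONDS". mtime is an
# apr_time_t (microseconds since the epoch), hence the division.
decode_etag() {
  local raw ino size mt
  raw=$(strip_etag "$1")
  if etag_leaks_inode "$1"; then
    ino=$(printf '%d' "0x${raw%%-*}"); raw=${raw#*-}
  else
    ino=none
  fi
  size=${raw%%-*}; mt=${raw#*-}
  printf 'inode=%s size=%d mtime=%d\n' "$ino" \
    "$(printf '%d' "0x$size")" "$(( $(printf '%d' "0x$mt") / 1000000 ))"
}

LEGACY_ETAG='"2e1c-5b5-60a24181e4000"'   # constructed: FileETag INode MTime Size
MODERN_ETAG='"5b5-60a24181e4000"'        # constructed: FileETag MTime Size

decode_etag "$LEGACY_ETAG"   # inode=11804 size=1461 mtime=1700000000
decode_etag "$MODERN_ETAG"   # inode=none size=1461 mtime=1700000000
if etag_leaks_inode "$LEGACY_ETAG"; then
  echo "legacy tag exposes the inode: set 'FileETag MTime Size' or 'Header unset ETag'"
fi
```

The decoded mtime is plain Unix time (date -u -d @1700000000 on GNU systems turns it into a calendar date), so a legacy tag hands out the inode, the exact size and the last-modified time of the file in one header.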
Using nmap we can query which HTTP methods are allowed (the http-methods NSE script sends an OPTIONS request and reports the methods the server lists)
Results of nmap
You can limit the impact of many Cross Site Scripting attacks by setting the HttpOnly and Secure flags on cookies. Without HttpOnly, script injected through XSS can read the session cookie; without Secure, the browser also sends the cookie over plain HTTP where it can be sniffed. Either way the web application session can be stolen or manipulated, and that is dangerous. Note that the flags do not stop the XSS itself; they only protect the cookie.
You can set these flags from PHP (session.cookie_httponly and session.cookie_secure, or the options of setcookie()) or in the Apache configuration with mod_headers.
Clickjacking is a well-known web application vulnerability; the X-Frame-Options response header tells the browser whether the page may be embedded in a frame.
Browser-side Cross Site Scripting (XSS) filtering can be bypassed in many browsers. The X-XSS-Protection header re-enables the filter for your application if the user has disabled it, and it has been used by large web companies such as Facebook, Twitter and Google. Be aware that current Chromium-based browsers have removed the filter and Firefox never implemented it, so treat this header as a legacy defence-in-depth measure and rely on a Content-Security-Policy for real protection.
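Bringing the cookie flags, X-Frame-Options and X-XSS-Protection together, here is an added example (written for this page, not the post's code) that audits response headers as captured with curl -sI and prints the mod_headers directives that produce the hardened form. The two header captures are constructed, the function names are assumptions, and the guarded Header edit patterns are my own: confirm them with apachectl configtest and a curl -sI check on your server before relying on them.

```shell
#!/usr/bin/env bash
# Added example, not from the original post: audit captured response headers
# for the cookie flags and anti-clickjacking / XSS headers discussed above.
# The two header captures below are constructed, not taken from a live server.
set -eu

WEAK_HDRS=$(mktemp) HARD_HDRS=$(mktemp)
trap 'rm -f "$WEAK_HDRS" "$HARD_HDRS"' EXIT
printf '%s\r\n' 'HTTP/1.1 200 OK' 'Server: Apache/2.4.41 (Debian)' \
  'Set-Cookie: PHPSESSID=constructedsessionid; path=/' \
  'Content-Type: text/html; charset=UTF-8' >"$WEAK_HDRS"
printf '%s\r\n' 'HTTP/1.1 200 OK' 'Server: Apache' \
  'Set-Cookie: PHPSESSID=constructedsessionid; path=/; HttpOnly; Secure' \
  'X-Frame-Options: SAMEORIGIN' 'X-XSS-Protection: 1; mode=block' \
  'Content-Type: text/html; charset=UTF-8' >"$HARD_HDRS"

# audit_headers FILE: one finding per line, nothing when clean. Input is raw
# header lines (CRLF tolerated), e.g. the output of: curl -sI https://host/
audit_headers() {
  awk '
  {
    sub(/\r$/, "")
    i = index($0, ":"); if (i == 0) next            # status line or blank line
    name = tolower(substr($0, 1, i - 1)); val = substr($0, i + 1)
    sub(/^[ \t]+/, "", val); lv = tolower(val)
    if (name == "set-cookie") {
      cookie = val; sub(/=.*/, "", cookie)
      if (lv !~ /;[ \t]*httponly[ \t]*(;|$)/) print "cookie " cookie ": missing HttpOnly (readable by injected script)"
      if (lv !~ /;[ \t]*secure[ \t]*(;|$)/)   print "cookie " cookie ": missing Secure (sent over plain HTTP)"
    }
    if (name == "x-frame-options") framing = 1
    if (name == "content-security-policy" && lv ~ /frame-ancestors/) framing = 1
    if (name == "x-xss-protection") xssp = 1
    if (name == "server" && (index(val, "/") || index(val, "(")))
      print "Server: " val " discloses version/OS; set ServerTokens Prod"
  }
  END {
    if (!framing) print "no X-Frame-Options or CSP frame-ancestors: page can be framed (clickjacking)"
    if (!xssp)    print "no X-XSS-Protection: legacy filter header absent (modern browsers ignore it; use CSP)"
  }' "$1"
}

# apache_header_directives: mod_headers lines that yield the hardened capture.
# The edit patterns append a flag only when it is not already present, so an
# application that already sets HttpOnly does not end up with it twice.
apache_header_directives() {
  cat <<'EOF'
Header always edit Set-Cookie (?i)^((?:(?!;\s*HttpOnly).)+)$ "$1; HttpOnly"
Header always edit Set-Cookie (?i)^((?:(?!;\s*Secure).)+)$ "$1; Secure"
Header always set X-Frame-Options "SAMEORIGIN"
Header always set X-XSS-Protection "1; mode=block"
EOF
}

echo "== weak capture =="; audit_headers "$WEAK_HDRS"
echo "== hardened capture =="; audit_headers "$HARD_HDRS"
echo "== directives =="; apache_header_directives
```

Only add the Secure flag on hosts that actually serve HTTPS: a cookie marked Secure is never sent over plain HTTP, so on an HTTP-only test server the session would silently stop working.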