Install
...
On Ubuntu, installation is very straightforward:

```bash
sudo apt-get install apache2
```
Apache 2.x is now installed.
Info: What about Zero Footprint Apache? Definitely doable, but practically, with virtualization and how rarely Apache actually changes, right now I'm leaning towards just scripting configuration files only inside of a container. Having said that, if time permits I might build a BonsaiFramework version.
Test
First verify that the Apache Web Server is running by hitting your server's IP address. If you do not know your IP address, at the console type,
...
You should see a default Apache webpage.
Status, Stopping, Starting, Restarting and Reload
You should know the basic commands for running Apache 2. Go ahead and try them. Note: ignore the warning message about "fully qualified domain name", as that is covered in the next section.
...
```bash
sudo service apache2 status
sudo service apache2 stop
sudo service apache2 start
sudo service apache2 restart # restart will restart the service (safer, as not all services support reload)
sudo service apache2 reload # reload will re-load the configuration files, with little or no downtime. Not all services support it (source: http://askubuntu.com/questions/105200/what-is-the-difference-between-service-restart-and-service-reload)
```
...
```bash
sudo /etc/init.d/apache2 status
sudo /etc/init.d/apache2 stop
sudo /etc/init.d/apache2 start
sudo /etc/init.d/apache2 restart
sudo /etc/init.d/apache2 reload
```
Provide Server Name
Note: This is now corrected as part of Apache 2.4.18 and onwards.
Apache is working fine, but during restart you will get the warning message, "apache2: Could not reliably determine the server's fully qualified domain name, using ...".
...
```bash
sudo service apache2 restart
```
Here are some of the basic hardening steps I take today.
Note: As with any security notes, I will write a disclaimer that there are more advanced ways to secure Apache. You can go as far as compiling your own custom version but that's out of scope for now.
Edit /etc/apache2/conf-available/security.conf
Set ServerTokens Prod - This turns off the extra header information sent by Apache, which would otherwise let a client know what version of Apache is being used. That information could be used to look up vulnerabilities in the particular version of Apache you are running.
Set ServerSignature Off - This removes the footer information from default Apache pages, for example the "page not found" page.
Note: Older versions of Apache use /etc/apache2/conf.d/security
Restart Apache for the changes to take effect.
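One way to confirm the two settings above are actually in effect in a given file, as an added example that is not part of the original page. The function names (effective_value, check_directive, check_hardening) are hypothetical, and the sample config lines are constructed.

```shell
#!/bin/sh
# Added example (not from the original page): audit one Apache config file
# for the ServerTokens / ServerSignature settings described above.

# effective_value FILE DIRECTIVE
# Print the value of the last uncommented DIRECTIVE line in FILE (a later
# line overrides an earlier one); print nothing if it is absent.
effective_value() {
    awk -v d="$2" '
        $1 ~ /^#/ { next }                     # skip commented-out lines
        tolower($1) == tolower(d) { v = $2 }   # directive names are case-insensitive
        END { if (v != "") print v }
    ' "$1"
}

# check_directive FILE DIRECTIVE WANTED
# Report one directive; return 0 only if its effective value is WANTED.
# Only the short spelling is accepted (ProductOnly would be flagged).
check_directive() {
    got=$(effective_value "$1" "$2")
    if [ -z "$got" ]; then
        echo "MISSING $2 (not set in $1)"; return 1
    fi
    if [ "$(printf '%s' "$got" | tr 'A-Z' 'a-z')" = "$(printf '%s' "$3" | tr 'A-Z' 'a-z')" ]; then
        echo "OK      $2 $got"; return 0
    fi
    echo "WEAK    $2 $got (want $3)"; return 1
}

# check_hardening FILE
# Check both directives without short-circuiting, so both are reported.
check_hardening() {
    rc=0
    check_directive "$1" ServerTokens Prod || rc=1
    check_directive "$1" ServerSignature Off || rc=1
    return $rc
}

# Constructed sample input: a weak file first, then the corrected one.
demo=$(mktemp)
printf '%s\n' '# ServerTokens Prod' 'ServerTokens OS' 'ServerSignature On' > "$demo"
check_hardening "$demo" || echo "=> needs hardening"
printf '%s\n' 'ServerTokens Prod' 'ServerSignature Off' > "$demo"
check_hardening "$demo" && echo "=> hardened"
rm -f "$demo"
```

On a real server, point check_hardening at the security.conf path given above. It only inspects that one file, so a directive set elsewhere in the Apache configuration is not seen.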
Optional Optimization
I found that you can save about 3MB of memory if the Apache status module is disabled:

```
sudo a2dismod
Your choices are: alias auth_basic authn_file authz_default authz_groupfile authz_host authz_user autoindex cgid
deflate dir env filter jk mime negotiation proxy proxy_http rewrite setenvif status substitute
Which module(s) do you want to disable (wildcards ok)?
status
Module status disabled.
To activate the new configuration, you need to run:
 service apache2 restart
sudo service apache2 restart
```
That is it for now. I might flesh this section out a bit more later.
Uninstall Apache Completely
These instructions need to be improved, and there is nothing here about removing logs.

1. Stop Apache:

```bash
sudo service apache2 stop
sudo /etc/init.d/apache2 stop
```

2. Remove:

```bash
sudo apt-get remove apache2
sudo apt-get purge apache2
```