Apache Security Best Practice Explained

Apache Security

Here will see how to secure our apache web server, how protect from some unexpected attacks.


In order to run apache webserver through a firewall, the ports 80(HTTP) and 443(HTTPS) TCP/IP must be opened.

-A RH-Firewall-1-INPUT -m state –state NEW -m tcp -p tcp –dport 80 -j ACCEPT
-A RH-Firewall-1-INPUT -m state –state NEW -m tcp -p tcp –dport 443 -j ACCEPT


By default, Apache web server is protected by SElinux in targerred mode. In order to allow apache to be executed through SElinux the following parameters can be configured.

# settsebool -P httpd_enable_cgi 1

Allow cgi scripts to be executed through the webserver

# setsebool -P httpd_enable_home_dirs 1

By default, SElinux does not allow to access to user’s home directories through the web server. This directive makes it possible, but first the home directories must be labelled as web server:

# Chcon -R -t httpd_sys_content_t ~user/public_html

In addition, if some system directory is going to be accessed through the web server, first must be labelled as SElinux http file. For example, if the directory /secwww is going to be used as a webserver DocumentRoot;

# chcon -R -u system_u /secwww
# chcon -R -t httpd_sys_content_t /secwww

Host Access Security

In httpd.conf file the directives allow and deny can regulate access to different areas of the web server based on host names or IP addresses.

<Directory /var/www/html/web>
  Order deny,allow
  Deny from all
  Allow from .foxutech.com
  Allow from

The line ‘Order deny,allow’ means that first deny directives are applied and the allow directives. In this case access is denied to all less hosts on .foxutech,com or in LAN.

Read More: How To Protect Apache Against DoS and DDoS with mod_evasive on CentOS

User Access security

Access to different areas of the web server can be regulated through username and password.

<Directory /var/www/html/technos>
   AuthType Basic
   AuthName “Password Protected Technos”
   AuthUserFile /etc/httpd/technopass
   Require user xxx yyy

This configuration will allow access only to the users xxx and yyy  to technos web area. When connection is made against technos web area the web server asks for a username.password that will be authenticated against the password file on /etc/httpd/technopass. In order to create xxx and yyy accounts the command htpasswd can be used.

# htpasswd -c /etc/httpd/technopass xxx
Password :

# htpasswd -c /etc/httpd/technopass yyy

Where, -c option on htpasswd must be used if the authentication file does not exist (if is the first user that we are creating)

Executable files in Apache

The ScriptAlias directive can be used to enable web directives with executables CGI files. The Following ScriptAlias directive links the default cgi-bin directory to /var/www/cgi-bin.

ScriptAlias /cgi-bin/”/var/www/cgi-bin”
<Directory /var/www/cgi-bin>
  AllowOverride None
  Options None
  Order allow,deny
  Allow from all

Remember to change the SElinux context for this directory to allow SElinux to execute the script through Apache.

# chcon -t httpd_sys_script_exec_t /var/www/cgi-bin

Makes sure the apache can execute cgi scripts through SElinux

# setsebool -P httpd_enable_cgi 1

Limiting Resources and Rejecting DoS attackes

There are some configuration parameters that can be used to limit the system resources that apache can take from the system in order to minimize the impact of a DoS attack.

# StartServers: Number of server processes to start when httpd is started. More httpd process are started of required until reach ‘MaxClinets’ limit

StartServers 8

# ServerLimit: maximum values for maxClinets for the lifetime of the server. Is limits the maximum number of the simultaneous client that can connect to the web server.

ServerLimit 256

#MaxClients: maximum number of server processes allows to start. It limits the maximum number of simultaneous httpd process on the web server. The MaxClicnts directive sets the limit of simultaneous requests that can be service, if there are requests past the maxiclients that will be queued.

MaxClients 256