Security Hardening of an Apache Virtual Host

There are a number of steps to restrict access to an Apache virtual host. Access restriction is particularly important in a shared web hosting environment where potentially hundreds of different users have shell access.

Application level

Apache configuration

  • Remove all unnecessary modules from the web server configuration.
  • Run an IDS module

  • Remove all unnecessary functionality from the virtual host configuration
    • ScriptAlias

    • Alias
    • suexec
    • Userdir (Use UserDir disabled

  • Run the Apache server as a non-priviliged user (for example, apache).

  • Only process server side scripts (mod_php, mod_python, etc) if you know what you are doing. See ["Embedded_Apache_modules_vs_external_execution"] for a discussion.
  • Restrict access at the URL level:

    # Deny all URLs by default.
    <Location />
        # Deny all access by default
        Order Allow,Deny
    # Order of sections in configuration file is important!.
    <Location /goodstuff>
        # Deny all access by default
        Order Allow,Deny
        # Only allow trusted domains
        Allow from
        # Restrict to SSL mode
        # Restrict to specific client certificates or request attributes..
        # SSLRequire is very powerful even for non-SSL requests.
        # SSLRequire ...
        # Password protect
        AuthType Digest
        AuthName "Restricted data"
        AuthUserFile /home/pron/.htpasswd
        Require valid-user
  • Restrict access at the filename level:

    <Files ~ "^\.ht"> 
        Order Allow,Deny
  • Restrict access at the directory level:

    <Directory />
        Order Allow,Deny
    # More specific directory paths take precedence.
    <Directory /home/pr0n>
        Order Allow,Deny
        # Restrict access....(see directives used in location example above)
        # blah blah

User data

  • Restrict OS permissions: Use extended posix ACLs if you can. man acl(5).
    setfacl -m u:apache:x,g::0,o:0 $HOME
    setfacl -R --physical -m u:apache:rx,g::0,o:0,d:u:apache:rx,m:rx,d:m:rx,d:o:0 "$HOME/public_html"
  • Remove all unnecessary server side executables from the document root