Apache-Hardening
From Notes_Wiki
Apache Hardening for a WordPress site
Overview
This KB article describes the Apache hardening steps to be implemented on the Apache web server, using test.com as the example site. The changes include secure global defaults, HTTP method restrictions, directory-level protections, and validation procedures.
Step 1: Backup Existing Configuration Files
Before making any changes, take a backup of the following files:
/etc/httpd/conf/httpd.conf
/etc/httpd/conf/httpd-le-ssl.conf
Example backup command:
cp /etc/httpd/conf/httpd.conf /etc/httpd/conf/httpd.conf.bak
cp /etc/httpd/conf/httpd-le-ssl.conf /etc/httpd/conf/httpd-le-ssl.conf.bak
Step 2: Global Apache Secure Defaults
File to Modify:
/etc/httpd/conf/httpd.conf
2.1 Deny-by-Default Access Control at Filesystem Root
<Directory />
    AllowOverride None
    Require all denied
</Directory>
2.2 Define Secure DocumentRoot
DocumentRoot "/var/www/html"
2.3 Allow Access to Web Content Directory
<Directory "/var/www">
    AllowOverride None
    Require all granted
</Directory>
2.4 Harden Main Web Application Directory
<Directory "/var/www/html">
    Require all granted
    Options -Indexes -ExecCGI -Includes -IncludesNOEXEC +SymLinksIfOwnerMatch
    AllowOverride All
</Directory>
2.5 Configure Default Index Files
<IfModule dir_module>
    DirectoryIndex index.html index.php
</IfModule>
2.6 Protect Sensitive Configuration Files
<Files ".ht*">
    Require all denied
</Files>
Step 3: Per-Site HTTP Method Hardening (Port 80)
File to Modify:
/etc/httpd/conf/httpd.conf
(Inside the existing <VirtualHost *:80> block for test.com)
3.1 Restrict HTTP Methods for WordPress Application
<Directory "/var/www/html">
    Require all granted
    Options -Indexes -ExecCGI -Includes -IncludesNOEXEC +SymLinksIfOwnerMatch
    AllowOverride All
</Directory>
<Location />
    <LimitExcept GET POST HEAD>
        Require all denied
    </LimitExcept>
</Location>
Effect:
- Allowed Methods: GET, POST, HEAD
- Blocked Methods: PUT, DELETE, OPTIONS, TRACE, and others
3.2 Secure WordPress Uploads Directory
<Directory "/var/www/html/wp-content/uploads">
    Require all granted
    Options -Indexes -ExecCGI -Includes -IncludesNOEXEC
    AllowOverride None
    <FilesMatch "\.(php|php[0-9]*|phtml|pl|py|jsp|asp|sh|cgi)$">
        Require all denied
    </FilesMatch>
    <LimitExcept GET POST HEAD>
        Require all denied
    </LimitExcept>
</Directory>
Security Controls Applied:
- Uploads are still allowed via POST
- Execution of script files in the uploads directory is blocked
- The uploads directory is restricted to the minimum required access
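The FilesMatch rule above only stops Apache from serving script files that are already present in the uploads tree; it is still worth checking the directory periodically for such files, since a hit there is a sign that an upload filter was bypassed. The following audit script is an added example for this page (not part of the original wiki article or the WordPress project) that applies the same extension pattern to the filesystem. It assumes only a POSIX shell with find and grep; the uploads path is passed as the first argument.

```shell
#!/bin/sh
# Added example: audit a WordPress uploads tree for files whose names match
# the script-extension pattern used in the FilesMatch directive above.

# Same extension list as the FilesMatch directive (extended regex).
SCRIPT_EXT_RE='\.(php|php[0-9]*|phtml|pl|py|jsp|asp|sh|cgi)$'

# Print every regular file under $1 whose name matches the pattern.
# Case-sensitive, like Apache's default FilesMatch behaviour.
# Exits 0 whether or not anything matched, so it is safe under set -e.
list_script_files() {
    find "$1" -type f | grep -E "$SCRIPT_EXT_RE" || true
}

# Print the number of matching files (0 when there are none).
count_script_files() {
    list_script_files "$1" | grep -c . || true
}

# Same count with case-insensitive matching. The difference between the two
# counts shows names such as "shell.PHP" that the default case-sensitive
# pattern does not cover.
count_script_files_nocase() {
    find "$1" -type f | grep -Ei "$SCRIPT_EXT_RE" | grep -c . || true
}

# Usage: ./audit-uploads.sh /var/www/html/wp-content/uploads
if [ -n "$1" ]; then
    echo "Script-like files under $1 (case-sensitive match):"
    list_script_files "$1"
    echo "case-sensitive matches:   $(count_script_files "$1")"
    echo "case-insensitive matches: $(count_script_files_nocase "$1")"
fi
```

If the case-insensitive count is higher than the case-sensitive one, the uploads tree contains files that the FilesMatch pattern as written would still serve; Apache's FilesMatch regex is case-sensitive unless the pattern is prefixed with `(?i)`, which is an option to consider when the filesystem is case-insensitive or uploads arrive with mixed-case names.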
Step 4: Per-Site HTTP Method Hardening (Port 443 - HTTPS)
File to Modify:
/etc/httpd/conf/httpd-le-ssl.conf
(Inside the existing <VirtualHost *:443> block for test.com)
4.1 Restrict HTTP Methods for WordPress Application
<Directory "/var/www/html">
    Require all granted
    Options -Indexes -ExecCGI -Includes -IncludesNOEXEC +SymLinksIfOwnerMatch
    AllowOverride All
</Directory>
<Location />
    <LimitExcept GET POST HEAD>
        Require all denied
    </LimitExcept>
</Location>
4.2 Secure WordPress Uploads Directory
<Directory "/var/www/html/wp-content/uploads">
    Require all granted
    Options -Indexes -ExecCGI -Includes -IncludesNOEXEC
    AllowOverride None
    <FilesMatch "\.(php|php[0-9]*|phtml|pl|py|jsp|asp|sh|cgi)$">
        Require all denied
    </FilesMatch>
    <LimitExcept GET POST HEAD>
        Require all denied
    </LimitExcept>
</Directory>
Step 5: Validation Procedures
5.1 Apache Configuration Syntax Verification
apachectl configtest
Expected Output:
Syntax OK
5.2 Restart Apache Service
systemctl restart httpd
Step 6: HTTPS Method Validation Tests
Run the following commands:
curl -k -I -X GET https://test.com
curl -k -I -X POST https://test.com
curl -k -I -X PUT https://test.com
curl -k -I -X DELETE https://test.com
curl -k -I -X OPTIONS https://test.com
Expected Results:
- GET → 200 OK
- POST → 200 OK
- PUT → 403 / 405
- DELETE → 403 / 405
- OPTIONS → 403 / 405
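Running the five curl commands by hand and reading the status lines works once, but the check is easier to repeat after every configuration change if it is scripted and compared against the expected results listed above. The script below is an added example for this page (not part of the original wiki article); it assumes curl is installed and takes the site URL as its first argument (for example https://test.com). The `-k` flag is kept from the commands above so the check also works with a self-signed certificate on a staging host.

```shell
#!/bin/sh
# Added example: probe HTTP methods against a hardened site and compare each
# observed status code with the outcome expected from the LimitExcept rules.

# Decide whether a status code is acceptable for a method.
# Allowed methods (GET, POST, HEAD) must answer 200; every other method must
# be refused with 403 (Require all denied) or 405 (method not allowed).
method_result() {
    method=$1
    status=$2
    case "$method" in
        GET|POST|HEAD)
            if [ "$status" = "200" ]; then echo PASS; else echo FAIL; fi
            ;;
        *)
            case "$status" in
                403|405) echo PASS ;;
                *)       echo FAIL ;;
            esac
            ;;
    esac
}

# Fetch only the numeric status code for one method.
# -s silences progress, -o discards the body, -w prints the code.
probe_method() {
    curl -k -s -o /dev/null -w '%{http_code}' -X "$1" "$2"
}

# Probe every method and print a one-line verdict per method.
# Returns non-zero if any method deviates from the expected behaviour.
check_methods() {
    url=$1
    rc=0
    for m in GET POST HEAD PUT DELETE OPTIONS TRACE; do
        code=$(probe_method "$m" "$url")
        result=$(method_result "$m" "$code")
        printf '%-8s %s %s\n' "$m" "$code" "$result"
        [ "$result" = PASS ] || rc=1
    done
    return $rc
}

# Usage: ./check-methods.sh https://test.com
if [ -n "$1" ]; then
    check_methods "$1"
fi
```

The exit status of `check_methods` makes the script usable from a deployment pipeline or a cron job: a non-zero exit means a method that should be blocked was accepted (or an allowed one was refused), which is the condition worth alerting on after a configuration change.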
Step 7: Functional Validation
Final functional validation should cover:
- Image upload testing
- Form submission testing
- Email delivery verification
Summary of Security Improvements
- Deny-by-default Apache configuration
- HTTP method restriction
- Script execution blocked in uploads directory
- Directory listing disabled
- Sensitive files protected
- Verified HTTPS enforcement
- Production validation completed