My previous article focused on basic security tips and tricks for securing an Apache web server on Ubuntu.
Here I am going to show you some advanced security tips and tricks for securing an Apache web server.
Secure Apache From Clickjacking Attack
Clickjacking is a well-known web vulnerability, also known as a “UI redress attack.” It is a malicious technique an attacker uses to hijack a victim’s clicks. The name combines the words “click” and “hijacking”: the attacker frames or overlays the target page so that a user who believes they are clicking on something harmless actually clicks on a hidden element the attacker has chosen, performing the malicious action on their behalf.
To secure your Apache web server from a clickjacking attack, send the “X-Frame-Options” response header, which tells the browser whether the page may be placed in a frame.
You can do this by editing the “apache2.conf” file.
Add the following line inside the <Directory /var/www/html/> block:
Save the file and restart Apache.
Now, open a web browser and access your web server. Check the HTTP response headers in Firebug; you should see X-Frame-Options, as shown in the image below.
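The directive this section refers to, written out as an added example (it is not the article's own snippet): it assumes the document root is /var/www/html/ as above and that mod_headers has been enabled with sudo a2enmod headers.

```apache
# Added example (not the article's snippet): send X-Frame-Options for everything
# under the document root. Needs mod_headers: sudo a2enmod headers
<Directory /var/www/html/>
    # SAMEORIGIN lets the site frame its own pages; DENY forbids framing entirely.
    # "always" also attaches the header to error responses (403, 404, ...).
    Header always set X-Frame-Options "SAMEORIGIN"
    # Modern browsers honour the CSP frame-ancestors directive in preference to
    # X-Frame-Options; sending both covers old and new browsers.
    Header always set Content-Security-Policy "frame-ancestors 'self'"
</Directory>
```

Run sudo apache2ctl configtest before restarting so a typo does not take the server down, then check the result from the shell with curl -sI http://localhost/ | grep -i -e x-frame-options -e content-security-policy. If you already send a Content-Security-Policy header from the application, add frame-ancestors to that policy instead of sending a second header, because a browser enforces every CSP header it receives.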
Disable Etag
ETags, also known as “Entity Tags,” are a known information-disclosure issue in Apache. Depending on how they are generated, the ETag header can reveal details such as a file’s inode number, child process IDs, and multipart MIME boundaries to remote users. It is recommended to disable ETags.
Now, open a web browser and access your web server. Check the HTTP response headers in Firebug; you should not see an ETag header at all.
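An added example of the configuration this section describes (not the article's own snippet), again assuming the document root /var/www/html/ and mod_headers enabled:

```apache
# Added example (not the article's snippet): stop Apache generating ETags for
# static files and strip any ETag header that still reaches the response.
<Directory /var/www/html/>
    # None: no ETag is produced for files served from this directory.
    # (Apache 2.4 defaults to "MTime Size", so the inode leak the article
    # describes only occurs when INode has been configured explicitly.)
    FileETag None
</Directory>
# Catches ETags produced by backends or modules rather than the core file handler.
Header unset ETag
```

Restart Apache and confirm with curl -sI http://localhost/ | grep -i etag, which should print nothing. Note the trade-off: without ETags, browsers can no longer use If-None-Match revalidation, but the Last-Modified / If-Modified-Since mechanism still works, so static-file caching is not lost.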
Disable Old Protocol
The old HTTP protocol (HTTP 1.0) has security weaknesses related to session hijacking and clickjacking attacks. It is recommended to disable the old protocol.
You can disable it with a “mod_rewrite” rule that allows only the HTTP 1.1 protocol.
For this, edit the “apache2.conf” file.
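The rewrite rule this section refers to, as an added example rather than the article's own snippet; it assumes mod_rewrite is enabled with sudo a2enmod rewrite and is placed in server or virtual-host context in apache2.conf:

```apache
# Added example (not the article's snippet): reject any request line that does
# not end in HTTP/1.1. Needs mod_rewrite: sudo a2enmod rewrite
RewriteEngine On
# THE_REQUEST holds the raw request line, e.g. "GET /index.html HTTP/1.0".
RewriteCond %{THE_REQUEST} !HTTP/1\.1$
# "-" leaves the URL unchanged; [F] answers with 403 Forbidden.
RewriteRule .* - [F]
```

Two caveats before enabling this: some load-balancer health checks and older monitoring tools still send HTTP/1.0 and will start receiving 403 responses, so check your access log for HTTP/1.0 clients first; and if mod_http2 is enabled, THE_REQUEST reports HTTP/2.0 for those connections, so widen the pattern to !HTTP/(1\.1|2\.0)$ or HTTP/2 clients will be rejected as well.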
HTTP Request Methods
On Ubuntu, the HTTP 1.1 protocol supports many request methods, such as OPTIONS, GET, HEAD, POST, PUT, DELETE, TRACE and CONNECT, most of which a typical site does not need. It is recommended to allow only the HEAD, POST and GET request methods.
To fix this, edit the Apache configuration file.
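An added example of how to restrict the allowed methods (not the article's own snippet), assuming Apache 2.4 (the Require syntax) and the document root /var/www/html/:

```apache
# Added example (not the article's snippet): permit only GET, HEAD and POST
# under the document root; every other method receives 403 Forbidden.
<Directory /var/www/html/>
    <LimitExcept GET POST HEAD>
        Require all denied
    </LimitExcept>
</Directory>
# TRACE is not covered by <Limit>/<LimitExcept>; it has its own directive.
TraceEnable off
```

After restarting, curl -sI -X PUT http://localhost/ should return 403, while a plain GET still works. Prefer <LimitExcept> over <Limit> for this purpose: <LimitExcept> denies everything you did not list, so a method you forgot about (or a non-standard one) is blocked by default rather than allowed.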
Secure Apache from an XSS Attack
XSS (also known as Cross-site Scripting) is one of the most common application-layer vulnerabilities. It allows an attacker to inject code into pages served by the target web server so that it runs in a user’s web browser. Attackers exploit an XSS-vulnerable web server using browser-side scripting (JavaScript), so it is recommended to enable XSS protection on Apache.
You can do this by editing the Apache configuration file.
Now, open a web browser and access your web server. Check the HTTP response headers in Firebug; you should see the X-XSS-Protection header, as shown in the image below.
Protect Cookies with HTTPOnly Flag
A cookie carrying the HttpOnly flag cannot be read by client-side script, and a cookie carrying the Secure flag is only sent over HTTPS connections. It is recommended to set both the “HttpOnly” and “Secure” flags on cookies. This will protect your Apache web server from common attacks such as XSS-based cookie theft, other cookie attacks, and cookie injection.
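An added example (not the article's own snippet) covering both the XSS section and the cookie section above, since both rely on mod_headers (sudo a2enmod headers). It assumes it is placed in the HTTPS virtual host, because a Secure cookie set over plain HTTP will never be returned by the browser:

```apache
# Added example (not the article's snippet): browser-side protection headers.
# Needs mod_headers: sudo a2enmod headers

# Legacy browser XSS filter. Modern browsers have removed this filter and
# ignore the header, so a Content-Security-Policy is sent alongside it.
Header always set X-XSS-Protection "1; mode=block"
# Minimal policy: scripts, styles and other resources only from this origin.
# Tighten or loosen to match what the site actually loads.
Header always set Content-Security-Policy "default-src 'self'"

# Append HttpOnly and Secure to every Set-Cookie header in the response.
# Assumes the application does not already add these flags itself; if it
# does, the flag is duplicated, which browsers tolerate but is untidy.
Header always edit Set-Cookie ^(.*)$ "$1; HttpOnly; Secure"
```

Verify with curl -sI https://localhost/ and check that X-XSS-Protection, Content-Security-Policy and any Set-Cookie lines now carry the expected values. Test the CSP with the browser developer console open: a policy that is too strict shows up immediately as blocked inline scripts or third-party resources, which is far easier to diagnose before deployment than after.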
Conclusion
I hope that you have enough knowledge now to secure your Apache web server from various kinds of attacks. If you have any questions feel free to comment below.