Here are just a few things to keep in mind when setting up Apache or running a quick security audit of an existing installation.
1. Turn off TRACE or TRACK Methods on Apache
TRACE is an HTTP debugging method: the server echoes the request it received, headers included, back in the response body, which lets you see what a chain of proxies did to the request. (TRACK is the Microsoft IIS equivalent; Apache does not implement it, but blocking both costs nothing.) A server that answers TRACE is exposed to cross-site tracing, dubbed XST: script running in a victim's browser issues a TRACE request to the site and reads the echoed headers, which leaks the Authorization header and cookies, including ones flagged HttpOnly that scripts otherwise cannot read (cf. http://www.apacheweek.com/issues/03-01-24). Current browsers refuse to send TRACE from XMLHttpRequest or fetch, so the attack mostly needs an older client or plugin, but TRACE serves no purpose on a production server and every scanner will flag it.
To disable the TRACE and TRACK methods with mod_rewrite, first make sure the module is loaded, then put

RewriteEngine On
RewriteCond %{REQUEST_METHOD} ^(TRACE|TRACK)
RewriteRule .* - [F]

in your vhost directives. The RewriteCond is what limits the rule to those two methods; a bare RewriteRule .* - [F] on its own would return 403 Forbidden for every request. Rewrite rules in the main server configuration are not inherited by virtual hosts unless you set RewriteOptions Inherit, so a vhost that lacks the rule still answers TRACE.
If you run Apache 1.3.34, 2.0.55, 2.2 or later, use the TraceEnable directive instead: TraceEnable off in the main server configuration applies to every vhost and does not depend on mod_rewrite. Either way, test it afterwards: a TRACE request should now get 403 (rewrite rule) or 405 Method Not Allowed (TraceEnable off) instead of a copy of itself.
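A quick way to verify the change from outside, as an added example (my own script, not part of the original post): send a TRACE request carrying a marker header and decide, from the raw response, whether the server echoed the request back. The decision logic is separate from the network call so it can be checked against a saved response. It assumes curl is installed; the header name x-xst-probe, the hostnames and the sample responses below are made up for the example.

```shell
#!/bin/sh
# Added example, not from the original post: probe a server for TRACE
# reflection, the precondition for cross-site tracing.

# trace_reflected MARKER  - reads a raw HTTP response (status line, headers,
# body) on stdin and succeeds only when it looks like a reflected TRACE:
# status 200, Content-Type: message/http, and our marker header echoed in
# the body. Anything else (403 from the rewrite rule, 405 from
# TraceEnable off, a redirect, a catch-all 200 page) counts as "not reflected".
trace_reflected() {
    tr -d '\r' | awk -v marker="$1" '
        NR == 1 && $2 != "200"                            { bad = 1 }
        tolower($0) ~ /^content-type:[ \t]*message\/http/ { ct = 1 }
        NR > 1 && index($0, marker) > 0                   { echoed = 1 }
        END { exit !(ct && echoed && !bad) }
    '
}

# trace_probe HOST [PORT]  - live check. The marker value changes per run so
# that a cached or canned page cannot produce a false positive.
trace_probe() {
    marker="x-xst-probe: $$-$(date +%s)"
    curl -s -i -X TRACE -H "$marker" "http://$1:${2:-80}/" \
        | trace_reflected "$marker"
}

# Constructed sample responses (not captured from a real server) so the
# decision logic can be exercised offline.
SAMPLE_REFLECTED='HTTP/1.1 200 OK
Date: Sat, 01 Jan 2011 00:00:00 GMT
Server: Apache
Content-Type: message/http

TRACE / HTTP/1.1
Host: www.example.invalid
User-Agent: curl/7.19.7
Accept: */*
x-xst-probe: 12345
Cookie: SESSIONID=secret
'

SAMPLE_DENIED='HTTP/1.1 405 Method Not Allowed
Date: Sat, 01 Jan 2011 00:00:00 GMT
Server: Apache
Allow: GET,HEAD,POST,OPTIONS
Content-Type: text/html; charset=iso-8859-1

<html><body><h1>Method Not Allowed</h1></body></html>
'

# Usage once saved as a script:  sh xst-probe.sh www.example.invalid 80
if [ "$#" -gt 0 ]; then
    if trace_probe "$@"; then
        echo "TRACE reflected by $1: XST possible"
    else
        echo "TRACE not reflected by $1"
    fi
fi
```

The marker header is the important part: a server that returns 200 with some generic page for unknown methods would otherwise be mistaken for one that reflects requests, so the check insists on both the message/http content type and the echoed marker.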
2. Disable UserDir
It is easy for an attacker to find out which local users exist on a system when UserDir is enabled (the default when mod_userdir is loaded on older releases, and still shipped that way by some distributions). A request for http://IP/~userA makes Apache look for /home/userA/public_html (or wherever your UserDir and home directory layout point). When the user exists but has no public_html directory, or the home directory is not accessible to the apache user, the status code Apache returns (typically 403) can differ from the one returned for a user that does not exist at all (404), which is enough to confirm that the account is real.
The valid usernames collected this way can then be fed to an SSH brute-force attack, for example. Unless you actually serve per-user content, turn the feature off with UserDir disabled (or do not load mod_userdir at all). If you do need it, start from UserDir disabled and list the accounts allowed to publish with UserDir enabled, rather than leaving it open for every account on the box.
3. Disable SSL2
When setting up HTTPS, disable SSLv2 (and, on any installation built today, SSLv3 as well: it was broken by the POODLE attack in 2014 and is deprecated). SSLv2 suffers from several cryptographic flaws, spelled out in RFC 6176: its handshake is not integrity-protected, so a man-in-the-middle can roll back the negotiated cipher suite to the weakest one both sides support; it uses the same key for encryption and message authentication; its MAC is built on MD5; and its export suites use 40-bit keys that are trivially brute-forced. Set SSLProtocol so that only TLS is offered; enabling SSLv3 instead, as was common advice when SSLv2 was retired, is no longer acceptable.
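As an added example (mine, not from the original post), here is a mod_ssl vhost fragment with the weak setting next to the corrected one. The cipher list and the certificate paths are assumptions for a 2.2/2.4 server with a reasonably current OpenSSL; the exact list you want depends on the clients you must support.

```apache
<VirtualHost *:443>
    ServerName www.example.invalid
    SSLEngine on

    # Weak: on builds whose OpenSSL still has SSLv2, "all" includes it,
    # and on every build it includes SSLv3.
    # SSLProtocol all

    # Corrected: offer TLS only. On Apache 2.4.36+ with OpenSSL 1.1.1 you can
    # go further with: SSLProtocol -all +TLSv1.2 +TLSv1.3
    SSLProtocol all -SSLv2 -SSLv3

    # Let the server, not the client, pick the suite, and drop the weak ones.
    SSLHonorCipherOrder on
    SSLCipherSuite HIGH:!aNULL:!eNULL:!MD5:!RC4:!3DES:!EXPORT

    SSLCertificateFile    /etc/pki/tls/certs/www.example.invalid.crt
    SSLCertificateKeyFile /etc/pki/tls/private/www.example.invalid.key
</VirtualHost>
```

Verify from a client with openssl s_client -connect host:443 -ssl3 (and -ssl2 where your OpenSSL build still has the option): the handshake must fail. Recent OpenSSL releases have dropped both options entirely, which is one more reason a server still offering them is only talking to legacy clients and attackers.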
4. Hide Apache’s version number
This one is often overlooked. Don't give away more than necessary about your server configuration, and in particular about your Apache version and loaded modules: by default the Server response header and the footer of Apache-generated pages (error pages, directory listings) advertise both, which lets an attacker match your version against public vulnerability lists without any guessing.
Set ServerSignature Off and ServerTokens Prod in the main configuration. ServerTokens Prod reduces the Server header to just "Apache"; ServerSignature Off removes the version line from server-generated pages. Keep in mind this is obscurity, not a fix: it removes the easy fingerprint, but an unpatched server is still unpatched, and behaviour-based fingerprinting still works. Compare the Server header before and after the change (curl -I will show it) to confirm the directives took effect.
5. Apache’s conf and binaries permissions
Make sure only root can read and modify Apache's configuration (/etc/httpd on RedHat/CentOS, i.e. httpd.conf and the files under conf.d) and the httpd binaries and modules (/usr/sbin/httpd, /etc/httpd/modules). httpd is started as root, reads its configuration and TLS private keys, then drops to the unprivileged apache user for the worker processes, so the worker user needs no access to either; a configuration file or binary writable by that user, on the other hand, is a direct path from the web server's account to root at the next restart.
chown -R root:root /etc/httpd
chmod -R o-rwx /etc/httpd
o-rwx removes access for "other" only; since the group is root as well after the chown, this leaves root as the only account with access. chmod -R does not follow the symbolic links that RedHat puts under /etc/httpd (logs, modules, run), so check the targets too. The binaries and modules are normally installed 0755 and root-owned by the package manager; they must at least not be writable by anyone but root, and since only root starts the daemon nothing breaks if you remove read access for others as well.
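Pulling the five items together, here is a small audit script as an added example (mine, not from the original post) that checks a configuration tree for the directives above and for permissive ownership or modes. It assumes the RedHat layout the post refers to (/etc/httpd, *.conf files) and that the directives live in the main config or conf.d rather than in .htaccess; the script name apache-audit.sh is made up, and a throwaway configuration can be constructed to exercise the checks without a server.

```shell
#!/bin/sh
# Added example, not from the original post: static audit of an Apache
# configuration tree for the five items above. Each check_* function prints
# PASS/FAIL with a reason and returns 0/1 so it can drive other scripts.

# Effective value of a directive: the last non-comment occurrence across all
# *.conf files under the tree (later occurrences override earlier ones).
# Caveat: this does not follow Include paths or per-vhost scoping.
directive() {   # directive NAME CONF_TREE
    find "$2" -name '*.conf' -type f -exec cat {} + 2>/dev/null \
      | sed 's/#.*//' \
      | awk -v want="$1" '
            tolower($1) == tolower(want) { $1 = ""; sub(/^[ \t]+/, ""); val = $0 }
            END { print val }'
}

lower() { echo "$1" | tr 'A-Z' 'a-z'; }

check_trace() {
    v=$(directive TraceEnable "$1")
    case "$(lower "$v")" in
        off) echo "PASS TraceEnable off"; return 0 ;;
        *)   echo "FAIL TraceEnable is '${v:-unset, default on}'"; return 1 ;;
    esac
}

check_userdir() {
    v=$(directive UserDir "$1")
    # Only a bare "disabled" turns the feature off for everyone;
    # "disabled root" or "public_html" leave it active.
    case "$(lower "$v")" in
        disabled) echo "PASS UserDir disabled"; return 0 ;;
        *)        echo "FAIL UserDir is '${v:-unset}'"; return 1 ;;
    esac
}

check_sslprotocol() {
    v=$(directive SSLProtocol "$1")
    [ -z "$v" ] && { echo "FAIL SSLProtocol not set, defaults to all"; return 1; }
    has_all=0; minus2=0; minus3=0; plus_old=0
    for tok in $v; do
        case "$(lower "$tok")" in
            all|+all)                  has_all=1 ;;
            -sslv2)                    minus2=1 ;;
            -sslv3)                    minus3=1 ;;
            sslv2|+sslv2|sslv3|+sslv3) plus_old=1 ;;
        esac
    done
    # "all" is only acceptable when both old protocols are explicitly removed.
    if [ $plus_old = 1 ] || { [ $has_all = 1 ] && [ "$minus2$minus3" != 11 ]; }; then
        echo "FAIL SSLProtocol '$v' still allows SSLv2 and/or SSLv3"; return 1
    fi
    echo "PASS SSLProtocol '$v'"; return 0
}

check_tokens() {
    t=$(lower "$(directive ServerTokens "$1")")
    s=$(lower "$(directive ServerSignature "$1")")
    rc=0
    [ "$t" = prod ] || { echo "FAIL ServerTokens is '${t:-unset, default Full}'"; rc=1; }
    # The compiled-in default is Off, but distribution configs usually set it On,
    # so insist on an explicit Off.
    [ "$s" = off ]  || { echo "FAIL ServerSignature is '${s:-unset}'"; rc=1; }
    [ $rc = 0 ] && echo "PASS ServerTokens Prod, ServerSignature Off"
    return $rc
}

# Files under the tree not owned by OWNER (default root) or granting any
# access to "other". Symlinks are skipped: their mode is always 777 and the
# target lives elsewhere (e.g. /var/log/httpd), audit those separately.
check_perms() {   # check_perms CONF_TREE [OWNER]
    owner="${2:-root}"
    bad=$(find "$1" ! -type l \( ! -user "$owner" -o -perm -004 -o -perm -002 -o -perm -001 \) 2>/dev/null)
    if [ -n "$bad" ]; then
        echo "FAIL files under $1 not private to $owner:"; echo "$bad"; return 1
    fi
    echo "PASS $1 is private to $owner"; return 0
}

audit_apache() {   # audit_apache [CONF_TREE] [OWNER]
    tree="${1:-/etc/httpd}"; rc=0
    check_trace "$tree"              || rc=1
    check_userdir "$tree"            || rc=1
    check_sslprotocol "$tree"        || rc=1
    check_tokens "$tree"             || rc=1
    check_perms "$tree" "${2:-root}" || rc=1
    return $rc
}

# Usage:  sh apache-audit.sh /etc/httpd     (exit status 0 only when all pass)
if [ "$#" -gt 0 ]; then
    audit_apache "$@"
fi
```

The directive lookup deliberately takes the last occurrence, mirroring how Apache lets a later directive override an earlier one in the same scope, but it is a flat text scan: a TraceEnable off inside one VirtualHost block will satisfy it even though other vhosts stay open, so treat a PASS as "nothing obviously wrong" and a FAIL as something to fix.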