Securing apache

Some notes on securing apache..

A few key points

  • Disable access to .
  • Disable banner
  • disabled PHP functions
  • Slow dos mitigation (link)

Disable access to .
https://stackoverflow.com/questions/4352737/apache-configuration-regex-to-disable-access-to-files-directories-beginning-wit

<filesmatch "^\.ht">
Order allow,deny
Deny from all

<filesmatch “^\.”>
Order allow,deny
Deny from all

<directorymatch “^\.|\/\.”>
Order allow,deny
Deny from all

Disable banner
http://www.ducea.com/2006/06/15/apache-tips-tricks-hide-apache-software-version/

Usually found in /etc/apache/conf-enabled/security.conf

Disable PHP functions
https://www.cyberciti.biz/faq/linux-unix-apache-lighttpd-phpini-disable-functions/

disable_functions =exec,passthru,shell_exec,system,proc_open,popen,pcntl_exec,curl_exec,curl_multi_exec,parse_ini_file,show_source,phpinfo,eval,assert,create_function

Slow DOS mitigation
http://www.farhanfaisal.com/slow-http-dos-verify-and-mitigate/