The default security of a web server usually prioritizes compatibility over protection. Hardening involves reducing the attack surface by disabling unnecessary modules, hiding system information, and mitigating common web vectors. Below, we explore the three configuration pillars in a LAMP stack.
Connection timeouts (/etc/apache2/apache2.conf):

Timeout 60
KeepAlive On
MaxKeepAliveRequests 100
KeepAliveTimeout 5

Timeout caps how long Apache waits for a client to finish sending a request or to accept a response; the Debian/Ubuntu packaged apache2.conf ships it at 300 seconds. A lower Timeout together with a short KeepAliveTimeout limits how long a slow or idle client can hold a worker process, which blunts slow-request floods such as Slowloris (mod_reqtimeout, enabled by default on Debian, enforces the same idea per request phase).
Apache should deny access to the filesystem root (/) by default and only grant access to the document root, /var/www/html. With the root denied, files outside the document root stay unreachable even if an Alias or a symlink happens to point at them.
<Directory />
Options FollowSymLinks
AllowOverride None
Require all denied
</Directory>
<Directory /var/www/html>
# The minus sign removes Indexes (directory listing) while keeping FollowSymLinks;
# AllowOverride None below stops a .htaccess file from turning it back on
Options -Indexes +FollowSymLinks
AllowOverride None
Require all granted
</Directory>
# BAD: Shows "Apache/2.4.41 (Ubuntu)" in the Server header and on error pages.
# This is what the Debian/Ubuntu package ships in conf-available/security.conf.
ServerTokens OS
ServerSignature On
# GOOD: The Server header only shows "Apache" and error pages carry no version footer
ServerTokens Prod
ServerSignature Off
# Disable the TRACE method (cross-site tracing); Apache's built-in default is On
TraceEnable Off
Scenario: a vulnerability scanner has just torn apart our staging environment. The report shows directory listing enabled, OS version leakage, and PHP command execution. As the sysadmin, audit and patch the configuration files before the production deployment.

The response headers below need mod_headers (a2enmod headers) and can live in the virtual host or in conf-available/security.conf.

# Prevent Clickjacking
# No colon after the header name; "always" also covers error responses (4xx/5xx), which plain "set" skips
Header always set X-Frame-Options "SAMEORIGIN"
# Prevent MIME Sniffing
Header always set X-Content-Type-Options "nosniff"
# HSTS: set this only in the HTTPS virtual host, and only once every subdomain is served over TLS,
# because includeSubDomains pins all of them for the full max-age (two years here)
Header always set Strict-Transport-Security "max-age=63072000; includeSubDomains"
; php.ini (on Debian/Ubuntu: /etc/php/<version>/apache2/php.ini). Comments here use ";" because
; "#"-style comments were removed from ini parsing in PHP 7.0
; Hide the "X-Powered-By" header
expose_php = Off
; NEVER display errors in production: stack traces leak paths, queries and credentials
display_errors = Off
log_errors = On
; Only built-in functions can be listed; eval is a language construct and cannot be disabled.
; Aliases are separate entries, so show_source does not cover highlight_file.
; curl_exec breaks most apps that call external APIs; keep it only if nothing on the host needs it.
disable_functions = exec, passthru, shell_exec, system, proc_open, popen, curl_exec, show_source
; Reject uninitialized session IDs (session fixation), never read the ID from the URL,
; keep the cookie away from JavaScript, and send it over HTTPS only
session.use_strict_mode = 1
session.use_only_cookies = 1
session.cookie_httponly = 1
session.cookie_secure = 1
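As an added example (not code from the page), the following Python script audits Apache and php.ini configuration text for the settings covered above: ServerTokens, ServerSignature and TraceEnable, Indexes in Directory blocks, the three response headers with a minimum HSTS max-age, the php.ini error and session flags, and the shell-spawning functions that disable_functions must list. It parses the configuration text directly, so it runs offline; the staging fragments embedded in it are constructed for the example and are not real files. The Apache parser is a deliberate simplification: it does not follow Include directives and does not model inheritance of relative Options from enclosing blocks, and unset php.ini keys are reported rather than assumed safe because PHP's built-in defaults differ from php.ini-production.

```python
"""Audit Apache and php.ini text for the hardening baseline described on this page."""
import re

APACHE_DEFAULT = {"servertokens": "full", "serversignature": "off", "traceenable": "on"}  # applied when absent
APACHE_EXPECT = {"servertokens": "prod", "serversignature": "off", "traceenable": "off"}
REQUIRED_HEADERS = {"x-frame-options": ("sameorigin", "deny"), "x-content-type-options": ("nosniff",)}
# php.ini targets normalised to "1"/"0"; php.ini itself accepts On/Off, 1/0, yes/no, true/false.
PHP_EXPECT = {"expose_php": "0", "display_errors": "0", "log_errors": "1",
              "session.use_strict_mode": "1", "session.use_only_cookies": "1",
              "session.cookie_httponly": "1", "session.cookie_secure": "1"}
_BOOL = {"on": "1", "true": "1", "yes": "1", "off": "0", "false": "0", "no": "0", "none": "0", "": "0"}
# Functions that hand an attacker a shell. eval() is a language construct, not a function,
# so disable_functions cannot remove it: this check is a mitigation, not a sandbox.
SHELL_FUNCS = {"exec", "passthru", "shell_exec", "system", "proc_open", "popen"}

def parse_apache(text):
    """Return (global directives, [(path, directives)], headers); later directives win."""
    global_, blocks, headers, current = {}, [], {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if m := re.match(r'<Directory\s+"?([^">]+?)"?\s*>$', line, re.I):
            current = {}
            blocks.append((m.group(1), current))
        elif re.match(r"</Directory\s*>$", line, re.I):
            current = None
        # Header [always] set Name[:] "value"; mod_headers tolerates the trailing colon.
        elif hm := re.match(r'Header\s+(?:always\s+)?set\s+([\w-]+):?\s+"?([^"]*)"?', line, re.I):
            headers[hm.group(1).lower()] = hm.group(2).strip()
        else:
            parts = line.split(None, 1)
            (global_ if current is None else current)[parts[0].lower()] = parts[1] if len(parts) > 1 else ""
    return global_, blocks, headers

def audit_apache(text):
    """Return (setting, observed, expected) tuples for each deviation from the baseline."""
    global_, blocks, headers = parse_apache(text)
    findings = []
    for name, want in APACHE_EXPECT.items():
        got = global_.get(name, APACHE_DEFAULT[name])
        if got.lower() != want:
            findings.append((name, got, want))
    for path, d in blocks:
        # "Indexes", "+Indexes" and "All" all enable listings (inheritance of relative
        # options from enclosing blocks is not modelled).
        opts = {t.lower() for t in d.get("options", "").split()}
        if opts & {"indexes", "+indexes", "all", "+all"}:
            findings.append((f"Options in <Directory {path}>", "Indexes enabled", "-Indexes"))
    for hdr, allowed in REQUIRED_HEADERS.items():
        got = headers.get(hdr, "<missing>")
        if got.lower() not in allowed:
            findings.append((hdr, got, "|".join(allowed)))
    hsts = headers.get("strict-transport-security", "<missing>")
    age = re.search(r"max-age=(\d+)", hsts)
    if not age or int(age.group(1)) < 31536000:  # one year is the usual floor
        findings.append(("strict-transport-security", hsts, "max-age>=31536000"))
    return findings

def parse_ini(text):
    """Minimal php.ini reader: key = value, ';' comments, [sections] skipped."""
    ini = {}
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()
        key, sep, value = line.partition("=")
        if sep and not line.startswith("["):
            ini[key.strip().lower()] = value.strip().strip('"')
    return ini

def audit_php(text):
    """Return (setting, observed, expected) tuples for php.ini deviations from the baseline."""
    ini = parse_ini(text)
    findings = []
    for key, want in PHP_EXPECT.items():
        got = ini.get(key, "<unset>")  # unset is reported, not assumed safe: built-in defaults differ
        if _BOOL.get(got.lower(), got.lower()) != want:
            findings.append((key, got, want))
    disabled = {f.strip().lower() for f in ini.get("disable_functions", "").split(",")}
    for fn in sorted(SHELL_FUNCS - disabled):
        findings.append(("disable_functions", f"{fn} callable", f"add {fn}"))
    return findings

# Constructed sample input (not real files): the staging box from the scenario above.
STAGING_APACHE = """ServerTokens OS
ServerSignature On
<Directory /var/www/html>
    Options Indexes FollowSymLinks
    AllowOverride All
    Require all granted
</Directory>
"""
STAGING_PHP = """expose_php = On
display_errors = On
disable_functions =
"""

if __name__ == "__main__":
    for setting, got, want in audit_apache(STAGING_APACHE) + audit_php(STAGING_PHP):
        print(f"{setting}: found {got!r}, want {want}")
```

Run it against the real files (for example the output of `apache2ctl -t -D DUMP_INCLUDES` to see which files are loaded, and `/etc/php/<version>/apache2/php.ini`) to get the list a scanner would otherwise produce for you; checking the static text is cheap, but confirm the live result with `curl -sI` against the server and `php -r 'var_dump(ini_get("disable_functions"));'` under the same SAPI, since a stray Include or a later php.ini override can undo any of these settings.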