Computer Tips - Linux: lock down Apache webserver

Date: 2021nov15
OS: Linux
Product: Apache
Keywords: prevent break-ins, theft of service e.g. crypto mining

Q. Linux: lock down Apache webserver

A.
1. Disable/remove cgi-bin
In /etc/httpd/conf/httpd.conf

1a. Change:
ScriptAlias /cgi-bin "/var/www/cgi-bin"
To:
# ScriptAlias /cgi-bin "/var/www/cgi-bin"
1b. Change:
<Directory "/var/www/cgi-bin">
    AllowOverride None
    Options None
    Require all granted
</Directory>
To:
# <Directory "/var/www/cgi-bin">
#     AllowOverride None
#     Options None
#     Require all granted
# </Directory>
2. Make sure ExecCGI is *not* on the whole tree. It is not by default, but check anyhow. Change:
<Directory "/var/www/html">
    Options <other-options> ExecCGI
</Directory>
To:
<Directory "/var/www/html">
    Options <other-options>
</Directory>
If some folder requires it, only turn it on individually:
<Directory "/var/www/html/aaa/bbb/ccc">
    Options +ExecCGI
</Directory>
3. Disable UserDir
In file /etc/httpd/conf.d/userdir.conf
Ensure you have:
<IfModule mod_userdir.c>
    UserDir disabled
</IfModule>
4. For all virtual hosts, only allow POST and GET. There are many other HTTP methods that are rarely used. Of course don't do this if you need other methods:
<Location />
    <LimitExcept POST GET>
        Require all denied
    </LimitExcept>
</Location>
5. Some sneaky hackers might try to access your /etc/passwd or /bin/sh or other key files with
5a. So deny any location that starts with /. for all virtual sites:
<LocationMatch "\/\.">
    Require all denied
</LocationMatch>
# But Let's Encrypt uses .well-known so allow that.
# Later matching sections override earlier ones, so this goes after the deny.
<LocationMatch "/.well-known">
    Require all granted
</LocationMatch>
5b. 2E is the hexadecimal ASCII code for dot so bad guys try that too. Here is an actual message from my log from a Russian hacker:
[client] AH10244: invalid URI path (/cgi-bin/.%2e/.%2e/.%2e/.%2e/bin/sh)
So deny anything that starts with /%2e (case insensitive):
<LocationMatch "(?i)\/%2e">
    Require all denied
</LocationMatch>
Finally, reload Apache and make sure you didn't introduce any syntax errors:
systemctl reload httpd
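
A check for steps 1 to 3 that can be run before the reload, added here as an example (it is not the original author's code): it scans the config files passed to it for an active /cgi-bin ScriptAlias, ExecCGI on the document root, and a UserDir setting other than disabled. The function names, the DOCROOT value and the sample config are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the original page. DOCROOT, the function names and
# the sample config are assumptions / constructed for illustration.
DOCROOT=/var/www/html

# Prints one line per finding; exit status is the number of findings.
audit_httpd_conf() {
    awk -v docroot="$DOCROOT" '
    { line = $0; sub(/^[ \t]+/, "", line); low = tolower(line) }
    line == "" || line ~ /^#/ { next }        # commented-out directives are fine
    low ~ /^<directory[ \t]/ {                # remember the enclosing <Directory>
        dir = line; sub(/^<[^ \t]+[ \t]+/, "", dir); gsub(/[">]/, "", dir); next
    }
    low ~ /^<\/directory>/ { dir = ""; next }
    low ~ /^scriptalias[ \t]+\/cgi-bin/ {     # step 1: cgi-bin still mapped
        print FILENAME ":" FNR ": ScriptAlias /cgi-bin is still active"; n++
    }
    # step 2: ExecCGI (not -ExecCGI) on the document root or a parent of it
    low ~ /^options[ \t]/ && low ~ /[ \t][+]?execcgi([ \t]|$)/ &&
    dir != "" && index(docroot, dir) == 1 {
        print FILENAME ":" FNR ": ExecCGI enabled for whole tree " dir; n++
    }
    low ~ /^userdir[ \t]/ {                   # step 3: anything but "disabled"
        seen = 1
        if (low !~ /^userdir[ \t]+disabled[ \t]*$/) {
            print FILENAME ":" FNR ": UserDir not disabled: " line; n++
        }
    }
    END { if (!seen) { print "no UserDir directive found"; n++ }; exit n + 0 }' "$@"
}

# Constructed sample with three problems; the per-folder +ExecCGI is allowed.
write_sample_conf() {
    cat > "$1" <<'EOF'
ScriptAlias /cgi-bin "/var/www/cgi-bin"
<Directory "/var/www/html">
    Options Indexes ExecCGI
</Directory>
<Directory "/var/www/html/aaa/bbb/ccc">
    Options +ExecCGI
</Directory>
UserDir public_html
EOF
}

conf=$(mktemp); write_sample_conf "$conf"
audit_httpd_conf "$conf" || echo "findings: $?"
rm -f "$conf"
```

On a real server, call it as audit_httpd_conf /etc/httpd/conf/httpd.conf /etc/httpd/conf.d/*.conf; it does not follow Include directives, so pass every file you want checked.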