Apache Web Server Hardening

By Ermin

In this course, learn about Apache web server hardening and why it plays a crucial part in the process of running a web server.

19 hours
  • 64 Lessons
  • 16 Hands-On Labs

About the course

In this course, we teach Apache web server hardening and cover what web server hardening is and why it plays a crucial part in running a web server. We go over several configurations we can perform to help secure our Apache web server as much as possible. In addition, we talk about the different kinds of vulnerabilities Apache is susceptible to. Apache HTTP Server is a free, open-source web server that runs approximately 45% of today’s websites, which is why learning how to secure it properly is extremely important.

Web servers are in many cases located at the edges of networks, so they are exposed to attacks more frequently than other parts of networks. Web servers are always targeted with requests, both manually and automatically, through scripts. At the beginning of this course, we provide an introduction to web server hardening and teach how to properly install and configure an Apache server. All steps are performed on Centos7, but we could use the same commands for other Linux operating systems. Keep in mind that the installation process is precisely where the process of server hardening begins. It is very important to conduct a proper installation and configuration in order to protect the server and make it less vulnerable. Remember that the default settings are easily bypassed.

Moreover, we also cover how to configure a firewall correctly. We share some basic firewalld concepts and terms like:

  • zones
  • instances
  • firewalld commands
  • blacklists

Subsequently, we present several other topics. For example, we dive into Security-Enhanced Linux (SELinux) and see why it is important to use it with Apache and how it benefits us. SELinux represents mandatory access controls (MAC), allowing fine-grain access controls for resources such as files, devices, networks, and inter-process communication. In many cases, administrators disable SELinux because it causes complications with Apache, and there is not enough time to configure everything correctly in the system. This usually results in decreased security.

Some practical skills this course imparts are how to create automated scripts, manage apache directory access, perform log examination, and exploit a server using a well-known vulnerability: ShellShock. Automated scripts enable us to automatically perform server and SELinux checks, which is necessary when handling thousands or even millions of Apache instances at once. We create our own automated script for our needs, but we can always incorporate scripts written by others as well. We also create a capture file using the tcdump tool so we can recognize if there’s anything suspicious going on in the system. If something suspicious is detected, we will then inspect the traffic in Wireshark.

We also cover information over logs. Logging is essential in any system. We share how to configure our own log level for both general and specific traffic. By the end of this course, you will have a better understanding of the Apache server and be more aware of the dangers it’s exposed to. You will also be able to set up and configure various parts of the system more securely, as well as search for potential threats.

Course Diagram

  • Chapter 1 5 Lessons Getting Started 20:15

    An Important Note About A Cloud Guru and Linux Academy Courses

    1:19

    Course Introduction

    8:23

    About the Training Architect

    1:56

    How to Get Help

    3:16

    Prerequisites

    5:21
  • Chapter 2 10 Lessons Secure Access to the Apache Server 52:22

    General Configuration and Setup Part 1

    9:33

    General Configuration and Setup Part 2

    9:37

    General Configuration and Setup Part 3

    14:39

    Securing Access to the Apache Web Server OS Part 1

    7:27

    Securing Access to the Apache Web Server OS Part 2

    11:06

    Install Apache Web Server and Perform the Initial Firewall Configuration

    0:00 Hands-On Lab

    Download and configure web application frontend

    0:00 Hands-On Lab

    Configure a Back End for a Web Application

    0:00 Hands-On Lab

    Change SSH Port from 22 to 61613

    0:00 Hands-On Lab

    Configuring Key-Based Authentication

    0:00 Hands-On Lab
  • Chapter 3 7 Lessons Apache Exploits, Attack Vectors, and Automation 1:32:32

    Vulnerability Scans and Cloud Provider Policies Part 1

    7:50

    Vulnerability Scans and Cloud Provider Policies Part 2

    8:39

    Vulnerability Scans and Cloud Provider Policies Part 3

    14:10

    Apache Exploits and Attack Vectors Overview Part 1

    17:25

    Apache Exploits and Attack Vectors Overview Part 2

    22:23

    Writing Automated Scripts

    22:05

    Write an Automated Script to Perform a Vulnerability Scan and Log the Results

    0:00 Hands-On Lab
  • Chapter 4 8 Lessons Firewall 1:20:26

    Firewall Configuration Part 1

    9:01

    Firewall Configuration Part 2

    13:03

    Firewall Configuration Part 3

    16:11

    Firewall Configuration Part 4

    11:10

    Firewall Configuration Part 5

    18:14

    Firewall Configuration Part 6

    12:47

    Initial Firewall Configuration

    0:00 Hands-On Lab

    Create a Blacklist

    0:00 Hands-On Lab
  • Chapter 5 8 Lessons SELinux 52:27

    SELinux Configuration Part 1

    9:46

    SELinux Configuration Part 2

    15:22

    SELinux Configuration Part 3

    13:18

    SELinux Configuration Part 4

    14:01

    Rotate Between_3 SELinux Modes

    0:00 Hands-On Lab

    Change Apache port and give it a proper SELinux label

    0:00 Hands-On Lab

    Change DocumentRoot of the Apache Web Server

    0:00 Hands-On Lab

    Convert SELinux Log File with sealert and Find Entries for HTTP in the Log File

    0:00 Hands-On Lab
  • Chapter 6 6 Lessons Apache Modules 31:02

    Module Management

    7:16

    Mod_Security Part 1

    8:56

    Mod_Security Part 2

    8:57

    Mod_Evasive

    5:53

    Configure ModSecurity

    0:00 Hands-On Lab

    Configure Mod Evasive

    0:00 Hands-On Lab
  • Chapter 7 4 Lessons Apache Directory Access 23:07

    Directory Access Part 1

    10:23

    Directory Access Part 2

    5:09

    Directory Access Part 3

    7:35

    Configure Directory and File Access and Add Basic Authentication

    0:00 Hands-On Lab
  • Chapter 8 15 Lessons Check List 1:44:35

    Apache Logs Part 1

    11:11

    Apache Logs Part 2

    7:25

    Apache Logs Part 3

    7:06

    Encryption Configuration Part 1

    8:18

    Encryption Configuration Part 2

    8:01

    Encryption Configuration Part 3

    9:42

    Encryption Configuration Part 4

    12:44

    DDoS Protection and Server Side Includes (SSI) Part 1

    14:25

    DDoS Protection and Server Side Includes (SSI) Part 2

    4:19

    Server Banner and Entity Tag (ETag)

    4:11

    HTTP Request Methods

    3:43

    Setting Up Cookie with `HttpOnly` and `Secure` Flag and X-XSS Protection

    2:19

    The Clickjacking Attack

    4:57

    Disabling HTTP 1.0 Protocol, HTTP Trace, Apache Following of Symbolic Links and `HostnameLookups`

    6:14

    Hiding Apache Data and Implementing Safeguards

    0:00 Hands-On Lab
  • Chapter 9 1 Lesson Final Steps 6:06

    What's Next?

    6:06

What you will need

  • * Basic previous knowledge and experience working with Apache Web Server. * Basic previous knowledge and experience working with Bash scripts. * Basic understanding of firewalls. * Basic understanding of mandatory and discretionary access controls.

What are Hands-on Labs

What's the difference between theoretical knowledge and real skills? Practical real-world experience. That's where Hands-on Labs come in! Hands-on Labs are guided, interactive experiences that help you learn and practice real-world scenarios in real cloud environments. Hands-on Labs are seamlessly integrated in courses, so you can learn by doing.

Get Started
Who’s going to be learning?
Sign In
Welcome Back!

Psst…this one if you’ve been moved to ACG!