Apache Web Server Security Tips for Debian-based Systems


Apache is one of the most widely spread Open Source web server for web hosting in Internet due to its stability, robustness and rich variety of modules and features. Due to its popularity, Apache comes with pre-build binary packages for almost all major Linux distributions and can also be installed on other Operating Systems such as Unix, Windows, Mac OSX, BSD etc.

However, a basic installation of Apache on Linux systems, by default, doesn’t offer a full protection against attackers, so a few security measures must be taken in order to protect your machines, web servers and web documents against such types of malicious attacks.

This article will provide you a few tips on how you can secure and protect Apache Web Server installed on Debian-based Linux distributions.


Before starting to enumerate and use the security tips, first we need to run a few commands in order to get an inside on how Apache software is compiled and works on the system, what version of the server with what modules are installed and what modules and Virtual Hosts are actively.

– View Apache Version

In order to get Apache short version run the following command:

apachectl -v

For an exhaustive view of Apache build-in options run the following command:

apachectl -V
apache version and build options

apache version

– View Apache Configuration

To see Apache webroot path, enabled Virtual Hosts, PidFile and other useful information run the below command:

apachectl -S
apache configuration

apache configuration

– View Apache Active Modules

To view all the Apache loaded modules at runtime issue the following command:

apachectl -M
loaded apache modules

loaded apache modules

To disable an Apache activated module issue the following command:

sudo a2dismod [TAB] module_name


Armed with all this knowledge about how Apache is build and runs on your system, it’s time to proceed with software enforcement by covering the following tips best suited for your environment.

1. Disable Apache Version and Server Signature

By default, whenever a HTTP request comes to Apache by whatever methods, the web server automatically displays its installed Version and the Operating System name as illustrated in the below screenshot, making it more easily for attackers to exploit server and system vulnerabilities known for that specifically version number.

view apache version

view apache version

In order to hide this type of information for outside request, open Apache security.conf file and change the ServerSignature statement from On to Off and, also, change the ServerTokens statement to Prod. Use the below screenshot as a guide.

sudo nano /etc/apache2/conf-enabled/security.conf

security.conf modified statements:

ServerTokens Prod
ServerSignature Off

hide apache version

hide apache version


After you have made all the above changes, restart Apache daemon to reflect changes and use a browser to test the configuration by directing it to a URL non-existent path at your server’s IP Address or domain, such as http://server-ip/test (where the test resource doesn’t exist on webroot path)

sudo service apache2 restart
test apache version

test apache version

In order to test the ServerSignature changes from command line use a utility such as wget, telnet or curl as in the below examples:

– With Telnet

telnet localhost 80
test apache version with telnet

test apache version with telnet

– With Curl

curl -I -L http://localhost
test apache version with curl

test apache version with curl

– With Wget

wget --server-response --spider http://localhost
test apache version with wget

test apache version with wget

2. Disable Directory Listing (Autoindex)

Autoindex is an Apache module which automatically generates and outputs a web directory listing, similar to ls command, when no index files are provided.

apache autoindex

apache autoindex

To disable Apache autoindex module on Debian based distributions issue the following commands on your server console.

sudo a2dismod autoindex
sudo service apache2 restart
disable apache autoindex

disable apache autoindex

To test the changes refresh the webpage and a Not Found message error should be displayed on your browser as in the below screenshot.

apache autoindex disabled

apache autoindex disabled

3. Disable CGI Scripts Execution, Server-Side Includes and Follow Symbolic Links

SSI represents a way for Apache to generate dynamic content based on HTML files without the need to run CGI programs. On the other hand, CGI programs provides a way for Apache to generate dynamic webpage content based on external programs or scripts written in different programming languages such as Bash, Python, Perl, C, C++ etc.

In order to turn off CGI scripts, Follow Symlink and Server-Side Includes for a specific directory add the following Options directives as presented below:

Options -Includes -ExecCGI -FollowSymLinks
disable apache ssi and cgi

disable apache ssi and cgi

4. Create an .htaccess File and Change Directory Index

This can be more evaluated as a trick than a security tip. First create and .htaccess file on your webroot and add the below directive in order to change Apache default index file to a arbitrary index file (here I have used script.cgi file as an index file for ubuntu.lan Virtual Host which will be automatically served).

sudo nano /var/www/html/ubuntu.lan/.htaccess

.htaccess excerpt:

DirectoryIndex script.cgi

Change .htaccess permissions to match Apache user:

sudo chown www-data:www-data /var/www/html/ubuntu.lan/.htaccess

After you have created the .htaccess file on your Virtual Host DocumentRoot, open the Virtual Host configuration file for editing, add the below statements and restart Apache server to apply changes. The Require all granted instruction is only necessary when the Directory path is changed to a different location than /var/www/.

<Directory "/var/www/html/ubuntu.lan">
     AllowOverride All
     Require all granted
     Order allow,deny
     Allow from all
allow .htaccess directives

allow .htaccess directives

To disable .htaccess file just change the AllowOverride directive from All to None.

5. Enable Apache SSL and Create Apache SSL Certificates

For Apache Self-Signed Certificates please follow the instructions from this article: Create Self-Signed Certificates and Enable Apache SSL in Ubuntu

6. Enable Rewrite Module and Redirect HTTP to HTTPS

To redirect HTTP non-secure requests to HTTPS for a specific domain name, enable the rewrite module and add the following statements on non-SSL Virtual Host configuration file. For on-fly activation (without server restart) you can add the statements to .htaccess file at your domain webroot with the condition that the .htaacess file must be activated.

RewriteEngine On
RewriteCond %{HTTPS} on
RewriteRule (.*) http://%{HTTP_HOST}%{REQUEST_URI}

or replace the above RewriteRule with the one below:

RewriteRule ^/?(.*) https://%{SERVER_NAME}/$1 [R,L]

Enable rewrite module and restart Apache to apply changes in case you are not using an activated .htaccess file:

sudo a2enmod rewrite
sudo service apache2 restart

7. Use Apache Access Control List to Restrict or Allow Access

Access Control are a set of rules which can limit access to a specific Apache resource. In order to completely block access to an Apache Vhost webroot add the following statements on your Virtual Host configuration file:

<Directory "/">
    Options None
    Order allow,deny
    Deny from all

To allow just visitors from a specific IP Address or Network or domain use the following syntax:

Order Deny, Allow
Deny from all
Allow from host.domain.tld

This set of rules can also be applied on-fly to an .htaccess file.

8. Protect Web Documents Using Linux File Permissions

Another simple but effective security measure that you can take into consideration is to protect web documents by changing file permissions. Suppose you want to protect a HTML page hosted on Apache DocumentRoot issue the following command against that file:

sudo chmod 600 /var/www/html/document.html

More drastically, if Apache user and group www-data are the owners of that file you can use the following command to completely deny access:

sudo chmod 000 /var/www/html/document.html

To revert changes issue the following command:

sudo chmod 644 /var/www/html/document.html

To deny access to an entire directory along with its content run the following command:

sudo chmod -R 000 /var/www/html/dir_to_deny_access

Revert changes to directory:

sudo chmod -R 755 /var/www/html/dir_to_deny_access

To protect a web document from being changed use the chattr Linux command and change the attribute file to immutable:

sudo chattr +i /var/www/html/document.html

To view the files with immutable attributes and revert changes issue the following commands:

sudo lsattr /var/www/html/
sudo chattr -i /var/www/html/document.html

9. Create Custom Apache Log Files

For instructions concerning Apache log files please review Apache Virtual Hosts Article

10. Change Apache User Shell

On most Debian based Linux distributions, Apache runs under www-data user. By defult, the www-data user has a valid Linux shell which points to /bin/sh. In order to block Apache user from attempting to log in into the system, change the system shell to point to nologin by issuing the following command:

sudo usermod -s /usr/sbin/nologin www-data


change apache user shell

change apache user shell

This are just a couple of security and hardening tips that you should take intro consideration whenever you are using Apache in a production environment.

You might also like
Notify of

Inline Feedbacks
View all comments