29.15. Securing Apache

Tighten the permissions on some important files and directories for your Web Server. When you install Apache on your server, some files and directories are given more permissions than they need by default. For better security, the binary program httpd can be set to be read-only by the super-user root, and executable by the owner, group, and others. The /etc/httpd/conf and /var/log/httpd directories don't need to be readable, writable or executable by other people.

        [root@deep ]/# chmod 511 /usr/sbin/httpd
        [root@deep ]/# chmod 750 /etc/httpd/conf/
        [root@deep ]/# chmod 750 /var/log/httpd/
      

If you have enabled the automatic indexing of directories in your Apache configuration file (IndexOptions in httpd.conf), then you have a security issue: any request for a directory that doesn't find an index file will build an index of what is in the directory. In many cases, you only want people to see the files that you specifically link to. To turn this off, you need to remove read permissions from the DocumentRoot directory, but not from the files inside it.

        [root@deep ]/# cd /home/httpd/
        [root@deep ]/httpd# chmod 311 ona
        [root@deep ]/httpd# ls -la
        d-wx--x--x   13 webadmin webadmin     1024 Jul 28 08:12 ona
      
Now, with this modification, any request for this protected directory should return an error message like:

        Forbidden
        You don't have permission to access /ona/ on this server.
      

Tip: In our example, ona is the DocumentRoot, the directory out of which you will serve your documents.
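
Permissions set this way can drift after package upgrades or manual changes. The script below is an added example, not part of the original guide: it checks the four paths from this section and reports any that carry bits beyond the modes given above. The function names and the prefix argument are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: audit the modes this section recommends (not from the guide).

# Print a path's octal permission bits (GNU stat, then BSD stat as fallback).
mode_of() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1" 2>/dev/null
}

# Print the bits set on path $1 beyond the allowed octal mode $2; 0 means OK.
excess_bits() {
    actual=$(mode_of "$1") || return 2
    printf '%o\n' $(( 0$actual & ~0$2 & 07777 ))
}

# Check the section's four paths under prefix $1 (hypothetical knob; "" means
# the live system). Returns how many are missing or too permissive.
audit_apache_perms() {
    prefix=$1
    bad=0
    while read -r path allowed; do
        extra=$(excess_bits "$prefix$path" "$allowed") || extra=missing
        if [ "$extra" != 0 ]; then
            echo "FAIL $prefix$path: allowed $allowed, excess bits $extra"
            bad=$((bad + 1))
        fi
    done <<EOF
/usr/sbin/httpd 511
/etc/httpd/conf 750
/var/log/httpd 750
/home/httpd/ona 311
EOF
    return "$bad"
}

# Run against the live system only when asked: sh audit.sh --audit
if [ "${1:-}" = "--audit" ]; then
    audit_apache_perms ""
fi
```

A path that is stricter than recommended passes; only extra bits, such as a read bit reappearing on the DocumentRoot, are reported.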