20 ways to secure Apache

Posted June 21st, 2006 in
These steps are from Pete Freitag's Homepage.
  1. First, make sure you've installed latest security patches.
  2. Hide the Apache Version number, and other sensitive information.
  3. Make sure apache is running under its own user account and group.
  4. Ensure that files outside the web root are not served.
  5. Turn off directory browsing.
  6. Turn off server side includes.
  7. Turn off CGI execution.
  8. Don't allow apache to follow symbolic links.
  9. Turn off multiple Options.
  10. Turn off support for .htaccess files.
  11. Run mod_security.
  12. Disable any unnecessary modules
  13. Make sure only root has read access to apache's config and binaries.
  14. Lower the Timeout value.
  15. Limit large requests.
  16. Limit the size of an XML Body.
  17. Limit Concurrency.
  18. Restrict Access by IP.
  19. Adjust KeepAlive settings.
  20. Run Apache in a Chroot environment.