Securing the web server
In this recipe, we will learn some steps for securing a web server installation.
Getting ready
You will need access to a root account or an account with sudo privileges.
You may need to have a web server stack installed and running.
How to do it…
Follow these steps to secure the web server:
Disable any unwanted modules. You can check all enabled modules with the following command:
$ a2query -m
Disable modules with the following command:
$ sudo a2dismod status
Hide the web server's identity. For Apache, edit /etc/apache2/conf-available/security.conf and set the following values:
ServerSignature Off
ServerTokens Prod
You may want to check other options under security.conf.
Next, disable the Apache server status page:
$ sudo a2dismod status
For Nginx, edit /etc/nginx/nginx.conf and uncomment the following line:
# server_tokens off;
In production environments, minimize the detail shown on error pages. You can enable the PHP Suhosin module and strict mode.
Disable directory listing...
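To confirm that the identity-hiding step above actually took effect, the following added example (not part of the original recipe) checks a configuration file for the active ServerTokens, ServerSignature and server_tokens values and inspects a Server response header. The function names and sample files are hypothetical and constructed for illustration; the check reads a single file and does not follow Include directives.

```sh
#!/bin/sh
# Added example: verify the identity-hiding settings from this recipe.

# Print the value of the last uncommented occurrence of directive $1 in file $2.
# Comment lines are skipped, so a still-commented "# server_tokens off;"
# does not count as set.
effective_value() {
    awk -v d="$1" '
        /^[ \t]*#/ { next }
        tolower($1) == tolower(d) { v = $2; sub(/;$/, "", v) }
        END { print tolower(v) }
    ' "$2"
}

# Return 0 if the Apache file sets ServerTokens Prod and ServerSignature Off.
apache_identity_hidden() {
    [ "$(effective_value ServerTokens "$1")" = "prod" ] &&
    [ "$(effective_value ServerSignature "$1")" = "off" ]
}

# Return 0 if the Nginx file has an active "server_tokens off;".
nginx_identity_hidden() {
    [ "$(effective_value server_tokens "$1")" = "off" ]
}

# Return 0 if the Server header in the response headers on stdin still
# carries a version number (for example "Apache/2.4.x (Ubuntu)").
server_header_leaks_version() {
    grep -i '^Server:' | grep -Eq '/[0-9]'
}

# Write constructed before/after sample configs into directory $1.
write_samples() {
    printf '%s\n' 'ServerTokens OS' '#ServerTokens Prod' 'ServerSignature On' \
        > "$1/apache-before.conf"
    printf '%s\n' 'ServerTokens Prod' 'ServerSignature Off' \
        > "$1/apache-after.conf"
    printf '%s\n' 'http {' '    # server_tokens off;' '}' > "$1/nginx-before.conf"
    printf '%s\n' 'http {' '    server_tokens off;' '}' > "$1/nginx-after.conf"
}

# On a real host, after reloading the server:
#   apache_identity_hidden /etc/apache2/conf-available/security.conf && echo ok
#   curl -sI http://localhost/ | server_header_leaks_version && echo "version exposed"
```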