Apache
The Apache HTTP Server, colloquially called Apache (/əˈpætʃi/ ə-PATCH-ee), is free and open-source cross-platform web server software, released under the terms of Apache License 2.0. Apache is developed and maintained by an open community of developers under the auspices of the Apache Software Foundation.
The vast majority of Apache HTTP Server instances run on a Linux distribution,[5] but current versions also run on Windows and OS/2, and a wide variety of Unix-like systems. Past versions also ran on OpenVMS, NetWare and other operating systems.
Originally based on the NCSA HTTPd server, development of Apache began in early 1995 after work on the NCSA code stalled. Apache played a key role in the initial growth of the World Wide Web, quickly overtaking NCSA HTTPd as the dominant HTTP server, and has remained most popular since April 1996. In 2009, it became the first web server software to serve more than 100 million websites. As of August 2018, it was estimated to serve 39% of all active websites and 35% of the top million websites.
Apache error log location
- /usr/local/apache/logs/error_log
Website under attack
This counts the number of ModSecurity hits in the Apache error log per client address (with the default httpd 2.4 ErrorLogFormat the tenth whitespace-separated field is the "ip:port" of the client; adjust `$10` if you use a custom ErrorLogFormat):
- sudo grep -i "modsec" /usr/local/apache/logs/error_log | awk '{print $10}' | sort | uniq -c | sort -n
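A more robust version of the count above, added here as an example and not taken from the page: instead of relying on field position it parses the ModSecurity `[client ...]`, `[id "..."]`, `[msg "..."]` and `[uri "..."]` tags, separates blocked requests from warn-only matches, and runs over constructed sample error_log lines (assumed to follow the default httpd 2.4 ErrorLogFormat; the addresses, rule ids and messages are made up).

```python
import re
from collections import Counter

# Constructed sample error_log lines (default httpd 2.4 format with ModSecurity v2 tags); not real data.
SAMPLE_ERROR_LOG = """\
[Tue Mar 05 10:15:32.123456 2019] [:error] [pid 1234] [client 203.0.113.5:51234] ModSecurity: Access denied with code 403 (phase 2). Matched phrase "union select" at ARGS:id. [file "/etc/modsecurity/rules.conf"] [line "42"] [id "942100"] [msg "SQL Injection Attack Detected via libinjection"] [severity "CRITICAL"] [hostname "www.example.com"] [uri "/index.php"] [unique_id "XAAA"]
[Tue Mar 05 10:15:40.000001 2019] [:error] [pid 1234] [client 203.0.113.5:51240] ModSecurity: Access denied with code 403 (phase 2). [file "/etc/modsecurity/rules.conf"] [line "88"] [id "941100"] [msg "XSS Attack Detected via libinjection"] [severity "CRITICAL"] [hostname "www.example.com"] [uri "/search"] [unique_id "XAAB"]
[Tue Mar 05 10:16:02.500000 2019] [:error] [pid 1235] [client 198.51.100.7:40000] ModSecurity: Warning. Pattern match "(?i)nikto" at REQUEST_HEADERS:User-Agent. [file "/etc/modsecurity/rules.conf"] [line "12"] [id "913100"] [msg "Found User-Agent associated with security scanner"] [severity "CRITICAL"] [hostname "www.example.com"] [uri "/"] [unique_id "XAAC"]
[Tue Mar 05 10:16:10.000000 2019] [core:error] [pid 1236] [client 192.0.2.9:33333] AH00082: an unknown filter was not added: includes
[Tue Mar 05 10:17:00.000000 2019] [:error] [pid 1234] [client 203.0.113.5:51250] ModSecurity: Access denied with code 403 (phase 2). [file "/etc/modsecurity/rules.conf"] [line "42"] [id "942100"] [msg "SQL Injection Attack Detected via libinjection"] [severity "CRITICAL"] [hostname "www.example.com"] [uri "/index.php"] [unique_id "XAAD"]
"""

CLIENT_RE = re.compile(r"\[client (?P<addr>[^\]]+)\]")
TAG_RE = re.compile(r'\[(?P<key>id|msg|uri|severity) "(?P<val>[^"]*)"\]')


def parse_modsec_events(lines):
    """Yield one dict per ModSecurity line: client IP, rule id, msg, uri, severity, denied flag."""
    for line in lines:
        if "ModSecurity:" not in line:
            continue  # ordinary httpd errors are not WAF hits
        m = CLIENT_RE.search(line)
        # httpd 2.4 logs "ip:port"; strip the port (rsplit on the last colon also copes with IPv6)
        addr = m.group("addr").rsplit(":", 1)[0] if m else "unknown"
        event = {"client": addr, "denied": "Access denied" in line}
        for tag in TAG_RE.finditer(line):
            event[tag.group("key")] = tag.group("val")
        yield event


def summarize(lines):
    """Count hits per (rule id, msg), per client and per URI, and how many were actually blocked."""
    by_rule, by_client, by_uri, denied = Counter(), Counter(), Counter(), 0
    for ev in parse_modsec_events(lines):
        by_rule[(ev.get("id", "?"), ev.get("msg", ""))] += 1
        by_client[ev["client"]] += 1
        by_uri[ev.get("uri", "?")] += 1
        denied += ev["denied"]
    return {"by_rule": by_rule, "by_client": by_client, "by_uri": by_uri, "denied": denied}


if __name__ == "__main__":
    report = summarize(SAMPLE_ERROR_LOG.splitlines())
    for (rule_id, msg), n in report["by_rule"].most_common():
        print(f"{n:4d}  rule {rule_id}  {msg}")
    for ip, n in report["by_client"].most_common():
        print(f"{n:4d}  client {ip}")
    print(f"{report['denied']} of {sum(report['by_client'].values())} hits were blocked")
```

To run it against a live server, replace `SAMPLE_ERROR_LOG.splitlines()` with the lines of /usr/local/apache/logs/error_log.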
See which client addresses request which paths in the Apache access log (count of each "client IP + request path" pair, lowest first):
- sudo awk '{print $1" "$7}' /usr/local/apache/logs/access_log | sort | uniq -c | sort -n -k1
Headers Security
Here are some useful mod_headers directives for the Apache .conf file:
Be aware that browsers only honour Strict-Transport-Security when it arrives over HTTPS, so HTTP requests have to be redirected to HTTPS for HSTS to take effect.
<IfModule mod_headers.c>
    # Mark every cookie the application sets as HttpOnly and Secure
    Header always edit Set-Cookie (.*) "$1;HttpOnly;Secure"
    RequestHeader set X-HTTPS 1
    Header set Referrer-Policy "no-referrer-when-downgrade"
    Header always set Feature-Policy "microphone 'none'; payment 'none'; sync-xhr 'self' https://mysiteURL.com"
    Header set X-XSS-Protection "1; mode=block"
    Header set X-Content-Type-Options nosniff
    # "set", not "append": appending produces "SAMEORIGIN, SAMEORIGIN", which browsers reject
    Header always set X-Frame-Options SAMEORIGIN
    Header set Strict-Transport-Security "max-age=10886400; includeSubDomains; preload"
    # Quote the whole value so the embedded report-uri quotes survive config parsing
    Header set Expect-CT "enforce, max-age=2592000, report-uri=\"https://foo.example/report\""
</IfModule>
# Not headers, but belong in the same hardening pass: no directory listings, no version banner in error pages
Options -Indexes
ServerSignature Off