Harden Apache and Ubuntu

To harden your Apache and Ubuntu installation, I recommend taking the following steps:

Step 1) mod_evasive rate-limits clients that request the same page, or the site as a whole, too many times within a short interval and blocks them temporarily. That helps against single-source HTTP DoS and brute-force attempts; it does little against a distributed attack, which has to be absorbed upstream of the server. Once installed, tune the thresholds in the module's configuration under /etc/apache2/mods-available/ (DOSPageCount, DOSSiteCount, DOSPageInterval, DOSSiteInterval and DOSBlockingPeriod) to your real traffic, and bear in mind that users behind a shared proxy or NAT all appear as one client and can be blocked together. Install the module:

sudo apt-get install libapache2-mod-evasive

Step 2) ModSecurity is a web application firewall for the Apache web server. In addition to logging, it inspects HTTP requests and responses in real time to detect attacks, and it can act as a web intrusion detection tool, letting you react to suspicious events on your web systems. Install the Apache module package (named libapache2-modsecurity on older Ubuntu releases; apt pulls in libxml2 and the APR utility libraries as dependencies, so the -dev packages are not needed):

sudo apt-get install libapache2-mod-security2

The package ships a recommended configuration at /etc/modsecurity/modsecurity.conf-recommended. Copy it to /etc/modsecurity/modsecurity.conf and run with SecRuleEngine DetectionOnly (the default in that file) while you check the audit log for false positives; change it to SecRuleEngine On once legitimate traffic passes cleanly.

Step 3) Do not let error pages or response headers reveal Apache and Ubuntu version details. Edit the security configuration (this path is for Apache 2.2; on Apache 2.4 the file is /etc/apache2/conf-available/security.conf, enabled through conf-enabled):

sudo nano /etc/apache2/conf.d/security

Change the following lines so they read:

ServerTokens Prod
ServerSignature Off

ServerTokens Prod limits the Server header to "Apache" with no version or OS information, and ServerSignature Off removes the footer from server-generated error pages. This only hides version banners, which slows casual fingerprinting; it is not a substitute for patching.

Step 4) If you have PHP installed, I also recommend the following changes (the path below is for PHP 5; on later releases it is /etc/php/<version>/apache2/php.ini):

sudo nano /etc/php5/apache2/php.ini

Change the following lines so they read:

display_errors = Off
log_errors = On
allow_url_fopen = Off
expose_php = Off
enable_dl = Off
disable_functions = pcntl_alarm,pcntl_fork,pcntl_waitpid,pcntl_wait,pcntl_wifexited,pcntl_wifstopped,pcntl_wifsignaled,pcntl_wexitstatus,pcntl_wtermsig,pcntl_wstopsig,pcntl_signal,pcntl_signal_dispatch,pcntl_get_last_error,pcntl_strerror,pcntl_sigprocmask,pcntl_sigwaitinfo,pcntl_sigtimedwait,pcntl_exec,pcntl_getpriority,pcntl_setpriority,system,show_source,symlink,exec,dl,shell_exec,passthru,phpinfo
register_globals = Off
magic_quotes_gpc = Off

display_errors = Off together with log_errors = On keeps stack traces and file paths out of responses while still recording them for you. allow_url_fopen = Off stops the file functions from opening remote URLs; also confirm that allow_url_include = Off (its default), since that is the directive that blocks remote file inclusion. disable_functions removes the process-control and command-execution functions; escapeshellarg and escapeshellcmd are often added to such lists, but they are sanitisers rather than execution primitives and disabling them only breaks code that is trying to be safe, so they are left out. Before deploying, check that your application does not call anything on the list. register_globals and magic_quotes_gpc must both be Off: register_globals lets request parameters overwrite variables, and magic_quotes_gpc is not a substitute for parameterised queries. Both were deprecated in PHP 5.3 and removed in 5.4, where setting either to On is a startup error.

Step 5) After making these changes, check the configuration for syntax errors (apache2ctl configtest) and then restart Apache.

sudo /etc/init.d/apache2 restart

Step 6) Tighten the kernel's network stack: enable reverse-path filtering and TCP SYN cookies, refuse ICMP redirects and source-routed packets, stop sending redirects, and log martian packets (packets whose source address cannot legitimately arrive on the interface they came in on). Edit:

sudo nano /etc/sysctl.conf

Uncomment the following (Ubuntu ships them commented out). If the host is multi-homed with asymmetric routing, use rp_filter = 2 (loose mode) instead of 1, since strict mode drops packets that arrive on a different interface than the one the kernel would use to reach their source:
net.ipv4.conf.default.rp_filter = 1
net.ipv4.conf.all.rp_filter = 1
net.ipv4.tcp_syncookies = 1
net.ipv4.conf.all.accept_redirects = 0
net.ipv6.conf.all.accept_redirects = 0
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.all.accept_source_route = 0
net.ipv6.conf.all.accept_source_route = 0
net.ipv4.conf.all.log_martians = 1

Make the change active.

sudo /sbin/sysctl -p

Step 7) Install Nmap (Network Mapper), a free tool for network discovery and security auditing, and use it to confirm that only the services you intend to expose are listening.

sudo apt-get install nmap

To scan your system for open TCP ports with a connect scan (no root needed; by default only the 1000 most common ports are probed, add -p- to cover all 65535):

nmap -v -sT localhost

SYN scan, which needs raw sockets and therefore root. Note that scanning localhost also lists services bound only to 127.0.0.1; to see what the network sees, run the same scan from another host against the server's external address:

sudo nmap -v -sS localhost
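As an added example (not part of the original guide), a POSIX shell script that audits the settings from steps 3, 4 and 6 after you have applied them. It reads php.ini, saved sysctl -a output and Apache's security configuration, ignores commented-out lines, takes the last active setting as PHP does, and flags any directive that is missing or set to another value. The file paths in the comments and the sample php.ini it creates are constructed for the demonstration.

```shell
#!/bin/sh
# Added audit script (not from the original guide): re-reads the files the
# guide edits and reports any directive that is not at its hardened value.

# check_setting FILE KEY WANT SEP
#   SEP is the sed regex between key and value: '=' for php.ini and sysctl
#   output, '[[:space:]]' for Apache directives such as "ServerTokens Prod".
#   Commented lines (';' or '#') never match because the key must start the
#   line; trailing comments are cut off. Prints one OK/FAIL line, returns 0/1.
check_setting() {
    file=$1; key=$2; want=$3; sep=$4
    esc=$(printf '%s' "$key" | sed 's/\./\\./g')   # literal dots in sysctl keys
    have=$(sed -n "s/^[[:space:]]*$esc[[:space:]]*$sep[[:space:]]*\([^[:space:];#]*\).*/\1/p" "$file" | tail -n 1)
    if [ "$(printf '%s' "$have" | tr A-Z a-z)" = "$(printf '%s' "$want" | tr A-Z a-z)" ]; then
        echo "OK   $key = $have"
        return 0
    fi
    echo "FAIL $key = ${have:-<unset>} (want $want)"
    return 1
}

# audit_file FILE SEP KEY=WANT...: check every pair, return the failure count.
audit_file() {
    f=$1; s=$2; shift 2
    fails=0
    for pair in "$@"; do
        check_setting "$f" "${pair%%=*}" "${pair#*=}" "$s" || fails=$((fails + 1))
    done
    return $fails
}

# Hardened values from the guide. allow_url_include is added because it is the
# directive that blocks remote file inclusion. register_globals and
# magic_quotes_gpc are omitted: php.ini on PHP 5.4+ no longer contains them.
PHP_WANT='display_errors=Off log_errors=On allow_url_fopen=Off
          allow_url_include=Off expose_php=Off enable_dl=Off'
SYSCTL_WANT='net.ipv4.conf.default.rp_filter=1 net.ipv4.conf.all.rp_filter=1
             net.ipv4.tcp_syncookies=1 net.ipv4.conf.all.accept_redirects=0
             net.ipv6.conf.all.accept_redirects=0 net.ipv4.conf.all.send_redirects=0
             net.ipv4.conf.all.accept_source_route=0 net.ipv6.conf.all.accept_source_route=0
             net.ipv4.conf.all.log_martians=1'
APACHE_WANT='ServerTokens=Prod ServerSignature=Off'

# shellcheck disable=SC2086  # word splitting of the *_WANT lists is intended
audit_php_ini()         { audit_file "$1" '='           $PHP_WANT; }
audit_sysctl()          { audit_file "$1" '='           $SYSCTL_WANT; }
audit_apache_security() { audit_file "$1" '[[:space:]]' $APACHE_WANT; }

# Constructed sample php.ini (not from a real server): display_errors is still
# On and expose_php is missing, so the audit should report two failures.
sample=$(mktemp)
cat > "$sample" <<'EOF'
; display_errors = Off      <- commented out, must be ignored
display_errors = On
log_errors = On
allow_url_fopen = Off
allow_url_include = Off
enable_dl = Off
EOF
audit_php_ini "$sample"; echo "php.ini: $? directive(s) need attention"
rm -f "$sample"

# On a live server, point the audits at the real files, for example:
#   sysctl -a 2>/dev/null > /tmp/sysctl.txt && audit_sysctl /tmp/sysctl.txt
#   audit_apache_security /etc/apache2/conf-available/security.conf
#   audit_php_ini /etc/php5/apache2/php.ini
```

Each audit function returns the number of failing directives, so the script can gate a deployment or run from cron; the sysctl audit reads saved `sysctl -a` output rather than /etc/sysctl.conf so that it checks the values actually in effect, not just what was edited.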