How To Protect Apache Web Server on CentOS 7

If an attacker gains access to your server, you may lose all of your data. Even if you start from a simple default installation, you still need to secure the server.

Install Web Server

The first step is to install the web server together with PHP:

yum install httpd php

Personal Home Directory Protection

Next comes protection for the home directories. The goal is that each user's directory is private and visible to nobody except its owner.

We suggest changing all of these directories to mode 700, so that only the owner of a home directory can view their own files:

chmod 700 /home
chmod 700 /home/*
chmod 700 /home/*/*

Apply the security patch for Apache to separate user privileges

First, install the repository that contains the package with the patch. Run the following commands as root or with sudo:

yum install epel-release
yum install httpd-itk

Through the “apache2-mpm-itk” module (installed above as httpd-itk) we can choose which user PHP should run as, depending on the virtual host. It adds a new directive to the virtual host configuration, AssignUserId virtualhost-user virtualhost-user-group, which lets Apache/PHP execute the user's code under that specific user account.

Create a virtual host

To create a virtual host in Apache, you can follow the example presented below (for example, taken

<VirtualHost *:80>
    # the VirtualHost container lines were lost from the page; *:80 is assumed
    DocumentRoot /home/vhost-user/public_html
</VirtualHost>

Next, open /etc/httpd/conf.d/example-virtualhost.conf in a text editor and add the contents above. Here is the command using nano:

nano /etc/httpd/conf.d/example-virtualhost.conf

Configure Apache Web Server to run as another user

Now that the Apache/PHP protection is installed, add the following directive to the virtual host:

AssignUserId vhost-user vhost-user-group

This is how the example virtual host looks after the option is added:

<VirtualHost *:80>
    # the VirtualHost container lines were lost from the page; *:80 is assumed
    DocumentRoot /home/vhost-user/public_html
    AssignUserId vhost-user vhost-user-group
</VirtualHost>


Next, you need to hide the Apache version. To do this, open the main configuration file:

nano /etc/httpd/conf/httpd.conf

Then find the line starting with “ServerTokens” and change the value after it to “ProductOnly”. This tells Apache to announce only that it is “Apache”, not “Apache/2.2” or similar.

Finally, restart the Apache server:

service httpd restart
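A way to check that the three steps above took effect (home directory modes, AssignUserId in each virtual host file, ServerTokens ProductOnly), as an added example that is not part of the original article. It assumes GNU stat as shipped on CentOS; the sample configuration tree it audits is constructed in a temporary directory, not read from the real /etc/httpd.

```bash
#!/usr/bin/env bash
# Added example, not from the original article: post-hardening audit for the
# steps above. All paths and vhost files used in the demo are constructed.

# 0 when the vhost file carries "AssignUserId <user> <group>", 1 otherwise.
vhost_has_assignuserid() {
  grep -Eq '^[[:space:]]*AssignUserId[[:space:]]+[^[:space:]]+[[:space:]]+[^[:space:]]+' "$1"
}

# 0 when the directory's permission bits are exactly 0700 (GNU stat, as on CentOS).
dir_is_0700() {
  [ "$(stat -c %a "$1")" = "700" ]
}

# 0 when httpd.conf sets ServerTokens to ProductOnly (directives are case-insensitive).
servertokens_is_productonly() {
  grep -Eiq '^[[:space:]]*ServerTokens[[:space:]]+ProductOnly[[:space:]]*$' "$1"
}

# Audit every *.conf in a conf.d directory. Prints one FINDING line per
# problem; returns 0 if clean, 1 if anything was found.
audit_confd() {
  local confd="$1" rc=0 f docroot
  for f in "$confd"/*.conf; do
    [ -e "$f" ] || continue
    if ! vhost_has_assignuserid "$f"; then
      echo "FINDING: no AssignUserId in $f"; rc=1
    fi
    docroot=$(awk '/^[[:space:]]*DocumentRoot/ {print $2; exit}' "$f")
    if [ -d "$docroot" ] && ! dir_is_0700 "$docroot"; then
      echo "FINDING: $docroot is not mode 0700"; rc=1
    fi
  done
  return "$rc"
}

# Build a constructed sample tree: one hardened vhost, and one that forgot
# AssignUserId and left its DocumentRoot at 755. Prints the tree's path.
make_sample_tree() {
  local tmp; tmp=$(mktemp -d)
  mkdir -p "$tmp/conf.d" "$tmp/good_html" "$tmp/bad_html"
  chmod 700 "$tmp/good_html"; chmod 755 "$tmp/bad_html"
  printf 'DocumentRoot %s\nAssignUserId vhost-user vhost-user-group\n' \
    "$tmp/good_html" > "$tmp/conf.d/good.conf"
  printf 'DocumentRoot %s\n' "$tmp/bad_html" > "$tmp/conf.d/bad.conf"
  printf 'ServerTokens ProductOnly\n' > "$tmp/httpd.conf"
  echo "$tmp"
}
```

On a real server, point audit_confd at /etc/httpd/conf.d and servertokens_is_productonly at /etc/httpd/conf/httpd.conf instead of the sample tree.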
