Thursday, 22 July 2010

Best security practices for Apache, PHP, MySQL server

Set permissions on all configuration files:
root:root 600

Restrict access to service files
<Files *.bak>
Order deny,allow
Deny from all
</Files>

<Files *.tmp>
Order deny,allow
Deny from all
</Files>

<Files *.log>
Order deny,allow
Deny from all
</Files>

<Directory ~ ".*\.svn">
Order allow,deny
Deny from all
Satisfy All
</Directory>

Disable the autoindex module, or disable directory indexes in the virtual host or directory context:
Options -Indexes

Limit usage of methods

Inside a <Limit> block listing the methods you allow:
Order allow,deny
Allow from all

Inside a <LimitExcept> block listing the same methods:
Order deny,allow
Deny from all

Configure fault tolerance
Timeout 60
KeepAlive On
KeepAliveTimeout 12
LimitRequestBody 1000000

Options IncludesNoExec

Options SymLinksIfOwnerMatch


Configure file integrity monitoring

Disable magic_quotes_gpc, allow_url_fopen and display_errors in php.ini

Set open_basedir in the virtual host context to the document root of the site; some sites also require the /tmp directory to be included in open_basedir.

Set max_connections in my.cnf to an appropriate value, for example 100 for a small site.
Set max_connect_errors in my.cnf to 10
Disable the LOCAL INFILE syntax: set-variable=local-infile=0
Disable the SHOW DATABASES command: skip-show-database

Hide Apache version
ServerTokens Prod
ServerSignature Off

Disable TRACE method:

RewriteEngine On
RewriteCond %{REQUEST_METHOD} ^TRACE
RewriteRule .* - [F]

or
TraceEnable off

See also: Apache 2.0 Hardening Guide; About SSL cipher suite


Hide PHP version:

In php.ini:
expose_php = Off

Allow PHP to access only certain directories

In the virtual host:
php_admin_value open_basedir
php_admin_value upload_tmp_dir
php_admin_value session.save_path


If you just enable these options, PHP will print warnings to the page that reveal undesirable information. To prevent this you need to disable warning output. The first method is to prefix the function call with "@". Another method is to set in php.ini:
display_errors = Off

The third method is to add to the script: ini_set('display_errors', 'Off');

allow_url_fopen=no
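To check that the php.ini, my.cnf and httpd.conf settings listed in this post are actually in place, here is a small audit script. It is an added example, not part of the original post; the file contents are assumed to be read by the caller and passed in as strings, and the checks cover only the directives named above (expose_php, display_errors, allow_url_fopen, magic_quotes_gpc, local-infile, skip-show-database, ServerTokens, ServerSignature, TraceEnable).

```python
FALSE_VALUES = {"off", "0", "no", "false", "none", ""}
# php.ini directives the post says to turn off.
PHP_INI_OFF = ["expose_php", "display_errors", "allow_url_fopen", "magic_quotes_gpc"]
# Apache directives and the values the post recommends (lower-cased).
APACHE_EXPECTED = {"servertokens": "prod", "serversignature": "off", "traceenable": "off"}

def parse_ini(text):
    """Return {key: value} for active lines of an ini-style file (php.ini, my.cnf)."""
    settings = {}
    for line in text.splitlines():
        line = line.split(";", 1)[0].split("#", 1)[0].strip()  # drop comments
        if not line or line.startswith("["):  # skip blanks and [section] headers
            continue
        key, _, value = line.partition("=")
        key, value = key.strip().lower(), value.strip().strip('"').lower()
        if key == "set-variable":  # old MySQL syntax: set-variable=name=value
            key, _, value = value.partition("=")
        settings[key.strip()] = value.strip()
    return settings

def audit_php_ini(text):
    """List php.ini directives from the post that are not switched off."""
    settings = parse_ini(text)
    findings = []
    for key in PHP_INI_OFF:
        if key not in settings:
            findings.append(f"{key} not set; PHP's built-in default applies")
        elif settings[key] not in FALSE_VALUES:
            findings.append(f"{key} = {settings[key]}, expected Off")
    return findings

def audit_my_cnf(text):
    """Check that LOCAL INFILE and SHOW DATABASES are disabled in my.cnf."""
    settings = parse_ini(text)
    findings = []
    if settings.get("local-infile") != "0":
        findings.append("local-infile is not 0")
    if "skip-show-database" not in settings:
        findings.append("skip-show-database is missing")
    return findings

def audit_apache_conf(text):
    """Check ServerTokens, ServerSignature and TraceEnable in httpd.conf."""
    seen = {}
    for line in text.splitlines():
        parts = line.strip().split(None, 1)
        if len(parts) == 2 and not parts[0].startswith("#"):
            seen[parts[0].lower()] = parts[1].strip().lower()
    return [f"{d} is {seen.get(d)!r}, expected {v!r}"
            for d, v in APACHE_EXPECTED.items() if seen.get(d) != v]
```

A commented-out directive counts as "not set", since PHP or Apache then falls back to its built-in default rather than the hardened value.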
