Hardened Apache

Categories: Scripts

A short script to deploy hardened Apache2 on Ubuntu 18.04 LTS

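# Deploy a hardened Apache2 on Ubuntu 18.04 LTS. Run as root.
# Abort on the first failing step (or unset variable) so a half-applied
# configuration does not go unnoticed.
set -eu

# Apache plus the ModSecurity module package.
apt-get install -y apache2 libapache2-mod-security2

# mod_ssl for HTTPS; mod_headers because security.conf below uses "Header"
# directives, which Apache rejects as invalid commands when that module is
# not loaded.
a2enmod ssl headers

# Stop listening on plain HTTP. The pattern is anchored at both ends
# (allowing trailing whitespace) so only the "Listen 80" line is commented
# out, not e.g. "Listen 8080".
sed -i 's/^Listen 80[[:space:]]*$/# Listen 80/' /etc/apache2/ports.conf

# Replace the distribution's security.conf in one write. The quoted 'EOF'
# delimiter keeps the text literal, so the double quotes inside directives
# reach the file without backslash escaping.
#
# Notes for whoever maintains this:
# - "ServerTokens Full" is what ModSecurity's SecServerSignature needs in
#   order to replace the banner. If security2_module is not loaded, the real
#   version banner is sent instead, and "ServerSignature On" also prints it
#   on server-generated pages. Check the Server response header after
#   deploying.
# - The HSTS policy (two years, includeSubDomains) binds every subdomain to
#   HTTPS; confirm they all serve it before rolling this out.
# - Both CRS Include lines are written commented out, so this file only
#   changes the banner; it does not load any rule set by itself.
cat > /etc/apache2/conf-available/security.conf <<'EOF'
ServerTokens Full
ServerSignature On
TraceEnable Off
FileETag None

# Do Header stuff
Header unset Pragma
Header unset ETag
Header always set x-xss-protection "1; mode=block"
Header always append X-Frame-Options SAMEORIGIN
Header always set X-Content-Type-Options nosniff
Header always set Referrer-Policy "no-referrer"

<IfModule mod_ssl.c>
  Header always set Strict-Transport-Security "max-age=63072000; includeSubDomains"
  SSLCipherSuite EECDH+AESGCM:EDH+AESGCM
  SSLProtocol ALL -TLSv1.1 -TLSv1 -SSLv2 -SSLv3
  SSLHonorCipherOrder On
</IfModule>

<IfModule security2_module>
  SecServerSignature "PiaB"
# Include /usr/share/modsecurity-crs/*.conf
# Include /usr/share/modsecurity-crs/activated_rules/*.conf
</IfModule>
EOF

# security.conf is normally enabled on a stock install; enabling it again is
# harmless and guarantees the settings above are actually read.
a2enconf security

# Validate the resulting configuration. Restarting Apache is left to the
# operator once this passes.
apache2ctl configtest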