Web servers are considered easier targets for hackers. As a web server is usually exposed to the entire universe, it's critical to secure it. This is the reason why sensitive information (such as credit card numbers) stored on a web server is always encrypted. Apache is the most popular web server. It is available on Unix, Windows and Macintosh operating systems. Apache is an open source web server, and developers across the world work constantly to improve its performance and level of security.
It is very important to make sure that you use the latest Apache for your system. Also, because it is freely available software, one needs to obtain it from a reliable source.
To secure a web server such as Apache, you need to focus on the web server configuration file - httpd.conf. In other words, at the server level, the directives we put in the configuration file control access. There are three important directives - order, deny and allow - that help in controlling access. Let's have a look at a simple example:
As the name suggests, the order directive instructs the server to process all allow directives before any deny directives. And "allow from all" allows the server to give access from any client IP address.
Consider a case where we need to be selective in granting access. The following example illustrates this:
You'll notice from the above example that the deny directive restricts access for everyone. Then the allow directive grants access selectively - to anyone whose machine name is part of the my_firm.com domain.
Thus by using order, deny and allow directives we can secure the web server to some extent. These directives will be of significant use when we have very sensitive information at some location on the web server.
It is important to disallow web requests to your .htaccess files - by adding the following directive to the web server's configuration file.
As a rule of thumb, there should be no default access. This means that one should get into the habit of permitting no access at first. Then specific access can be permitted to specific locations. The following configuration segment illustrates this:
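An added example, not the author's original listing, that combines the directives described above into one httpd.conf fragment: no default access, an open document root, a directory restricted to my_firm.com, and blocked requests for .htaccess files. The directory paths are assumptions; the syntax is Apache 2.2, with the Apache 2.4 `Require` equivalents noted in comments.

```apache
# Added example (Apache 2.2 Order/Deny/Allow syntax).
# In Apache 2.4 these directives are deprecated and only available through
# mod_access_compat; the 2.4 equivalent is given beside each rule.
# Directory paths below are illustrative assumptions.

# 1. No default access: deny the entire filesystem first.
<Directory />
    # Deny rules are evaluated first, then Allow rules may override them.
    Order Deny,Allow
    Deny from all               # 2.4: Require all denied
</Directory>

# 2. Then permit access to specific locations only.
#    Public document root: open to any client address.
<Directory "/var/www/html">
    # Allow rules are evaluated first; anything not allowed is denied.
    Order Allow,Deny
    Allow from all              # 2.4: Require all granted
</Directory>

# 3. Sensitive location: deny everyone, then allow selectively.
<Directory "/var/www/html/internal">
    Order Deny,Allow
    Deny from all
    # Hostname rules rely on a double reverse DNS lookup of the client,
    # so they are only as trustworthy as the DNS answers the server gets.
    Allow from my_firm.com      # 2.4: Require host my_firm.com
</Directory>

# 4. Never serve .htaccess (or other .ht*) files to web clients.
<Files ~ "^\.ht">
    # No Allow rule matches, and Deny from all applies: always refused.
    Order Allow,Deny
    Deny from all               # 2.4: Require all denied
</Files>
```

After editing httpd.conf, `apachectl configtest` checks the syntax before the server is restarted.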
In order to improve the security of a public web server, one can follow a few security checkpoints.
1. Your network:
The very first checkpoint to consider is your network and the way it is connected to the Internet. The real issue here is where you are placing your web server. It is important to understand here that the web server should be kept out of the secured part of the network.
2. The operating system
Apache runs on almost all flavors of Unix operating system and also on Windows NT and Windows 95. This does not mean that one can use any operating system for Apache to run. Selecting the proper operating system is an important factor to be considered while dealing with security. Once you choose the operating system, make sure that you disable any extra features that are not required for the web server - for example, if you do not require SMTP/POP mail services or FTP services, disable them completely.
3. Web server software
It is very important to make sure that you are using the latest Apache for your system. It is not a bad idea to compile your own Apache binaries rather than using those of a binary distribution. When configuring Apache, pay a lot of attention to security-related configuration issues. The idea here is to disable anything that you do not use. This will significantly reduce the risks and improve security.
Security policy considerations
An administrative security policy describes the practices and guidelines to be followed to achieve security. One can think of adding the following to the existing security policy:
* Log anything and everything: The log files at the server end record the behavior of the server for each and every request. By analyzing the log files, you will get useful information about security. Make sure that you set up Apache to log both access and errors. These logs are very useful for debugging when something is going wrong with your web server. One needs to monitor the error log closely.
* Maintain an authoritative copy of your web site: Keep an authoritative copy of your web site. This will help you to restore it when the web server is compromised.
* Administer your site from the web host console: Always make it a habit to administer your web site from the web host console. This will eliminate the network traffic between the web server and the administrator's workstation.
* Compare contents: Hackers always modify and damage files on the system to which they have gained access. It is a good idea to compare the attributes and contents of files and directories to the authoritative copy. With this, you will come to know if intruders have altered the files.
Swayam Prakasha has a master's degree in computer engineering. He has been working in information technology for several years, concentrating on areas such as operating systems, networking, network security, electronic commerce, Internet services, LDAP and Web servers. He can be reached at swayam.prakasha@gmail.com.