Introduction

What?

• Remove all unnecessary web server modules. A lot of web servers by default come with several modules that introduce security risks.

• Modify default configuration settings.

• Install and run a web application firewall (WAF). Most web servers support the open-source ModSecurity firewall.

• If possible, either patch server software to the latest version automatically or turn on notifications for manual patching.

Why?

Build a more secure foundation for web applications.

How?

• Keep only required modules

• Disable unwanted services

• Restrict file and directory access

• Disable unwanted HTTP methods

• Create non-root users

• Install and use ModSecurity

• Install and use ModEvasive

• Set up and configure logging