Apache Security

Trace Back :

Testing if Trace back is enabled :

telnet localhost 80
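TRACE / HTTP/1.0

Send a blank line to end the request. If the server answers 200 OK and echoes your request back in the body, TRACE is enabled. A 405 (from TraceEnable off) or a 403 (from the rewrite rule below) means it is disabled.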

Disabling Trace Back :

vi /etc/httpd/conf/httpd.conf
TraceEnable off 

Or use a rewrite rule, for example in .htaccess :

RewriteEngine On
RewriteCond %{REQUEST_METHOD} ^TRACE
RewriteRule .* - [F]

Hide Apache Software Version :

vi /etc/httpd/conf/httpd.conf
ServerTokens ProductOnly
ServerSignature Off

Disable SSL Protocol V2 :

SSLProtocol all -SSLv2

Check if SSL V2 is supported :

openssl s_client -connect <hostname>:443 -quiet -ssl2

Disable Weak Ciphers :

SSLCipherSuite ALL:!aNULL:!ADH:!eNULL:!LOW:!EXP:RC4+RSA:+HIGH:+MEDIUM
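
The settings above can be checked in one pass over a configuration file. The script below is an added example, not part of the original notes: it flags any of the page's directives that are missing or weaker than shown. The function names and both sample configs are constructed for illustration, and it assumes a flat parse (last occurrence wins, no Include or VirtualHost resolution) and that "all" includes SSLv2, as the page's "all -SSLv2" implies.

```python
# Added example: audit httpd.conf text for the directives covered on this page.
# Assumptions: flat parse where the last occurrence wins; Include files and
# <VirtualHost> scoping are not resolved.
DEFAULTS = {"traceenable": "on", "servertokens": "full", "serversignature": "off"}
REQUIRED_EXCLUSIONS = {"!aNULL", "!ADH", "!eNULL", "!LOW", "!EXP"}

# Constructed sample configurations (not taken from a real server).
WEAK = "ServerTokens OS\nServerSignature On\nSSLProtocol all\nSSLCipherSuite ALL:!ADH:+HIGH\n"
HARDENED = """# hardened sample
TraceEnable off
ServerTokens ProductOnly
ServerSignature Off
SSLProtocol all -SSLv2
SSLCipherSuite ALL:!aNULL:!ADH:!eNULL:!LOW:!EXP:RC4+RSA:+HIGH:+MEDIUM
"""

def parse_directives(conf_text):
    """Return {lowercased directive: arguments}, skipping comments and sections."""
    seen = {}
    for line in conf_text.splitlines():
        parts = line.strip().split(None, 1)
        if parts and not parts[0].startswith(("#", "<")):
            seen[parts[0].lower()] = parts[1].strip() if len(parts) > 1 else ""
    return seen

def sslv2_enabled(protocol_args):
    """Evaluate SSLProtocol tokens left to right ('all' assumed to include SSLv2)."""
    enabled = False
    for token in protocol_args.split():
        sign = token[0] if token[0] in "+-" else ""
        hit = token.lstrip("+-").lower() in ("all", "sslv2")
        if sign == "":
            enabled = hit            # an unsigned token replaces the whole set
        elif hit:
            enabled = sign == "+"
    return enabled

def audit(conf_text):
    """Return a list of findings; an empty list means every check passed."""
    d = parse_directives(conf_text)
    eff = {k: d.get(k, default).lower() for k, default in DEFAULTS.items()}
    findings = []
    if eff["traceenable"] != "off":
        findings.append("TraceEnable is not off")
    if eff["servertokens"] not in ("prod", "productonly"):
        findings.append("ServerTokens discloses more than the product name")
    if eff["serversignature"] != "off":
        findings.append("ServerSignature is not Off")
    if "sslprotocol" in d and sslv2_enabled(d["sslprotocol"]):
        findings.append("SSLProtocol leaves SSLv2 enabled")
    missing = REQUIRED_EXCLUSIONS - set(d.get("sslciphersuite", ":".join(REQUIRED_EXCLUSIONS)).split(":"))
    return findings + (["SSLCipherSuite lacks " + ", ".join(sorted(missing))] if missing else [])
```

The SSL checks only fire when the directive is present, since mod_ssl may not be loaded; a missing TraceEnable or ServerTokens is reported because Apache's defaults for them are on and Full.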
