The Apache HTTP Server is one of the most stable and secure
services that ships with Red Hat Enterprise Linux. There are an
overwhelming number of options and techniques available to secure
the Apache HTTP Server — too numerous to delve into deeply
It is important when configuring the Apache HTTP Server to read
the documentation available for the application. This includes the
chapter titled Apache HTTP Server in the
Red Hat Enterprise Linux Reference Guide,
the chapter titled Apache HTTP Server
Configuration in the Red Hat Enterprise
Linux System Administration Guide, and the Stronghold manuals,
available at https://www.redhat.com/docs/manuals/stronghold/.
Below is a list of configuration options administrators should
be careful using.
This directive is enabled by default, be sure to use caution
when creating symbolic links to the document root of the Web
server. For instance, it is a bad idea to provide a symbolic link
This directive is enabled by default, but may not be desirable.
To prevent visitors from browsing files on the server, remove this
The UserDir directive is disabled by
default because it can confirm the presence of a user account on
the system. To enable user directory browsing on the server, use
the following directives:
UserDir disabled root
These directives activate user directory browsing for all user
directories other than /root/. To add
users to the list of disabled accounts, add a space delimited list
of users on the UserDir disabled line.
By default, the server-side includes module cannot execute
commands. It is ill advised to change this setting unless
absolutely necessary, as it could potentially enable an attacker to
execute commands on the system.
Be certain to only assign write permissions to the root user for
any directory containing scripts or CGIs. This can be accomplished
by typing the following commands:
chown root <directory_name>
chmod 755 <directory_name>
Also, always verify that any scripts running on the system work
as intended before putting them into