Log in over OpenSSH; in this example the Ubuntu 9.04 Server is at 10.23.140.222:
ssh 10.23.140.222 -l dzul
Step 1 :
To prevent anyone from listing the files in your Apache directory, do the following.
sudo nano /etc/apache2/sites-available/default
Add a minus "-" in front of "Indexes" so that it looks like this:
Options -Indexes FollowSymLinks MultiViews
AllowOverride None
Order allow,deny
allow from all
Step 2 :
Enable the rewrite module of Apache.
sudo a2enmod rewrite
To avoid Cross-Site Tracing attacks, add the following lines within "
RewriteEngine On
RewriteCond %{REQUEST_METHOD} ^(TRACE|TRACK)
RewriteRule .* - [F]
Step 3 :
To avoid HTTP DoS, DDoS or brute-force attacks, you should install this module.
sudo apt-get install libapache2-mod-evasive
Step 4 :
To screen out bad URL requests, such as requests for /etc/shadow or MySQL injection attempts, you should install the mod_security module. If you installed the amd64 (64-bit) version of Ubuntu Server, replace i386 with amd64 in the following commands.
wget http://etc.inittab.org/~agi/debian/libapache-mod-security2/libapache-mod-security_2.5.9-1_i386.deb
wget http://etc.inittab.org/~agi/debian/libapache-mod-security2/mod-security-common_2.5.9-1_all.deb
sudo dpkg -i libapache-mod-security_2.5.9-1_i386.deb mod-security-common_2.5.9-1_all.deb
Step 5 :
Do not allow any Apache or Ubuntu Server information to be printed on the error pages.
sudo nano /etc/apache2/conf.d/security
Change the following lines so that they read:
ServerTokens Prod
ServerSignature Off
Step 6 :
Now, it is time to harden the PHP.
sudo nano /etc/php5/apache2/php.ini
Change the following lines so that they read:
display_errors = Off
log_errors = On
allow_url_fopen = Off
safe_mode = On
expose_php = Off
enable_dl = Off
disable_functions = system, show_source, symlink, exec, dl, shell_exec, passthru, phpinfo, escapeshellarg, escapeshellcmd
Step 7 :
The final step is to restart the Apache server.
sudo /etc/init.d/apache2 restart
Step 8 :
sudo nano /etc/sysctl.conf
Uncomment the following line and make it look like this.
#Enable TCP SYN Cookie Protection
net.ipv4.tcp_syncookies = 1
Make the change active.
sudo /sbin/sysctl -p
Note: this can be applied to Ubuntu 9.10 and Ubuntu 10.04 too.
If you want to change the publishing directory, which defaults to /var/www/, make sure you set its permissions properly.
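One way to confirm that the values from Step 5 and Step 6 are really in effect, as an added example that is not part of the original post. The function names and the sample files are constructed for illustration; on a real server pass /etc/apache2/conf.d/security and /etc/php5/apache2/php.ini instead.

```shell
#!/bin/sh
# Added example: audit the Step 5 and Step 6 values. File paths are arguments;
# the sample files at the bottom are constructed for the demo.
lower() { printf '%s' "$1" | tr '[:upper:]' '[:lower:]'; }

# Last uncommented "key = value" in a php.ini-style file (";" starts a comment).
ini_value() {
    awk -F= -v k="$2" '
        /^[ \t]*;/ { next }
        { key = $1; gsub(/[ \t]/, "", key) }
        key == k { v = $2; sub(/;.*/, "", v); gsub(/^[ \t]+|[ \t]+$/, "", v); last = v }
        END { print last }' "$1"
}

# Last uncommented "Directive value" in an Apache config (names are case-insensitive).
apache_value() {
    awk -v k="$2" '
        /^[ \t]*#/ { next }
        tolower($1) == tolower(k) { last = $2 }
        END { print last }' "$1"
}

# audit GETTER FILE KEY=EXPECTED... : print each mismatch, return how many there were.
audit() {
    getter=$1; file=$2; shift 2
    fails=0
    for want in "$@"; do
        key=${want%%=*}; exp=${want#*=}
        got=$("$getter" "$file" "$key")
        if [ "$(lower "$got")" != "$(lower "$exp")" ]; then
            echo "$file: $key is '${got:-unset}', expected '$exp'"
            fails=$((fails + 1))
        fi
    done
    return "$fails"
}

# Expected values from the steps above (left unquoted at the call sites so they split into words).
PHP_WANT="display_errors=Off log_errors=On allow_url_fopen=Off safe_mode=On expose_php=Off enable_dl=Off"
APACHE_WANT="ServerTokens=Prod ServerSignature=Off"

# Constructed samples: two PHP values left insecure, and a misspelled Apache directive name.
demo=$(mktemp -d); trap 'rm -rf "$demo"' EXIT
printf '%s\n' 'display_errors = On' 'log_errors = On' '; allow_url_fopen = Off' \
    'allow_url_fopen = Off' 'safe_mode = On' 'expose_php = On ; default' 'enable_dl = Off' > "$demo/php.ini"
printf '%s\n' '# ServerTokens Full' 'ServerToken Prod' 'ServerSignature Off' > "$demo/security"

audit ini_value "$demo/php.ini" $PHP_WANT || echo "php.ini findings: $?"
audit apache_value "$demo/security" $APACHE_WANT || echo "apache findings: $?"
```

The comparison is case-insensitive but does not treat 1/0 or yes/no as equivalents of On/Off, so those spellings are reported as mismatches.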