Additional security measures

This section outlines additional security measures to enhance the security of your Swarm installation.

Hide your Apache version and Linux OS

Verbose user interfaces and banner-grabbing tools reveal system information to anyone looking for version-specific vulnerabilities in your server environment. The same information can also be used for other purposes, such as marketing and competitor analysis. Hiding your OS and Apache version adds a degree of difficulty for potential attackers.

View server HTTP headers

There are many ways to view a server's HTTP headers. The easiest option is to use an online tool such as Security Headers or Mozilla Observatory.

If you’re on a Linux system, you can use the curl or wget terminal commands:

curl --head yourdomain.com

wget --server-response --spider yourdomain.com

If you are logged into the Linux system that you want to modify, use localhost in the following commands:

curl --head localhost

wget --server-response --spider localhost

Within the header information you will see a line that states the web server software and version you are using alongside your server OS.

For example: Server: Apache/2.4.10 (Debian)

Hide Apache Version and OS

To remove your Apache version and OS from HTTP headers and server-generated pages, do the following:

  1. Log in to the server over SSH (Secure Shell) as root.

  2. Edit your Apache server configuration file using a text editor.

    CentOS/AlmaLinux:

    nano /etc/httpd/conf/httpd.conf

    Debian/Ubuntu:

    nano /etc/apache2/conf-enabled/security.conf

  3. Scroll down to the “ServerTokens” section, where you will probably see several commented-out lines (beginning with “#”) showing “ServerTokens” with different options. Change the uncommented line, likely “ServerTokens OS”, or comment it out and add a new line, so that the Apache version and OS are hidden from HTTP headers:

    ServerTokens Prod

    If you do not see the “ServerTokens” and “ServerSignature” sections, add the necessary lines to the bottom of your configuration file.

  4. The next section down should be the “ServerSignature” section. Turning this off hides the same information on server-generated pages, such as an Internal Server Error page:

    ServerSignature Off

  5. Save the changes and close the file.

  6. Restart Apache server as follows:

    CentOS/AlmaLinux:

    systemctl restart httpd

    Debian/Ubuntu:

    systemctl restart apache2

  7. Recheck your server HTTP headers:

    curl --head localhost
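The recheck in step 7 can be scripted. The following POSIX shell example is added here and is not part of the Swarm documentation: it classifies what the Server header reveals (nothing, product only, product and version, or product, version and OS) so you can confirm that ServerTokens Prod took effect. The sample responses are constructed for illustration; the check_host function name and its use of curl -sI are this example's own choices.

```shell
#!/bin/sh
# Classify the disclosure level of the Server header in a raw HTTP response.
# $1: full response headers as one string, e.g. the output of `curl -sI host`.
# Prints one of: NONE, PROD, VERSION, OS.
classify_server_header() {
  # Header names are case-insensitive and curl emits CRLF line endings,
  # so strip carriage returns before matching the "Server:" line.
  value=$(printf '%s\n' "$1" | tr -d '\r' \
          | awk 'tolower($1) == "server:" { sub(/^[^:]*:[ \t]*/, ""); print; exit }')
  if [ -z "$value" ]; then
    echo NONE                               # header absent or empty
  elif printf '%s' "$value" | grep -q '('; then
    echo OS                                 # "Apache/2.4.10 (Debian)" -> ServerTokens OS or Full
  elif printf '%s' "$value" | grep -q '/'; then
    echo VERSION                            # "Apache/2.4.10" -> ServerTokens Major/Minor/Min
  else
    echo PROD                               # "Apache" -> ServerTokens Prod
  fi
}

# Fetch the headers of a live host and classify them (not run during the test).
check_host() {
  classify_server_header "$(curl -sI "$1")"
}

# Constructed sample responses: before and after setting ServerTokens Prod.
SAMPLE_BEFORE=$(printf 'HTTP/1.1 200 OK\r\nServer: Apache/2.4.10 (Debian)\r\nContent-Type: text/html\r\n')
SAMPLE_AFTER=$(printf 'HTTP/1.1 200 OK\r\nServer: Apache\r\nContent-Type: text/html\r\n')

echo "before: $(classify_server_header "$SAMPLE_BEFORE")"   # before: OS
echo "after:  $(classify_server_header "$SAMPLE_AFTER")"    # after:  PROD

# Usage: ./check_server_header.sh localhost
if [ "$#" -gt 0 ]; then
  check_host "$1"
fi
```

Anything other than PROD (or NONE, if you have removed the header entirely at a proxy) means the configuration change has not taken effect on the host you queried.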

Security risks of using a self-signed certificate

Using a self-signed certificate or untrusted Certificate Authorities exposes your system to vulnerabilities and security breaches. The risks of using a self-signed certificate or untrusted Certificate Authorities are as follows:

  • Not trusted by web browsers: Web browsers do not trust self-signed certificates or untrusted Certificate Authorities, because such certificates make it easy for attackers to intercept the data users share with the server. These certificates hold both the private and public key within the same entity and cannot be revoked, which makes it difficult to detect a compromise.

  • Exposure to vulnerabilities: A compromised private key is a threat to an organization's infrastructure. Certificate Authorities can identify compromised certificates and revoke them. However, organizations cannot revoke self-signed certificates and may not be able to keep track of them, so a compromised certificate can be overlooked or go unnoticed. Such certificates give malicious actors an opportunity to access the network and carry out advanced malware attacks, man-in-the-middle (MITM) attacks, phishing attacks, and botnet activity.

  • Not meeting security requirements: Digital certificates issued by trusted certificate authorities adhere to strong cyber security standards, utilizing the latest ciphers and hashing technologies. On the other hand, self-signed certificates are created internally and may not always meet the latest security standards, potentially using weaker ciphers.