Securing Apache2

Enable the default SSL configuration. These are the first easy steps; we'll go deeper later.

ocm@achtung:/etc/apache2/mods-enabled$ sudo ln -sf ../mods-available/ssl.load ./ssl.load
ocm@achtung:/etc/apache2/mods-enabled$ sudo ln -sf ../mods-available/ssl.conf ./ssl.conf
ocm@achtung:/etc/apache2/mods-enabled$ sudo service apache2 restart
 * Restarting web server apache2   .

HAHA, not enough. We get the following error in error.log:

[Thu Feb 23 18:26:57 2012] [error] [client] Invalid method in request \x16\x03\x01
[Thu Feb 23 18:28:19 2012] [error] [client] Invalid URI in request get index

We enabled listening on the secure port but did not tell our server to encrypt the data. It happens, so:
Enable the SSL site:
root@achtung:/etc/apache2/sites-enabled# ln -sf ../sites-available/default-ssl ./default-ssl

Create a self-signed certificate and key:

root@achtung:/etc/apache2# openssl req -new -x509 -nodes -out achtung.crt -keyout achtung.key
Generating a 1024 bit RSA private key
writing new private key to 'achtung.key'
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
Country Name (2 letter code) [AU]:ES
State or Province Name (full name) [Some-State]:
Locality Name (eg, city) []:
Organization Name (eg, company) [Internet Widgits Pty Ltd]:
Organizational Unit Name (eg, section) []:
Common Name (eg, YOUR name) []:
Email Address []:

Edit the site config so that it points to the new certificate and key files (the cert goes in SSLCertificateFile, the key in SSLCertificateKeyFile; swapping them or naming a file that does not exist stops Apache from starting):

root@achtung:/etc/apache2# vi sites-enabled/default-ssl
        SSLEngine on
        SSLCertificateFile    /etc/apache2/achtung.crt
        SSLCertificateKeyFile /etc/apache2/achtung.key

Bind the service only to the desired addresses and ports:

Look for the httpd.conf or ports.conf that holds your "Listen" directive, and add as many Listen lines as you need:

ocm@achtung:/etc/apache2$ vi ports.conf
NameVirtualHost *:80
#Listen 80
Listen localhost:80

<IfModule mod_ssl.c>
    # If you add NameVirtualHost *:443 here, you will also have to change
    # the VirtualHost statement in /etc/apache2/sites-available/default-ssl
    # to <VirtualHost *:443>
    # Server Name Indication for SSL named virtual hosts is currently not
    # supported by MSIE on Windows XP.
    #Listen 443
    Listen localhost:443
</IfModule>

<IfModule mod_gnutls.c>
    #Listen 443
    Listen localhost:443
</IfModule>

Restart and check:
ocm@achtung:/etc/apache2$ sudo netstat -tnlp | grep apache
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0*               LISTEN      7763/apache2
tcp        0      0  *               LISTEN      7763/apache2
tcp        0      0*               LISTEN      7763/apache2
tcp        0      0 *               LISTEN      7763/apache2
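A small checker for the config edits above, added here as an example and not taken from the original post. It assumes nothing about the live box: every path under $demo_dir and the PEM contents are constructed inside the script.

```shell
#!/bin/sh
# Added sanity check for the default-ssl and ports.conf edits above (my script, not
# part of the original post): SSLCertificateFile must name a certificate and
# SSLCertificateKeyFile a private key (swapping them stops Apache from starting),
# the key must not be group/world readable, and every <IfModule> must be closed.
# Everything under $demo_dir is constructed with fake PEM bodies, not real keys.

# Print the first value of an Apache directive found in a config file.
directive_value() {
    awk -v d="$2" '$1 == d { print $2; exit }' "$1"
}

# Check one SSL vhost file; returns 0 when the cert/key setup is sane, 1 otherwise.
check_ssl_vhost() {
    conf=$1 rc=0
    cert=$(directive_value "$conf" SSLCertificateFile)
    key=$(directive_value "$conf" SSLCertificateKeyFile)
    if ! grep -q 'BEGIN CERTIFICATE' "$cert" 2>/dev/null; then
        echo "SSLCertificateFile '$cert': missing or not a certificate" >&2; rc=1
    fi
    if ! grep -q 'PRIVATE KEY' "$key" 2>/dev/null; then
        echo "SSLCertificateKeyFile '$key': missing or not a private key" >&2; rc=1
    fi
    # Columns 5-10 of ls -l are the group/other bits; all must be '-' (mode 600).
    if [ -f "$key" ] && [ "$(ls -ld "$key" | cut -c5-10)" != "------" ]; then
        echo "'$key' is readable by group/others; chmod 600 it" >&2; rc=1
    fi
    return $rc
}

# Every <IfModule ...> opener needs a </IfModule>; a missing one breaks the restart.
check_ifmodule_balance() {
    awk '/^[[:space:]]*<IfModule/ { o++ } /^[[:space:]]*<\/IfModule>/ { c++ }
         END { exit (o != c) }' "$1"
}

# Constructed demo files: the fixed vhost, the swapped one, and a closed ports.conf.
demo_dir=$(mktemp -d)
printf '%s\n' '-----BEGIN CERTIFICATE-----' 'ZmFrZQ==' '-----END CERTIFICATE-----' > "$demo_dir/achtung.crt"
printf '%s\n' '-----BEGIN RSA PRIVATE KEY-----' 'ZmFrZQ==' '-----END RSA PRIVATE KEY-----' > "$demo_dir/achtung.key"
chmod 600 "$demo_dir/achtung.key"
printf 'SSLEngine on\nSSLCertificateFile %s/achtung.crt\nSSLCertificateKeyFile %s/achtung.key\n' \
    "$demo_dir" "$demo_dir" > "$demo_dir/default-ssl.good"
printf 'SSLEngine on\nSSLCertificateFile %s/achtung.pem\nSSLCertificateKeyFile %s/achtung.crt\n' \
    "$demo_dir" "$demo_dir" > "$demo_dir/default-ssl.bad"
printf '%s\n' 'Listen localhost:80' '<IfModule mod_ssl.c>' '    Listen localhost:443' '</IfModule>' > "$demo_dir/ports.conf"
check_ssl_vhost "$demo_dir/default-ssl.good" && echo "default-ssl.good: OK"
check_ssl_vhost "$demo_dir/default-ssl.bad" || echo "default-ssl.bad: problems found (expected)"
check_ifmodule_balance "$demo_dir/ports.conf" && echo "ports.conf: IfModule blocks balanced"
```

Point check_ssl_vhost at /etc/apache2/sites-enabled/default-ssl and check_ifmodule_balance at /etc/apache2/ports.conf to run it against a real box.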

More secure than before, but not enough!

Another improvement, certificate creation:
apache cert creation