
Practical Recommendations for Securing an Apache Server for a Cryptocurrency Exchange

Apache is a powerful and flexible web server, but its default configuration is not designed to mitigate targeted attacks on financial services. Installing a currency exchange script requires a proactive approach to security. This guide provides step-by-step instructions for hardening your Apache server to minimize the risk of hacking and compromise of funds.

1. Basic Configuration and Updates

1.1. Current Versions

Use the latest stable versions of Apache and PHP. Outdated software is the main attack vector.

# For Ubuntu/Debian

sudo apt update && sudo apt upgrade apache2 libapache2-mod-php -y

# For CentOS/RHEL

sudo yum update httpd mod_php -y

1.2. Hiding Server Information

Hide Apache and PHP versions in response headers to make it more difficult for attackers to identify them.

In the main Apache configuration file (e.g. /etc/apache2/apache2.conf or /etc/httpd/conf/httpd.conf), add:

ServerTokens Prod

ServerSignature Off

To hide the PHP version in headers, create or edit the file /etc/php/*/apache2/php.ini (the path may vary):

expose_php = Off

1.3. Protection from Information Collection

Restrict access to your script's service files and other sensitive files using .htaccess directives or directives in the virtual host.

In the virtual host configuration (or in .htaccess in the site root), add:

# Block access to all hidden files and directories (starting with a dot),
# e.g. .env, .git and .htaccess itself. The "Require all denied" lines need
# a container directive around them to take effect.

<FilesMatch "^\.">
    Require all denied
</FilesMatch>

# DirectoryMatch and Directory are only valid in the server or virtual host
# configuration, not in .htaccess

<DirectoryMatch "/\.">
    Require all denied
</DirectoryMatch>

# Block access to specific sensitive files (log files here; extend the
# pattern for any other files your script keeps inside the web root)

<FilesMatch "\.log$">
    Require all denied
</FilesMatch>

# Prevent viewing directory contents

Options -Indexes

# Block script execution in directories with user content (e.g., uploads or downloads).
# The path follows the site root used in section 5.1; adjust it to your installation.

<Directory "/var/www/your-exchange.com/uploads">
    <FilesMatch "\.(php|phtml|phar)$">
        Require all denied
    </FilesMatch>
    # With mod_php, additionally switch the PHP engine off for this directory
    php_admin_flag engine off
</Directory>

2. Configuring SSL and a secure connection

2.1. Use modern protocols and ciphers

Disable obsolete and insecure protocols and ciphers. Enable only TLS 1.2 and TLS 1.3.

In the SSL virtual host configuration, add:

SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1

SSLCipherSuite ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384

SSLHonorCipherOrder on

SSLSessionTickets off

2.2. Mandatory HTTPS redirection

Configure redirection of all HTTP traffic to a secure connection.

Add a separate virtual host for port 80 that does nothing but redirect:

<VirtualHost *:80>
    ServerName your-exchange.com
    ServerAlias www.your-exchange.com

    # Redirect to HTTPS
    Redirect permanent / https://your-exchange.com/
</VirtualHost>

2.3. HTTP Security Headers

Add critical security headers to protect against XSS, clickjacking, and other attacks.

Enable the headers module and add it to the virtual host configuration:

# Activate the module (if not active)

sudo a2enmod headers

# In the virtual host configuration:

Header always set X-XSS-Protection "1; mode=block"

Header always set X-Content-Type-Options "nosniff"

Header always set Referrer-Policy "strict-origin-when-cross-origin"

Header always set Content-Security-Policy "default-src 'self' https: data: 'unsafe-inline' 'unsafe-eval';"

# Warning! Carefully configure the CSP for your script. The policy above is only a
# starting point: 'unsafe-inline' and 'unsafe-eval' keep legacy scripts working but
# also allow injected inline script to run, so tighten the sources to what your
# exchange script actually needs.

3. Request Limiting and DDoS Protection

3.1. Rate limiting with mod_security and mod_evasive

Install and configure modules for brute force and DDoS protection.

mod_evasive (for basic DDoS protection):

# Installation

# For Ubuntu/Debian:

sudo apt install libapache2-mod-evasive

# For CentOS/RHEL:

sudo yum install mod_evasive

# Configuration in /etc/apache2/mods-enabled/evasive.conf

DOSHashTableSize 3097

DOSPageCount 10

DOSSiteCount 100

DOSPageInterval 2

DOSSiteInterval 2

DOSBlockingPeriod 600

mod_security (WAF, Web Application Firewall):

# Installation

# For Ubuntu/Debian:

sudo apt install libapache2-mod-security2

# For CentOS/RHEL:

sudo yum install mod_security

Enable OWASP CRS core rules to protect against SQL injection, XSS, and other attacks.

3.2. Request Size and Time Limits

Protect your server from resource exhaustion attacks. Keep LimitRequestBody at least as large as the upload limits set in php.ini (section 5.1); otherwise Apache rejects larger uploads before PHP ever sees them. Note that Apache does not allow comments at the end of a directive line, so keep them on their own lines:

# Limit request body to 1 MB

LimitRequestBody 1048576

# Request timeout in seconds

TimeOut 60

4. Access Control and File System

4.1. Minimum privileges for the Apache process

Run Apache under a separate user with minimal privileges (usually www-data or apache).

Make sure the configuration (the envvars file on Debian/Ubuntu, or httpd.conf on CentOS/RHEL) contains:

User www-data

Group www-data

4.2. Setting Correct File Permissions

The script files should be owned by your deployment user (e.g., deploy), not by the Apache user.

File permissions: 644, directory permissions: 755.

The Apache user (www-data) should only have read access to most files and write access to specific directories (uploads, tmp, logs).
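To verify that a deployed tree actually follows the scheme above, here is an added audit script (not part of the original page or of any exchange script) that walks a site root and reports entries the Apache user could write to outside the allowed directories, plus PHP files that ended up in user-content directories. The site tree it builds is a constructed sample in a temporary directory; the directory names uploads, tmp and logs are taken from the text, the file names are assumptions.

```python
import os
import stat
import tempfile

# Directories under the site root where the Apache user legitimately needs write
# access (section 4.2); everything else should be read-only for www-data.
WRITABLE_DIRS = ("uploads", "tmp", "logs")

def _in_allowed(path, allowed):
    return any(path == a or path.startswith(a + os.sep) for a in allowed)

def audit_permissions(site_root, writable_dirs=WRITABLE_DIRS):
    """Walk the site tree and return sorted (relative path, problem) pairs: world-writable
    entries anywhere, group-writable entries outside the allowed directories, PHP files
    inside user-content directories (they execute unless the section 1.3 Directory block
    denies them), and symlinks, which are reported and not followed."""
    allowed = [os.path.join(site_root, d) for d in writable_dirs]
    findings = []
    for dirpath, dirnames, filenames in os.walk(site_root):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, site_root)
            st = os.lstat(path)
            mode = stat.S_IMODE(st.st_mode)
            if stat.S_ISLNK(st.st_mode):
                findings.append((rel, "symlink inside web root"))
                continue
            if mode & stat.S_IWOTH:
                findings.append((rel, "world-writable"))
            elif mode & stat.S_IWGRP and not _in_allowed(path, allowed):
                findings.append((rel, "group-writable outside " + "/".join(writable_dirs)))
            if stat.S_ISREG(st.st_mode) and name.endswith(".php") and _in_allowed(path, allowed):
                findings.append((rel, "PHP file in user-content directory"))
    return sorted(findings)

def build_sample_tree():
    """Constructed sample site tree in a temporary directory (not a real deployment)."""
    root = tempfile.mkdtemp(prefix="exchange-audit-")
    for d, mode in (("config", 0o755), ("uploads", 0o775)):
        os.mkdir(os.path.join(root, d))
        os.chmod(os.path.join(root, d), mode)
    files = {"index.php": 0o644, "config/db.php": 0o664, "config/cache.json": 0o666,
             "uploads/avatar.png": 0o664, "uploads/profile.php": 0o664}
    for rel, mode in files.items():
        path = os.path.join(root, rel)
        open(path, "w").close()
        os.chmod(path, mode)
    return root
```

Run audit_permissions against the real site root (e.g. /var/www/your-exchange.com) as a periodic check; an empty result means the tree matches the 644/755 scheme with write access confined to uploads, tmp and logs.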

4.3. Blocking IP Access to the Admin Panel

Restrict access to the admin panel to trusted IP addresses only. If the site sits behind a reverse proxy or CDN, Apache sees the proxy's address rather than the client's, so the restriction must be enforced there or the real client address must be restored first (e.g. with mod_remoteip).

<Location "/admin">
    Require ip 192.0.2.100 203.0.113.50

    # Or, if using authentication:
    # AuthType Basic
    # AuthName "Restricted Area"
    # AuthUserFile /etc/apache2/.htpasswd
    # Require valid-user
</Location>

5. PHP Configuration for Security

Since most exchange services are written in PHP, its security is no less important.

5.1. Secure php.ini Settings

Edit the php.ini file used by Apache:

; Disable dangerous functions

disable_functions = exec,passthru,shell_exec,system,proc_open,popen,show_source

; Restrict access to the file system outside the website root

open_basedir = /var/www/your-exchange.com/:/tmp/

; Restrict file uploads (size and number of files per request)

file_uploads = On

upload_max_filesize = 2M

max_file_uploads = 3

; Error logging (without displaying)

display_errors = Off

log_errors = On

error_log = /var/log/php_errors.log

6. Monitoring and Logging

6.1. Detailed Logging

Configure an extended Apache log format for better analysis (the %O field, bytes sent including headers, requires mod_logio; %D records the request duration in microseconds):

LogFormat "%h %l %u %t \"%r\" %>s %O \"%{Referer}i\" \"%{User-Agent}i\" %D" extended

CustomLog ${APACHE_LOG_DIR}/access.log extended

ErrorLog ${APACHE_LOG_DIR}/error.log

6.2. Regular Log Analysis

Use fail2ban to automatically block IP addresses based on attack patterns in Apache logs. An example fail2ban configuration would block multiple 404 errors or repeated login attempts.
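As an added illustration (not part of the original page and not fail2ban's own code), the following Python script implements the decision fail2ban makes for the two patterns just mentioned: it parses lines in the "extended" LogFormat from section 6.1 and bans an address once it produces maxretry matching events inside a findtime window. The log lines are constructed samples; the rule names, thresholds and the /admin/login path are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Matches the "extended" LogFormat from section 6.1:
#   %h %l %u %t "%r" %>s %O "%{Referer}i" "%{User-Agent}i" %D
LOG_RE = re.compile(r'(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<req>[^"]*)" '
                    r'(?P<status>\d{3}) \S+ "[^"]*" "[^"]*" \d+$')
TIME_FMT = "%d/%b/%Y:%H:%M:%S %z"

def parse(line):
    """Return ip, time, method, path and status for one access-log line, or None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    method, _, rest = m.group("req").partition(" ")
    return {"ip": m.group("ip"), "time": datetime.strptime(m.group("time"), TIME_FMT),
            "method": method, "path": rest.split(" ")[0], "status": int(m.group("status"))}

def offenders(lines, maxretry=5, findtime=timedelta(minutes=10)):
    """fail2ban-style decision: an IP is banned under a rule once it produces maxretry
    matching events inside any findtime window. Rules: '404' (probing for files that
    do not exist) and 'admin-login' (repeated POSTs under /admin)."""
    hits = defaultdict(list)                       # (ip, rule) -> timestamps
    for line in lines:
        ev = parse(line)
        if ev is None:
            continue                               # unparseable lines are skipped
        if ev["status"] == 404:
            hits[(ev["ip"], "404")].append(ev["time"])
        if ev["method"] == "POST" and ev["path"].startswith("/admin"):
            hits[(ev["ip"], "admin-login")].append(ev["time"])
    banned = set()
    for key, times in hits.items():
        times.sort()                                # sliding window over sorted timestamps
        if any(times[i + maxretry - 1] - times[i] <= findtime
               for i in range(len(times) - maxretry + 1)):
            banned.add(key)
    return banned

def _line(ip, second, req, status):
    # Constructed sample line in the format above (not real traffic).
    return f'{ip} - - [05/Mar/2024:10:00:{second:02d} +0000] "{req}" {status} 512 "-" "Mozilla/5.0" 1234'

SAMPLE_LOG = (
    [_line("198.51.100.7", s, f"GET /old{s}.php HTTP/1.1", 404) for s in range(0, 60, 10)]     # six 404s in a minute
    + [_line("203.0.113.9", s, "POST /admin/login HTTP/1.1", 200) for s in range(0, 50, 10)]  # five admin login POSTs
    + [_line("192.0.2.100", 30, "GET /admin/ HTTP/1.1", 200),                                  # trusted IP, one visit
       _line("192.0.2.100", 31, "GET /missing.png HTTP/1.1", 404)]                             # a single 404 is not a scan
)
```

Running offenders(SAMPLE_LOG) flags 198.51.100.7 under the 404 rule and 203.0.113.9 under the admin-login rule, while the single trusted-IP requests stay untouched; the same thresholds map directly onto maxretry and findtime in a fail2ban jail.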

Quick Checklist

  • ServerTokens Prod and ServerSignature Off are set.
  • expose_php = Off in php.ini.
  • Redirect from HTTP to HTTPS is configured.
  • Only TLS 1.2/1.3 and modern ciphers are used.
  • Critical security headers are added.
  • Access to sensitive files (.env, .git, logs) is denied.
  • Module mod_evasive and/or mod_security are installed and configured.
  • Access to /admin is restricted by IP.
  • Dangerous functions are disabled in php.ini and open_basedir is configured.
  • Access permissions to site files are set correctly.

Conclusion

Apache security for a cryptocurrency exchange is a multi-layered process that requires attention to detail. The presented settings create a solid foundation capable of resisting most automated attacks and significantly increasing the cost of hacking for attackers.

Important: After making any changes to the Apache or PHP configuration, be sure to check their syntax and restart the service:

# Check Apache syntax

sudo apache2ctl -t

# Restart Apache

sudo systemctl reload apache2

# Or for CentOS/RHEL

sudo httpd -t

sudo systemctl reload httpd

Regular audits and updates are the key to maintaining a high level of security for your exchange service.
