Web Server Security Policy

Web Server Security Policy-Linux Enterprise Application-Linux server application information. For details, refer to the following section. Source: seayuan 'blog time: Tue, 25 Jul 2006 13:39:46 + 0000 Author: seayuan
Address: http://www.seayuan.com/read.php/3.htm

With the popularization of network technology, application and continuous improvement of Web technology, Web services have become one of the most important forms of services on the Internet. The original customer/Server mode is gradually replaced by the Browser/Server mode. This article will focus on the main Web threats, and introduce the Web server security configuration techniques in conjunction with the use of a large number of Apache servers in Linux. Security risks faced by Web servers to protect Web servers from malicious attacks and damages, the first step is to understand and identify the security risks it faces. Previously, Web sites only provided static pages, so there were few security risks. The only way for a malicious attacker to access such websites is to obtain illegal access permissions.
In recent years, most Web servers no longer provide static HTML pages, they provide dynamic content, many Web sites are combined with valuable customer services or e-commerce activity applications (this is also a risk, which is usually not paid attention ).
◆ HTTP Denial of Service. Attackers use some methods to make the server refuse to respond to HTTP requests. This results in a sharp increase in Apache demand for system resources (CPU time and memory), resulting in system slowdown or even complete paralysis.
◆ Buffer Overflow. Attackers use some defects in CGI programming to make the program deviate from the normal process. The program uses the static allocated memory to store request data. attackers can send an ultra-long request to overflow the buffer. For example, some Perl gateway scripts for processing user requests. Once the buffer overflow occurs, attackers can execute malicious commands.
◆ Attackers obtain root privileges. If Apache runs with the root permission, some program logic defects or buffer overflow means on the system, attackers can easily obtain the root permission on the Linux server. In some remote cases, attackers may exploit some defective system daemon processes executed as root to obtain root privileges, you can also exploit the vulnerability of a defective service process to obtain common user permissions and remotely log on to the server to control the entire system. Reasonable network configuration can protect Apache servers from multiple attacks.
Configure a secure Apache server:
1. Install patches frequently.
The latest changelog on www.apache.org has the words bug fix and security bug fix. Therefore, Linux network administrators should pay attention to the bug fixes and upgrades of related websites, and promptly upgrade the system or add patches. The use of the highest and latest Security versions is essential to enhance the security of Apache Web servers.
2. Hide Apache version
Generally, software vulnerability information is related to a specific version. Therefore, the version number is the most valuable to hackers. By default, the System Displays all modules of the Apache version (http return headers ). If the directory is listed, the domain name information (file list body) will be displayed. Remove Apache version number: modify the configuration file:/etc/httpd. conf. find the keyword ServerSignature, set it to ServerSignature Off ServerTokens Prod, and then restart the Apache server.

3. Create a secure directory structure
The Apache server contains four main directories: (1) ServerRoot: stores the configuration file (conf sub-directory) binary files and other server configuration files. (2) DocumentRoot: Save the content of the Web site, including HTML files and images. (3) ScripAlias: Save the CGI script. (4) Customlog and Errorlog: Save the access log and Error Log. We recommend that you set such a directory structure. The above four main directories are independent of each other and there is no parent-child logical relationship. TIPS: The ServerRoot directory should be configured to be accessible only by root users; DocumentRoot should be accessible to users who manage Web site content and by Apache servers using Apache users and Apache user groups; the ScriptAlias directory should only be accessed by CGI developers and Apache users; only the root user can access the log directory. The following is the directory structure snapshot used by the author, as shown in 1. Such a directory structure is safer because directories are independent. Permission Errors for a directory do not affect other directories.
4. Apache uses dedicated users and groups
According to the minimum privilege principle, you need to assign an appropriate permission to Apache to complete the Web service. TIPS: the principle of least privilege is one of the most basic principles in system security. It limits the minimum permissions required for users to access the system and data, this not only ensures that the user can complete the operation tasks, but also ensures that the loss caused by illegal users or abnormal operations is minimized. Make sure that Apache uses a dedicated user and user group. Do not use predefined accounts, such as nobody users and nogroup user groups. Because only the root user can run Apache, DocumentRoot should be able to be accessed by users who manage Web site content and by Apache users and Apache user groups on Apache servers. Therefore, if you want the "cao" user to publish content on the Web site and run the Apache server as httpd, you can usually do this: groupadd webteam usermod-G webteam cao chown-R httpd. webteam/www/html chmod-R 2570/www/htdocs only the root user can access the log directory. The recommended permission for this directory is chown-R root. root/etc/logs chmod-R 700/etc/logs
5. Web Directory Access Policy
For Web directories that can be accessed, you must use a relatively conservative approach, rather than allowing users to view any Directory Index list. (1) It is set to prohibit the use of Directory Index files when the Apache server receives user access to a directory, it will find the Directory Index file specified by the Directorylndex command. The file is index.html. If the file does not exist, Apache creates a dynamic list to display the contents of the directory. This setting usually exposes the Web site structure, so you need to modify the configuration file to prohibit the display of dynamic directory indexes. Modify the httpd. conf: Options-Indexes FollowSymLinks Options command to notify Apache to disable directory indexing. FollowSymLinks indicates that symbolic links are not allowed. (2) Disable default access. A good security policy is to disable the existence of default access. First, disable the default access. Only enable the access permission for the specified directory. If the/var/www/html directory is allowed, use the following settings: Order deny, allow Allow from all (3) prohibit users from reload in order to prohibit users from configuring directory files (. you can set AllowOverride None as follows:
6. Apache server access control policy
Apache's access. conf file is responsible for setting file access permissions to control access to Internet domain names and IP addresses. It contains commands to control which users are allowed to access the Apache directory. Set deny from all as the initialization command, and then use the allow from command to open the access permission. If you allow access from hosts with 192.168.1.1 to 192.168.1.254, you can set order deny, allow deny from all allow from pair 192.168.1.0/255.255.255.0.
7. A good Linux Network Administrator will closely record the server log system, which can record abnormal access clues. Apache can record all access requests. Likewise, incorrect requests are recorded. CustomLog/logs/access. log common? # Record every access request to the Web site # ErrorLog/logs/error. log? ? # Record requests that generate error states # tips: We recommend that you use an excellent log analysis tool Wusage (www.boutell.com) for routine analysis and monitoring of log files.
8. Password protection for Apache servers
The. htaccess file is a configuration file on the Apache server. It is a text file and can be written in a text editor .. The htaccess file provides a method for changing the configuration of directories, that is, by placing a file containing one or more commands in a specific document directory (. to apply to this directory and all its subdirectories. .Htaccess's functional package is used to set the webpage password when an error occurs. The current file name (such as index.html) on the first page is changed, the file name cannot be read, the file is redirected, the MIME category is added, and the file in the column directory is prohibited. Using. htaccess to protect websites is more convenient and secure, because using. htaccess files to implement password protection is difficult to crack.
9. Reduce CGI and SSI risks
CGI script vulnerabilities have become the top security risks for Web servers. Generally, many backdoors and vulnerabilities are generated in CGI programming. The CGI script control vulnerability should be used to run these programs by using the UID of the CGI program owner, in addition to checking the validity of the imported data and using the system call with caution, is a good method. Even if these CGI programs have some vulnerabilities, the harm is limited to the files that the UID can access. That is to say, this can only hurt the user's files, without causing a fatal impact on the entire system. By installing and using suEXEC applications, You can provide CGI program control support for the Apache server (from Apache l.3 and later, suEXEC is already part of the Apache server ), we can regard suEXEC as a package. After Apache receives a call request to the CGI program, it submits the call request to suEXEC to complete the specific call and obtain the returned result from here. SuEXEC can solve some security problems, but also reduce service performance, because it can only run on the CGI version of PHP, while the CGI version is slower than the module version. The reason is that the module version uses threads, while the CGI version uses processes. Environment conversion between different threads and access to public storage areas are obviously much faster than between different processes. We recommend that you use suEXEC when you have high security performance requirements, at the cost of speed. In addition, you can try another software CGIWrap, which has higher security performance than suEXEC. Official Website: ftp://ftp.cc.umr.edu/pub/cgi/cgiwrap. Reduce the Risk of SSI scripts: If you run external programs using commands such as exec, there will also be a risk similar to CGI script programs. In addition to internal program debugging, you should be able to use the Option command to disable it. Options IncludesNOEXEC
10. the Apache server is running in prison.
The so-called "prison" refers to the use of the chroot mechanism to change the root directory that can be seen when a software is running, that is, to limit the running of a software in a specified directory, ensure that the software can only act on the files in the directory and Its subdirectories, so as to ensure the security of the entire server. In this way, even if it is damaged or intruded into, it will not suffer much damage. One problem with chroot software is that all programs, configuration files, and library files required for running the software must be installed in the chroot directory in advance, this directory is usually called chroot jail (chroot "prison "). If you want to run Apache in "prison" without actually seeing the real directory in the file system, you need to create a directory in advance and copy httpd to it. At the same time, httpd needs a Library file. You can run the ldd (Library Dependency Display) command to view the file. ldd is used to Display a shared Library that is required by executable programs. This means you also need to create the lib directory in "prison" and copy the library files to it. It is very troublesome to do this manually. In this case, you can use the jail software package to simplify the chroot "prison" establishment process. The official Jail website is http://www.jmcresearch.com/. the latest version is 1.9a.
11. use SSL to reinforce Apache
Using a Web server with the SSL (Secure Socket protocol layer) function can improve the security performance of your website. The SSL protocol works between the Linux TCP/IP protocol and the HTTP protocol, as shown in Relationship 2. SSL uses encryption to protect the information flow between the Web server and the browser. SSL is used not only to encrypt data streams transmitted over the Internet, but also to authenticate the two parties. In this way, you can shop online safely without worrying about others stealing your credit card information. This feature makes SSL applicable to areas where important information is exchanged, such as e-commerce and Web-based mail. S sl uses the public key encryption technology. The server sends a public key to the client at the end of the connection to encrypt the information. The encrypted information can only be unlocked by the server with its own private key. The client encrypts data with a public key and sends the key to the server to uniquely identify itself. This prevents spoofing by impersonating the server or the client between the two ends of the system. The encrypted HTTP connection uses port 443 instead of port 80 to distinguish it from the common unencrypted HTTP connection. When the client uses encrypted HTTP connection, port 443 is automatically used instead of port 80, which makes it easier for the server to respond accordingly. For the SSL running structure, see. When using SSL, the Apache server usually has two options: the master server or virtual Web site.
12. Prevent DoS attacks on Apache servers
The Apache server mainly uses the Apache DoS Evasive Maneuvers Module to prevent attacks. It is an alternative to mod_access and can defend against DoS attacks. The software can quickly reject repeated requests from the same address to the same URL through a hash table query of each sub-process. Download link: http: // online. securityfocus.com/data/tools/dospatch.tar.gz. For software installation configurations, you can view the Linux Chinese homepage http://www.linux.gov.cn/:apache. The procedure is simple and will not be described here. At the same time, the Apache server can use a powerful command in Linux to prevent Dos attacks. Netstat-an | grep-I "Server IP Address: 80 "| awk '{print $6}' | sort | uniq-c | sort-n this command will automatically count the number of TCP connection statuses. If SYN_RECV is high, the possibility of a TCP-based Denial of Service attack cannot be ruled out. In this case, you need to enable tcp_syncookies: echo 1>/proc/sys/net/ipv4/tcp_syncookies. If no/proc/sys/net/ipv4/tcp_syncookies exist, this indicates that your kernel does not support syncookies. You need to recompile the kernel and reduce the number of syn retries. Echo "1">/proc/sys/net/ipv4/tcp_syn_retries echo "1">/proc/sys/net/ipv4/tcp_synack_retries simultaneously increase syn_backlog to ensure user access: echo "2048">/proc/sys/net/ipv4/tcp_max_syn_backlog 13. Other security tools use TCP_wrappers and AIDE to provide additional protection for your system. You can use TCP_wrappers to control the access permission in one step. AIDE is a data integrity detection tool that helps the system administrator monitor whether the system has been changed. You can compile specific policies in the AIDE configuration file, monitors whether the configuration files, data, and CGI files of the Web server are modified.
In fact, most Web sites are maliciously attacked by attackers due to vulnerabilities in applications or scripts. Web security experts believe that scripts or applications running on Web servers are the biggest risk factors. Because CGI scripts are generally responsible for generating dynamic content, they often cause most of the damage. For most Web servers, we should first consider how to enhance security configuration.
Editor's note: The following section describes the FTP service security policies based on the FTP server-WuFTP, Vsftpd, and ProFTP used in Linux. Generated by Bo-blog 2.0.2