Installation of a secure Web server (3)

This ensures that Apache, scanlogd and the SuSE firewall are started automatically whenever the machine boots. Next we configure the local firewall: change the corresponding lines in /etc/rc.config.d/firewall.rc.config (the file itself documents each variable) to the following form:

FW_DEV_WORLD="eth0"                      # Query No. 2
FW_SERVICES_EXTERNAL_TCP="www https"     # Query No. 9
FW_SERVICES_TRUSTED_NETS="1.1.1.0/24"    # Query No. 10 - 1.1.1.0/24 is the network the administrators connect from
FW_TRUSTED_SERVICES_TCP="ssh"            # Query No. 10

The rules are activated with the /sbin/SuSEfirewall command and are loaded again on every system boot. Verify the result with the packet filter's own listing (ipchains -L -n on the 2.2 kernels SuSEfirewall was written for) rather than trusting the configuration file alone: only www and https should be open to the world, and ssh only from 1.1.1.0/24.
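
As an added check that is not part of the original article, the following shell script parses a firewall.rc.config-style file and flags the two mistakes that matter most with this setup: a service other than www/https opened to the whole world, and a "trusted" network that is really the entire Internet. The variable names are the ones the article uses; the parsing assumes the simple KEY="value" # comment layout shown above, and the sample file the script writes is constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not from the original article: sanity-check the SuSEfirewall
# variables before running /sbin/SuSEfirewall.  Variable names are the ones the
# article uses; the sample written by fw_sample is constructed for the demo.

# Print the value of KEY="value" in FILE (last occurrence wins); a trailing
# "# Query No. 9" style comment is ignored.  Usage: fw_get FILE KEY
fw_get() {
    sed -n "s/^[[:space:]]*$2=\"\([^\"]*\)\".*/\1/p" "$1" | tail -n 1
}

# Return 0 if only the web ports are open to the world and ssh is offered to a
# real (non-global) trusted network only; otherwise print each finding and
# return 1.  Usage: fw_check FILE
fw_check() {
    f=$1; rc=0
    dev=$(fw_get "$f" FW_DEV_WORLD)
    ext=$(fw_get "$f" FW_SERVICES_EXTERNAL_TCP)
    nets=$(fw_get "$f" FW_SERVICES_TRUSTED_NETS)
    tsvc=$(fw_get "$f" FW_TRUSTED_SERVICES_TCP)

    [ -n "$dev" ] || { echo "FW_DEV_WORLD is empty: no interface is treated as untrusted"; rc=1; }

    # Only the web ports may be reachable from everywhere.
    for s in $ext; do
        case $s in
            www|http|80|https|443) ;;
            *) echo "'$s' is open to the whole world in FW_SERVICES_EXTERNAL_TCP"; rc=1 ;;
        esac
    done

    # The admin network must be in CIDR notation and must not be "everyone".
    [ -n "$nets" ] || { echo "FW_SERVICES_TRUSTED_NETS is empty: nobody can reach ssh"; rc=1; }
    for n in $nets; do
        case $n in
            */0)                    echo "trusted net '$n' covers the whole Internet"; rc=1 ;;
            */[0-9]|*/[0-9][0-9])   ;;
            *)                      echo "trusted net '$n' is not in CIDR notation"; rc=1 ;;
        esac
    done

    # ssh must be in the trusted list (and, by the loop above, nowhere else).
    case " $tsvc " in
        *" ssh "*|*" 22 "*) ;;
        *) echo "ssh is missing from FW_TRUSTED_SERVICES_TCP"; rc=1 ;;
    esac
    return $rc
}

# Write a constructed sample in the article's layout.
# Usage: fw_sample FILE [EXTERNAL_TCP] [TRUSTED_NETS]
fw_sample() {
    cat > "$1" <<EOF
FW_DEV_WORLD="eth0"                              # Query No. 2
FW_SERVICES_EXTERNAL_TCP="${2:-www https}"       # Query No. 9
FW_SERVICES_TRUSTED_NETS="${3:-1.1.1.0/24}"      # Query No. 10 - admin network
FW_TRUSTED_SERVICES_TCP="ssh"                    # Query No. 10
EOF
}

# Demo: the article's values pass; "www https ssh" plus 0.0.0.0/0 does not.
tmp=$(mktemp)
fw_sample "$tmp" && fw_check "$tmp" && echo "article config: OK"
fw_sample "$tmp" "www https ssh" "0.0.0.0/0"; fw_check "$tmp" || echo "bad config rejected"
rm -f "$tmp"
```

Run it against the real /etc/rc.config.d/firewall.rc.config before calling /sbin/SuSEfirewall; the check is deliberately strict about ssh, because the one service that must never be in the world-visible list on this box is the administrators' login.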

Now we add SuSE's own kernel security module, secumod, to the boot sequence:
erde# cat >> /sbin/init.d/boot.local
insmod secumod hardlink=1 symlink=1 pipe=1 trace=1 systable=1 logging=1
^D

At boot the module is then loaded with these options and blocks the symlink, hardlink and pipe attacks (typically races in world-writable directories such as /tmp) and a few other Unix-specific ones; logging=1 makes it record what it blocks in the kernel log. Because the line sits in boot.local, a failing insmod is silent, so check with lsmod after the next reboot that secumod is actually loaded.

Fifth Step: Configure Apache

The web software and the pages are the core of the server. We have to make sure that nobody can read data they are not authorised to see or modify the pages. To that end the pages are protected at the file-system level first, and then Apache is given a secure configuration.

All pages are managed by a site administrator and are protected locally against everyone but that account. The web server itself should run as a different user, not as the page administrator, so that even an intruder who compromises the web server process lacks the permissions to alter the pages. For this we create the page owner and a cron job that returns every page to that owner with the correct permissions each day. Two caveats: the job repairs changes after the fact rather than preventing them, so any change it has to make should be treated as a sign of tampering (keep and compare its output from day to day); and chown's -H option only stops it from following symlinks met during the recursion, while symlinks directly in htdocs are expanded by the htdocs/* glob into command-line arguments and are still followed, so -P (never follow links) is the safer choice if an intruder can write anywhere in the tree.


erde# useradd -m wwwdocs
erde# cat > /etc/cron.daily/wwwdocs
#!/bin/sh
/bin/chown -R -H wwwdocs /usr/local/httpd/htdocs/*
/bin/chmod -R go-w /usr/local/httpd/htdocs/*
/bin/chmod -R a+r /usr/local/httpd/htdocs/*
^D
erde# chmod 700 /etc/cron.daily/wwwdocs

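
A stricter version of that cron job, added here as an example (it is not the article's script) and written so it can be tried on a scratch directory first: it takes the document root and the owner as arguments, never follows symlinks, treats directories and files differently, and reports every deviation before repairing it. The paths and the wwwdocs owner in the usage comment are the article's; the scratch tree built at the end is constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not the article's cron job: a stricter /etc/cron.daily/wwwdocs.
# It takes the document root and the page owner as arguments so it can be tried
# on a scratch directory before touching /usr/local/httpd/htdocs.
#
# What it fixes compared to "chown -R -H ... htdocs/*; chmod -R go-w; chmod -R a+r":
#  - find never follows symlinks unless told to with -L, so a link an intruder
#    plants inside htdocs cannot redirect chown or chmod onto a system file;
#  - the top-level directory and dotfiles are included (the glob htdocs/* skips them);
#  - directories get a+rx (a+r alone leaves a directory without x untraversable),
#    files get a+r,go-w, and setuid/setgid bits are cleared;
#  - deviations are printed before they are repaired, so cron's daily mail is an
#    integrity report: a page that changed owner or mode is evidence of tampering.

# Print one "ls -ld" line per object that violates the policy (owner OWNER,
# world-readable, not group/world-writable, no setuid/setgid); symlinks are
# listed separately and never modified.  Usage: htdocs_report DIR OWNER
htdocs_report() {
    dir=$1; owner=$2
    find "$dir" ! -type l \( ! -user "$owner" -o ! -perm -004 -o -perm -020 \
        -o -perm -002 -o -perm -4000 -o -perm -2000 \) -exec ls -ld {} \;
    find "$dir" -type l -exec echo "symlink (left untouched): {}" \;
}

# Enforce the policy and print how many violations were found beforehand.
# Usage: htdocs_fix DIR OWNER
htdocs_fix() {
    dir=$1; owner=$2
    n=$(htdocs_report "$dir" "$owner" | grep -cv '^symlink ' || true)
    find "$dir" ! -type l ! -user "$owner" -exec chown "$owner" {} +
    find "$dir" -type d -exec chmod u+rwx,go+rx,go-w,u-s,g-s {} +
    find "$dir" -type f -exec chmod u+rw,go+r,go-w,u-s,g-s {} +
    echo "$n"
}

# The real cron job is just:
#   htdocs_report /usr/local/httpd/htdocs wwwdocs
#   htdocs_fix    /usr/local/httpd/htdocs wwwdocs
# Demo on a constructed scratch tree: a world-writable page and a symlink
# planted in the tree that points at a mode-600 file outside it.
d=$(mktemp -d); s=$(mktemp); chmod 600 "$s"        # $s stands in for a system file
echo '<html>' > "$d/index.html"; chmod 666 "$d/index.html"
ln -s "$s" "$d/planted"
echo "violations repaired: $(htdocs_fix "$d" "$(id -un)")"
ls -l "$s" "$d"                                    # $s is still mode 600
rm -rf "$d" "$s"
```

The count that htdocs_fix prints is the number the daily mail should show as zero on a quiet day; anything else means something other than the page owner touched the tree between two runs.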
Since Apache may already come preconfigured, you may not have to change much at all. In any case, MinSpareServers, MaxSpareServers and StartServers in /etc/httpd/httpd.conf should be set to sensible values from the start.

MaxClients limits the number of simultaneous connections and so blunts connection-flooding denial of service: beyond the limit the server refuses connections instead of forking until it runs out of memory. Set too low, it turns away ordinary visitors; set too high, it makes the administrator's job of following the logs and reacting to an intrusion harder. Beyond experimenting with your own server (each httpd process costs a measurable amount of memory, so the ceiling follows from the RAM you can give Apache divided by the size of one process under load), there is no better advice for picking the number.

You should turn ServerSignature off so that the error page for a nonexistent URL does not reveal the software and version in use. This does not buy much on its own, because the HTTP response headers carry the same information, or more; the directive that trims the Server header is ServerTokens, which reduces it to the bare product name with ServerTokens Prod.

The aliases for /hilfe/, /doc/, /cgi-bin-sdb/, /sdb/ and /manual/ should be removed. Roughly, the changes to the standard configuration look like this (diff -u0 output; note that some lines holding Apache's container directives, the angle-bracket blocks around the Options and AllowOverride lines, were lost when this page was extracted and appear below as bare - and + lines):

---httpd.conf.orig Sun Apr 9 19:37:44 2000
+++ httpd.conf Sun APR 9 19:42:57 2000
@@ -141,2 +141,2 @@
-minspareservers 1
-maxspareservers 1
+minspareservers 3
+maxspareservers 10
@@-148 +148 @@
-startservers 1
+startservers 5
@@-157 +157 @@
-maxclients 150
+maxclients 100
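Review bot: MaxClients 100 is just a lower round number; nothing in the hunk ties it to the machine. On Apache 1.3 every client is a separate httpd process, so the defensible ceiling is the memory available to Apache divided by the resident size of one httpd under load (measured with ps or top); much above that, a flood pushes the box into swap, much below it, the limit itself turns away legitimate visitors. Record the measurement next to the setting.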
@@-401 +401 @@
-serveradmin root@localhost
+serveradmin webdocs@echte-domain.de
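Review bot: ServerAdmin webdocs@echte-domain.de names a mailbox that differs from the wwwdocs account created for the page owner; that is fine only if webdocs@ is a real, read mailbox. Apache's default error messages embed this address (the 500 page asks the visitor to contact it), so it is what outsiders will use to report problems and abuse, and an alias that goes nowhere silently loses those reports.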
@@-415 +415 @@
-#ServerName Hawking.suse.de
+servername www.echte-domain.de
@@-485 +485 @@
-userdir public_html
+ #UserDir public_html
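Review bot: + #UserDir public_html does not switch per-user directories off on Apache 1.3: mod_userdir's compiled-in default is public_html, so with the directive commented out http://www.echte-domain.de/~user/ still works. Use UserDir disabled instead (and UserDir enabled name for any exception). Left enabled, the module also responds differently for existing and nonexistent accounts, which lets a scanner enumerate valid user names on the box.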
@@-646 +646 @@
-serversignature on
+serversignature off
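Review bot: ServerSignature off only removes the version line from server-generated error pages; the Server: response header still announces Apache and its version, which is what scanners read. Pair this hunk with ServerTokens Prod (ServerTokens Min if the installed 1.3 build does not know Prod) so the header shrinks to the product name.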
@@ -665,11 +664,0 @@
-alias/hilfe//usr/doc/susehilf/
-alias/doc//usr/doc/
-alias/cgi-bin-sdb//usr/local/httpd/cgi-bin/
-alias/sdb//usr/doc/sdb/
-alias/manual//usr/doc/packages/apache/manual/
-
-
-Options FollowSymLinks
-AllowOverride None
-
-
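Review bot: the empty - lines after -alias/manual/ held the container directives (the angle-bracket block that carried Options FollowSymLinks and AllowOverride None); they were stripped when the page was extracted, so this hunk has to be applied by hand as "remove the whole block", not line by line. More importantly, -alias/cgi-bin-sdb//usr/local/httpd/cgi-bin/ removes a second URL path to the cgi-bin directory, not the SuSE help CGIs in it; if the regular ScriptAlias /cgi-bin/ (not shown in this diff) points at /usr/local/httpd/cgi-bin/, those scripts stay reachable under /cgi-bin/. Delete or move every script the site does not need.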
@@ -697,9 +685,0 @@
-# Cgi-bin for SuSE Help system
-# using SetHandler
-
-
-allowoverride None
-options +execcgi-includes
-sethandler Cgi-script
-
-
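Review bot: same extraction damage as the previous hunk: the opening and closing container lines around allowoverride None / options +execcgi-includes / sethandler Cgi-script are missing. When reproducing this by hand, remove the container as a unit; a closing tag left behind is a syntax error that keeps Apache from starting, and an Options +ExecCGI left behind keeps CGI execution enabled for that directory.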
@@ -981,4 +961,4 @@
-#
-# Deny from all
-# ErrorDocument 403
http://phf.apache.org/phf_abuse_log.cgi
-#
+
+ Deny from all
+ ErrorDocument 403
http://phf.apache.org/phf_abuse_log.cgi
+
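Review bot: ErrorDocument 403 and http://phf.apache.org/phf_abuse_log.cgi are one directive; the URL has wrapped onto its own line here, and the container lines around Deny from all are missing (the -# and + lines with no text), so take this block from the stock httpd.conf rather than from this rendering. Also note what uncommenting it does: an ErrorDocument given as a full URL makes Apache answer with a redirect instead of a 403, so a phf probe is bounced to Apache's abuse logger rather than refused outright. That is the intent, but it only works while phf.apache.org exists; otherwise use a local ErrorDocument page, since your own access_log records the probe either way.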
Activating SSL and generating certificates is described in /usr/doc/packages/apache/readme.suse.
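
As an added check that is not part of the original article, the following script audits an httpd.conf for the settings the diff above changes and for the two it leaves open: UserDir has to be disabled explicitly, because on Apache 1.3 a commented-out UserDir leaves the compiled-in public_html default active, and ServerTokens is what trims the Server header that ServerSignature Off does not touch. The two sample configurations it writes are constructed for the demonstration and are not real SuSE files; the directive names are Apache's own.

```shell
#!/bin/sh
# Added example, not from the article: audit httpd.conf for the settings the
# diff changes, instead of trusting the edit by eye.  Comment lines are
# skipped, directive names are matched case-insensitively and the last active
# occurrence wins.  The sample files written by httpd_sample_* are constructed
# for this demonstration and are not real SuSE configurations.

# Print the argument(s) of the last uncommented occurrence of DIRECTIVE in FILE.
# Usage: httpd_directive FILE DIRECTIVE
httpd_directive() {
    awk -v d="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[[:space:]]*#/ { next }
        tolower($1) == d { $1 = ""; sub(/^[[:space:]]+/, ""); v = $0 }
        END { if (v != "") print v }' "$1"
}

# Print one finding per line for every setting that contradicts the hardening
# steps; return 1 if there were any.  Usage: httpd_audit FILE
httpd_audit() {
    f=$1; rc=0
    [ "$(httpd_directive "$f" ServerSignature | tr 'A-Z' 'a-z')" = "off" ] \
        || { echo "ServerSignature is not Off"; rc=1; }
    # Apache 1.3 compiles in public_html as the default, so a commented-out
    # UserDir line still serves ~user URLs; only "UserDir disabled" turns them off.
    [ "$(httpd_directive "$f" UserDir | tr 'A-Z' 'a-z')" = "disabled" ] \
        || { echo "UserDir is not 'disabled' (commenting it out is not enough)"; rc=1; }
    # ServerSignature Off hides the version on error pages only; ServerTokens
    # trims the Server: header as well.
    [ "$(httpd_directive "$f" ServerTokens | tr 'A-Z' 'a-z')" = "prod" ] \
        || { echo "ServerTokens is not Prod: the Server header still reveals the version"; rc=1; }
    mc=$(httpd_directive "$f" MaxClients)
    case $mc in
        ''|*[!0-9]*) echo "MaxClients is unset or not numeric: '$mc'"; rc=1 ;;
        *) [ "$mc" -le 150 ] || { echo "MaxClients $mc is above the stock 150"; rc=1; } ;;
    esac
    # The distribution aliases the article removes; any that survive are findings.
    left=$(awk '/^[[:space:]]*#/ { next }
        tolower($1) ~ /^(alias|scriptalias)$/ && $2 ~ /^\/(hilfe|doc|cgi-bin-sdb|sdb|manual)\/?$/ {
            print "distribution alias still active: " $0 }' "$f")
    [ -z "$left" ] || { echo "$left"; rc=1; }
    return $rc
}

# Constructed stand-in for the stock file before the article's diff.
httpd_sample_stock() {  # usage: httpd_sample_stock FILE
    cat > "$1" <<'EOF'
MinSpareServers 1
MaxSpareServers 1
StartServers 1
MaxClients 150
ServerAdmin root@localhost
UserDir public_html
ServerSignature On
Alias /hilfe/ /usr/doc/susehilf/
Alias /doc/ /usr/doc/
Alias /cgi-bin-sdb/ /usr/local/httpd/cgi-bin/
Alias /sdb/ /usr/doc/sdb/
Alias /manual/ /usr/doc/packages/apache/manual/
EOF
}

# Constructed stand-in for the file after the diff, plus the two settings the
# diff leaves open (UserDir disabled, ServerTokens Prod).
httpd_sample_hardened() {  # usage: httpd_sample_hardened FILE
    cat > "$1" <<'EOF'
MinSpareServers 3
MaxSpareServers 10
StartServers 5
MaxClients 100
ServerAdmin webdocs@echte-domain.de
ServerName www.echte-domain.de
# UserDir public_html
UserDir disabled
ServerSignature Off
ServerTokens Prod
EOF
}

# Demo: the stock sample produces findings, the hardened one is clean.
tmp=$(mktemp)
httpd_sample_stock "$tmp";    httpd_audit "$tmp" || echo "(stock: findings above)"
httpd_sample_hardened "$tmp"; httpd_audit "$tmp" && echo "hardened: no findings"
rm -f "$tmp"
```

Point httpd_audit at the real /etc/httpd/httpd.conf after editing and again after every package update; the distribution's package may reinstate the aliases and the UserDir line, and the audit catches that where a diff against your own saved copy would not if the file was regenerated.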


