If you are a system administrator, follow the 10 suggestions below to ensure the security of the Apache web server.
1. Disable unnecessary modules
If you plan to compile and install Apache from source, you should disable the following modules. Running ./configure --help lists all available modules that you can disable or enable.
- Userdir - maps requests for specific users; for example, a URL containing a user name is translated into a directory on the server.
- Autoindex - displays a directory listing when there is no index page (such as index.html).
- Status - displays server statistics.
- Env - clears or modifies environment variables.
- Setenvif - sets environment variables based on client request header fields.
- Cgi - runs CGI scripts.
- Actions - triggers a specific CGI script based on a media type or request method.
- Negotiation - supports content negotiation.
- Alias - provides mapping and URL redirection from different parts of the file system to the document tree.
- Include - implements Server Side Includes (SSI) processing.
- Filter - dynamically configures output filters based on the request context.
- Version - supports version-based configuration sections.
- Asis - sends a file that contains its own HTTP headers.
When you run ./configure, disable all the above modules as follows:
    ./configure --enable-ssl --enable-so \
      --disable-userdir --disable-autoindex --disable-status --disable-env \
      --disable-setenvif --disable-cgi --disable-actions --disable-negotiation \
      --disable-alias --disable-include --disable-filter --disable-version \
      --disable-asis
If you enable SSL and disable mod_setenvif, you will get the following error:
    Syntax error on line 223 of /usr/local/apache2/conf/extra/httpd-ssl.conf: Invalid command 'BrowserMatch', perhaps misspelled or defined by a module not included in the server configuration
Solution: if you use SSL, do not disable the setenvif module. Alternatively, disable the setenvif module and comment out the BrowserMatch lines in httpd-ssl.conf.
After the installation is complete, run httpd -l to list all compiled-in modules:
    # /usr/local/apache2/bin/httpd -l
    Compiled in modules:
      core.c
In this example, the following Apache modules are installed:
- core.c - Apache core module
- mod_auth* - various authentication modules
- mod_log_config.c - logging and custom log file formats
- mod_ssl.c - SSL
- prefork.c - a non-threaded, pre-forking MPM
- http_core.c - Apache core module
- mod_mime.c - associates the requested file's extension with its behaviour (handlers/filters) and content (MIME type, language, character set, encoding)
- mod_dir.c - specifies the directory index file and provides "trailing slash" redirection for directories
- mod_so.c - allows loading DSO modules at runtime
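As an added example (not part of the original article), the following Python script checks a build and configuration against the module list above: it derives the --disable-* flags from that list, reads `httpd -l` output for statically compiled modules, and reads the active LoadModule lines described in section 8 for DSO modules, reporting any listed module that is still present. The `httpd -l` output and the httpd.conf fragment are constructed samples, not the page's own listing.

```python
import re

# Modules the article recommends building without (section 1). Apache's
# ./configure accepts each of these as --disable-<name>.
UNNEEDED_MODULES = {
    "userdir", "autoindex", "status", "env", "setenvif", "cgi", "actions",
    "negotiation", "alias", "include", "filter", "version", "asis",
}

# Constructed sample of `httpd -l` output; this is not the page's own listing.
SAMPLE_HTTPD_L = """\
Compiled in modules:
  core.c
  mod_authn_file.c
  mod_log_config.c
  mod_env.c
  mod_ssl.c
  prefork.c
  http_core.c
  mod_mime.c
  mod_dir.c
  mod_so.c
"""

# Constructed httpd.conf fragment (section 8): one LoadModule line is
# commented out and must not count as loaded.
SAMPLE_HTTPD_CONF = """\
LoadModule php5_module        modules/libphp5.so
#LoadModule status_module      modules/mod_status.so
LoadModule autoindex_module   modules/mod_autoindex.so
LoadModule alias_module       modules/mod_alias.so
"""


def configure_flags(modules=UNNEEDED_MODULES):
    """Build the --disable-* arguments for ./configure from a set of module names."""
    return ["--disable-" + name for name in sorted(modules)]


def compiled_in_modules(httpd_l_output):
    """Short names of statically compiled modules, taken from `httpd -l` output.
    Only mod_*.c entries are module names; core.c, prefork.c etc. are skipped."""
    names = set()
    for line in httpd_l_output.splitlines():
        match = re.match(r"\s*mod_(\w+)\.c\s*$", line)
        if match:
            names.add(match.group(1))
    return names


def loaded_dso_modules(conf_text):
    """Short names of modules pulled in by active (uncommented) LoadModule lines."""
    names = set()
    for line in conf_text.splitlines():
        match = re.match(r"\s*LoadModule\s+(\w+)_module\b", line, re.IGNORECASE)
        if match:
            names.add(match.group(1).lower())
    return names


def unwanted_modules(httpd_l_output, conf_text, unneeded=UNNEEDED_MODULES):
    """Modules from the unneeded set that are still present, either compiled in
    or loaded as a DSO. An empty list means build and config follow the advice."""
    present = compiled_in_modules(httpd_l_output) | loaded_dso_modules(conf_text)
    return sorted(present & set(unneeded))


if __name__ == "__main__":
    print(" ".join(["./configure", "--enable-ssl", "--enable-so"] + configure_flags()))
    for name in unwanted_modules(SAMPLE_HTTPD_L, SAMPLE_HTTPD_CONF):
        print("still present:", name)
```

Run against real output by piping `httpd -l` and the live httpd.conf into the two functions; the module short names used by ./configure usually match the mod_<name>.c file names, which is what the comparison relies on.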
2. Run Apache under a dedicated user and group
By default Apache may run as nobody or daemon. It is better to run Apache under its own unprivileged account, for example apache.
Create the apache group and user:
    groupadd apache
    useradd -d /usr/local/apache2/htdocs -g apache -s /bin/false apache
Edit httpd.conf and set User and Group accordingly:
    # vi httpd.conf
    User apache
    Group apache
Restart Apache and run ps -ef. You will see that Apache runs as the "apache" user (except for the first process, which runs as root):
    # ps -ef | grep -i http | awk '{print $1}'
    root
    apache
    apache
    apache
    apache
    apache
3. Restrict access to the root directory (use Allow and Deny)
In httpd.conf, use the following settings to lock down the root directory:
    <Directory />
        Options None
        Order deny,allow
        Deny from all
    </Directory>
In the above:
- Options None - with None, no optional features are enabled for this directory.
- Order deny,allow - specifies the order in which Deny and Allow are evaluated.
- Deny from all - blocks all requests. Since no Allow directive follows the Deny, nobody is allowed access.
4. Set appropriate permissions for the conf and bin directories
Only authorized users should be able to view the bin and conf directories. A good approach is to create a group and add all users who are allowed to view or modify the Apache configuration files to this group.
In this example the group is named apacheadmin.
Create the group:
    groupadd apacheadmin
Give this group access to the bin directory:
    chown -R root:apacheadmin /usr/local/apache2/bin
    chmod -R 770 /usr/local/apache2/bin
Give this group access to the conf directory:
    chown -R root:apacheadmin /usr/local/apache2/conf
    chmod -R 770 /usr/local/apache2/conf
Add the appropriate users to this group:
    # vi /etc/group
    apacheadmin:x:1121:user1,user2
5. Disable directory browsing
If you do not disable directory browsing, users can see all the files and directories in your document root (or any subdirectory).
For example, when someone browses http://{your-ip}/images/ and there is no default page under images, they will see a listing of all the image files in the browser (like the output of ls -l). They can click to view a private image file, or click a subdirectory to view its contents.
To disable directory browsing, set the Options directive to "None" or "-Indexes". Adding "-" before an option name removes that feature for this directory.
The Indexes option shows a list of the available files and subdirectories in the browser (if there is no default page in the directory), so Indexes should be disabled.
    <Directory />
        Options None
        Order allow,deny
        Allow from all
    </Directory>
(or)
    <Directory />
        Options -Indexes
        Order allow,deny
        Allow from all
    </Directory>
6. Disable .htaccess
A .htaccess file placed in a subdirectory under htdocs can override the default Apache directives for that directory. In some cases this feature should be disabled.
You can disable .htaccess files in the configuration as follows, to prevent the default Apache configuration from being overridden:
    <Directory />
        Options None
        AllowOverride None
        Order allow,deny
        Allow from all
    </Directory>
7. Disable other options
The possible values of the Options directive are as follows:
- Options All - all options except MultiViews are enabled. This is the default if you do not specify an Options directive.
- Options ExecCGI - allows execution of CGI scripts (using mod_cgi).
- Options FollowSymLinks - symbolic links in the directory will be followed.
- Options Includes - allows server-side includes (using mod_include).
- Options IncludesNOEXEC - allows server-side includes, but without executing commands or CGI scripts.
- Options Indexes - allows directory listings.
- Options MultiViews - allows content-negotiated multiviews (using mod_negotiation).
- Options SymLinksIfOwnerMatch - like FollowSymLinks, but a symbolic link is only followed when the link and the target it points to have the same owner.
Do not specify "Options All". Instead, specify one or more of the options above. You can combine several options as follows:
    Options Includes FollowSymLinks
The "+" and "-" prefixes are useful when you nest several Directory sections, because a nested section can then adjust the options inherited from the enclosing one instead of replacing them.
In the following example, the /site directory allows Includes and Indexes:
    <Directory /site>
        Options Includes Indexes
        AllowOverride None
        Order allow,deny
        Allow from all
    </Directory>
For the /site/en directory, to inherit Indexes from /site (but not Includes) and additionally allow FollowSymLinks in this directory, configure it as follows:
    <Directory /site/en>
        Options -Includes +FollowSymLinks
        AllowOverride None
        Order allow,deny
        Allow from all
    </Directory>
- The /site directory allows Includes and Indexes.
- The /site/en directory allows Indexes and FollowSymLinks.
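To show how the absolute and relative (+/-) forms of Options combine across nested Directory sections, here is an added Python example (not from the original article) that parses the Directory blocks of a configuration, computes the effective Options for any path using Apache's merge rules, and lists the directories where Indexes (the directory listing from section 5) ends up enabled. The sample configuration is constructed from the /site and /site/en blocks above plus the root block from section 3; the parser handles only the Options lines and ignores other directives.

```python
import posixpath
import re

# Every Options value that "All" stands for: all options except MultiViews.
ALL_OPTIONS = frozenset({"ExecCGI", "FollowSymLinks", "Includes", "IncludesNOEXEC",
                         "Indexes", "SymLinksIfOwnerMatch"})
# Apache matches option names case-insensitively; map them to canonical spelling.
CANONICAL = {name.lower(): name for name in ALL_OPTIONS | {"MultiViews"}}


def parse_directory_blocks(conf_text):
    """Map each <Directory> path to the list of its Options lines (each a list of
    arguments, in file order). Other directives are ignored here."""
    blocks = {}
    current = None
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        opened = re.match(r'<Directory\s+"?([^\s">]+)"?\s*>', line, re.IGNORECASE)
        if opened:
            current = posixpath.normpath(opened.group(1))
            blocks.setdefault(current, [])
            continue
        if re.match(r"</Directory\s*>", line, re.IGNORECASE):
            current = None
            continue
        options = re.match(r"Options\s+(.+)", line, re.IGNORECASE)
        if options and current is not None:
            blocks[current].append(options.group(1).split())
    return blocks


def apply_options(inherited, args):
    """Apply one Options line using Apache's merge rules: a line made only of
    +/- values adjusts the inherited set, a line without them replaces it, and
    mixing the two forms is a configuration error."""
    relative = [a for a in args if a[0] in "+-"]
    if relative and len(relative) != len(args):
        raise ValueError("Options mixes absolute and relative values: %r" % (args,))
    result = set(inherited) if relative else set()
    for arg in args:
        sign, name = (arg[0], arg[1:]) if relative else ("+", arg)
        if name.lower() == "none":
            continue                      # None contributes nothing
        names = ALL_OPTIONS if name.lower() == "all" else {CANONICAL.get(name.lower(), name)}
        result = result | names if sign == "+" else result - names
    return frozenset(result)


def effective_options(blocks, path, default=ALL_OPTIONS):
    """Options in force for `path`: start from Apache's default (All) and merge
    every enclosing <Directory> block from the shortest path to the longest."""
    path = posixpath.normpath(path)
    result = default
    for ancestor in sorted(blocks, key=len):
        prefix = ancestor if ancestor.endswith("/") else ancestor + "/"
        if path == ancestor or path.startswith(prefix):
            for args in blocks[ancestor]:
                result = apply_options(result, args)
    return result


def directories_with_indexes(blocks):
    """Configured directories where Indexes (directory listing, section 5) ends up on."""
    return sorted(p for p in blocks if "Indexes" in effective_options(blocks, p))


# Constructed httpd.conf fragment built from the page's section 7 example plus
# the locked-down root from section 3 (not the page's literal text).
SAMPLE_CONF = """\
<Directory />
    Options None
    AllowOverride None
    Order deny,allow
    Deny from all
</Directory>

<Directory /site>
    Options Includes Indexes
    AllowOverride None
    Order allow,deny
    Allow from all
</Directory>

<Directory /site/en>
    Options -Includes +FollowSymLinks
    AllowOverride None
    Order allow,deny
    Allow from all
</Directory>
"""

if __name__ == "__main__":
    blocks = parse_directory_blocks(SAMPLE_CONF)
    for path in sorted(blocks, key=len):
        print(path, sorted(effective_options(blocks, path)))
    print("Indexes enabled in:", directories_with_indexes(blocks))
```

Two points the output makes visible: a path with no matching Directory block inherits Apache's default of All, which is why the root block with Options None matters, and a relative Options line in /site/en is evaluated against whatever /site left in force, so changing /site later silently changes /site/en as well.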
8. Remove unnecessary DSO modules
If you load dynamic shared object (DSO) modules into Apache, they appear in httpd.conf as "LoadModule" directives.
Note that statically compiled Apache modules do not appear in "LoadModule" directives.
Comment out any unwanted "LoadModule" directives in httpd.conf. To list them:
    grep LoadModule /usr/local/apache2/conf/httpd.conf
9. Restrict access to a specific network (or IP address)
To allow only a specific IP address or network to access your website, proceed as follows.
To allow access from a specific network only, give the network address in the Allow directive:
    <Directory /site>
        Options None
        AllowOverride None
        Order deny,allow
        Deny from all
        Allow from 10.10.0.0/24
    </Directory>
To allow access from a specific IP address only, give the IP address in the Allow directive:
    <Directory /site>
        Options None
        AllowOverride None
        Order deny,allow
        Deny from all
        Allow from 10.10.1.21
    </Directory>
10. Disable displaying or sending Apache version numbers (set ServerTokens)
By default, the server's HTTP response header contains the Apache and PHP versions, as shown below. This is harmful because knowing the exact version lets an attacker look up known vulnerabilities for that version.
    Server: Apache/2.2.17 (Unix) PHP/5.3.5
To prevent this, set ServerTokens to Prod in httpd.conf. The response header will then show only "Server: Apache", without any version information.
    # vi httpd.conf
    ServerTokens Prod
The possible values of ServerTokens are:
- ServerTokens Prod displays "Server: Apache"
- ServerTokens Major displays "Server: Apache/2"
- ServerTokens Minor displays "Server: Apache/2.2"
- ServerTokens Min displays "Server: Apache/2.2.17"
- ServerTokens OS displays "Server: Apache/2.2.17 (Unix)"
- ServerTokens Full displays "Server: Apache/2.2.17 (Unix) PHP/5.3.5" (this is the default if you do not specify a value)
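The Order, Deny and Allow directives used in sections 3 and 9, and the ServerTokens default discussed in this section, can be checked offline. The following Python example, added here and not part of the original article, implements the Apache 2.2 mod_authz_host evaluation rules for Order deny,allow and Order allow,deny (for `all`, single addresses and CIDR networks; partial addresses and host names are left out) and reports the ServerTokens level a configuration leaves in effect. The directive lists are constructed from the page's section 3 and 9 blocks.

```python
import ipaddress


def _matches(client, spec):
    """Does the client address match one `Allow/Deny from` argument? This covers
    `all`, a single address and CIDR notation, a subset of what Apache accepts
    (partial addresses and host names are not handled here)."""
    if spec.lower() == "all":
        return True
    if "/" in spec:
        return client in ipaddress.ip_network(spec, strict=False)
    return client == ipaddress.ip_address(spec)


def access_decision(directives, client_ip):
    """Evaluate Order/Allow/Deny for one <Directory> block the way Apache 2.2's
    mod_authz_host does, returning True when the client is admitted.

    `directives` is the block's lines, e.g.
    ["Order deny,allow", "Deny from all", "Allow from 10.10.0.0/24"].
    """
    client = ipaddress.ip_address(client_ip)
    order = "deny,allow"              # Apache's default when Order is not given
    allow_specs, deny_specs = [], []
    for line in directives:
        parts = line.split()
        if not parts:
            continue
        key = parts[0].lower()
        if key == "order":
            order = "".join(parts[1:]).lower()   # tolerate "deny, allow"
        elif key in ("allow", "deny") and len(parts) > 2 and parts[1].lower() == "from":
            (allow_specs if key == "allow" else deny_specs).extend(parts[2:])
    allowed = any(_matches(client, s) for s in allow_specs)
    denied = any(_matches(client, s) for s in deny_specs)
    if order == "deny,allow":
        # Deny rules first, then Allow; an Allow match overrides a Deny match,
        # and a client matching neither is admitted.
        return allowed or not denied
    if order == "allow,deny":
        # Allow rules first, then Deny; a Deny match overrides an Allow match,
        # and a client matching neither is refused.
        return allowed and not denied
    raise ValueError("unsupported Order value: %r" % order)


def server_tokens_level(conf_text):
    """ServerTokens level in effect for a config; Apache defaults to Full when
    the directive is absent (section 10). Commented lines do not count."""
    level = "Full"
    for line in conf_text.splitlines():
        parts = line.split()
        if len(parts) > 1 and parts[0].lower() == "servertokens":
            level = parts[1]
    return level


# Constructed directive lists taken from the page's section 3 and 9 blocks.
ROOT_LOCKDOWN = ["Options None", "Order deny,allow", "Deny from all"]
NETWORK_ONLY = ["Order deny,allow", "Deny from all", "Allow from 10.10.0.0/24"]
HOST_ONLY = ["Order deny,allow", "Deny from all", "Allow from 10.10.1.21"]
# Same rules as NETWORK_ONLY but with the Order reversed: a client in the
# network now matches both lists, and under allow,deny the Deny wins.
WRONG_ORDER = ["Order allow,deny", "Deny from all", "Allow from 10.10.0.0/24"]

if __name__ == "__main__":
    for name, rules in [("root", ROOT_LOCKDOWN), ("network", NETWORK_ONLY),
                        ("host", HOST_ONLY), ("wrong order", WRONG_ORDER)]:
        for ip in ("10.10.0.5", "10.10.1.21", "192.0.2.10"):
            verdict = "allowed" if access_decision(rules, ip) else "denied"
            print("%-12s %-12s %s" % (name, ip, verdict))
    print("ServerTokens:", server_tokens_level("ServerTokens Prod\n"))
```

The WRONG_ORDER case is the check worth running before deploying a section 9 style restriction: the same Deny from all and Allow from network lines under Order allow,deny refuse every client, because a client in the network matches both lists and a Deny match wins in that order. Apache 2.4 replaces these directives with Require (Order/Allow/Deny live on only in mod_access_compat), so the rules above describe the 2.2-era configuration this article uses.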
In addition to the preceding 10 Apache security suggestions, you must also secure your UNIX/Linux operating system itself. If the operating system is insecure, securing Apache makes no sense. Keep the Apache version up to date, since the latest Apache version fixes all known security issues. Also review the Apache log files regularly.