Apache Security Optimization: Set Up Anti-Hotlinking and Hide Version Information (Including Apache Source Package and Packet Capture Tool)

Source: Internet
Author: User

Anti-hotlinking: some unscrupulous sites, wanting to expand their content without paying for it, embed links to resources (typically images) hosted on other sites. This harms the legitimate interests of the original site, and because every visitor to the hotlinking site pulls the resource from the origin, it also increases the load on the origin server.


Hiding version information: the known vulnerabilities of a piece of software are generally tied to specific versions. If an attacker learns the exact Apache version, they can look up the vulnerabilities that match it and aim them at the server. Hiding the version number removes that shortcut and lowers the risk.


Experimental environment: one Linux host as the web server, IP 192.168.100.222

One Windows 7 host as the client that visits the site; the packet capture tool is installed on it. IP 192.168.100.3

One Windows 7 host as the hotlinking website, IP 192.168.100.4


Apache installation package: HTTPS://PAN.BAIDU.COM/S/1F4RBBO3-BZHDZMBHAWPUHW Password: 75hy


Packet capture tool link: Https://pan.baidu.com/s/1pxYbLdmfMdmeo7oGJfjbaA Password: dbf3


1. First uninstall the Apache (httpd) package that ships with the system, then compile and install Apache from source. The installation process was demonstrated in the previous article and is not repeated here.

When running configure during installation, the URL rewrite module must be enabled (the --enable-rewrite option); without it the anti-hotlinking rules cannot be applied.


2. Run the make command to compile the files.

Then copy the Apache control script into /etc/init.d so that it can be managed as a system service.

Open the copied script and insert, at its beginning, the comment lines that chkconfig needs (the "# chkconfig:" and "# description:" lines).


3. After the script header is added, check the file's permissions: it has no execute permission, so add one (chmod +x). Then register it with chkconfig (chkconfig --add) so that the system can manage the service.


4. With the service script in place, the main configuration file can be changed. For convenience, create a symbolic link to the main configuration file in the /etc directory.

Two things need to change in the main configuration file: the listening address (Listen) and the server name (ServerName). Here the server listens on its own address, and the domain name is defined as www.benet.com.

When the configuration is complete, run apachectl -t from the /usr/local/httpd/bin/ directory to check the file for syntax errors.

Once there are no errors, start the httpd service. For this lab the firewall is stopped and SELinux is set to permissive (setenforce 0), otherwise the client cannot reach the site; on a production server you would open port 80 in the firewall and keep SELinux enforcing instead.


5. Clients reach the Apache service by domain name, so a DNS server is needed to resolve it. Install the DNS service (BIND) from the rpm packages.

After installing DNS, three files need to be configured. First the main configuration file (named.conf): set the listening address (listen-on) to the server's own address, and allow queries (allow-query) from any client.

Next, configure the zone declaration file and add a zone for the benet.com domain.

Finally, modify the zone data file so that the www record of the benet.com domain points to 192.168.100.222.


6. Now add a picture to the site directory and visit the site from the Windows 7 client at 192.168.100.3. The figure shows the result: note that the picture is loaded from benet and carries the words "It works!".


7. Next, use the Windows 7 host at 192.168.100.4 to simulate hotlinking.

First enable the Windows web server (IIS) on it, then build a page reading "This is Test!!!" and embed the picture from the benet website in that page.

The figure shows the hotlinking website as it appears in the browser; the picture path still points at benet.


8. To prevent hotlinking, anti-hotlinking rules must be set up on the server.

First, in the module section of the main configuration file, enable loading of the URL rewrite module (mod_rewrite).

Then find the Directory block for the site directory and add the anti-hotlinking rules at its end; the exact contents are shown in the figure.

After the rules are in place, put the error image you named in the rules into the site directory. When someone embeds the protected picture from another website, the error image is shown instead, as in the figure.
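The following is an added example and not the configuration shown in the article's figure. It generates the mod_rewrite rules of step 8 for a given site name and emulates the same Referer conditions in shell, so the match logic can be checked without a running httpd. The error image name /error.png, the protected extensions (gif, jpg/jpeg, png) and the Referer values in the demo loop are assumptions, not taken from the article.

```shell
#!/bin/sh
# Added example (not code from the original article): the mod_rewrite
# anti-hotlinking rules of step 8, generated for a given site name, plus a
# shell emulation of the same conditions so the match logic can be checked
# without a running httpd. Assumptions not stated in the article: the error
# image is /error.png and the protected extensions are gif, jpg/jpeg and png.

# Escape the dots of a host name so they match literally inside a regex.
host_regex() {
    printf '%s' "$1" | sed 's/\./\\./g'
}

# Print the directives to put at the end of the <Directory> block for the
# site directory. They assume mod_rewrite is already loaded in httpd.conf.
hotlink_rules() {
    host_re=$(host_regex "$1")
    cat <<EOF
RewriteEngine On
# No Referer at all (direct visit, privacy-stripped browser): leave it alone,
# otherwise legitimate visitors would see the error image as well.
RewriteCond %{HTTP_REFERER} !^\$
# Referer is not our own site. The trailing slash matters: without it a
# look-alike host such as ${1}.evil.net would pass the check.
RewriteCond %{HTTP_REFERER} !^https?://${host_re}/ [NC]
# Never rewrite the error image itself, or the redirect loops forever.
RewriteCond %{REQUEST_URI} !^/error\.png\$
# Redirect hotlinked images to the error image; [L] stops further rules.
RewriteRule \.(gif|jpe?g|png)\$ /error.png [R,NC,L]
EOF
}

# Emulate the rule for one request: print "allow" when the image is served
# normally and "deny" when it would be redirected to the error image.
hotlink_check() {
    host_re=$(host_regex "$1")
    referer="$2"
    path="$3"
    # Condition 1: an empty Referer never triggers the rule.
    if [ -z "$referer" ]; then
        echo allow; return
    fi
    # Condition 2: our own site as Referer, case-insensitively ([NC]).
    if printf '%s\n' "$referer" | grep -Eiq "^https?://${host_re}/"; then
        echo allow; return
    fi
    # Condition 3: the error image is exempt.
    if [ "$path" = /error.png ]; then
        echo allow; return
    fi
    # RewriteRule pattern: only image requests are redirected.
    if printf '%s\n' "$path" | grep -Eiq '\.(gif|jpe?g|png)$'; then
        echo deny
    else
        echo allow
    fi
}

echo "# directives for www.benet.com:"
hotlink_rules www.benet.com
echo
# Constructed requests: own site, the hotlinking host from the article
# (192.168.100.4), a look-alike domain, a missing Referer ("-"), and the
# error image itself requested from the hotlinking page.
for req in \
    'http://www.benet.com/index.html /test.jpg' \
    'http://192.168.100.4/test.html /test.jpg' \
    'http://www.benet.com.evil.net/ /test.jpg' \
    '- /test.jpg' \
    'http://192.168.100.4/test.html /error.png'; do
    set -- $req
    ref="$1"
    if [ "$ref" = - ]; then ref=""; fi
    printf '%-40s %-12s %s\n' "${ref:-(no Referer)}" "$2" \
        "$(hotlink_check www.benet.com "$ref" "$2")"
done
```

The printed directives go at the end of the site's Directory block; mod_rewrite itself is enabled with the LoadModule rewrite_module line in the module section of httpd.conf, which only exists if the module was compiled in with --enable-rewrite. Two things the emulation makes visible: the look-alike host www.benet.com.evil.net is rejected only because the pattern ends with a slash, and /error.png must be exempted or the redirect target is itself redirected. Keep in mind that the Referer header is supplied by the client, so this stops casual embedding but not a deliberate downloader that sets a forged Referer.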


Hiding version information experiment


1. Install the packet capture tool on the client at 192.168.100.3 and capture a visit to the Apache website. The capture shows the server's response; the exact version is displayed in the lower right corner, which is not safe for the Apache service.


2. To hide the version information, we change the following configuration file.

First open the httpd-default.conf file in the extra directory next to the main configuration file; it contains the setting that controls whether version information is returned.

In this file, find the ServerTokens keyword. It controls how much of the server description is sent with each response. Change its value from Full to Prod, so that only the server name is sent and the version number is omitted.

3. As the figure shows, the capture now displays only the server name, without the version number.
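The following is an added example, not part of the original article. It applies the ServerTokens change of step 2 to a copy of httpd-default.conf and classifies what the Server header of a captured response reveals, which is the check the packet captures in steps 1 and 3 perform by eye. The configuration excerpt and the two HTTP responses are constructed for the demonstration (the version string is illustrative, not the article's build), and ServerSignature Off is an addition the article does not mention.

```shell
#!/bin/sh
# Added example (not code from the original article): apply the ServerTokens
# change to a copy of httpd-default.conf and classify what the Server header
# in a captured response reveals. The config excerpt and both responses are
# constructed for the demonstration; ServerSignature Off is an addition.

# Set ServerTokens Prod and ServerSignature Off in the given config file.
# ServerSignature controls the version footer on error pages and listings,
# a second place where the version would otherwise leak.
hide_version() {
    conf="$1"
    sed -e 's/^[[:space:]]*ServerTokens[[:space:]].*/ServerTokens Prod/' \
        -e 's/^[[:space:]]*ServerSignature[[:space:]].*/ServerSignature Off/' \
        "$conf" > "$conf.tmp" && mv "$conf.tmp" "$conf"
}

# Classify the Server header of a raw HTTP response:
#   full     a version number is present (what ServerTokens Full leaks)
#   minimal  only the product name (what ServerTokens Prod sends)
#   none     no Server header at all
server_header_level() {
    value=$(printf '%s\n' "$1" | tr -d '\r' | grep -i '^Server:' | head -n 1 |
            sed 's/^[^:]*:[[:space:]]*//')
    if [ -z "$value" ]; then
        echo none
    elif printf '%s\n' "$value" | grep -Eq '[0-9]+\.[0-9]+'; then
        echo full
    else
        echo minimal
    fi
}

# Constructed captures: what the capture tool shows before and after the
# change (illustrative version string, not the article's actual build).
RESP_BEFORE='HTTP/1.1 200 OK
Date: Mon, 01 Jan 2018 08:00:00 GMT
Server: Apache/2.4.25 (Unix)
Content-Type: text/html'

RESP_AFTER='HTTP/1.1 200 OK
Date: Mon, 01 Jan 2018 08:05:00 GMT
Server: Apache
Content-Type: text/html'

# Constructed excerpt of extra/httpd-default.conf with permissive settings.
DEMO_CONF=$(mktemp)
cat > "$DEMO_CONF" <<'EOF'
Timeout 60
KeepAlive On
ServerTokens Full
ServerSignature On
EOF

hide_version "$DEMO_CONF"
echo "# changed directives:"
grep -E '^Server(Tokens|Signature)' "$DEMO_CONF"
echo "before: $(server_header_level "$RESP_BEFORE")"
echo "after:  $(server_header_level "$RESP_AFTER")"
```

Two caveats for a source-built Apache. The directive only takes effect if httpd.conf actually includes the file: the generated httpd.conf ships with the line "#Include conf/extra/httpd-default.conf" commented out, so uncomment it (or put ServerTokens Prod directly in httpd.conf) and confirm with a fresh capture, as step 3 does. And hiding the banner removes the easy lookup, not the vulnerability: an unpatched version can still be fingerprinted from behaviour, so the change complements patching rather than replacing it.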





