Disclaimer: there is no such thing as absolute security. What follows only offers some methods and ideas; each situation must be analysed on its own terms.
1. Install the latest patches
Locking the window makes no sense if the door is left open. Likewise, if the latest patches are not installed, there is no point in continuing with the steps below.
2. Hide the Apache version number and other sensitive information
By default, many Apache installations reveal the version number, the operating system version and even the Apache modules installed on the server. This information is useful to attackers, who can also infer from it that many settings on the server are still at their defaults.
Add the following two directives to httpd.conf:
ServerSignature Off
ServerTokens Prod
ServerSignature controls the footer line that Apache appends to the pages it generates itself, such as 404 pages and directory listings. It takes three values, On, Off and EMail; Off is recommended.
ServerTokens controls the version information Apache returns in the HTTP Server header. For security, expose as little as possible; the recommended setting is Prod, as above. The available values and their meaning, in order of increasing disclosure, are:
Prod: software name only, for example: Apache
Major: adds the major version number, for example: Apache/2
Minor: adds the minor version number, for example: Apache/2.0
Min: the full Apache version number only, for example: Apache/2.0.54
OS: adds the operating system type, for example: Apache/2.0.54 (Unix)
Full: adds the loaded Apache modules and their versions, for example: Apache/2.0.54 (Unix) mod_ssl/2.0.54 OpenSSL/0.9.7g
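The following shell script is an added example and is not part of the original article. It audits the two directives above in an httpd.conf: the sample config it writes is constructed for the demonstration (not taken from a real server), and the function names make_sample_conf, conf_value and audit_banner are my own. It applies the same rules Apache does: directive names are case-insensitive, commented lines are ignored, the last occurrence wins, and an unset ServerTokens means the default of Full.

```shell
#!/bin/sh
# Added example, not part of the original article: audit ServerTokens and
# ServerSignature in an httpd.conf. The config written by make_sample_conf is
# constructed for this demonstration, not taken from a real server.

make_sample_conf() {
  # $1 = path to write, $2 = ServerTokens value, $3 = ServerSignature value
  cat > "$1" <<EOF
# constructed sample httpd.conf fragment
ServerRoot "/usr/local/apache2"
Listen 80
ServerTokens $2
ServerSignature $3
EOF
}

# Effective value of a directive: directive names are case-insensitive in
# Apache, commented lines are skipped, and the last occurrence wins.
conf_value() {
  # $1 = config file, $2 = directive name
  grep -iE "^[[:space:]]*$2[[:space:]]+" "$1" | tail -n 1 | awk '{print $2}'
}

# Exit status 0 when both directives are hardened, 1 otherwise; one line of
# explanation per directive is printed either way.
audit_banner() {
  conf="$1"
  tokens=$(conf_value "$conf" ServerTokens | tr 'A-Z' 'a-z')
  sig=$(conf_value "$conf" ServerSignature | tr 'A-Z' 'a-z')
  status=0
  case "$tokens" in
    prod|productonly) echo "ServerTokens: Prod (ok, Server header shows only 'Apache')" ;;
    "")               echo "ServerTokens: not set, default is Full (version, OS and modules exposed)"; status=1 ;;
    *)                echo "ServerTokens: $tokens (exposes version details)"; status=1 ;;
  esac
  case "$sig" in
    off) echo "ServerSignature: Off (ok)" ;;
    "")  echo "ServerSignature: not set, default is Off (ok, but set it explicitly)" ;;
    *)   echo "ServerSignature: $sig (version printed on error pages and listings)"; status=1 ;;
  esac
  return $status
}

# Stand-alone demo: audit a weak and a hardened fragment.
demo=$(mktemp -d)
make_sample_conf "$demo/weak.conf" Full On
make_sample_conf "$demo/hard.conf" Prod Off
echo "== weak.conf"; audit_banner "$demo/weak.conf" || true
echo "== hard.conf"; audit_banner "$demo/hard.conf"
rm -r "$demo"
```

Run it against the real file with audit_banner /path/to/httpd.conf after Apache has been restarted, then confirm from the outside with curl -sI http://localhost/ | grep -i '^Server:', which should print nothing more than "Server: Apache".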
3. Make sure Apache runs under its own user account and group (the account Apache starts with)
Create a new account for starting Apache in place of the default one and give it the appropriate permissions.
1. In Computer Management, under Local Users and Groups, create an account (for example apache), set a password and add it to the Guests group (if this causes problems, it can be given User permissions);
2. Open Start > Administrative Tools > Local Security Policy, and under User Rights Assignment add the apache user to "Log on as a service";
3. In Computer Management, select Services, find Apache2.2 and stop the service first. Right-click Properties, select the Log On tab, switch the radio button from Local System account to This account, browse for the apache user and enter its password (apacheuser in this example), then click OK. At this point Apache will not start normally; it will usually fail with the error "Apache2.2 service stopped due to 1 (0x1) service error";
4. Configure permissions: on the Apache installation directory (for example d:/apache), on the web directory (for example d:/wwwroot) and on the root of every drive, remove all permissions except those of Administrator and SYSTEM. Then give the apache account Read and Execute on the Apache installation directory, Read on the web directory, and Write only on the upload and cache directories.
4. Ensure that files outside the web root are not served
Apache must not be allowed to access any file outside the web root. Assuming the site's files live in one directory (for example /web), set the following (the enclosing Directory blocks were lost in extraction and are restored here):
<Directory />
    Order Deny,Allow
    Deny from all
    Options None
    AllowOverride None
</Directory>
<Directory /web>
    Order Allow,Deny
    Allow from all
</Directory>
Note that because Options None and AllowOverride None are set for the root, every option and every override is switched off for the whole server. Each directory that needs an option or an override must now enable it explicitly.
5. Disable directory browsing
Do this with the Options directive inside the Directory block: set Options to None or to -Indexes.
Options -Indexes
6. Disable server-side includes
This is also done with the Options directive inside the Directory block: set Options to None or to -Includes.
Options -Includes
7. Disable CGI execution
If CGI is not used, turn it off. Inside the Directory block, set Options to None or to -ExecCGI:
Options -ExecCGI
8. Stop Apache from following symbolic links
As above, set Options to None or to -FollowSymLinks:
Options -FollowSymLinks
9. Disable several options at once
To turn off all options at once:
Options None
To turn off only selected options, list each one with a leading minus:
Options -ExecCGI -FollowSymLinks -Indexes
10. Disable support for .htaccess files
Inside the Directory block:
AllowOverride None
If overrides are required, make sure the override files cannot be downloaded, or rename them to something other than .htaccess. For example, rename them to .httpdoverride and then block every file whose name begins with .ht as follows (the enclosing Files block was lost in extraction and is restored here):
AccessFileName .httpdoverride
<Files ~ "^\.ht">
    Order Allow,Deny
    Deny from all
    Satisfy All
</Files>
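Sections 4 to 10 all come down to what each Directory block sets for Options and AllowOverride. The shell script below is an added example, not part of the original article: it walks every Directory block in an httpd.conf and reports any block that still enables Indexes, Includes, ExecCGI or FollowSymLinks (or All), or that allows overrides. The sample config it writes is constructed for the demonstration, and the function names make_sample_conf, audit_directory_options and count_findings are my own. It only looks at Directory blocks and at tokens on the Options line itself; options inherited from a parent block or set in an .htaccess file are outside its view.

```shell
#!/bin/sh
# Added example, not part of the original article: audit Options and
# AllowOverride in every <Directory> block of an httpd.conf. The sample config
# is constructed for this demonstration, not taken from a real server.

make_sample_conf() {
  cat > "$1" <<'EOF'
# constructed sample httpd.conf fragment
<Directory />
    Order Deny,Allow
    Deny from all
    Options None
    AllowOverride None
</Directory>
<Directory /web>
    Order Allow,Deny
    Allow from all
    Options Indexes FollowSymLinks
    AllowOverride All
</Directory>
<Directory /web/static>
    Options -Indexes -Includes -ExecCGI -FollowSymLinks
    AllowOverride None
</Directory>
EOF
}

# Print one finding per line: "<directory> <directive> <risky tokens>".
# An Options token counts as enabled when it has no leading "-", so
# "Indexes", "+Indexes" and "All" are flagged while "-Indexes" and "None" are not.
audit_directory_options() {
  awk '
    /^[ \t]*<Directory[ \t]/ {
      dir = $2; sub(/>.*$/, "", dir); gsub(/"/, "", dir); next
    }
    /^[ \t]*<\/Directory>/ { dir = ""; next }
    dir != "" && tolower($1) == "options" {
      risky = ""
      for (i = 2; i <= NF; i++) {
        t = tolower($i); sub(/^\+/, "", t)
        if (t == "all" || t == "indexes" || t == "includes" ||
            t == "execcgi" || t == "followsymlinks")
          risky = risky " " $i
      }
      if (risky != "") print dir " Options" risky
    }
    dir != "" && tolower($1) == "allowoverride" && tolower($2) != "none" {
      print dir " AllowOverride " $2
    }
  ' "$1"
}

# Number of findings; 0 means every Directory block is locked down.
count_findings() {
  audit_directory_options "$1" | wc -l | tr -d ' '
}

# Stand-alone demo: only the /web block should be reported.
demo=$(mktemp -d)
make_sample_conf "$demo/httpd.conf"
audit_directory_options "$demo/httpd.conf"
echo "findings: $(count_findings "$demo/httpd.conf")"
rm -r "$demo"
```

On the sample the script reports the /web block twice, once for Options Indexes FollowSymLinks and once for AllowOverride All, and says nothing about the root block or /web/static.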
11. Run mod_security
mod_security is a very useful Apache module written by Ivan Ristic, author of the book Apache Security published by O'Reilly. It can be used to implement the following:
• Simple filtering
• Regular-expression based filtering
• URL encoding validation
• Unicode encoding validation
• Auditing
• Null byte attack prevention
• Upload size limits
• Server identity masking
• Built-in chroot support
• Many other features
12. Disable unnecessary modules
Apache usually installs several modules. Go through the Apache module documentation to see what each installed module is for; in many cases you will find that they do not need to be enabled.
Find the LoadModule lines in httpd.conf. To disable a module, put a # at the start of its line. To list the LoadModule lines, run:
grep LoadModule httpd.conf
The following modules are usually enabled but seldom needed: mod_imap, mod_include, mod_info, mod_userdir, mod_status, mod_cgi, mod_autoindex
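The grep above also prints lines that are already commented out, so it does not by itself show what is loaded. The shell script below is an added example and not part of the original article: it lists only the active LoadModule lines of an httpd.conf, flags the ones from the list above, and writes a copy of the file with those lines commented out (the original is left untouched so the diff can be reviewed before restarting Apache). The sample config is constructed for the demonstration; the module names and modules/mod_*.so paths follow the Apache 2.2 convention, and the function names make_sample_conf, loaded_modules, modules_to_review and comment_out_modules are my own.

```shell
#!/bin/sh
# Added example, not part of the original article: list the modules an
# httpd.conf actually loads, flag the ones the text names as usually
# unnecessary, and write a copy with those LoadModule lines commented out.
# The sample config is constructed for this demonstration.

make_sample_conf() {
  cat > "$1" <<'EOF'
# constructed sample httpd.conf fragment
LoadModule authz_host_module modules/mod_authz_host.so
LoadModule log_config_module modules/mod_log_config.so
LoadModule mime_module modules/mod_mime.so
LoadModule autoindex_module modules/mod_autoindex.so
LoadModule cgi_module modules/mod_cgi.so
#LoadModule info_module modules/mod_info.so
LoadModule status_module modules/mod_status.so
LoadModule userdir_module modules/mod_userdir.so
LoadModule dir_module modules/mod_dir.so
EOF
}

# Modules the text lists as commonly enabled but usually unnecessary.
REVIEW_MODULES="mod_imap mod_include mod_info mod_userdir mod_status mod_cgi mod_autoindex"

# Active LoadModule lines only: a line starting with # is already disabled.
# Prints the module file name without path or .so, e.g. mod_cgi.
loaded_modules() {
  grep -iE '^[[:space:]]*LoadModule[[:space:]]' "$1" | awk '{print $3}' | sed 's#.*/##; s#\.so$##'
  return 0
}

# Loaded modules that appear on the review list, one per line, in file order.
modules_to_review() {
  for m in $(loaded_modules "$1"); do
    for r in $REVIEW_MODULES; do
      [ "$m" = "$r" ] && echo "$m"
    done
  done
  return 0
}

# Write $1 to $2 with the review-list LoadModule lines commented out.
# The input file is not modified; diff the two and restart Apache afterwards.
comment_out_modules() {
  pattern=$(printf '%s' "$REVIEW_MODULES" | sed 's/ /|/g')
  sed -E "s,^([[:space:]]*LoadModule[[:space:]].*/($pattern)\.so),#\1," "$1" > "$2"
}

# Stand-alone demo.
demo=$(mktemp -d)
make_sample_conf "$demo/httpd.conf"
echo "loaded:";    loaded_modules "$demo/httpd.conf"
echo "to review:"; modules_to_review "$demo/httpd.conf"
comment_out_modules "$demo/httpd.conf" "$demo/hardened.conf"
echo "still loaded after hardening:"; loaded_modules "$demo/hardened.conf"
rm -r "$demo"
```

Whether mod_cgi or mod_autoindex can really go depends on the site, so treat the review list as a prompt for the documentation check the text describes, not as a verdict; the script deliberately leaves the original file alone for that reason.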
13. Remove the default comments from httpd.conf
The default httpd.conf in Apache 2.2.4 has more than 400 lines. Only a small fraction of those are actual Apache directives; the rest are comments meant to help the user place directives correctly. Removing the extra comments entirely makes the file much easier to read.
14. Make the Listen directive specific
A fresh Apache install has a "Listen 80" directive in httpd.conf. Change it to "Listen mn.xx.yy.zz:80", where mn.xx.yy.zz is the IP address on which Apache should accept requests. This matters especially when Apache runs on a server with several IP addresses: without this precaution, the default "Listen 80" tells Apache to listen on port 80 of every address.
Ding Feng Hu Jiashong
qq.2881064155
Apache Server Security Hardening