Apache Security Configuration

Source: Internet
Author: User

1. Security Policy

1.1 Protecting a directory

.htaccess can be used to protect a directory: before a client can read anything in it, it has to supply a valid user name and password. Typical uses are a directory of administration pages or a members-only area.

In httpd.conf, allow the directory to be overridden by .htaccess (AuthConfig is sufficient for authentication; the original configuration uses All):

AllowOverride All

The original configuration also loads mod_rewrite, although it is not what makes HTTP authentication work (that needs mod_auth_basic together with mod_authn_file and mod_authz_user on Apache 2.2 and later):

LoadModule rewrite_module modules/mod_rewrite.so

Then create a text file named .htaccess in the directory to be protected (on Windows, type the name as ".htaccess" including the quotes in Notepad's Save dialog, otherwise a .txt extension is appended).

1.1.1 .htaccess configuration

(A .htaccess file is equivalent to httpd.conf configuration for the directory it sits in. Pay attention to the file permissions of .htaccess itself: anyone with write access to the web tree who can modify it controls that directory's configuration, and the consequences are hard to bound.)

AuthName "hihihihi"
AuthType Basic
AuthUserFile c:\ss
Require valid-user

AuthName is the realm text shown in the browser's user name and password prompt (quote it if it contains spaces).

AuthType Basic selects HTTP Basic authentication. The credentials travel base64-encoded, i.e. effectively in clear text, so this should only be used over HTTPS.

AuthUserFile gives the path of the file (conventionally named .htpasswd) that holds the user names and password hashes; in this example it sits in the same directory as the .htaccess file. Keeping it outside the document root is safer, because it is then unreachable by URL even if the default <FilesMatch "^\.ht"> deny rule is missing.

Require valid-user grants access to any user listed in that file who supplies the correct password.

1.1.2 .htpasswd configuration

Each line has the form

user name:password hash

For example:

aaa:aaa

A plain-text password like this is accepted only by Apache on Windows and Netware; on every other platform the second field must be a hash. Create or update entries with the htpasswd tool shipped with Apache (htpasswd -c <file> aaa creates the file and prompts for the password; htpasswd -B selects bcrypt on Apache 2.4.4 and later), and avoid plain text even where it works.

The directives do not have to live in .htaccess. Placing the same configuration in httpd.conf (the main configuration) inside a <Directory> block is more efficient, because with .htaccess enabled Apache must look for a .htaccess file in every directory from the document root down to the requested file on every request. It is also safer: a .htaccess file under the web tree is one more thing an attacker with write access can modify. Where .htaccess is not needed, set AllowOverride None.
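As an added example (not part of the original article), the Python below produces and checks .htpasswd entries in Apache's portable $apr1$ MD5 format, which is what htpasswd -m writes on every platform. The user name, password and salt are made up. It lets you create or audit entries without the Apache tools, rejects plain-text entries such as aaa:aaa, and shows what a salted, iterated hash in that file looks like; on Apache 2.4.4 and later prefer bcrypt (htpasswd -B) for new entries.

```python
import hashlib
import hmac
import secrets
from typing import Optional

# Alphabet of crypt(3)-style encoders; Apache's apr1 scheme uses it for salt and digest.
ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
APR1_MAGIC = b"$apr1$"


def _to64(value: int, count: int) -> str:
    """Emit count characters, 6 bits each, least significant group first."""
    chars = []
    for _ in range(count):
        chars.append(ITOA64[value & 0x3F])
        value >>= 6
    return "".join(chars)


def apr1_hash(password: str, salt: str) -> str:
    """The $apr1$ variant of md5crypt, as implemented by Apache's apr_md5_encode()."""
    if not 1 <= len(salt) <= 8 or any(c not in ITOA64 for c in salt):
        raise ValueError("salt must be 1 to 8 characters from the itoa64 alphabet")
    pw = password.encode("utf-8")
    sb = salt.encode("ascii")

    ctx = hashlib.md5(pw + APR1_MAGIC + sb)
    inner = hashlib.md5(pw + sb + pw).digest()
    for remaining in range(len(pw), 0, -16):  # one inner byte per password byte
        ctx.update(inner[:min(16, remaining)])
    bits = len(pw)
    while bits:  # per bit of the length: a NUL byte for 1, the first password byte for 0
        ctx.update(b"\0" if bits & 1 else pw[:1])
        bits >>= 1
    digest = ctx.digest()

    for rnd in range(1000):  # fixed 1000-round stretching schedule
        step = hashlib.md5()
        step.update(pw if rnd & 1 else digest)
        if rnd % 3:
            step.update(sb)
        if rnd % 7:
            step.update(pw)
        step.update(digest if rnd & 1 else pw)
        digest = step.digest()

    groups = ((0, 6, 12), (1, 7, 13), (2, 8, 14), (3, 9, 15), (4, 10, 5))
    encoded = "".join(
        _to64((digest[a] << 16) | (digest[b] << 8) | digest[c], 4) for a, b, c in groups
    ) + _to64(digest[11], 2)
    return f"$apr1${salt}${encoded}"


def make_htpasswd_line(user: str, password: str, salt: Optional[str] = None) -> str:
    """One 'user:hash' line as htpasswd -m would write it; random salt unless given."""
    if ":" in user:
        raise ValueError("user name must not contain ':'")
    if salt is None:
        salt = "".join(secrets.choice(ITOA64) for _ in range(8))
    return f"{user}:{apr1_hash(password, salt)}"


def verify_htpasswd_line(line: str, user: str, password: str) -> bool:
    """Check a password against a stored $apr1$ line; plain-text entries never verify."""
    stored_user, _, stored_hash = line.rstrip("\n").partition(":")
    if stored_user != user or not stored_hash.startswith("$apr1$"):
        return False  # plain text (Windows/Netware only) or another scheme: not accepted here
    try:
        salt = stored_hash.split("$")[2]
        return hmac.compare_digest(apr1_hash(password, salt), stored_hash)
    except ValueError:
        return False


if __name__ == "__main__":
    entry = make_htpasswd_line("aaa", "correct horse battery")  # made-up credentials
    print(entry)
    print(verify_htpasswd_line(entry, "aaa", "correct horse battery"))  # True
```

A generated line can be pasted straight into the AuthUserFile; verification uses a constant-time comparison so that checking code does not leak hash prefixes through timing.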

1.2 Error pages

ErrorDocument takes a status code and a target, which can be a quoted message, a local URL path (optionally quoted), a local script, or an external URL:

ErrorDocument 500 "The server made a boo boo."
ErrorDocument 404 /missing.html
ErrorDocument 404 "/cgi-bin/missing_handler.pl"
ErrorDocument 402 http://www.js.com/subscription_info.html

Custom pages replace the default Apache error page, which carries the server signature. Note that an external URL is delivered as a redirect, so the client sees a 302 instead of the original status code.

2. Security Risks

2.1 Directory listing leakage

<Directory "/usr/local/apache/htdocs">
    Options -Indexes +FollowSymLinks
    AllowOverride None
    Order allow,deny
    Allow from all
</Directory>

Prefix Indexes with - or remove it altogether, so that Apache never generates a file listing for a directory that has no index page. Note that Options arguments must either all carry a + or - sign or none of them: "Options -Indexes FollowSymLinks" is a syntax error and Apache refuses to start.

2.2 Following symbolic links

<Directory "/usr/local/apache/htdocs">
    Options +Indexes -FollowSymLinks
    AllowOverride None
    Order allow,deny
    Allow from all
</Directory>

Remove FollowSymLinks or prefix it with - so that a symbolic link placed under the document root cannot expose files outside it. If links are needed, SymLinksIfOwnerMatch follows a link only when the link and its target have the same owner. As above, do not mix signed and unsigned Options arguments.

2.3 Listen directive

httpd.conf contains the line "Listen 80", which binds port 80 on every address of the host. Change it to a specific address, for example "Listen 192.0.2.10:80" (a documentation address standing for the interface the site should be served on), so that the server is not reachable on management or internal interfaces. On a host with several addresses check each one, and repeat the directive for each address that must be served.

2.4 Version leakage

Add the following to httpd.conf:

ServerTokens ProductOnly
ServerSignature Off

ServerTokens ProductOnly (also written Prod) reduces the Server response header to "Apache", hiding version, operating system and module list; it applies to the whole server and cannot be set per virtual host. ServerSignature Off removes the server name and version footer from server-generated pages such as error messages and directory listings.
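The following Python is an added example, not from the original article, that applies the checks from 2.1 to 2.4 to an httpd.conf fragment: it flags Listen without an address, ServerTokens other than Prod/ProductOnly (or missing, since the default is Full), ServerSignature On, Options that enable Indexes or FollowSymLinks (including via All), AllowOverride All, and the invalid mix of signed and unsigned Options arguments. Both configuration fragments are constructed for the example; 192.0.2.10 is a documentation address.

```python
from typing import List, Tuple

# Constructed fragments, not a real server's files.
WEAK_CONF = """
# Looks like a stock httpd.conf: listens everywhere and advertises itself.
Listen 80
ServerTokens Full
ServerSignature On
<Directory "/usr/local/apache/htdocs">
    Options Indexes FollowSymLinks
    AllowOverride All
    Order allow,deny
    Allow from all
</Directory>
"""

HARDENED_CONF = """
Listen 192.0.2.10:80
ServerTokens Prod
ServerSignature Off
<Directory "/usr/local/apache/htdocs">
    Options -Indexes -FollowSymLinks +SymLinksIfOwnerMatch
    AllowOverride None
    Order allow,deny
    Allow from all
</Directory>
"""

# "Options All" means every option except MultiViews.
ALL_OPTIONS = {"ExecCGI", "FollowSymLinks", "Includes", "IncludesNOEXEC",
               "Indexes", "SymLinksIfOwnerMatch"}

Directive = Tuple[str, List[str], str]  # (name, arguments, enclosing section)


def parse_directives(conf: str) -> List[Directive]:
    """Minimal httpd.conf reader: drops comment lines, tracks <Section> nesting."""
    out: List[Directive] = []
    stack: List[str] = []
    for raw in conf.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):  # Apache only allows whole-line comments
            continue
        if line.startswith("</"):
            stack.pop()
        elif line.startswith("<"):
            stack.append(line.strip("<>"))
        else:
            name, *args = line.split()
            out.append((name, args, stack[-1] if stack else "server config"))
    return out


def options_enabled(args: List[str]) -> set:
    """Options a directive turns on, honouring +/- syntax and the All shorthand."""
    signed = [a for a in args if a[0] in "+-"]
    if signed and len(signed) != len(args):
        raise ValueError("Options mixes +/- with unsigned values; Apache rejects this")
    enabled: set = set()
    for a in args:
        flags = ALL_OPTIONS if a.lstrip("+-") == "All" else {a.lstrip("+-")}
        if a.startswith("-"):
            enabled -= flags
        else:
            enabled |= flags
    return enabled


def audit(conf: str) -> List[str]:
    """One finding per weak setting described in sections 2.1 to 2.4."""
    findings: List[str] = []
    saw_server_tokens = False
    for name, args, where in parse_directives(conf):
        key = name.lower()
        if key == "listen" and args and args[0].isdigit():
            findings.append(f"{where}: Listen {args[0]} binds every address; give an IP")
        elif key == "servertokens":
            saw_server_tokens = True
            if args[0] not in ("Prod", "ProductOnly"):
                findings.append(f"{where}: ServerTokens {args[0]} leaks version details")
        elif key == "serversignature" and args[0].lower() != "off":
            findings.append(f"{where}: ServerSignature {args[0]} adds a version footer")
        elif key == "options":
            try:
                on = options_enabled(args)
            except ValueError as exc:
                findings.append(f"{where}: {exc}")
                continue
            if "Indexes" in on:
                findings.append(f"{where}: Options enables Indexes (directory listings)")
            if "FollowSymLinks" in on:
                findings.append(f"{where}: Options enables FollowSymLinks; consider SymLinksIfOwnerMatch")
        elif key == "allowoverride" and "All" in args:
            findings.append(f"{where}: AllowOverride All lets .htaccess change anything")
    if not saw_server_tokens:
        findings.append("server config: ServerTokens not set; default Full leaks version")
    return findings


if __name__ == "__main__":
    for label, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(f"{label}: {len(audit(conf))} finding(s)")
        for f in audit(conf):
            print("  -", f)
```

The reader is deliberately simple (no Include, no line continuation, no conditional sections), so run it on the flattened output of "httpd -t -D DUMP_CONFIG" or on a single file rather than on a tree of includes.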

2.5 Run permissions

On Windows, Apache installed as a service runs under the LocalSystem account by default, i.e. with SYSTEM privileges. If an attacker finds a vulnerability in the server or in a script it runs, the whole machine is theirs. Run the service under a dedicated low-privilege account that can read the web content and configuration and write only to the log directory. (On Unix the worker processes run as the User and Group set in httpd.conf; the default build refuses to run them as root.)

2.6 Strip the default comments from httpd.conf

Of the roughly 400 lines in the default httpd.conf only a small part are actual directives; the rest are comments meant to show users where directives go. In the author's experience these comments sometimes do harm: they bury the effective configuration and can even carry dangerous directives that only need uncommenting. On the Apache servers the author manages, httpd.conf is copied to another file such as httpd.conf.orig and the comments are then stripped from the working copy completely. The file becomes much easier to read, and potential security problems and misconfigurations are easier to spot.

2.7 Misleading attackers

Change the reported version name:

Change the reported system name:

2.8 Apache file name parsing

Apache's mod_mime examines every dot-separated part of a file name as a possible extension. With AddHandler-based PHP configuration, a file uploaded as shell.php.jpg is therefore still handed to the PHP handler, because .jpg only sets a MIME type and not a handler. Deny any file whose name contains ".php." or ".php3.":

<FilesMatch "\.(php\.|php3\.)">
    Order Allow,Deny
    Deny from all
</FilesMatch>

The dots must be escaped (\.); an unescaped "." matches any character and blocks unrelated names. The root cause is better fixed by mapping PHP with SetHandler inside <FilesMatch "\.php$"> instead of AddHandler, so that only the final extension counts.

2.9 Upload directories without script execution

Disable PHP in the /www/home/upload tree:

<Directory "/www/home/upload">
    <Files ~ "\.php">
        Order allow,deny
        Deny from all
    </Files>
</Directory>

The pattern is unanchored, so it also blocks names such as shell.php.jpg. With mod_php, "php_admin_flag engine off" inside the <Directory> block disables the PHP engine there altogether and is the stronger control, since it does not depend on listing every scriptable extension (.phtml, .php5 and so on).

2.10 Restricting PHP to a directory tree

php_admin_value open_basedir /var/www

open_basedir limits the files PHP itself may open, so a script in one site cannot read another site's configuration or system files. The value is a prefix match: "/var/www" also matches "/var/www2", so end it with a slash ("/var/www/") when a single directory tree is intended.

2.11 HTTP request method security

An OPTIONS request reveals which methods a resource accepts. To refuse it server-wide:

<Location />
    <Limit OPTIONS>
        Deny from all
    </Limit>
</Location>

<Limit> is a deny list: every method not named in it, including PUT, DELETE and methods the server does not implement at all, is left untouched. <LimitExcept GET POST> inverts this and is the safer form for a site that only serves pages. TRACE cannot be controlled by <Limit> at all; disable it with "TraceEnable off" (Apache 2.0.55 and later).
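To make the <Limit> versus <LimitExcept> difference concrete, here is an added Python model (not from the original article) of which methods an enclosed "Deny from all" actually blocks. It implements the rules from the Apache documentation: GET implies HEAD, TRACE is outside <Limit> and governed only by TraceEnable, and <LimitExcept> covers every method not named, including ones the server does not implement. The method list used for the comparison is constructed.

```python
from typing import FrozenSet, Iterable


class MethodPolicy:
    """Which methods an enclosed 'Deny from all' blocks inside <Limit>/<LimitExcept>."""

    def __init__(self, section: str, methods: Iterable[str], trace_enable: bool = True):
        if section not in ("Limit", "LimitExcept"):
            raise ValueError("section must be Limit or LimitExcept")
        named = set(methods)
        if "TRACE" in named:
            # Apache refuses this at startup: TRACE is only controlled by TraceEnable.
            raise ValueError("TRACE cannot be controlled by <Limit>, see TraceEnable")
        if "GET" in named:
            named.add("HEAD")  # GET in either section also covers HEAD
        self.section = section
        self.methods: FrozenSet[str] = frozenset(named)
        self.trace_enable = trace_enable

    def is_allowed(self, method: str) -> bool:
        """True if the method still reaches the resource; method names are case-sensitive."""
        if method == "TRACE":
            return self.trace_enable
        in_list = method in self.methods
        # <Limit> restricts only the named methods; <LimitExcept> restricts all others.
        restricted = in_list if self.section == "Limit" else not in_list
        return not restricted


def compare(methods: Iterable[str]) -> dict:
    """Side by side: the page's <Limit OPTIONS> versus an allow list plus TraceEnable off."""
    deny_options = MethodPolicy("Limit", ["OPTIONS"])
    allow_list = MethodPolicy("LimitExcept", ["GET", "POST"], trace_enable=False)
    return {m: (deny_options.is_allowed(m), allow_list.is_allowed(m)) for m in methods}


if __name__ == "__main__":
    # Constructed probe list: the usual suspects plus a method Apache does not implement.
    probes = ["GET", "HEAD", "POST", "OPTIONS", "PUT", "DELETE", "TRACE", "FOO"]
    for method, (page, strict) in compare(probes).items():
        print(f"{method:8} <Limit OPTIONS>: {'allow' if page else 'deny':5}  "
              f"<LimitExcept GET POST> + TraceEnable off: {'allow' if strict else 'deny'}")
```

The output shows the gap the page's configuration leaves: PUT, DELETE and unknown methods all pass the <Limit OPTIONS> block, and TRACE is untouched by either section until TraceEnable is switched off.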

2.12 Denying access by file extension

<Files ~ "\.inc$">
    Order allow,deny
    Deny from all
</Files>

Include files (.inc) are often plain PHP source; served directly they disclose code and credentials. The $ anchors the match at the end of the name, so config.inc.php is not affected.

2.13 Denying access to selected directories

<Directory ~ "^/var/www/(.+/)*[0-9]{3}">
    Order allow,deny
    Deny from all
</Directory>

<Directory ~> matches the filesystem path against a regular expression; this one denies every directory under /var/www whose name starts with three digits. Because the pattern has no closing anchor it also matches names with more digits, such as /var/www/1234; add $ if exactly three digits are meant.

2.14 Denying access by file pattern (FilesMatch)

<FilesMatch "\.(?i:gif|jpe?g|png)$">
    Order allow,deny
    Deny from all
</FilesMatch>

(?i:...) makes the alternatives case-insensitive, so .GIF and .Jpeg are covered as well. FilesMatch takes the same regular expressions as <Files ~> and is the preferred spelling.
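The regular expressions in 2.8, 2.9, 2.12, 2.13 and 2.14 are easy to get subtly wrong, so as an added example (not from the original article) the Python below runs each of them, plus the unescaped variant of the 2.8 pattern, against constructed file names and directory paths the way Apache does: <Files>/<FilesMatch> patterns are searched, unanchored, against the file name, <Directory ~> against the filesystem path. All sample names are made up.

```python
import re
from typing import Dict, List

# Patterns as given in sections 2.8, 2.9, 2.12 and 2.14, dots escaped as intended.
FILE_PATTERNS = {
    "2.8 FilesMatch": r"\.(php\.|php3\.)",
    "2.9 Files ~": r"\.php",
    "2.12 Files ~": r"\.inc$",
    "2.14 FilesMatch": r"\.(?i:gif|jpe?g|png)$",
}
SLOPPY_2_8 = r".(php.|php3.)"              # the 2.8 rule with unescaped dots
DIR_PATTERN = r"^/var/www/(.+/)*[0-9]{3}"  # 2.13 Directory ~
DIR_PATTERN_ANCHORED = DIR_PATTERN + "$"

# Constructed names a practitioner would probe with; none come from a real server.
SAMPLE_FILES = ["index.php", "shell.php.jpg", "notes.php3.txt", "config.inc",
                "config.inc.php", "photo.JPG", "banner.jpeg", "logo.png.php",
                "graphpaper.jpg", "readme.txt"]
SAMPLE_DIRS = ["/var/www/123", "/var/www/site/img/007", "/var/www/1234",
               "/var/www/abc", "/var/www/12", "/home/123"]


def files_matched(pattern: str, names: List[str]) -> List[str]:
    """<Files ~>/<FilesMatch>: regex searched (not anchored) against the base name only."""
    rx = re.compile(pattern)
    return [n for n in names if rx.search(n)]


def dirs_matched(pattern: str, paths: List[str]) -> List[str]:
    """<Directory ~>: regex searched against the full filesystem path of the directory."""
    rx = re.compile(pattern)
    return [p for p in paths if rx.search(p)]


def report() -> Dict[str, List[str]]:
    """Which sample names each rule would deny."""
    out = {label: files_matched(rx, SAMPLE_FILES) for label, rx in FILE_PATTERNS.items()}
    out["2.8 unescaped"] = files_matched(SLOPPY_2_8, SAMPLE_FILES)
    out["2.13 Directory ~"] = dirs_matched(DIR_PATTERN, SAMPLE_DIRS)
    out["2.13 Directory ~ (anchored)"] = dirs_matched(DIR_PATTERN_ANCHORED, SAMPLE_DIRS)
    return out


if __name__ == "__main__":
    for label, denied in report().items():
        print(f"{label:28} denies {denied}")
```

Three things stand out in the output: the unescaped 2.8 pattern blocks the harmless graphpaper.jpg, the 2.14 image rule also catches shell.php.jpg (which is fine, but shows that rules overlap), and the 2.13 directory rule matches /var/www/1234 until the closing anchor is added.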

2.15 Denying access to a URL path

<Location /dir/>
    Order allow,deny
    Deny from all
</Location>

<Location> matches the request URL path rather than a filesystem directory, so it also covers content reached through Alias or a handler. Use <Directory> when the goal is to protect files wherever they happen to be mapped.

3. Other security configurations

3.1 Options

Meaning of the Options arguments:

All: every option except MultiViews (the default in Apache 2.2; 2.4 defaults to FollowSymLinks).

ExecCGI: CGI scripts may be executed in this directory.

FollowSymLinks: the server follows symbolic links, so files or directories outside this directory can be reached through a link.

Indexes: the server generates a file listing when the directory has no index page.

Includes: server-side includes (SSI) are enabled.

IncludesNOEXEC: SSI is enabled, but #exec cmd and #exec cgi are disabled (#include virtual of CGI scripts from ScriptAlias directories still works).

MultiViews: content negotiation; for example, the French version of a page is chosen according to the browser's Accept-Language header.

None: none of the extra features is enabled. This is the safest setting, but it does not by itself deny access to the directory.

SymLinksIfOwnerMatch: symbolic links are followed only when the link and its target have the same owner.

3.2 AllowOverride

AllowOverride None: .htaccess files are not read at all.

AllowOverride AuthConfig: .htaccess may only set authentication directives (AuthType, AuthUserFile, Require and so on).

AllowOverride All: .htaccess may change any overridable directive, i.e. it can rewrite the access configuration of the directory.

3.3 Location

<Location> is similar to <Directory> but restricts by URL path. The default httpd.conf ships the following blocks commented out:

<Location /server-status>
    SetHandler server-status
    Order deny,allow
    Deny from all
    Allow from .your_domain.com
</Location>

Enabling this exposes the mod_status page; keep the Allow restricted to your own hosts.

<Location /server-info>
    SetHandler server-info
    Order deny,allow
    Deny from all
    Allow from .your_domain.com
</Location>

This block shows the server's compiled-in and configured settings and requires mod_info.

<Location /cgi-bin/phf*>
    Deny from all
    ErrorDocument 403 http://phf.apache.org/phf_abuse_log.cgi
</Location>

This block exists because of the phf example CGI script shipped with early web servers, whose bug attackers still probe for; enabling it sends such requests to the page named by ErrorDocument, which logs the abuse.

Allowing by host name (Allow from .your_domain.com) forces a double reverse DNS lookup for every request to the location, regardless of HostnameLookups, and trusts DNS; allowing by IP address is cheaper and harder to spoof.

3.4 Allow from / Deny from

Allow from all: every client may access.

Allow from flag.com.tw: only clients whose host name is flag.com.tw or ends in .flag.com.tw may access. To shut everyone else out, combine it with Order deny,allow and Deny from all. Under Order allow,deny the default is already to deny anyone not matched by an Allow, and adding Deny from all there blocks everybody, because a matching Deny wins.

Deny from 203.74.205: reject clients whose address begins with 203.74.205 (a partial address matches the whole network).

Apache 2.4 replaces Order/Allow/Deny with Require (Require all granted, Require host flag.com.tw, Require ip 203.74.205); the old directives then need mod_access_compat.
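Because the outcome of Allow/Deny depends entirely on Order, here is an added Python model (not from the original article) of the Apache 2.2 mod_authz_host evaluation, supporting the client-matching forms used on this page: all, a host name or domain suffix, a partial IPv4 address, and CIDR or netmask ranges. It covers both the 3.3 server-status block and the 3.4 examples; the client addresses and host names in the checks are constructed.

```python
import ipaddress
from typing import List, Optional


def _matches(spec: str, ip: str, host: Optional[str]) -> bool:
    """One Allow/Deny argument against a client, in the forms mod_authz_host (2.2) accepts."""
    if spec == "all":
        return True
    if "/" in spec:  # CIDR (198.51.100.0/24) or dotted netmask (198.51.100.0/255.255.255.0)
        return ipaddress.ip_address(ip) in ipaddress.ip_network(spec, strict=False)
    if spec[0].isdigit():  # full address, or partial dotted quad that names a network
        return ip == spec or ip.startswith(spec.rstrip(".") + ".")
    if host is None:  # host-name rules need the (double reverse) lookup result
        return False
    host, spec = host.lower(), spec.lower()
    if spec.startswith("."):  # ".example.org": any host under the domain
        return host.endswith(spec)
    return host == spec or host.endswith("." + spec)  # "example.org": the host or anything under it


def access_allowed(order: str, allows: List[str], denies: List[str],
                   ip: str, host: Optional[str] = None) -> bool:
    """Apache 2.2 Order semantics for one client."""
    allowed = any(_matches(s, ip, host) for s in allows)
    denied = any(_matches(s, ip, host) for s in denies)
    if order == "allow,deny":
        # Allow first; anything not allowed, or matched by a Deny, is rejected (default deny).
        return allowed and not denied
    if order == "deny,allow":
        # Deny first; a matching Allow overrides it (default allow).
        return not denied or allowed
    raise ValueError("Order must be allow,deny or deny,allow")


if __name__ == "__main__":
    # Same Allow/Deny lines, different Order: only the second lets the domain in.
    for order in ("allow,deny", "deny,allow"):
        ok = access_allowed(order, ["flag.com.tw"], ["all"], "198.51.100.7", "host.flag.com.tw")
        print(f"Order {order}; Allow from flag.com.tw; Deny from all -> {ok}")
```

The two printed lines are the whole point of 3.4: with "Allow from flag.com.tw" and "Deny from all", Order deny,allow admits the domain and rejects everyone else, while Order allow,deny rejects everyone.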

3.5 Reducing CGI and SSI risk

SSI pages that run external programs with directives such as #exec carry the same risk as CGI scripts. Unless command execution is needed for program debugging, switch that part of SSI off:

Options IncludesNOEXEC

Where CGI or SSI execution is genuinely needed, run it under suEXEC so that the scripts execute as a dedicated user rather than as the web server's user.

3.6 Using SSL to harden Apache connections
