Apache Security Configuration

0x00 Test environment

CentOS 6.5 + Apache 2.2.15 + PHP 5.3.3

0x01 Introduction to PHP running modes

PHP runs in four modes:

1. CGI (Common Gateway Interface)
2. FastCGI (resident CGI)
3. CLI (command-line execution)
4. Web module mode

Generally, Apache runs PHP in web module mode.

0x02 Introduction to how Apache works

Apache has a modular design: each module is loaded as needed when the server starts. PHP parsing is done by the PHP module, one of many such modules.

So PHP is loaded as an Apache module, and Apache and PHP can be regarded as one unit.

When a browser requests a PHP file, Apache itself processes the request and returns the result to the browser; the server only has httpd processes, not separate php processes.

Apache configuration is mainly done in httpd.conf, but you can enable .htaccess from httpd.conf and then configure directories in .htaccess files. However, .htaccess should not be used unless you have no access to the main configuration file. It is meant for a content provider who needs to change the server configuration for a specific directory without root permission: if the server administrator is unwilling to modify the configuration frequently, the change can be delegated through a .htaccess file.

0x03 Apache security configuration scheme

1. Select an Apache version with fewer known vulnerabilities and apply security patches.

View the Apache version: httpd -v

Search sebug for vulnerabilities affecting this version number; upgrade the version or apply patches as advised.

2. Disable unused modules and functions

Add a # in front of the LoadModule line to comment out an unused module.

3. Hide banner information

Change ServerTokens OS to ServerTokens Prod (the server OS name is no longer displayed on error pages).

Change ServerSignature On to ServerSignature Off (the Apache version is no longer echoed).

4. Delete default websites and pages

Delete the default pages to prevent server information leakage.

5. Modify the banner information.

6. Configure httpd.conf to disable directory browsing.

Change Options Indexes FollowSymLinks to Options -Indexes FollowSymLinks.

7. Configure httpd.conf to set the default document

DirectoryIndex index.html

8. Properly configure the Apache running account

Create a separate account and group for Apache and configure them in httpd.conf:

User apache
Group apache

9. Reasonably control the Apache running account's write and execute permissions on disk

Remove the Apache running account's write permission on the website directory, except for the upload directory, and do not grant it permissions on other non-website directories if possible.

10. Reasonably control the Apache running account's execute permission on sh and similar programs

Revoke the running account's execute permission on sh and similar programs, so that a webshell cannot execute commands through the default sh.

11. Configure httpd.conf to remove PHP execution permission from the upload directory

<Directory "/var/www/html/aaa">
    <FilesMatch "\.(php|php5)$">
        Deny from all
    </FilesMatch>
</Directory>

12. Configure httpd.conf to restrict access to folders, such as the back-end admin directory.

<Directory "/var/www/html/aaa">
    Deny from all
</Directory>

13. Configure httpd.conf to restrict some special directories, such as internal interfaces, to specific IP addresses.

<Directory "/var/www/html/aaa">
    Order Deny,Allow
    Deny from all
    Allow from 192.168.1.111
</Directory>

14. Configure httpd.conf to restrict access to some file types, such as txt logs.

<Files ~ "\.txt$">
    Order allow,deny
    Deny from all
</Files>
15. Configure httpd.conf to change the listening port, so that some internal systems are not found by scanning.

This defeats scans that only check port 80.

Listen 12345 
16. Disable support for .htaccess.

Change

AllowOverride All

to

AllowOverride None
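As an added example (not code from the original article), a small Python auditor that checks an httpd.conf fragment for the settings items 3, 6, 8 and 16 tell you to change. Both sample configurations are constructed, and it assumes Apache 2.2 directive names written one per line.

```python
# Added example (not from the original article): audit an httpd.conf / .htaccess
# fragment for the weak settings this page tells you to change.
# Assumptions: Apache 2.2 directive names; only single-line directives are checked.

# Constructed sample with the defaults the article starts from.
WEAK_CONF = """\
ServerTokens OS
ServerSignature On
User apache
<Directory "/var/www/html">
    Options Indexes FollowSymLinks
    AllowOverride All
</Directory>
"""

# Constructed sample after applying items 3, 6, 8 and 16.
HARDENED_CONF = """\
ServerTokens Prod
ServerSignature Off
User apache
<Directory "/var/www/html">
    Options -Indexes FollowSymLinks
    AllowOverride None
</Directory>
"""


def audit_httpd_conf(text):
    """Return (directive, problem) pairs, in file order, for each weak setting found."""
    findings = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and surrounding whitespace
        if not line:
            continue
        parts = line.split()
        # Apache matches directive names case-insensitively; normalise arguments too.
        name, args = parts[0].lower(), [a.lower() for a in parts[1:]]
        if name == "servertokens" and args and args[0] != "prod":
            findings.append(("ServerTokens", "use Prod so the OS/module banner is not sent"))
        elif name == "serversignature" and args and args[0] == "on":
            findings.append(("ServerSignature", "use Off so error pages omit the version"))
        elif name == "options" and any(a.lstrip("+") == "indexes" for a in args):
            findings.append(("Options", "Indexes enables directory listing; use -Indexes"))
        elif name == "allowoverride" and args and args[0] != "none":
            findings.append(("AllowOverride", "use None unless .htaccess is really needed"))
        elif name in ("user", "group") and args and args[0] == "root":
            findings.append((name.capitalize(), "httpd must not run as root"))
    return findings
```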
17. Configure httpd.conf to record access logs.

0x04 Reference for common .htaccess configuration

First, using .htaccess is not recommended. .htaccess must be enabled in httpd.conf, and once it is enabled you must also configure httpd.conf so that the .htaccess file itself cannot be downloaded. Some basic configuration methods follow; for more, see other sites' guides to .htaccess configuration.

1. Customize the default directory document

DirectoryIndex index.html index.php index.htm

2. Custom error page

ErrorDocument 404 errors/404.html

3. Control access to files and directories

order deny,allow
deny from all
allow from 192.168.0.0/24

4. Prevent directory listing

Options -Indexes

0x05 Summary

In fact, the protection of a web server is divided into several layers (setting aside program vulnerabilities for now):

1. Hide yourself

To protect a web server, you must first learn to hide it. For internal systems, such as the back-end admin and internal interfaces, we can change ports and restrict IP addresses so that attackers cannot find them.

2. Hide your identity

Most web systems are accessed from outside, so they are hard to hide. Still, we can hide their identity by modifying the banner and the returned information, which makes an attack harder.

3. Select a secure version and fix known vulnerabilities.

In fact, the two previous steps are easy to break through, and the attacker then knows which web server version a system uses. What we can do at that point is select a version with few vulnerabilities and install security patches.

4. Complete the security configuration

Make the basic security configuration: prohibit directory browsing, set default documents, and disable PHP execution in upload directories, to prevent intrusion.

5. Reasonably configure the permissions of the web service process account

When an attacker has uploaded a webshell through a program vulnerability and executed it, only well-configured permissions for the service process account, including disk read/write permissions and execution of special programs such as sh, can minimize the damage.

6. Log recording

Finally, once an attacker has been in, we can only analyze the logs to see where the problem was.
