Apache security hardening

Source: Internet
Author: User

I. Account settings

Run Apache with a dedicated user account and group.

1. Create a dedicated user and group for Apache if they do not exist yet.

2. Configuration operation: if no dedicated user or group is set, create one and specify it in the configuration.

(1) Create an apache group: groupadd apache

(2) Create an apache user and add it to the apache group: useradd -g apache apache

(3) Add the following two lines to the Apache configuration file httpd.conf:

User apache

Group apache

3. Check the httpd.conf configuration file to confirm that a non-dedicated account (such as root) is not used to run Apache.

By default this is generally compliant: on Linux the default user is apache or nobody, and on Unix it is daemon.

II. Authorization settings

Strictly control the access permissions of the Apache main directory. Non-superusers cannot modify the contents in this directory.

1. The Apache home directory is set by the ServerRoot directive in the Apache server configuration file httpd.conf. It should be:

ServerRoot "/usr/local/apache"

2. Judgment condition

Non-Super Users cannot modify the contents in this directory.

3. Detection operation

As a non-superuser, try to modify a file in the directory and check whether the change is rejected.

4. The directory is generally /etc/httpd. By default its owner and group are root:root and other users cannot modify the files, so the default is compliant.

Strictly set the configuration file and log file permissions to prevent unauthorized access.

1. Run "chmod 600 /etc/httpd/conf/httpd.conf" so that the configuration file is readable and writable by its owner only; other users have no permissions.

2. Run "chmod 644 /var/log/httpd/*.log" so that the log files are readable and writable by their owner and read-only for other users.

3. The default permission of /etc/httpd/conf/httpd.conf is 644. Change it to 600 as needed.

4. The default permission of /var/log/httpd/*.log is 644, which generally meets the requirement.
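The permission checks in items 1 to 4 as an audit script. This is an added example, not from the original page: it reads the mode and owner of the configuration file and of every *.log file with stat and reports each deviation from 600 (configuration) and 644 (logs); the paths and expected owner are parameters, and the /etc/httpd paths in the final line are the checklist's defaults.

```shell
#!/bin/sh
# Added example (not from the original page): audit the ownership and mode of
# the Apache configuration file and log files against the values above
# (httpd.conf 600, log files 644). The paths and expected owner are parameters
# so the check can be pointed at a test directory instead of /etc/httpd.

# file_mode FILE  -> octal permission bits, e.g. 600
file_mode() { stat -c '%a' "$1"; }

# file_owner FILE -> owning user name
file_owner() { stat -c '%U' "$1"; }

# audit_apache_files CONF_FILE LOG_DIR OWNER
# Prints one line per finding and returns the number of findings (0 = compliant).
audit_apache_files() {
    conf=$1; logdir=$2; owner=$3; findings=0
    if [ "$(file_mode "$conf")" != 600 ]; then
        echo "FAIL: $conf mode $(file_mode "$conf"), expected 600 (chmod 600 $conf)"
        findings=$((findings + 1))
    fi
    if [ "$(file_owner "$conf")" != "$owner" ]; then
        echo "FAIL: $conf owned by $(file_owner "$conf"), expected $owner"
        findings=$((findings + 1))
    fi
    for log in "$logdir"/*.log; do
        [ -e "$log" ] || continue        # no log files yet: nothing to check
        if [ "$(file_mode "$log")" != 644 ]; then
            echo "FAIL: $log mode $(file_mode "$log"), expected 644 (chmod 644 $log)"
            findings=$((findings + 1))
        fi
        if [ "$(file_owner "$log")" != "$owner" ]; then
            echo "FAIL: $log owned by $(file_owner "$log"), expected $owner"
            findings=$((findings + 1))
        fi
    done
    [ "$findings" -eq 0 ] && echo "OK: $conf and $logdir/*.log are compliant"
    return "$findings"
}

# Run against the checklist's default paths (skipped when Apache is not installed here)
[ -r /etc/httpd/conf/httpd.conf ] && audit_apache_files /etc/httpd/conf/httpd.conf /var/log/httpd root || true
```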

III. Log settings

The server should enable logging to record running errors and user access; the recorded content must include the time and the IP address used by the user.

1. Edit the httpd.conf configuration file and set the log file, the recorded content, and the record format.

Error log:

LogLevel notice
(log level)

ErrorLog /.../logs/error_log
(log storage location of the error log)

Access log:

LogFormat "%h %l %u %t \"%r\" %>s %B \"%{Accept}i\" \"%{Referer}i\" \"%{User-Agent}i\"" combined

CustomLog /.../logs/access_log combined
(access log)

Note that the parenthesised remarks are explanatory only; httpd.conf does not accept a trailing comment on a directive line, so do not copy them into the file.

The ErrorLog directive sets the file name and location of the error log. The error log is the most important log file: Apache httpd stores diagnostic information in it and records the errors encountered while processing requests.

To send the error log to syslog, set ErrorLog syslog.

The CustomLog directive specifies the location of the log file and the log format. The access log records all requests processed by the server.

Set the LogFormat to combined.

LogLevel adjusts the level of detail recorded in the error log; notice is recommended.

The default log level is warn. The notice level is more detailed. In practice, because the more detailed log occupies a large amount of disk space, it is generally not set.
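What the combined format gives a reviewer in practice, as an added example that is not part of the original page: with that LogFormat the client IP is field 1 and the timestamp is field 4 of every line, so a few awk functions answer who sent what, when, and with which result. The log lines are constructed sample data (RFC 5737 test addresses); the 405 answer to TRACE is what TraceEnable Off returns, and the 404 on /cgi-bin is what a probe for a removed default script receives.

```shell
#!/bin/sh
# Added example, not from the original page: review an access log written with the
# combined LogFormat above. The client IP is field 1 and the timestamp field 4, so a
# few awk one-liners answer the questions the logging requirement exists for:
# who sent what, when, and with which result. The log lines are constructed.

# sample_log FILE -> writes constructed combined-format lines (RFC 5737 test addresses)
sample_log() {
    cat > "$1" <<'EOF'
203.0.113.5 - - [10/Oct/2023:13:55:36 +0000] "GET /index.html HTTP/1.1" 200 2326 "text/html" "-" "Mozilla/5.0"
203.0.113.5 - - [10/Oct/2023:13:55:37 +0000] "GET /index.html HTTP/1.1" 200 2326 "text/html" "-" "Mozilla/5.0"
203.0.113.5 - - [10/Oct/2023:13:55:38 +0000] "TRACE / HTTP/1.1" 405 0 "*/*" "-" "curl/8.0"
198.51.100.7 - - [10/Oct/2023:13:56:01 +0000] "POST /login HTTP/1.1" 302 0 "*/*" "-" "Mozilla/5.0"
198.51.100.7 - - [10/Oct/2023:13:56:02 +0000] "GET /cgi-bin/test-cgi HTTP/1.1" 404 196 "*/*" "-" "Mozilla/5.0"
EOF
}

# requests_by_ip LOGFILE -> "count ip" per client, busiest first
requests_by_ip() {
    awk '{ n[$1]++ } END { for (ip in n) print n[ip], ip }' "$1" | sort -rn
}

# status_count LOGFILE CODE -> number of requests answered with HTTP status CODE
# (405 is what TraceEnable Off returns to TRACE; 404 on /cgi-bin shows probing for removed defaults)
status_count() {
    awk -v s="$2" '$9 == s { c++ } END { print c + 0 }' "$1"
}

# rate_alert LOGFILE MAX -> "ip minute count" for each client exceeding MAX requests in one
# minute; a simple burst indicator for the DoS concern later in the checklist
rate_alert() {
    awk -v max="$2" '{ k = $1 " " substr($4, 2, 17); n[k]++ }
                     END { for (k in n) if (n[k] > max) print k, n[k] }' "$1"
}
```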

IV. Prohibit access to external files

Prevent Apache from accessing any files outside the web directory.

1. Configuration operation: edit the httpd.conf configuration file and deny access to the filesystem root:

<Directory />
    Order Deny,Allow
    Deny from all
</Directory>

2. Then allow only the directories that should be accessible:

<Directory /web>
    Order Allow,Deny
    Allow from all
</Directory>

where /web is the root directory of the website.

3. The default configuration is:

<Directory />
    Options FollowSymLinks
    AllowOverride None
</Directory>

Generally, set it as needed.

V. Directory listing

Disable Apache directory listing.

1. Edit the httpd.conf configuration file:

Options Indexes FollowSymLinks
(delete Indexes)

AllowOverride None

Order allow,deny

Allow from all

Remove Indexes from "Options Indexes FollowSymLinks" to stop Apache from displaying the directory structure.

Indexes makes Apache display the directory structure when the directory contains no index.html file.

2. Restart the Apache service.

3. You can set this in httpd.conf by deleting the Indexes setting from Options.

VI. Error page redirection

Apache error page redirection.

1. Modify the httpd.conf configuration file:

ErrorDocument 400 /custom400.html

ErrorDocument 401 /custom401.html

ErrorDocument 403 /custom403.html

ErrorDocument 404 /custom404.html

ErrorDocument 405 /custom405.html

ErrorDocument 500 /custom500.html

customxxx.html is the error page to be configured for each status code.

2. Restart the Apache service.

3. This item requires the application to provide its own error pages; alternatively, leave it unset in httpd.conf and implement the error pages entirely in the business logic.

VII. DoS prevention

Set the session timeout reasonably according to business needs to mitigate DoS attacks.

1. Edit the httpd.conf configuration file:

Timeout 10
(seconds the server waits for the client to send data before the request fails)

KeepAlive On

KeepAliveTimeout 15
(limit the time each keep-alive session is held to 15 seconds. Note: this is a recommended value; the actual setting depends on the situation.)

2. Restart the Apache service.

3. The defaults are Timeout 120, KeepAlive Off and KeepAliveTimeout 15. This setting is a performance adjustment and is generally not performed.

VIII. Hide the Apache version

Hide the Apache version and other sensitive information.

1. Configuration operation

Modify the httpd.conf configuration file:

ServerSignature Off

ServerTokens Prod

2. The defaults are ServerSignature On and ServerTokens OS; they can be changed as above.

IX. Disable TRACE

Disable TRACE to prevent malicious use of the TRACE method by visitors.

1. Edit the configuration with vim /etc/httpd/conf/httpd.conf and add:

TraceEnable Off

Note: applies to Apache 2.0 and later versions.

2. This parameter is not set by default; it can be set as above.

X. Disable CGI

If you do not need to run CGI programs on the server, we recommend that you disable CGI.

1. Edit the configuration with vim /etc/httpd/conf/httpd.conf.

Comment out the CGI module and the configuration of the cgi-bin directory:

#LoadModule cgi_module modules/mod_cgi.so
#ScriptAlias /cgi-bin/ "/var/www/cgi-bin/"
#<Directory "/var/www/cgi-bin">
#    AllowOverride None
#    Options None
#    Order allow,deny
#    Allow from all
#</Directory>

2. Set as needed. If there are no CGI programs, disable it.

XI. Listening address binding

When the server has multiple IP addresses, listen only on the IP addresses that provide the service.

1. Edit the configuration with vim /etc/httpd/conf/httpd.conf and change the Listen directive to:

Listen x.x.x.x:80

where x.x.x.x is the IP address that provides the service.

2. Detection operation

Run "cat /etc/httpd/conf/httpd.conf | grep Listen" to check whether the IP address is bound.

3. The default setting is Listen 80, which listens on all addresses. If the server has only one IP address, leave this unset; if it has multiple IP addresses, set it as needed.

XII. Delete useless files installed by default

Delete useless files installed by default.

1. Configuration operation: delete the default HTML files:

# rm -rf /usr/local/apache2/htdocs/*

Delete the default CGI scripts:

# rm -rf /usr/local/apache2/cgi-bin/*

Delete the Apache manual:

# rm -rf /usr/local/apache2/manual

Delete the source code files:

# rm -rf /path/to/httpd-2.2.4*

Depending on the installation steps and version, some directories or files may not exist or may be located elsewhere.

2. Delete based on actual conditions. Generally, /var/www/html and /var/www/cgi-bin are empty by default.

XIII. Disable illegal HTTP methods

Disable dangerous HTTP methods such as PUT and DELETE.

1. Edit the httpd.conf file so that only the GET and POST methods are allowed:

<LimitExcept GET POST>
    Deny from all
</LimitExcept>

2. Detection operation

View the httpd.conf file and check whether only GET and POST are allowed, that is, whether the following block is present:

<LimitExcept GET POST>
    Deny from all
</LimitExcept>

3. Set as needed. If the PUT and DELETE HTTP methods are not required, add the block above to /etc/httpd/conf/httpd.conf.
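The detection operations of the items above (dedicated User, ServerTokens and ServerSignature, TraceEnable, no Indexes in Options, an address-bound Listen, and the GET/POST LimitExcept block) combined into one static audit of httpd.conf. This is an added example, not from the original page: it parses only uncommented directive lines, prints PASS or FAIL per item, and returns the number of failures; the sample_conf function writes a constructed, default-like configuration used to demonstrate it.

```shell
#!/bin/sh
# Added example, not from the original page: static audit of an httpd.conf for the
# checklist items (dedicated User, ServerTokens/ServerSignature, TraceEnable, no Indexes
# in Options, address-bound Listen, GET/POST-only LimitExcept). Returns the FAIL count.

# conf_value FILE DIRECTIVE -> last uncommented value of a single-value directive
conf_value() {
    awk -v d="$2" 'tolower($1) == tolower(d) { v = $2 } END { print v }' "$1"
}

# has_indexes FILE -> 0 if any uncommented Options line still carries Indexes
has_indexes() {
    awk 'tolower($1) == "options" { for (i = 2; i <= NF; i++) if (tolower($i) == "indexes") f = 1 } END { exit !f }' "$1"
}

# check NAME GOT WANTED -> prints PASS/FAIL (case-insensitive), returns 1 on FAIL
check() {
    [ "$(printf %s "$2" | tr A-Z a-z)" = "$(printf %s "$3" | tr A-Z a-z)" ] && { echo "PASS: $1 = $2"; return 0; }
    echo "FAIL: $1 = '${2:-unset}' (expected $3)"; return 1
}

# audit_httpd_conf FILE -> prints one line per check, returns the number of FAILs
audit_httpd_conf() {
    conf=$1; fails=0
    check ServerTokens "$(conf_value "$conf" ServerTokens)" Prod || fails=$((fails + 1))
    check ServerSignature "$(conf_value "$conf" ServerSignature)" Off || fails=$((fails + 1))
    check TraceEnable "$(conf_value "$conf" TraceEnable)" Off || fails=$((fails + 1))
    user=$(conf_value "$conf" User)          # root or an unset User is a finding
    if [ -n "$user" ] && [ "$user" != root ]; then echo "PASS: User = $user"
    else echo "FAIL: User = '${user:-unset}' (use a dedicated account)"; fails=$((fails + 1)); fi
    if has_indexes "$conf"; then echo "FAIL: Options still contains Indexes"; fails=$((fails + 1))
    else echo "PASS: no Indexes in Options"; fi
    listen=$(conf_value "$conf" Listen)      # a bare port means every address is bound
    case "$listen" in
        *:*) echo "PASS: Listen = $listen" ;;
        *)   echo "FAIL: Listen = '${listen:-unset}' (bind a service IP, e.g. x.x.x.x:80)"; fails=$((fails + 1)) ;;
    esac
    if grep -qiE '^[[:space:]]*<LimitExcept[[:space:]]+(GET[[:space:]]+POST|POST[[:space:]]+GET)>' "$conf"
    then echo "PASS: LimitExcept restricts methods to GET/POST"
    else echo "FAIL: no <LimitExcept GET POST> block"; fails=$((fails + 1)); fi
    return "$fails"
}

# sample_conf FILE -> writes a constructed, default-like httpd.conf for the demonstration
sample_conf() {
    printf '%s\n' 'ServerTokens OS' 'ServerSignature On' 'User apache' 'Listen 80' \
        '<Directory "/web">' '    Options Indexes FollowSymLinks' '</Directory>' > "$1"
}
```

Against the sample configuration the audit reports six failures; after applying the directives from the sections above it returns 0.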
