Apache Security Hardening
I. Account settings
Run Apache with a dedicated user account and group.
1. Create a user and group for Apache as needed.
2. Configuration operation: if no user or group is set, create the user and specify it.
(1) Create an apache group: groupadd apache
(2) Create an apache user and add it to the apache group: useradd -g apache apache
(3) Add the following two lines to the Apache configuration file httpd.conf:
User apache
Group apache
3. Check the httpd.conf configuration file to see whether a non-dedicated account (such as root) is used to run Apache.
By default this is generally compliant: on Linux the apache or nobody user is used by default, and on Unix the daemon user.
II. Authorization settings
Strictly control the access permissions of the Apache main directory; non-superusers must not be able to modify its contents.
1. The Apache home directory is controlled by the ServerRoot directive in the configuration file httpd.conf, and should be:
ServerRoot "/usr/local/apache"
2. Judgment condition: non-superusers cannot modify the contents of this directory.
3. Detection operation: try to modify the directory as a non-root user and see whether the modification succeeds.
4. It is generally the /etc/httpd directory. By default the owner and group are root:root and other users cannot modify the files, so the default is normal.
Strictly set the configuration file and log file permissions to prevent unauthorized access.
1. "chmod 600 /etc/httpd/conf/httpd.conf" makes the configuration file readable and writable by its owner only; other users have no permissions.
2. "chmod 644 /var/log/httpd/*.log" makes the log files readable and writable by their owner and read-only for other users.
3. The default permission of /etc/httpd/conf/httpd.conf is 644; change it to 600 as needed.
4. The default permission of /var/log/httpd/*.log is 644, which generally meets the requirement.
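The following added script (not part of the original page) audits the 600/644 targets from the two lists above. It builds a constructed config/log layout under a temporary directory so it runs offline without touching /etc/httpd, and it assumes GNU stat (Linux) for "stat -c %a".

```shell
#!/bin/sh
# Constructed layout: a fake httpd.conf and two empty logs under a temp dir.
ROOT=$(mktemp -d)
mkdir -p "$ROOT/conf" "$ROOT/logs"
printf 'ServerRoot "/usr/local/apache"\n' > "$ROOT/conf/httpd.conf"
: > "$ROOT/logs/access_log"
: > "$ROOT/logs/error_log"
chmod 644 "$ROOT/conf/httpd.conf"   # constructed weak state: config still world-readable
chmod 644 "$ROOT/logs/access_log" "$ROOT/logs/error_log"

# check_mode FILE MAX: succeeds when FILE grants no permission bit beyond octal MAX.
check_mode() {
    mode=$(stat -c '%a' "$1") || return 2
    [ $(( 0$mode & ~0$2 )) -eq 0 ]
}

# audit_perms ROOT: prints one line per file and returns the number of findings.
audit_perms() {
    findings=0
    for spec in "conf/httpd.conf:600" "logs/access_log:644" "logs/error_log:644"; do
        f="$1/${spec%%:*}"
        want="${spec##*:}"
        if check_mode "$f" "$want"; then
            echo "OK   $f mode $(stat -c '%a' "$f") (max $want)"
        else
            echo "FAIL $f mode $(stat -c '%a' "$f") exceeds $want; fix: chmod $want $f"
            findings=$((findings + 1))
        fi
    done
    return $findings
}

audit_perms "$ROOT" || echo "findings: $?"   # one finding: httpd.conf is 644
chmod 600 "$ROOT/conf/httpd.conf"             # apply the fix from item 1 above
audit_perms "$ROOT" && echo "findings: 0"
```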
3. Log settings
Apache should be configured to log running errors and user access, and each record should include the time and the IP address used by the user.
1. Edit the httpd.conf configuration file and set the log file, the recorded content, and the record format.
Error log:
LogLevel notice                    # log level
ErrorLog /.../logs/error_log       # storage location of the error log
Access log:
LogFormat "%h %l %u %t \"%r\" %>s %B \"%{Accept}i\" \"%{Referer}i\" \"%{User-Agent}i\"" combined
CustomLog /.../logs/access_log combined   # access log
The ErrorLog directive sets the file name and location of the error log. The error log is the most important log file: Apache httpd stores diagnostic information in it and records errors that occur while handling requests. To send the error log to syslog, set ErrorLog syslog.
The CustomLog directive specifies where the log file is saved and which log format is used. The access log records all requests processed by the server. Set the LogFormat to combined.
LogLevel adjusts how much detail is recorded in the error log; notice is recommended. The default value is warn, and notice is more detailed. In practice, because the log occupies a large amount of disk space, it is generally not set.
4. Prohibit access to external files
Prohibit Apache from accessing any files outside the Web directory.
1. Configuration operation: edit the httpd.conf configuration file and deny access to the filesystem root:
<Directory />
    Order Deny,Allow
    Deny from all
</Directory>
2. Then set the accessible directory, where /web is the root directory of the website:
<Directory "/web">
    Order Allow,Deny
    Allow from all
</Directory>
3. The default configuration is
Options FollowSymLinks
AllowOverride None
Generally, set it as needed.
5. Directory listing
Disable Apache directory listings.
1. Edit the httpd.conf configuration file. Inside the <Directory> block of the website root:
    Options Indexes FollowSymLinks   # delete Indexes
    AllowOverride None
    Order allow,deny
    Allow from all
Remove Indexes from "Options Indexes FollowSymLinks" so that Apache no longer displays the directory structure. Indexes makes Apache display the directory structure when the directory contains no index.html file.
2. Restart the Apache service.
3. Set it in /etc/httpd/conf/httpd.conf by deleting Indexes from the Options line.
6. Error page redirection
Redirect Apache error pages to custom pages.
1. Modify the httpd.conf configuration file:
ErrorDocument 400 /custom400.html
ErrorDocument 401 /custom401.html
ErrorDocument 403 /custom403.html
ErrorDocument 404 /custom404.html
ErrorDocument 405 /custom405.html
ErrorDocument 500 /custom500.html
Here customxxx.html is the error page to be set.
2. Restart the Apache service.
3. This item requires the application system to provide its own error pages; if it is not set in httpd.conf, it must be fully implemented by the business logic.
7. DoS prevention
Set the session time reasonably based on business needs to prevent DoS attacks.
1. Edit the httpd.conf configuration file:
Timeout 10            # seconds the server waits for the client before giving up on a request
KeepAlive On
KeepAliveTimeout 15   # limit the hold time of each persistent connection to 15 seconds. Note: this is a recommended value; the specific setting depends on the actual situation.
2. Restart the Apache service.
3. The defaults are Timeout 120, KeepAlive Off and KeepAliveTimeout 15. This setting involves performance tuning and is generally not performed.
8. Hide Apache version
Hide the Apache version and other sensitive information.
1. Configuration operation: modify the httpd.conf configuration file:
ServerSignature Off
ServerTokens Prod
2. The defaults are ServerSignature On and ServerTokens OS; set them as above.
9. Disable TRACE
Disable the TRACE method to prevent visitors from abusing it.
1. Configuration: edit /etc/httpd/conf/httpd.conf (vim /etc/httpd/conf/httpd.conf) and add:
TraceEnable Off
Note: applicable to Apache 2.0 and later versions.
2. This parameter is not set by default; set it as above.
10. Disable CGI
If you do not need to run CGI programs on the server, disable CGI.
1. Edit /etc/httpd/conf/httpd.conf (vim /etc/httpd/conf/httpd.conf) and comment out the CGI module and the cgi-bin directory configuration:
# LoadModule cgi_module modules/mod_cgi.so
# ScriptAlias /cgi-bin/ "/var/www/cgi-bin/"
# <Directory "/var/www/cgi-bin">
#     AllowOverride None
#     Options None
#     Order allow,deny
#     Allow from all
# </Directory>
2. Set as needed: if there is no CGI program, disable it.
11. Listening address binding
When the server has multiple IP addresses, listen only on the IP addresses that provide services.
1. Edit /etc/httpd/conf/httpd.conf (vim /etc/httpd/conf/httpd.conf) and change the Listen line to
Listen x.x.x.x:80
2. Detection operation: run "grep Listen /etc/httpd/conf/httpd.conf" to check whether the IP address is bound.
3. The default is Listen 80, which listens on all addresses. If the server has only one IP address, this setting is not needed; if there are multiple IP addresses, set it as needed.
12. Delete useless files installed by default
Delete the useless files installed by default.
1. Configuration operation: delete the default HTML files:
# rm -rf /usr/local/apache2/htdocs/*
Delete the default CGI scripts:
# rm -rf /usr/local/apache2/cgi-bin/*
Delete the Apache documentation (manual):
# rm -rf /usr/local/apache2/manual
Delete the source code files:
# rm -rf /path/to/httpd-2.2.4*
Depending on the installation steps and version, some of these directories or files may not exist or may be located elsewhere.
2. Delete based on actual conditions. Generally /var/www/html and /var/www/cgi-bin are empty by default.
13. Disable illegal HTTP methods
Disable dangerous HTTP methods such as PUT and DELETE.
1. Edit the httpd.conf file so that only the GET and POST methods are allowed:
<LimitExcept GET POST>
    Deny from all
</LimitExcept>
2. Detection operation: view the httpd.conf file and check whether only GET and POST are allowed, that is, whether the LimitExcept block with Deny from all is present.
3. Set as needed: if the PUT and DELETE HTTP methods are not required, add the block above to /etc/httpd/conf/httpd.conf.
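As an added check (not from the original page) covering sections 5, 8, 9 and 10 together, the script below reads a constructed httpd.conf fragment that still carries the weak defaults listed above, ignores commented-out lines, and reports which directives differ from the hardened values. The fragment and its paths are constructed for the example; point CONF at a real file to audit a server.

```shell
#!/bin/sh
CONF=$(mktemp)
cat > "$CONF" <<'EOF'
ServerRoot "/usr/local/apache"
Listen 80
# TraceEnable Off      <- commented out, so not in effect
ServerTokens OS
ServerSignature On
LoadModule cgi_module modules/mod_cgi.so
<Directory "/web">
    Options Indexes FollowSymLinks
    AllowOverride None
</Directory>
EOF

# active CONF: the config with comments stripped, so commented-out directives do not count.
active() { sed -e 's/#.*$//' "$1"; }

# effective_value CONF DIRECTIVE: last active value (Apache keeps the last one), empty if unset.
effective_value() {
    active "$1" | awk -v d="$2" '$1 == d { $1 = ""; sub(/^ +/, ""); v = $0 } END { print v }'
}

# check CONF DIRECTIVE WANT: succeeds when the effective value equals WANT (case-insensitive).
check() {
    got=$(effective_value "$1" "$2" | tr 'A-Z' 'a-z')
    [ "$got" = "$(echo "$3" | tr 'A-Z' 'a-z')" ]
}

# indexes_enabled CONF: succeeds when an active Options line still lists Indexes.
indexes_enabled() {
    active "$1" | awk '$1 == "Options" { for (i = 2; i <= NF; i++) if ($i == "Indexes") f = 1 } END { exit !f }'
}

# cgi_loaded CONF: succeeds when mod_cgi is still loaded.
cgi_loaded() { active "$1" | grep -q 'LoadModule *cgi_module'; }

# audit CONF: prints one line per finding and returns the number of findings.
audit() {
    n=0
    for spec in "ServerTokens=Prod" "ServerSignature=Off" "TraceEnable=Off"; do
        d="${spec%%=*}"; w="${spec#*=}"
        check "$1" "$d" "$w" || { echo "FAIL $d is '$(effective_value "$1" "$d")', want $w"; n=$((n + 1)); }
    done
    indexes_enabled "$1" && { echo "FAIL Options still lists Indexes"; n=$((n + 1)); }
    cgi_loaded "$1" && { echo "FAIL mod_cgi is loaded; comment it out if CGI is unused"; n=$((n + 1)); }
    return $n
}

audit "$CONF" || echo "findings: $?"   # 5 findings on the constructed fragment
```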