Iii. security settings for the service program
Here is the focus of this article, we will spend more text to describe, of course, so the description is not necessarily very correct, but also hope to have some help to you. Our system is run by default, including Apache, Mysql, Vsftpd,ssh and other services, we have one by one explanations below.
1. Apache Security Settings
Apache's core setup is in the httpd.conf, we installed the Apache directory is under/usr/local/apache2/, then our configuration file is in/usr/local/apache2/conf/httpd.conf , if you are installing using ports, the configuration file should be in the/etc or/usr/local/etc directory. To open a profile using EE or VI:
# ee/usr/local/apache2/conf/httpd.conf
Below we are going to make more security settings, the basic services, ports, home directory, and so on settings do not say, only to talk about security-related settings.
(1) Specify the users and groups running the Apache service
This is more important because permissions are inherited, and if the user rights to run the Apache service are too high, it is likely that intruders will be severely threatened by the webshell of the system. In general we run Apache with nobody users and nobody groups. The user and group options are found between the 250-275 lines of httpd.conf, such as our default settings as follows (the annotation information is removed):
<ifmodule!mpm_winnt.c>
<ifmodule!mpm_netware.c>
User Nobody
Group #-1
</IfModule>
</IfModule>
(2) Apache log files
Apache log file is very important, you can find Apache health and access, for the detection of intrusion and so have important help. Its default options are:
# error log storage directory, default is stored in the Apache installation directory under the logs
ErrorLog Logs/error_log
# level of logging, level has debug, info, notice, warn, error, crit, etc., default is "warn" level
LogLevel warn
# access to the format of the log records, each format has different content, tailored to your needs to obtain the most access information
Logformat "%h%l%u%t \%r\"%>s%b \ "%{referer}i\" \ "%{user-agent}i\" "combined
Logformat "%h%l%u%t \"%r\ "%>s%b" common
Logformat "%{referer}i->%u" Referer
Logformat "%{user-agent}i" Agent