Case analysis of Apache exploit and security reinforcement

Apache as a carrier of Web applications, once security problems, the security of the Web applications running on it can not be guaranteed, so it is very important to study Apache vulnerability and security. This article will combine examples to talk about the exploits and security hardening measures against Apache.

Apache HTTP Server (Apache) is an open source Web server of the Apache Software Foundation, which can run in most computer operating systems and is one of the most popular Web server software. While the market share of Web servers such as Nginx and LIGHTTPD has grown rapidly in recent years, Apache is still a unique giant in the field, and most Web applications on the Internet still run on Apache.

Apache File name parsing features

Apache parses the file name from the back and forth until it encounters a file type it knows. Therefore, if there are files in the Web directory that are named in a format similar to Webshell.php.test, Apache will parse it because it does not know. Test this file type, so it is parsed forward, and when parsing to. PHP, it knows, so it resolves it to a php file.

This parsing feature of Apache is often used to bypass file upload detection for Web applications. When the file upload function of the Web application detects the legality of uploading files, if the file is only judged by the extension of the uploaded file, it can use this file name parsing feature of Apache to bypass the detection of Web application.

Here is an example: the target site backstage there is a upload image function, only allow uploading jpg and GIF image format files. However, the program in verifying the legitimacy of the upload file is a loophole, simply by uploading the file extension to determine whether the file is legitimate, then we can use the Apache File name resolution feature to bypass this detection.
Change the file name to a format similar to phpshell.php.jpg upload, found bypassing the detection, the file was successfully uploaded to the target site,

You can add the following in the httpd.conf configuration file to prevent Apache from parsing this file.

Order Allow,deny

Deny from all

You will need to restart the Apache service to take effect after modification.

This way, even if an attacker uploads a file like phpshell.php.jpg, Apache will not parse it into a php file.

Safety reinforcement

Apache Security Hardening we mainly consider from the following two points: first, whether the Apache Web server itself is secure, such as the existence of security vulnerabilities, and the second is whether Apache Web server provides the security features that can be used, mainly to check the Apache configuration is appropriate To strike a balance between security, availability, and stability.

Selection and installation considerations for the Apache version

Check to see if there is a security vulnerability in the currently used Apache version, and if so, upgrade to a new secure version. When selecting the Apache version, we generally choose the latest stable version. This provides a good balance between security and stability. When upgrading from a low version to a higher version, it is recommended that you test the pass in a test environment before upgrading to avoid problems with compatibility.

Use a custom installation path at installation time, and configure the Web directory to use customizations.

Apache Security Configuration

1. Apache Down Right

This work is only for Apache running on the Windows platform, because in the Windows environment, Apache runs under System permissions by default, and the consequence is that once the Web application is successfully compromised, a high-privileged webshell is directly obtained.

Now let's do the right-down operation on Apache. Create a new user, set a complex password, and leave it out of any user group.

Then open the local Security policy---> Local Policies---> User Rights Assignment, find the "Log on as a service" entry, add the newly created user,

Then open the "services" component, locate the Apache service, right-click "Properties"---> "login", run the Apache service with the newly created Apache account,

Then find the Apache log directory and assign "read" and "write" permissions to the Apache account, or the Apache service will not start.

Once configured, restarting the Apache service takes effect and the Apache service is now running Apache low-privilege account.

The Linux environment does not have to care about this problem, the Apache main process starts with root, the child process is running as Apache, daemon or other user as the default, this is a low-privileged user.

2. Load only the necessary module (modules)

Apache has many official and unofficial module, many of which are caused by Apache module. So we need to check the Apache module installation, according to the "least privilege principle", should be as much as possible to reduce unnecessary module, for the module to be used, check whether its corresponding version has a known security vulnerability. The module that needs to be loaded or disabled can be configured in httpd.conf.

3. Apache Log security settings

The log is a very important part of the server, and we need to protect it. The same is true of Apache. The first thing to do is to modify the default save path for the log, and then set only allow administrators to have full control of the log save directory.

4. Site Directory Permissions Configuration

Principle: Directory has write permission, must not assign Execute permission, Directory has execute permission, must not assign write permission.

Web site upload directory and database directory generally need to assign "write" permission, but must not assign execute permissions. Other directories typically only have read and record access permissions assigned.

5. Turn off the Apache Directory browsing feature

If Apache uses the default configuration, it is dangerous to list all the files and directories in the current directory when there are no default index pages (such as index.html) in the Web directory.

There are two ways to turn off the Directory browsing feature:

A. Open the httpd.conf configuration file, look for "Options Indexes followsymlinks", modify it to "options-indexes", then save and restart the Apache service in effect

B. Modify the. htaccess file--Add "options-indexes" (no double quotes) to the. htaccess file to block the display of the directory list.

When you visit a directory that does not already have a default index page, Apache will return a 403 error page.

6. Modify Apache default banner information

Apache's banner will reveal information about the server's operating system and Apache version, 16 and 17, and this information is very useful for attackers, and we need to modify the default configuration to prevent this information from being compromised.

Open the httpd.conf configuration file, locate the Servertokens and serversignature, and modify their values to prod and off, respectively, with the modified effect such as

Summarize

Through the above analysis of Apache vulnerability and security hardening, I believe that readers of the Apache HTTP Server vulnerability and security hardening have a more in-depth understanding. In fact, the security of Apache is not difficult, many times more important is the security awareness of administrators, as long as there is sufficient security awareness, coupled with the above-described security hardening method, I believe you can create a secure Apache HTTP Server.

Case analysis of Apache exploit and security reinforcement