CentOS Web Server Security Configuration Guide

Source: Internet
Author: User
Tags: least privilege

1. Install patches frequently.

The changelog on www.apache.org regularly contains the phrases "bug fix" and "security bug", so the Linux administrator should watch for published defects and promptly upgrade the system or install patches. Running the latest security release is critical to hardening an Apache server. Upgrade OpenSSL to version 0.9.6e or higher, and the forged-key attack will no longer work or be able to penetrate the system. Some anti-virus programs can detect and remove the SSL worm, but the worm may produce variants that evade anti-virus software. Restarting Apache kills a running instance of such a worm, but does nothing to prevent future infections.

Hide and disguise Apache versions

Software vulnerabilities are generally tied to specific versions, which makes the version number the most valuable piece of information for an attacker.

By default, Apache advertises its version (and, depending on the setting, its loaded modules) in the Server HTTP response header, and when a directory is listed the same server information appears in the footer of the listing. The version number can be removed by editing the httpd.conf configuration file: search for the keyword ServerSignature and set:

ServerSignature Off

ServerTokens Prod

Then restart the server.

By identifying the type of web server, one can roughly predict the operating system: IIS is usually found on Windows, whereas Apache is the most common server on Linux.

The default Apache configuration has no information-protection mechanism and allows directory browsing. Through directory browsing one can obtain information such as "Apache/1.3.27 Server at apache.linuxforum.net Port 80" or "Apache/2.0.49 (Unix) PHP/4.38".

Apache information can be hidden by modifying the ServerTokens parameter in the configuration file. However, the Apache shipped with Red Hat Linux is a precompiled program, and the product name shown in these prompts is compiled into the binary. To hide it, you need to modify the Apache source code, then recompile and install the program so that the prompt content is replaced.

Take Apache 2.0.50 as an example. Edit the ap_release.h file and change

#define AP_SERVER_BASEPRODUCT "Apache"

to

#define AP_SERVER_BASEPRODUCT "Microsoft-IIS 6.0"

After the modification, recompile and install Apache.

After Apache is installed, edit the httpd.conf configuration file, change "ServerTokens Full" to "ServerTokens Prod" and "ServerSignature On" to "ServerSignature Off", then save and exit. After the server is restarted, a fingerprinting scan of the server will report the operating system as Windows.


2. Create a secure directory structure

The Apache server contains the following four directories:

· ServerRoot stores the configuration files (the conf subdirectory), the binaries, and other server configuration files.

· DocumentRoot stores the website content, including HTML files and images.

· ScriptAlias stores the CGI script files.

· CustomLog and ErrorLog store the access logs and error logs.

Set the directories up so that these four main directories are independent of one another, with no parent-child relationship between them.

Requirements: the ServerRoot directory should be accessible only by the root user. DocumentRoot should be accessible only by the users who manage the website content and by the Apache server's user group. The ScriptAlias directory should be accessible only by CGI developers and the Apache user. Only the root user should have access to the log directory.

3. Use special users and user groups for Apache

According to the principle of least privilege (one of the most basic principles of system security: users are granted only the minimum permissions they need to access the system and its data, so that they can complete the required operations while the damage caused by unauthorized users or erroneous operations is kept to a minimum), Apache must be assigned appropriate permissions, so that a permission error in one directory does not affect other directories.

Make sure that Apache runs under a dedicated user and group. Do not use a preset account such as the nobody user and the nogroup group. Because only the root user can start Apache, DocumentRoot must be accessible to the users who manage the website content and to the user and group under which the Apache server runs. So, if you want user "A" to publish content on the website and run the Apache server as httpd, you would usually do the following:

groupadd webteam

usermod -a -G webteam A

chown -R httpd:webteam /www/html

chmod -R 2570 /www/html

The root user has access to the log directory, which is given the following permissions:

chown -R root:root /etc/logs

chmod -R 700 /etc/logs
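As an added example that is not part of the original guide, the following Python script checks a DocumentRoot tree against the scheme above: owned by the httpd user and the webteam group, directories mode 2570, and content files 0460 (the guide's chmod -R 2570 would also set the setgid and execute bits on plain files, which content does not need). The expected uid and gid are passed in because the httpd user and webteam group are assumed to exist; the demo builds a constructed tree in a temporary directory.

```python
"""Check a DocumentRoot tree against the permission scheme in section 3:
owned by the httpd user and the webteam group, directories mode 2570
(setgid, owner r-x, group rwx, nothing for others).
Added example, not from the original guide. Expected uid/gid are parameters
because the httpd user and webteam group are assumed to exist already."""
import os
import shutil
import stat
import tempfile

def check_tree(root, want_uid, want_gid, dir_mode, file_mode):
    """Walk root and return (path, problem) pairs for every entry whose
    owner, group or permission bits deviate from the expected values."""
    problems = []
    for dirpath, _subdirs, filenames in os.walk(root):
        entries = [(dirpath, dir_mode)]
        entries += [(os.path.join(dirpath, f), file_mode) for f in filenames]
        for path, want_mode in entries:
            st = os.lstat(path)
            if st.st_uid != want_uid:
                problems.append((path, "owner uid %d, want %d" % (st.st_uid, want_uid)))
            if st.st_gid != want_gid:
                problems.append((path, "group gid %d, want %d" % (st.st_gid, want_gid)))
            mode = stat.S_IMODE(st.st_mode)          # permission bits incl. setgid
            if mode != want_mode:
                problems.append((path, "mode %04o, want %04o" % (mode, want_mode)))
    return problems

def check_documentroot(root, httpd_uid, webteam_gid):
    """Directories 2570 as in the guide; plain files 0460 (owner read, group
    read/write), since the guide's chmod -R 2570 would also mark content
    files setgid and executable, which they do not need."""
    return check_tree(root, httpd_uid, webteam_gid, 0o2570, 0o460)

def demo():
    """Build a constructed DocumentRoot in a temp dir, owned by the current
    user (standing in for httpd:webteam), with one deliberately world-readable
    file, and return the problems the check reports."""
    root = tempfile.mkdtemp()
    good, bad = os.path.join(root, "index.html"), os.path.join(root, "db.inc")
    for path, mode in ((good, 0o460), (bad, 0o644)):
        open(path, "w").close()
        os.chmod(path, mode)
    os.chmod(root, 0o2570)      # last: 2570 removes the owner's write bit
    st = os.lstat(root)
    problems = check_documentroot(root, st.st_uid, st.st_gid)
    os.chmod(root, 0o700)       # restore write so the temp tree can be removed
    shutil.rmtree(root)
    return problems

if __name__ == "__main__":
    for path, problem in demo():
        print("VIOLATION %s: %s" % (path, problem))
```

Run it against the real DocumentRoot by calling check_documentroot with the path and the uid/gid returned by pwd.getpwnam("httpd") and grp.getgrnam("webteam"); an empty list means the tree matches the scheme.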


4. Web Directory Access Policy

For web directories that can be accessed, take a relatively conservative approach rather than letting users view arbitrary directory index listings.

(1) Prohibit the use of directory indexes

If a directory's index file does not exist, Apache generates a dynamic listing of the directory's contents. This behaviour exposes the structure of the website, so you should modify the configuration file to disable dynamic directory indexes.

Modify the configuration file httpd.conf:

Options -Indexes -FollowSymLinks

The Options directive instructs Apache to disable directory indexing; -FollowSymLinks prevents it from following symbolic links.

(2) Disable default access

A good security policy is to remove default access and enable access only for specified directories. If access to the /var/www/html directory is to be allowed, the following settings are required:

<Directory /var/www/html>

Order deny,allow

Allow from all

</Directory>

(3) Disable overrides

To prevent users from overriding (modifying) the configuration through per-directory .htaccess files, set:

AllowOverride None

Apache service access control method

Apache's access.conf file is responsible for file access settings and can implement access control by Internet domain name and IP address. It contains directives that control which clients may access an Apache directory. Set "Deny from all" as the initial directive, then use "Allow from" to open up access. For example, to allow access from the hosts 192.168.1.1 to 192.168.1.254, set:

Order deny,allow

Deny from all

Allow from 192.168.1.0/255.255.255.0

5. Configure the Apache server access log

(1) Description of the related configuration directives

A good Linux administrator pays close attention to the server's log system, which can provide clues to abnormal access. Apache can record every access request, and it likewise records erroneous requests. In the Apache configuration file, two directives relate to logging:

CustomLog /www/logs/access_log common

ErrorLog /www/logs/error_log

CustomLog records each access request to the website and specifies the location and format of the Apache access log. ErrorLog records requests that produce error states and specifies where the Apache error log is stored. For a server without virtual hosts, you only need to find the CustomLog directive in httpd.conf and modify it. For a web server with multiple virtual hosts, the access logs of each virtual host should be kept separate so that access statistics and analysis can be done per virtual host, so configure independent logs in each virtual host's configuration.

(2) Web server log rotation

There are three good ways to rotate web server logs: the first is to use the Linux system's log rotation mechanism, logrotate; the second is to use the cronolog program; the third is Apache's own rotatelogs. For large web servers, load balancing is often used to improve the site's service capacity: multiple back-end servers provide the web service, which greatly eases server distribution planning and expansion. With multiple servers, the logs must be merged for unified statistical analysis, so to ensure accurate statistics the logs must be generated automatically by daily time range.

(3) Use logrotate to implement log rotation

logrotate in Linux is a program dedicated to rotating various log files (syslog, mail, and so on). It is run every day by the cron service, crond. You can see the logrotate file in the /etc/cron.daily directory:

#!/bin/sh

/usr/sbin/logrotate /etc/logrotate.conf

Every morning, crond starts the logrotate script in the /etc/cron.daily directory to perform the log rotation.

(4) Use rotatelogs to implement log rotation

Apache can send logs to another program through a pipe instead of writing them directly to a file, which greatly extends what can be done with log output. The program on the receiving end of the pipe can be anything, such as a log analyzer or a compression program. To write logs to a pipe, simply replace the log file name in the configuration file with "|program name". For example:

# Compressed logs

CustomLog "|/usr/bin/gzip -c > /var/log/access_log.gz" common

In the same way, you can use Apache's bundled rotatelogs tool to rotate the log files; rotatelogs rotates logs by time or by size.

6. Password protection for the Apache server

The .htaccess file is a per-directory configuration file on the Apache server. It is a plain text file and can be written in any text editor. It provides a way to change the configuration of a directory: placing a file containing one or more directives (.htaccess) in a specific document directory applies them to that directory and all of its subdirectories. The functions of .htaccess include setting a web page password, setting the page shown when an error occurs, changing the home page file name, prohibiting the reading of a file, redirecting to a file, adding MIME types, and forbidding the listing of files in a directory. Note that ".htaccess" is the complete file name; it is not "**.htaccess" or any other variant. In addition, when uploading an .htaccess file you must use ASCII transfer mode and use the chmod command to set its permission to 644 (rw-r--r--). Every directory containing an .htaccess file, and all of its subdirectories, are affected by it. For example, an .htaccess file placed in /abc/ affects all the files in /abc/ and /abc/def/, which is important to keep in mind.

(1) Create a .htpasswd file

First, create a file in the directory where access control is to be set (for example, htdocs). The file name can be customized; it is usually set to .htpasswd, which cannot be read over HTTP. Each line in the .htpasswd file represents one user, with the user name and the encrypted password separated by a colon.

(2) .htaccess file protection

The .htaccess file is as follows:

AuthType Basic

AuthUserFile /usr/home/***/htdocs/.abcname1

AuthGroupFile /usr/home/***/htdocs/.abcname2

AuthName "information"

Require valid-user

The *** in the second and third lines is replaced with your own FTP login name. .abcname1 and .abcname2 can be any file name, such as .htpasswd, but not .htaccess. Upload the .htaccess file to the directory to be protected. The "Require" line at the end of the .htaccess file tells the server which users may access the directory: "Require valid-user" means any user listed in .htpasswd may enter, and you can also name one or more specific users from the list.

(3) Add new authorized users

Go to the htdocs directory and enter the following commands at the command line:

touch .abcname1

/var/www/bin/htpasswd .abcname1 abc

This generates the .abcname1 file.

abc is the user name to be added. After you enter this command, the system prompts for the user's password, after which the user name takes effect. To add more users later, change the user name when running the second command. If the user already exists, the system prompts you to change the password.

(4) Create a group for access

You can set up a text file named .htgroup as follows:

groupname1: username1 username2 username3

groupname2: username1 username3 username4

Add "AuthGroupFile /absolute/path/.htgroup" to the .htaccess file. After all the files have been uploaded in ASCII mode, the files in the directory are protected.

(5) Prohibit reading files

If some content, such as a password, is stored in a file, anyone who knows the file's location can read it at a glance, which is not safe. You only need to add the following lines to the .htaccess file:

Order allow,deny

Deny from all

In short, protecting a website with .htaccess files is both more secure and more convenient. Unlike password protection implemented in a program, where the password might be obtained by guessing, password protection with .htaccess is generally difficult to crack.

7. Reduce CGI and SSI risks

CGI script vulnerabilities have become the top security risk for web servers; they are usually caused by the many flaws found in CGI script programming. Controlling CGI script vulnerabilities requires not only checking the validity of input data but also exercising caution with system calls. First, consider the uid of the CGI script's owner: even if these CGI programs have vulnerabilities, the damage is limited to the files that uid can access. That is, only that user's files are harmed, not the entire system.

By installing the suEXEC application, you can provide controlled CGI execution for the Apache service. You can think of suEXEC as a wrapper: after Apache receives a request for a CGI program, it hands the request to suEXEC to perform the actual call and obtains the result from suEXEC.

suEXEC solves some security problems but also reduces performance, because it can only be used with the CGI version of PHP, and the CGI version is slower than the module version: the module version uses threads, while CGI uses processes.

Therefore, we recommend using suEXEC when security requirements are relatively high, at the cost of speed.

To reduce the risk of SSI scripts: running external programs with directives such as exec carries the same risk as CGI programs, so apart from internal program debugging you should disable it with the Options directive.

Run Apache in a "prison"

The so-called prison refers to using the chroot mechanism to change the root directory that a program sees while it runs. That is, the program is confined to a specified directory, so that it can only act on files in that directory and its subdirectories, which protects the security of the server as a whole. Even if the program is compromised or intruded upon, the loss is not very great.

chroot is a system call in the kernel; software can call the library function chroot to change the root directory a process sees. For example, install Apache in the /usr/local/httpd directory and start Apache as root. The root-privileged parent process spawns multiple child processes that run with the privileges of nobody. The parent process listens on TCP port 80 and assigns each request to a child process according to an internal algorithm for processing, and the children inherit the parent's directory. Once a directory permission is set incorrectly, however, a compromised Apache child process can access /usr/local, /usr, /tmp, or even the entire system, because the root directory of the Apache process is still the root of the whole file system. If you use chroot to confine Apache to /usr/local/httpd, all the files Apache can access are those under /usr/local/httpd. The purpose of building a chroot prison is to restrict a process to one subtree of the file system's directory tree.

8. Use SSL to reinforce Apache

Using a web server with SSL support improves the security of the website. The SSL protocol sits between the TCP/IP layer and the HTTP protocol on Linux.

SSL uses encryption to protect the information flow between the web server and the browser. SSL not only encrypts data streams transmitted over the Internet but also provides identity verification between the two parties, so that you can shop online securely without worrying about someone stealing your credit card information. This makes SSL applicable to areas where important information is exchanged.

Apache servers generally have two options for using SSL: on the main server or on a virtual web site.

If you use a 3.0 to 4.0 release, you can run the command "rpm -qa | grep mod_ssl" to check. If mod_ssl is not installed, log on as root and enter the command:

system-config-packages

In the GUI management tool, choose the Web Server group, click "Details", and select "mod_ssl". A prompt indicates that the appropriate CD is needed for the installation.

You can then access a secure page with a URL starting with https.

9. Prevent DoS attacks on the Apache server

You can prevent denial-of-service attacks, or reduce the damage they do, by editing specific parameters in the httpd.conf file.

· Timeout: 300 or less

· KeepAlive: On

· KeepAliveTimeout: 15 or less

· StartServers: between 5 and 10

· MinSpareServers: between 5 and 10

· MaxSpareServers: 10 or less

· MaxKeepAliveRequests: not 0

· MaxClients: 256 or less
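As an added example that is not part of the original guide, the following Python script audits an httpd.conf text for the settings recommended in sections 1, 4 and 9 above (ServerTokens, ServerSignature, Options Indexes, AllowOverride and the DoS parameters). The sample configuration embedded in it is constructed for the example.

```python
"""Audit an httpd.conf for the settings this guide recommends in sections
1 (version disclosure), 4 (directory access) and 9 (DoS parameters).
Added example, not from the original guide: directive names are matched
case-insensitively, comments stripped, container tags skipped, and the last
occurrence of a repeated directive wins, as in Apache itself."""

# Constructed sample httpd.conf: the verbose defaults of a stock install.
SAMPLE_CONF = """
# Stock defaults, before hardening
ServerTokens Full
ServerSignature On
KeepAlive Off
MaxKeepAliveRequests 0
MaxClients 512
<Directory /var/www/html>
    Options Indexes FollowSymLinks
    AllowOverride All
</Directory>
"""

def options_ok(value):
    """Indexes must not be enabled, whether explicitly or through 'All'."""
    return not any(t in ("indexes", "+indexes", "all") for t in value.split())

# directive (lower-cased) -> (predicate on the lower-cased value, finding text)
RULES = {
    "servertokens": (lambda v: v == "prod", "ServerTokens should be Prod"),
    "serversignature": (lambda v: v == "off", "ServerSignature should be Off"),
    "options": (options_ok, "Options should not enable Indexes"),
    "allowoverride": (lambda v: v == "none", "AllowOverride should be None"),
    "timeout": (lambda v: int(v) <= 300, "Timeout should be 300 or less"),
    "keepalive": (lambda v: v == "on", "KeepAlive should be On"),
    "keepalivetimeout": (lambda v: int(v) <= 15, "KeepAliveTimeout should be 15 or less"),
    "maxkeepaliverequests": (lambda v: int(v) != 0, "MaxKeepAliveRequests must not be 0"),
    "maxclients": (lambda v: int(v) <= 256, "MaxClients should be 256 or less"),
}

def parse_directives(conf_text):
    """Return {directive: value}, both lower-cased, keeping the last occurrence."""
    directives = {}
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()     # strip comments and whitespace
        if not line or line.startswith("<"):    # skip blanks and <Directory> tags
            continue
        parts = line.split(None, 1)
        directives[parts[0].lower()] = parts[1].lower() if len(parts) > 1 else ""
    return directives

def audit(conf_text):
    """Return the sorted findings for conf_text; an empty list means compliant."""
    directives = parse_directives(conf_text)
    return sorted(text for name, (ok, text) in RULES.items()
                  if name in directives and not ok(directives[name]))

if __name__ == "__main__":
    print("\n".join("WEAK: " + finding for finding in audit(SAMPLE_CONF)))
```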


