Detailed explanation of the security of Apache service under UNIX platform

The Apache server is a more secure program in many Web servers, but it also has many drawbacks, such as the use of HTTP protocol to deny access attacks. So a reasonable setting is the primary task of ensuring that the Apache service is protected from attack.

　　I. Apache SERVICE FLAW Analysis

Buffer overflow. The attacker uses some of the bugs written by the program to deviate from the normal process, and then sends an extra long request to overflow the buffer. Once the system buffer overflows, the attacker can use a variety of malicious instructions on the attacker's side.

Get root permissions easily. This flaw is mainly because the Apache server normally runs as root, and the attacker will gain root access through this approach, thereby controlling the entire Apache system.

Denial of service (DoS) attack. It is primarily in the Apache Chunk encoding, an HTTP protocol-defined feature that accepts data submitted by web users. This will result in an increase in Apache demand for system resources, and ultimately cause the system to become slow and even paralyzed.

　two. Main Apache service configuration reference

The Apache service has two important profiles in addition to the main configuration file "Httpd.conf", which are:

srm.conf fill in the resource file

access.conf Settings File access rights

All three files are located in the/usr/local/apache/conf directory, and most service configurations are completed in these three files.

　　1. Configure the Apache server directory security authentication.

In Apache server is allowed to use the. htaccess directory security, to read this protected directory needs to first type the correct user account and password. This can be done as a special management of Web pages stored in the directory or as a member area. Or you can do so by adding the following content to the configuration file "httpd.conf":

The following is a code fragment: Options Indexes FollowSymLinks AllowOverride authconfig Order Allow,deny Allow from all

　　2. Set access control reasonably.

The main settings profile "access.conf". It contains instruction controls such as what users are allowed to access the Apache directory, and so on. You can allow access from a domain, an IP address, or an IP segment by setting the following example.

The following is a code fragment: <directory/usr/local/http/docs/private> <limit> Order Deny,allow Deny from all Allow from Safechina.net </limit> </directory>

Explanation: In this configuration directive, set "deny from all" as an initialization directive, and then use the "Allow from" directive to open access rights.

3. Set the password protection reasonably.

Password protection is a problem that any program, any system should pay attention to. In the Apache service environment, you can use the "accessfilename" directive in the "httpd.conf" or "srm.conf" configuration file to open access control for the directory. Examples are as follows:

The following is a code fragment: AuthName Privatefiles AuthType Basic Authuserfile/path/to/httpd/users Require Phoenix # htpasswd-c/path/to/httpd/users Phoenix #增加一个用户

　　Summary:

Apache is a very good server, as long as you can properly configure and maintain the Apache server, you will feel the Apache service brings the appeal. In general, the following aspects should be noted in the installation and maintenance of Apache:

Check the permissions of files and directories properly.

Httpd.conf, srm.conf, and access.conf These three configuration file settings are appropriate.

Use the password protection mechanism (. htaccess) for certain directories that require special protection.

Make the server log files as detailed as possible to record information.

Encapsulate the CGI script, and if the CGI script is written in Perl, be sure to examine its security in detail.

Use the TCP wrappers and tripwire security tools. where "TCP Wrappers" can restrict access to telnet and FTP, "Tripwire" is a data integrity monitoring tool that can be used to monitor the system for changes in real time.