Eight security settings for Apache Web Server Security in CentOS

Source: Internet
Author: User


Apache is an open-source web server maintained by the Apache Software Foundation, a non-profit organization. Many of our virtual hosts and VPS run on an Apache-based stack; however, any stack is exposed to attacks such as vulnerability scanning, SQL injection and various denial-of-service attacks.

As VPS/server users, we should back up our data regularly to protect the site data on the server, keep an eye on the server's monitoring trends, and follow the latest security updates for newly published vulnerabilities. As a baseline, we need to get the basic Apache security settings and server security right.

1. Regularly update the system

First, make sure the latest version of Apache, its security patches, and the CGI, Perl and PHP interpreters used by your scripts are installed, and update the packages from the distribution repositories on a regular basis.

# Ubuntu/Debian
apt-get update; apt-get dist-upgrade

# Fedora/CentOS/RedHat
yum update

Select the update command based on your system environment.

2. Set up and protect SSH

After obtaining the VPS, we recommend changing the SSH port and the root password, and delegating day-to-day management to a dedicated non-root user; alternatively, log in to the SSH server with a key. For example, see "Set up PuTTY SSH key login to a Linux VPS host" and "Set up key login in Xshell for a safer Linux VPS and server".

3. Disable unused services

To secure the web server, review all running services and open ports on the server and disable every service we do not need.

# Display all services
service --status-all

# Display all firewall rules
iptables -L

# Display the services started at boot (RedHat/CentOS/Fedora)
chkconfig --list

# Check /etc/init.d for suspicious scripts
ls /etc/init.d

4. Disable unnecessary Apache modules

Many Apache modules are enabled by default, but some of them are never used, so we can disable them and slim down the installation. The previously shared "6 steps to streamline the CentOS system environment" and "4 steps to streamline the Debian system environment" take the same approach and can improve execution efficiency and reduce resource usage.

A. Ubuntu/Debian

# List the modules currently enabled
cat /etc/apache2/mods-enabled/* | grep -i loadmodule

# Enable a module
a2enmod module_name

# Disable a module
a2dismod module_name

B. CentOS/Fedora/RedHat

# List the LoadModule lines
grep -i LoadModule /etc/httpd/conf/httpd.conf

Edit httpd.conf and search for the LoadModule keyword. To disable a module, put a # in front of its LoadModule line and save the file; to enable it again, remove the #.

5. Run Apache as a dedicated user and group

Apache runs as the apache user by default. For safety, give each service its own user and group. Suppose your mail server runs as the nobody user and Apache runs as the same user: if the mail server is compromised, Apache is affected as well. Worse, if Apache runs as root, a single vulnerability puts the entire system at risk. To check or change the user and group, edit httpd.conf.

# Fedora/CentOS/RedHat
vi /etc/httpd/conf/httpd.conf

# Ubuntu/Debian
vi /etc/apache2/httpd.conf

You can keep the default user and group or create new ones:

User apache
Group apache

6. Prevent information leakage

After a default installation, Apache reveals its version information in its responses and on the default error pages. We need to hide this information.

# Fedora/CentOS/RedHat
vi /etc/httpd/conf/httpd.conf

# Ubuntu/Debian
vi /etc/apache2/conf-enabled/security.conf

Search for the ServerTokens and ServerSignature directives and set them to:

ServerTokens Prod
ServerSignature Off

Restart Apache:

# Fedora/CentOS/RedHat
service httpd restart

# Ubuntu/Debian
service apache2 restart

After the restart, the version information no longer appears on the 404 page.

7. Hide the PHP version information

# Fedora/CentOS/RedHat
vi /etc/php.ini

# Ubuntu/Debian
vi /etc/php5/apache2/php.ini

Search for expose_php and change its value from On to Off.

8. Disable the automatic index module

# Fedora/CentOS/RedHat
vi /etc/httpd/conf/httpd.conf

Add a # in front of the line "LoadModule autoindex_module modules/mod_autoindex.so".

# Ubuntu/Debian: remove the automatic index module
rm -rf /etc/apache2/mods-enabled/autoindex.conf

On Debian-based systems, a2dismod autoindex (see step 4) achieves the same and also removes the matching autoindex.load link.
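As an added example (not part of the original post), the following POSIX shell audit checks a httpd.conf, and optionally a php.ini, for the settings from steps 4 to 8: ServerTokens, ServerSignature, User/Group, the autoindex LoadModule line and expose_php. The function names and the weak sample configuration it writes to a temporary file are constructed for the demonstration; point it at real paths such as /etc/httpd/conf/httpd.conf and /etc/php.ini to audit a server.

```shell
#!/bin/sh
# Added example (not from the original post): audit an Apache httpd.conf, and
# optionally a php.ini, for the settings from steps 4 to 8. One line per finding.
# Value of the last uncommented "Directive value" line in a file (empty if absent)
last_directive() {
    grep -i "^[[:space:]]*$2[[:space:]]" "$1" | awk '{print $2}' | tail -n 1
}
# Lower-cased value of a php.ini key such as expose_php (empty if absent)
ini_value() {
    grep -i "^[[:space:]]*$2[[:space:]]*=" "$1" | tail -n 1 |
        sed 's/^[^=]*=[[:space:]]*//' | awk '{print $1}' | tr 'A-Z' 'a-z'
}
# audit_httpd_conf HTTPD_CONF [PHP_INI]; returns the number of findings
audit_httpd_conf() {
    conf=$1; phpini=$2; findings=0
    # Step 6: ServerTokens defaults to Full when unset, so unset is a finding
    tokens=$(last_directive "$conf" ServerTokens | tr 'A-Z' 'a-z')
    [ "$tokens" = "prod" ] ||
        { echo "ServerTokens is '${tokens:-unset}' (want Prod)"; findings=$((findings + 1)); }
    # Step 6: ServerSignature defaults to Off, so only an explicit On is flagged
    sig=$(last_directive "$conf" ServerSignature | tr 'A-Z' 'a-z')
    [ -z "$sig" ] || [ "$sig" = "off" ] ||
        { echo "ServerSignature is '$sig' (want Off)"; findings=$((findings + 1)); }
    # Step 5: never root, and not the nobody account shared with other daemons
    for d in User Group; do
        case "$(last_directive "$conf" "$d")" in
            ''|root|nobody)
                echo "$d is not a dedicated account (want e.g. apache)"
                findings=$((findings + 1)) ;;
        esac
    done
    # Step 8: an uncommented LoadModule line means mod_autoindex is still active
    if grep -iq '^[[:space:]]*LoadModule[[:space:]]*autoindex_module' "$conf"; then
        echo "mod_autoindex is still loaded (comment out its LoadModule line)"
        findings=$((findings + 1))
    fi
    # Step 7: expose_php = On leaks the PHP version in the X-Powered-By header
    if [ -n "$phpini" ] && [ "$(ini_value "$phpini" expose_php)" = "on" ]; then
        echo "expose_php = On in $phpini (set it to Off)"; findings=$((findings + 1))
    fi
    return "$findings"
}
# Stand-alone run against a constructed config that has every weak setting
demo=$(mktemp); ini=$(mktemp)
printf 'ServerTokens Full\nServerSignature On\nUser nobody\nGroup nobody\n' > "$demo"
printf 'LoadModule autoindex_module modules/mod_autoindex.so\n' >> "$demo"
printf 'expose_php = On\n' > "$ini"
audit_httpd_conf "$demo" "$ini" || echo "$? setting(s) need attention"
rm -f "$demo" "$ini"
```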

To sum up, the steps above cover the basic Apache security settings, and there are other settings we can review. The security settings in the .htaccess file should not be underestimated just because the file is small; some protections still have to go through it, and we will cover the .htaccess file separately later. In any case, whether we use a virtual host or a VPS/server, we need to monitor the server and regularly back up website and project data.

Original link: http://www.laozuo.org/5503.html | Laozuo blog
