Apache is an open source web server maintained by the non-profit Apache Software Foundation. Many virtual hosts, VPSes and dedicated servers run on an Apache-based stack, but any environment is exposed to a range of possible attacks: vulnerability scanning, SQL injection, denial-of-service attacks and so on.
As VPS and server users we need to back up the site data on the server regularly, keep an eye on server monitoring at all times, and follow the latest vulnerability and security updates. Since Apache is the foundation of the application, we need to get its basic security settings right and build the server's security on that foundation.
I. Update the system regularly
First of all, make sure the latest version of Apache and its security patches are installed, together with add-ons such as CGI, Perl and PHP. We also need to periodically refresh the package sources and upgrade the installed packages.
# Ubuntu/Debian
apt-get update
apt-get dist-upgrade
# Fedora/CentOS/RedHat
yum update
Choose the update command that matches your system.
II. Set up and protect SSH
After getting a VPS, we recommend changing the SSH port and the root password and creating a separate non-root user for administration, or logging in to SSH with a key instead of a password. For key-based login, see the articles "Set Putty SSH use key to login to Linux VPS host" and "Xshell set key login to ensure Linux VPS and server more secure".
III. Disable unused services
To keep the web server secure, check all running services and open ports on the server and disable every service we do not need.
# Show all services
service --status-all
# Show all firewall rules
iptables -L
# Show which services start at each runlevel (RedHat/CentOS/Fedora)
chkconfig --list
# Check /etc/init.d for any suspicious scripts
ls /etc/init.d
IV. Disable unnecessary Apache modules
By default many Apache modules are enabled, but some are never used, and we can turn them off to slim the installation down. For example, the previously shared "6 steps to achieve CentOS system environment streamlined optimization" and "4 steps to achieve the Debian system environment streamlining optimization" can improve efficiency and reduce resource usage.
A. Ubuntu/Debian
# List enabled modules
cat /etc/apache2/mods-enabled/* | grep -i loadmodule
Enable a module:
a2enmod module_name
Disable a module:
a2dismod module_name
B. CentOS/Fedora/RedHat
cat /etc/httpd/conf/httpd.conf | grep -i LoadModule
Edit the httpd.conf file, search for the LoadModule keyword, put a # in front of each module line you want to disable and save; to re-enable a module, remove the # again.
V. Run Apache as a dedicated user and group
On most installations Apache runs by default as the user and group apache, and for safety we can use a different user/group. Suppose you run the mail server as the nobody user and run Apache as the same user: if the mail server is compromised, Apache is affected too. Worse, if Apache runs as root and is compromised, the whole system is at risk. To check or change the user/group, edit the httpd.conf file.
# Fedora/CentOS/RedHat
vi /etc/httpd/conf/httpd.conf
# Ubuntu/Debian
vi /etc/apache2/httpd.conf
We can keep the default user/group or create a new user/group for Apache.
VI. Prevent information disclosure
A default Apache installation shows the port, version and other details on its default and error pages, and we need to hide this information.
# Fedora/CentOS/RedHat
vi /etc/httpd/conf/httpd.conf
# Ubuntu/Debian
vi /etc/apache2/conf-enabled/security.conf
Search for the ServerTokens and ServerSignature directives and change them to:
ServerTokens Prod
ServerSignature Off
Then restart Apache.
# Fedora/CentOS/RedHat
service httpd restart
# Ubuntu/Debian
service apache2 restart
After that, our 404 page no longer shows the version information.
VII. Hide the PHP version
# Fedora/CentOS/RedHat
vi /etc/php.ini
# Ubuntu/Debian
vi /etc/php5/apache2/php.ini
Then search for expose_php and change the value from On to Off.
VIII. Disable the automatic index module
# Fedora/CentOS/RedHat
vi /etc/httpd/conf/httpd.conf
Comment out the line "LoadModule autoindex_module modules/mod_autoindex.so" by putting # in front of it.
# Ubuntu/Debian
# Remove the autoindex module
rm -rf /etc/apache2/mods-enabled/autoindex.conf
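As an added example (not code from the original article), a small Python audit script that checks an httpd.conf and a php.ini for the settings covered above: ServerTokens and ServerSignature, the User/Group Apache runs as, whether mod_autoindex is still loaded, and expose_php. The config fragments are constructed samples, not taken from a real server.

```python
import re

# Constructed sample httpd.conf fragment (not from any real server) showing
# the weak defaults this page tells you to change.
SAMPLE_HTTPD_CONF = """\
ServerTokens OS
ServerSignature On
User root
Group root
LoadModule autoindex_module modules/mod_autoindex.so
#LoadModule status_module modules/mod_status.so
"""

# Constructed php.ini fragment with the default expose_php setting.
SAMPLE_PHP_INI = "expose_php = On\n"

def _directive(text, name):
    # Value of the last uncommented occurrence of an Apache directive, or None.
    value = None
    for line in text.splitlines():
        stripped = line.strip()
        if stripped.startswith("#"):
            continue
        parts = stripped.split(None, 1)
        if len(parts) == 2 and parts[0].lower() == name.lower():
            value = parts[1].strip()
    return value

def audit_httpd_conf(text):
    # One finding per hardening point from this page that is not applied.
    findings = []
    if (_directive(text, "ServerTokens") or "").lower() != "prod":
        findings.append("ServerTokens is not Prod (version details leak in the Server header)")
    if (_directive(text, "ServerSignature") or "").lower() != "off":
        findings.append("ServerSignature is not Off (version leaks on error pages)")
    for d in ("User", "Group"):
        if (_directive(text, d) or "").lower() in ("root", ""):
            findings.append(f"{d} is root or unset (run Apache as a dedicated unprivileged account)")
    # Only an uncommented LoadModule line counts as loaded.
    if re.search(r"^\s*LoadModule\s+autoindex_module\b", text, re.M):
        findings.append("mod_autoindex is loaded (directory listings enabled)")
    return findings

def audit_php_ini(text):
    # A finding if expose_php is missing or not Off.
    m = re.search(r"^\s*expose_php\s*=\s*(\w+)", text, re.M | re.I)
    if m is None or m.group(1).lower() not in ("off", "0"):
        return ["expose_php is not Off (X-Powered-By reveals the PHP version)"]
    return []
```

Run audit_httpd_conf on the contents of your real httpd.conf (or the Debian security.conf) and audit_php_ini on php.ini; an empty list means all the settings from this page are in place.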
To summarize, the eight Apache security settings above are Lao Zuo's notes so far. There are other settings worth reviewing, such as the security settings in the .htaccess file; we should not overlook this small file, since some security settings have to go through .htaccess, and I will put together a dedicated article on it when time allows. In any case, whether we use a virtual host or a VPS/server, we need to monitor the site and regularly back up the site and project data.