Apache has consistently ranked among the top three web server software packages in the world. Enterprises need to consider the security of their web applications comprehensively so that they can respond to network threats such as denial of service (DoS) attacks, traffic eavesdropping, and data leakage, and thereby keep their portal websites secure.
Besides the industry's popular firewalls, IDS/IPS (intrusion detection/intrusion prevention systems), WAFs (web application firewalls) and UTM (unified threat management) appliances, Apache itself, as an excellent piece of open-source server software, offers many features that let administrators configure security settings against various network attacks. Fully and efficiently using the security capabilities of the Apache server is therefore an essential skill for enterprise security staff. On that basis, this article details the security hardening points of the Apache server from four aspects.
Policy 1: Server-side security settings
1. Do not run the Apache server as root
On Linux, the httpd process of the Apache server generally has to be started with root privileges, because it must bind port 80. Root privileges are far too broad, so this creates many potential security threats. No administrator can assume that the httpd server is free of security vulnerabilities, so it is preferable to run the server with the privileges of an ordinary user. The main configuration file httpd.conf contains the following two directives; after Apache starts, it switches to the user and group set here, which reduces the risk to the server:
User apache
Group apache
Note that these two directives are the defaults in the main configuration file. The httpd parent process is started as root, and the worker processes that actually handle client requests are then switched to the apache user and group, so that the privileges of those processes are limited to what the apache user and group are allowed to do. Only the workers drop privileges; the parent keeps root so that it can bind the privileged port, so the apache account should have no login shell and should own nothing it does not need to write.
2. Hide Apache server information from the client
The version number of the Apache server is an important piece of information for an intruder. After obtaining the version number, an attacker can look up known vulnerabilities for that version and attack with the corresponding techniques and tools; fingerprinting the version is also a standard step in penetration testing. Hiding the banner does not remove any vulnerability, it only denies an attacker an easy fingerprint, so patching remains necessary. To avoid unnecessary trouble and risk, use the following two directives in the main configuration file httpd.conf:
1) ServerTokens: this directive controls how much information the server places in the Server response header it returns to clients, such as the operating system type and the built-in modules. The Red Hat Enterprise Linux 5 distribution sets a global default of OS in the main configuration file, that is, ServerTokens OS, which exposes the operating system and related sensitive information to the client. For security, set this directive to ProductOnly (abbreviated Prod), that is, ServerTokens ProductOnly, so that the header reads only "Apache". ServerTokens also determines how much detail the ServerSignature line below contains.
2) ServerSignature: this directive controls the footer line that Apache appends to server-generated pages such as error messages. With Off, that is, ServerSignature Off, no footer is output; with On, that is, ServerSignature On, a line giving the server version (at the detail level chosen by ServerTokens) is appended to every error page. Apache's built-in default is Off, but check the httpd.conf shipped by the distribution, since it may set On; for security, set it to Off explicitly.
Figures 1 and 2 compare the error page that the Apache server on RHEL 5 returns, viewed in the Mozilla Firefox browser on RHEL 5, before and after the two options above are set for security. After the security settings, the Linux operating system information and the Apache server version are completely hidden from client users.
Figure 1 Error page with the security options not set
Figure 2 Error page after the security settings, for comparison
3. Set virtual directories and directory permissions
To publish content from a directory other than the document root, create a virtual directory. A virtual directory is a directory that lies outside the Apache document root; it is not contained in the document root, but to a user visiting the web site it looks exactly like a subdirectory of the document root. Each virtual directory has an alias, and a user can reach the virtual directory through that alias in a web browser, for example http://server-IP-address/alias/file-name, which gives access to any file in the virtual directory.
A virtual directory is created with the Alias directive. The main configuration file creates two virtual directories by default, "/icons/" and "/manual", whose physical paths are "/var/www/icons/" and "/var/www/manual". The following directives can be seen in the main configuration file:
Alias /icons/ "/var/www/icons/"
Alias /manual "/var/www/manual"
You can also create a virtual directory yourself. For example, to create a virtual directory named /test whose physical path is /var/www/html/rhel5 (the directory used in the examples above):
Alias /test "/var/www/html/rhel5"
If you need to set permissions on it, add the following block:
<Directory "/var/www/html/rhel5">
AllowOverride None
Options Indexes
Order allow,deny
Allow from all
</Directory>
Note that Options Indexes enables automatic directory listings, which show a client every file in the directory whenever no index page exists; unless listings are intended, use Options -Indexes. Order allow,deny together with Allow from all permits access from any client, so restrict the Allow line if the directory is meant for a limited set of addresses.
After setting the virtual directory and directory permissions, test and verify from a client browser by accessing the files in the directory through the alias; see Figure 3 for the result.
Figure 3 Test result of accessing the virtual directory
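The three settings in Policy 1 are easy to get wrong in a long httpd.conf, so the following script, an added example that is not part of the original article or of the Apache project, audits a configuration file for them: a User or Group of root (or none), a ServerTokens other than Prod/ProductOnly, a ServerSignature of On or EMail, and any <Directory> block whose Options enable directory listings. The two sample configurations it writes are constructed for the demonstration (weak.conf repeats the weak settings from the text, hardened.conf the corrected ones); pass a real httpd.conf as the first argument to audit that instead. It only handles top-level directives and plain <Directory> blocks, not Include files or .htaccess.

```shell
#!/bin/sh
# audit_httpd_conf.sh: added example, not from the original article.
# Prints one FINDING line for each weak Policy 1 setting found in an httpd.conf.

# Drop comments, surrounding whitespace and blank lines.
conf_lines() {
    sed -e 's/#.*$//' -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' "$1" | grep -v '^$'
}

# Value of a directive; the last occurrence wins, as it does in httpd itself.
directive() {  # $1 = file, $2 = directive name (case-insensitive)
    conf_lines "$1" | awk -v n="$2" 'tolower($1) == tolower(n) { v = $2 } END { print v }'
}

lower() { printf '%s' "$1" | tr 'A-Z' 'a-z'; }

audit_httpd_conf() {  # $1 = path to httpd.conf
    f=$1
    u=$(directive "$f" User)
    g=$(directive "$f" Group)
    if [ -z "$u" ] || [ "$u" = root ]; then
        echo "FINDING: User is '${u:-unset}'; worker processes would run as root"
    fi
    if [ -z "$g" ] || [ "$g" = root ]; then
        echo "FINDING: Group is '${g:-unset}'; worker processes would run in root's group"
    fi
    t=$(directive "$f" ServerTokens)
    case "$(lower "$t")" in
        prod|productonly) ;;
        *) echo "FINDING: ServerTokens is '${t:-unset}' (Full when unset); set ServerTokens Prod" ;;
    esac
    s=$(directive "$f" ServerSignature)
    case "$(lower "$s")" in
        on|email) echo "FINDING: ServerSignature $s appends the server version to error pages; set it Off" ;;
    esac
    # Indexes (or All) inside a <Directory> block turns on automatic listings.
    conf_lines "$f" | awk '
        /^<Directory[ \t>]/ { d = $0; sub(/^<Directory[ \t]*/, "", d); sub(/>$/, "", d) }
        /^<\/Directory>/    { d = "" }
        tolower($1) == "options" && d != "" {
            for (i = 2; i <= NF; i++) {
                o = tolower($i)
                if (o == "indexes" || o == "+indexes" || o == "all")
                    print "FINDING: <Directory " d "> enables directory listing (Options " $i ")"
            }
        }'
}

# Constructed sample configurations (not real RHEL 5 files).
write_sample_configs() {  # $1 = directory to write weak.conf and hardened.conf into
    cat > "$1/weak.conf" <<'EOF'
User root
Group root
ServerTokens OS
ServerSignature On
Alias /test "/var/www/html/rhel5"
<Directory "/var/www/html/rhel5">
    AllowOverride None
    Options Indexes
    Order allow,deny
    Allow from all
</Directory>
EOF
    cat > "$1/hardened.conf" <<'EOF'
User apache
Group apache
ServerTokens Prod
ServerSignature Off
Alias /test "/var/www/html/rhel5"
<Directory "/var/www/html/rhel5">
    AllowOverride None
    Options -Indexes
    Order allow,deny
    Allow from all
</Directory>
EOF
}

# Stand-alone use: audit the file given as $1, or demonstrate on the samples.
if [ -n "$1" ]; then
    audit_httpd_conf "$1"
else
    tmp=$(mktemp -d)
    write_sample_configs "$tmp"
    for c in weak hardened; do
        echo "== $c.conf"
        audit_httpd_conf "$tmp/$c.conf"
    done
    rm -rf "$tmp"
fi
```

On the weak sample the script reports five findings (User, Group, ServerTokens, ServerSignature and the Indexes option); on the hardened sample it reports nothing. Because the last occurrence of a directive wins, the audit matches what httpd would actually apply when a directive is repeated.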
Policy 2: Restrict the running environment of the Apache service
The Apache server has to bind port 80 to listen for requests, and on Linux only root may bind ports below 1024. As attack methods and intensity increase, the server faces considerable threats; once a buffer overflow vulnerability in it is exploited, the entire system can be taken over. To further improve system security, the Linux kernel provides the chroot mechanism, which is a system call in the kernel; a program can call the chroot function of the C library to change the root directory that the process sees.
The chroot mechanism confines a program to a specified directory so that it can only act on the files in that directory and its subdirectories, which protects the rest of the server. Even if a hacker or unauthorized user abuses the program to damage or break into the system, the damage to the Linux system is limited to the root directory that was set and does not reach other parts of the system. Keep in mind that chroot is a containment measure rather than a complete sandbox: a process that is still running as root inside the jail can break out of it, so the chroot must be combined with the privilege drop to the apache user described in Policy 1, and the jail should contain no setuid binaries or device nodes it does not need.
One problem with chroot-ing software is that all programs, configuration files and library files the software needs at run time must be installed in the chroot directory in advance; this directory is usually called the "jail". When httpd runs in the jail it cannot see the real directories of the Linux file system, which protects the Linux system.
When using this technique, you usually create the directory in advance and copy the daemon's executable file httpd into it. Because httpd also depends on several shared library files, each of those lib files must be copied into the same directory tree as well, which is tedious to do by hand. Fortunately, the open-source jail package simplifies building the chroot jail. The specific steps are as follows:
The official Jail web site is http://www.jmcresearch.com/projects/. First download the package, then run the following commands to compile and install the source package:
# tar xzvf jail_1.9a.tar.gz
# cd jail/src
# make
The jail package provides several Perl scripts as its core commands, including mkjailenv, addjailuser and addjailsw, located in jail/bin under the extracted directory. Their basic uses are as follows:
mkjailenv: creates the chroot jail directory and copies the basic software environment from the real file system into it.
addjailsw: copies binary executables and their related files, including library files, auxiliary files and device files, from the real file system into the jail.
addjailuser: creates a new chroot jail user.
The steps for building a jail with the jail package are as follows:
1) First stop the running httpd service and create the chroot directory. The following commands create the chroot directory at /root/chroot/httpd:
# service httpd stop
# mkjailenv /root/chroot/httpd
mkjailenv
A component of Jail (version 1.9 for linux)
http://www.gsyc.inf.uc3m.es/~assman/jail/
Juan M. Casillas <assman@gsyc.inf.uc3m.es>
Making chrooted environment into /root/chroot/httpd
Doing preinstall()
Doing special_devices()
Doing gen_template_password()
Doing postinstall()
Done.
2) Add the httpd program to the jail. The command is as follows:
# ./addjailsw /root/chroot/httpd/ -P /usr/sbin/httpd
addjailsw
A component of Jail (version 1.9 for linux)
http://www.gsyc.inf.uc3m.es/~assman/jail/
Juan M. Casillas <assman@gsyc.inf.uc3m.es>
Guessing /usr/sbin/httpd args(0)
Warning: can't create /proc/mounts from the /proc filesystem
Done.
You need not worry about the warning above. addjailsw calls ldd to determine which library files httpd uses and copies them into the jail; almost every dynamically linked executable needs such shared libraries, so this step is what makes the copied httpd runnable inside the jail.
3) Then copy the httpd-related files into the jail directory. The commands are as follows:
# mkdir -p /root/chroot/httpd/etc
# cp -a /etc/httpd /root/chroot/httpd/etc/
......
The resulting directory structure is as follows:
# ll
total 56
drwxr-xr-x 2 root root 4096 03-23 13:44 dev
drwxr-xr-x 3 root root 4096 03-23 13:46 etc
drwxr-xr-x 2 root root 4096 03-23 13:46 lib
drwxr-xr-x 2 root root 4096 03-23 13:46 selinux
drwsrwxrwx 2 root root 4096 03-23 13:46 tmp
drwxr-xr-x 4 root root 4096 03-23 13:46 usr
drwxr-xr-x 3 root root 4096 03-23 13:46 var
4) Restart httpd and check the httpd processes with the ps command. The processes are now running inside the jail, and the worker processes still run as the apache user, as shown below:
# ps -aux | grep httpd
Warning: bad syntax, perhaps a bogus '-'? See /usr/share/doc/procps-3.2.7/FAQ
root 3546 0.6 0.3 3828 1712 pts/2 S 13:57 0:00 /usr/sbin/nss_pcache off /etc/httpd/alias
root 3550 14.2 3.6 49388 17788 ? Rsl 13:57 0:00 /root/chroot/httpd
apache 3559 0.2 1.4 49388 6888 ? S 13:57 0:00 /root/chroot/httpd
apache 3560 0.2 1.4 49388 6888 ? S 13:57 0:00 /root/chroot/httpd
apache 3561 0.2 1.4 49388 6888 ? S 13:57 0:00 /root/chroot/httpd
apache 3562 0.2 1.4 49388 6888 ? S 13:57 0:00 /root/chroot/httpd
apache 3563 0.2 1.4 49388 6888 ? S 13:57 0:00 /root/chroot/httpd
apache 3564 0.2 1.4 49388 6888 ? S 13:57 0:00 /root/chroot/httpd
apache 3565 0.2 1.4 49388 6888 ? S 13:57 0:00 /root/chroot/httpd
apache 3566 0.2 1.4 49388 6888 ? S 13:57 0:00 /root/chroot/httpd
root 3568 0.0 0.1 4124 668 pts/2 R+ 13:57 0:00 grep httpd
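The part of the procedure above that addjailsw automates in step 2, copying the httpd binary and every shared library it depends on into the jail at the same paths, is small enough to do by hand, and doing so shows exactly what ends up in the jail. The following script is an added example that is not part of the original article or of the jail package: it parses ldd output, copies the binary and each library into the jail root, and follows symlinks such as libc.so.6 -> libc-2.5.so so that the link target arrives too. The sample ldd output in sample_ldd_output is constructed for the demonstration, and the stand-alone demo jails /bin/sh into a throwaway directory because /usr/sbin/httpd may not exist on the machine running it. It does not replace mkjailenv's other work (device nodes, passwd/group templates) or the copying of /etc/httpd in step 3.

```shell
#!/bin/sh
# populate_jail.sh: added example, not from the original article or the jail package.
# Copies a binary plus the shared libraries ldd(1) reports for it into a chroot jail.

# Print the absolute paths named in ldd-style output read from stdin.
# Handles "libc.so.6 => /lib/libc.so.6 (0x...)" and "/lib/ld-linux.so.2 (0x...)";
# skips the kernel-provided vDSO entry (no file on disk) and "statically linked".
ldd_paths() {
    awk '
        /=>/       { if ($3 ~ /^\//) print $3; next }
        $1 ~ /^\// { print $1 }
    '
}

# Copy $2 (absolute path on the real filesystem) into jail root $1 at the same
# path, preserving mode, owner and link-ness; a symlink's target is copied too.
copy_into_jail() {
    cj_root=$1; cj_src=$2; cj_dst=$cj_root$cj_src
    if [ ! -e "$cj_src" ] && [ ! -L "$cj_src" ]; then
        echo "copy_into_jail: $cj_src does not exist" >&2
        return 1
    fi
    if [ -e "$cj_dst" ] || [ -L "$cj_dst" ]; then
        return 0                        # already in the jail; also stops symlink cycles
    fi
    mkdir -p "$cj_root$(dirname "$cj_src")"
    cp -a "$cj_src" "$cj_dst" || return 1
    if [ -L "$cj_src" ]; then
        cj_tgt=$(readlink "$cj_src")
        case $cj_tgt in
            /*) ;;                                         # absolute target
            *)  cj_tgt=$(dirname "$cj_src")/$cj_tgt ;;     # relative to the link
        esac
        copy_into_jail "$cj_root" "$cj_tgt"
    fi
}

# Copy a binary and all of its shared libraries into the jail.
populate_jail() {  # $1 = jail root, $2 = binary, e.g. /usr/sbin/httpd
    pj_root=$1; pj_bin=$2
    copy_into_jail "$pj_root" "$pj_bin" || return 1
    ldd "$pj_bin" 2>/dev/null | ldd_paths | while read -r lib; do
        copy_into_jail "$pj_root" "$lib" || exit 1
    done
}

# Constructed ldd output for an i386 httpd (assumed shape, not captured from the page).
sample_ldd_output() {
    printf '%s\n' \
        '    linux-gate.so.1 =>  (0x00110000)' \
        '    libm.so.6 => /lib/libm.so.6 (0x00111000)' \
        '    libpcre.so.0 => /lib/libpcre.so.0 (0x00138000)' \
        '    libc.so.6 => /lib/libc.so.6 (0x00160000)' \
        '    /lib/ld-linux.so.2 (0x00f9a000)'
}

# Stand-alone demo: jail /bin/sh into a temporary directory and list what arrived.
if command -v ldd >/dev/null 2>&1; then
    demo=$(mktemp -d)
    echo "libraries ldd reports for /bin/sh:"; ldd /bin/sh | ldd_paths
    populate_jail "$demo" /bin/sh && find "$demo" \( -type f -o -type l \) | sed "s|^$demo||"
    rm -rf "$demo"
fi
```

Run it as root against the real jail with populate_jail /root/chroot/httpd /usr/sbin/httpd to reproduce step 2 without addjailsw. Because the copy preserves ownership and mode, anything setuid on the real system stays setuid inside the jail, which is one reason to look at the resulting file list before starting httpd in it.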