Apache Security Configuration baseline Guide

This document defines the security settings that should be followed by the Apache server maintained and managed by maintenance engineers. This document aims to guide system administrators in the Security Configuration of Apache servers. This document applies to versions 2.0.x and 2.2.x of Apache servers.

Chapter 3 log configuration operations
1.1 log Configuration
1.1.1 Audit Logon
Security baseline project name Apache audit Login Policy security baseline requirements item security baseline No. SBL-Apache-02-01-01 security baseline items description the device should be configured with log function, recording operation errors, user access, etc, the recorded content includes the time and IP address used by the user. Check operation step 1. Refer to configuration operations
Edit the httpd. conf configuration file and set the log file, record content, and record format.
LogLevel notice
ErrorLog logs/error_log
LogFormat "% h % l % u % t \" % r \ "%> s % B \" % {Accept} I \ "\" % {Referer} I \"\ "% {User-Agent} I \" "combined
CustomLog logs/access_log combined
The ErrorLog command sets the file name and location of the error log. Error logs are the most important log files. Apache httpd stores diagnostic information and processes errors in requests. To send the error log to Syslog, set ErrorLog syslog.
Set the name and location of the access log in the CustomLog command. Access logs record all requests processed by the server.
Set the log format in LogFormat. LogLevel is used to adjust the details of the information recorded in the error log. It is recommended to set it to notice. Baseline conformity judgment basis 1. Judgment Conditions
View the log file content in the logs directory. The record is complete.
2. detection operations
View related log records.
3. RemarksChapter 4 other device configuration operations
2.1 Access Permissions
2.1.1 prohibit access to external files
Security baseline project name Apache directory access permission security baseline requirements item security baseline number SBL-Apache-03-01-01 security baseline item description prohibit Apache from accessing any files outside the Web directory. Check operation step 1. Refer to configuration operations
Edit the httpd. conf configuration file,
<Directory/>
Order Deny, Allow
Deny from all
</Directory>
2. Supplemental operation instructions
Set accessible directories,
<Directory/web>
Order Allow, Deny
Allow from all
</Directory>
/Web is the root directory of the website. Baseline conformity judgment basis 1. Judgment Conditions
Files outside the Web directory cannot be accessed.
2. detection operations
Access to a file on the server that does not belong to the Web directory should not be displayed.
3. Remarks2.2 attack prevention management
2.2.1 handle error pages
Security baseline project name Apache error page security baseline requirements items security baseline No. SBL-Apache-03-02-01 security baseline item description Apache error page redirection detection procedure 1. Reference configuration operations
(1) modify the httpd. conf configuration file:
ErrorDocument 400/custom400.html
ErrorDocument 401/custom401.html
ErrorDocument 403/custom403.html
ErrorDocument 404/custom404.html
ErrorDocument 405/custom405.html
ErrorDocument 500/custom500.html
Customxxx.html is the error page to be set.
(2) determination basis for restarting Apache service baseline compliance 1. Judgment Conditions
Point to the specified error page
2. detection operations
Enter http: // ip/xxxxxxx ~~~ in the URL address bar ~~~ (A nonexistent page) Remarks2.2.2 directory list access restrictions
Security baseline project name Apache directory list security baseline requirements items security baseline No. SBL-Apache-03-02-02 security baseline item description disable Apache list display file detection operation step 1. Reference configuration operations
(1) edit the httpd. conf configuration file,
<Directory "/web">
Options FollowSymLinks
AllowOverride None
Order allow, deny
Allow from all
</Directory>
Remove the Indexes in Options Indexes FollowSymLinks to disable Apache from displaying the directory structure. When no index.html file exists in the directory, the directory structure is displayed.
(2) set the Apache default page and edit the configuration file % apache % \ conf \ httpd. conf,
<IfModule dir_module>
DirectoryIndex index.html
</IfModule>
Index.html is the default page, which can be changed to other files as needed.
(3) determination basis for restarting Apache service baseline compliance 1. Judgment Conditions
Contents of directories are not listed when no homepage such as index.html is found in the web directory.
2. detection operations
Directly access http: // ip: 8800/xxx (xxx is a directory) Remarks2.2.3 dos prevention
Security baseline item name Apache Denial of Service (DoS) security baseline requirements item security baseline number SBL-Apache-03-02-03 security baseline items description Denial of Service (DoS) prevention. Check operation step 1. Refer to configuration operations
(1) edit the httpd. conf configuration file,
Timeout 10 KeepAlive On
KeepAliveTimeout 15
AcceptFilter http data
AcceptFilter https data
(2) determination basis for restarting Apache service baseline compliance 1. Judgment Conditions
2. detection operations
Check whether the configuration file is set. Remarks2.2.4 deleting useless files
Security baseline project name Apache useless files security baseline requirements item security baseline number SBL-Apache-03-02-04 security baseline item description Delete useless files of the default installation. Check operation step 1. Refer to configuration operations
Delete the default HTML file:
# Rm-rf/usr/local/apache2/htdocs /*
Delete the default CGI script:
# Rm-rf/usr/local/apache2/cgi-bin /*
Delete the Apache description file:
# Rm-rf/usr/local/apache2/manual
Delete source code files:
# Rm-rf/path/to/httpd-2.2.4 *
Depending on the Installation Steps and versions, some directories or files may not exist or have different locations. Baseline conformity judgment basis 1. Judgment Conditions
2. detection operations
Check the corresponding directory. Remarks2.2.5 hide sensitive information
Security baseline item name Apache hide sensitive information security baseline requirements item security baseline number SBL-Apache-03-02-05 security baseline item description hide Apache version number and other sensitive information. Check operation step 1. Refer to configuration operations
Modify the httpd. conf configuration file:
ServerSignature Off
ServerTokens Prod baseline conformity judgment basis 1. Judgment Conditions
2. detection operations
Check the configuration file. Remarks