Hardening Apache server security on CentOS
Apache is to web servers what Unix/Linux is to operating systems, which says enough about its performance and market share in the web server field.
In today's Internet environment, web services have become an essential part of most companies' business. Security problems have followed, and the focus of attacks has shifted to the web: many web applications handle valuable customer services and e-commerce transactions, which is exactly what attracts malicious attackers.
First, let's take a look at the security risks a web server faces.
HTTP denial of service attacks
An attacker uses some means to stop the server from answering HTTP requests, typically by driving up Apache's demand for system resources (CPU time and memory) until the system slows down or is paralysed completely. Apache's biggest drawback here is its ubiquity, which makes it a natural target, so it is under the threat of DoS attacks at all times. The main types are the following.
1. Packet flood attacks
One way to take down a server or a local network is a packet flood, usually built from ICMP (Internet Control Message Protocol, a network-layer protocol) or UDP packets. In its simplest form such an attack simply overloads the server or its network link, which means the attacker's bandwidth must exceed the target's. The advantage of UDP is that it is connectionless: no handshake is needed and nothing has to come back to the attacker's machine. The advantage of ICMP is that the attacks can be made richer and more varied, and malformed packets can confuse or lock up the victim's network stack. The current trend is for attackers to spoof the source address so that the flood appears to come from the victim itself or from other innocent hosts.
2. Disk attacks
This is a particularly destructive attack: it not only disrupts communication but can damage the hardware. Forged user requests drive write operations to the target's hard disk until its capacity or I/O limits are exceeded and the machine is forced down, with miserable results.
3. Route inaccessibility
DoS attacks are often aimed at routers. The attacker first gains control of the target machine; once routing table entries can be changed, the whole network loses connectivity. This attack is sinister and well concealed: there are many possible causes of a network outage for the administrator to rule out, and some of them require detailed investigation.
4. Distributed denial of service
This is the most threatening form, the DDoS attack. The name says it all: in plain words it is a gang beating. Many clients hit a single server at the same time and the server is overwhelmed. Apache servers are particularly exposed to DDoS and spoofed-source attacks precisely because Apache is everywhere. A worm written specifically for Apache (an SSL worm, for example) can lurk on many hosts; the attacker then uses the infected machines to launch a massive DDoS against a chosen target, spreads the worm further, and mounts large-scale attacks. Short of not offering the service at all, such attacks are very hard to prevent. They are usually aimed at large websites.
Buffer overflows
This is a common attack. A defective CGI program that departs from normal processing is the usual vehicle: when the program uses fixed-size buffers, an attacker sends an overly long request to overflow the buffer, for example to a Perl gateway script that processes user input. Once the buffer overflows, the attacker can execute arbitrary commands.
Running as root
If Apache runs with root privileges, a logic defect or a buffer overflow in it hands the attacker administrator privileges on the Linux server directly. Remotely, an attacker may exploit a defective system daemon running as root to obtain root, or exploit a defective service process to obtain an ordinary user account, log in remotely, and from there work toward control of the whole system.
These are the attacks a web server will encounter. Next we discuss how to build a secure Apache server.
If you follow these suggestions, you will end up with a reasonably secure Apache server.
I. Patch frequently
Believe it: this is the most useful measure. Buffer overflows and similar vulnerabilities can only be prevented this way. Be diligent; it does you no harm.
The latest changelog on http://www.apache.org marks entries with the words "bug fix" and "security bug fix". As a responsible administrator you must follow the relevant vulnerabilities and upgrade promptly. On CentOS the packaged httpd is updated through yum (yum update httpd); since the vendor backports security fixes without changing the upstream version number, check the package changelog (rpm -q --changelog httpd) rather than the bare version string. Running the latest security release is critical to hardening Apache.
II. Hide and disguise the Apache version
Disrupting an attacker's reconnaissance costs them effort, which any administrator is happy to see. Vulnerability information is tied to software versions, so confusing attackers while they gather information about your server software is a good choice; the version number is as useful to an attacker as a GPS fix.
By default Apache reveals its full version and loaded modules in the HTTP response headers and, when a directory listing is generated, in the footer of the listing page as well. To remove the Apache version, open the configuration file, find these keywords and change them to
ServerSignature Off
ServerTokens Prod
By identifying the web server type one can roughly guess the operating system: IIS means Windows, Apache usually means Linux. With no information protection in the Apache configuration and directory browsing allowed, a visitor can read strings like "apache/1.37 Server at apache.linuxforum.net Port 80" or "Apache/2.0.49 (Unix) PHP/4.3.8" straight from a directory listing.
Setting ServerTokens in the configuration file hides most Apache-related information. Where that is not enough, the remaining strings are compiled into the binary; to hide them you have to modify the Apache source and recompile so that the product and platform names are replaced.
Edit ap_release.h and change
#define AP_SERVER_BASEPRODUCT "Apache"
to
#define AP_SERVER_BASEPRODUCT "Microsoft-IIS/5.0"
Edit os/unix/os.h and change
#define PLATFORM "Unix"
to
#define PLATFORM "Win32"
After the modification, recompile and install Apache, apply the configuration changes made above, restart Apache and scan it with a fingerprinting tool: it will now report a Windows host. Bear in mind that this is obscurity, not protection. Tools that fingerprint by behaviour (header order, default error pages, responses to malformed requests) can still identify Apache, so treat it as a speed bump and never as a substitute for patching.
By the way, the current forum is not very particular about this. This is the error message returned by the forum, and it made me sweat a little.
Apache/2.2.8 (Ubuntu) DAV/2 SVN/1.4.6 mod_ssl/2.2.8 OpenSSL/0.9.8g Server at forum.ubuntu.org.cn Port 80
This tells a malicious user a lot of useful information. It may not count as a vulnerability by itself, but telling people where the door is is dangerous enough.
III. Establish a secure directory structure
The Apache server has four kinds of directories:
ServerRoot # configuration files, binaries and other server files
DocumentRoot # website content, including HTML files and images
ScriptAlias # CGI scripts
CustomLog and ErrorLog # access logs and error logs
The recommended layout keeps these four directories independent of each other, with no parent-child relationship between them.
Note:
The ServerRoot directory should be accessible only to the root user.
The DocumentRoot directory should be accessible to the users who manage the site content and to the user and group the Apache server runs as.
The ScriptAlias directory should be accessible only to CGI developers and the Apache user.
The CustomLog and ErrorLog directories should be accessible only to the root user.
The following is an example of a secure directory structure.
+------- /etc/
|
|   +---- /http  (ServerRoot)
|   +---- /logs  (CustomLog and ErrorLog)
|
+------- /var/www
|
|   +---- /cgi-bin (ScriptAlias)
|   +---- /html    (DocumentRoot)
Such a structure is relatively safe because the directories are independent: a permission mistake in one directory does not affect the others.
IV. Use a dedicated user and group for Apache
According to the principle of least privilege, give Apache exactly the permissions it needs to serve the web site and nothing more.
Note:
The principle of least privilege is one of the most basic principles of system security. It limits users and processes to the minimum permissions required to complete their tasks, so that the damage from a stolen account or a misbehaving process is bounded.
Make sure Apache runs under a dedicated user and group. Do not reuse accounts the system already shares among services, such as the nobody user and the nogroup group.
Apache must be started by root to bind port 80, but its worker processes should drop to the dedicated account. DocumentRoot should then be accessible to the users who manage the site content and to the Apache user and group. For example, if the "test" user is to publish content and Apache runs as httpd:
groupadd webteam
usermod -a -G webteam test
chown -R httpd.webteam /var/www/html
chmod -R 2570 /var/www/html
(usermod -G without -a replaces the user's existing supplementary groups, which is rarely what you want. Mode 2570 gives the httpd owner read and execute only, the webteam group full access, sets the setgid bit so new files inherit the group, and grants nothing to anyone else; the server itself therefore cannot modify the content it serves.)
Only root should be able to read the logs. We recommend:
chown -R root.root /etc/logs
chmod -R 700 /etc/logs
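A quick way to confirm that a tree actually matches the rules above is to look for anything under DocumentRoot that "other" can write and anything under the log directory that anyone but the owner can read or write. The following audit is an added example, not code from the original article; it takes the two paths as arguments, so the /var/www/html and /etc/logs layout above is only the suggested usage, not something the code assumes.

```shell
#!/bin/sh
# Added example (not from the original article): check that a web tree follows
# the permission rules above. Content must not be writable by "other", and log
# data must be readable and writable by its owner only.

# audit_web_perms DOCROOT LOGDIR
# Prints one problem per line; returns 1 if anything was found, 0 when clean.
# (Paths with whitespace would need find -exec instead of the for loops.)
audit_web_perms() {
    docroot="$1"
    logdir="$2"
    problems=0

    # A world-writable file under DocumentRoot lets any local account deface
    # the site or plant a script; the recommended mode 2570 forbids it.
    for path in $(find "$docroot" -perm -o+w); do
        echo "world-writable content: $path"
        problems=$((problems + 1))
    done

    # Logs are for root only (700): group- or world-readable logs leak client
    # data, and writable ones let an intruder clean up after himself.
    for path in $(find "$logdir" \( -perm -g+r -o -perm -o+r -o -perm -g+w -o -perm -o+w \)); do
        echo "log data readable or writable by others: $path"
        problems=$((problems + 1))
    done

    [ "$problems" -eq 0 ]
}

# Usage: sh audit_web_perms.sh /var/www/html /etc/logs
if [ "$#" -eq 2 ]; then
    audit_web_perms "$1" "$2"
fi
```

Run it after the chown/chmod steps and again after every content deployment; a publishing tool that creates files with a permissive umask is the usual way a correct layout drifts back to world-writable.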
V. Web directory access policy
Be conservative about which web directories can be browsed: users should not be able to view a directory index listing.
Disable directory indexing:
If no index file exists, Apache generates a dynamic listing of the directory contents, which exposes the site structure. Turn dynamic indexes off in httpd.conf:
Options -Indexes -FollowSymLinks
The Options directive with -Indexes tells Apache not to generate directory indexes, and -FollowSymLinks stops it following symbolic links out of the document tree (use +SymLinksIfOwnerMatch where links are genuinely needed).
Disable default access:
Deny access to the whole filesystem by default, then grant it only to the directories that are meant to be served:
<Directory />
    Order Deny,Allow
    Deny from all
</Directory>
(On Apache 2.4 the equivalent is Require all denied.)
Disable user overrides:
To prevent users from overriding (modifying) the directory configuration through .htaccess files, set
AllowOverride None
VI. Apache server access control
Apache's access.conf file (in current versions these directives live in httpd.conf) sets file access permissions to control access by Internet domain name and IP address.
For example, to allow access only from the hosts 192.168.1.1 through 192.168.1.254:
Order Deny,Allow
Deny from all
Allow from 192.168.1.0/255.255.255.0
(On Apache 2.4: Require ip 192.168.1.0/24.)
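The settings from sections II, V and VI are easy to get wrong in a large httpd.conf, so it is worth checking the file mechanically. The script below is an added example, not code from the original article or from the Apache project: it reads one configuration file and reports the weak settings discussed above (ServerTokens not Prod, ServerSignature not Off, Indexes enabled, AllowOverride other than None, and no default deny on <Directory />). It assumes Apache 2.2-style Order/Allow/Deny syntax (the 2.4 form Require all denied is also recognised) and does not follow Include directives.

```shell
#!/bin/sh
# Added example (not from the original article): a static audit of an
# httpd.conf for the weak settings covered in sections II, V and VI.
# Assumptions: Apache 2.2-style Order/Allow/Deny syntax (Require all denied
# from 2.4 is also accepted), a single file (Include is not followed), and
# the hardened values recommended above as the baseline.

# audit_httpd_conf FILE
# Prints one finding per line; returns 0 when clean, 1 when anything was found.
audit_httpd_conf() {
    conf="$1"
    findings=0

    # Drop comments and blank lines once so every check sees the same text.
    body=$(sed -e 's/#.*$//' -e '/^[[:space:]]*$/d' "$conf")

    # Section II: anything but Prod/ProductOnly leaks version and module names
    # in the Server header; ServerSignature On repeats it in error pages.
    if ! printf '%s\n' "$body" | grep -Eiq '^[[:space:]]*ServerTokens[[:space:]]+Prod(uctOnly)?([[:space:]]|$)'; then
        echo "ServerTokens is not Prod: version and modules leak in the Server header"
        findings=$((findings + 1))
    fi
    if ! printf '%s\n' "$body" | grep -Eiq '^[[:space:]]*ServerSignature[[:space:]]+Off([[:space:]]|$)'; then
        echo "ServerSignature is not Off: version leaks in error pages and listings"
        findings=$((findings + 1))
    fi

    # Section V: "Options Indexes" or "+Indexes" enables listings. "-Indexes" is
    # not matched, because the character before Indexes must be a space or "+".
    if printf '%s\n' "$body" | grep -Eiq '^[[:space:]]*Options.*[[:space:]][+]?Indexes'; then
        echo "Options enables Indexes: directory listings expose the site structure"
        findings=$((findings + 1))
    fi

    # Section V: any AllowOverride other than None lets .htaccess files change
    # the directory policy; in Apache 2.2 an unset AllowOverride means All.
    if printf '%s\n' "$body" | grep -Ei '^[[:space:]]*AllowOverride[[:space:]]' | grep -Eivq 'AllowOverride[[:space:]]+None[[:space:]]*$'; then
        echo "AllowOverride is not None: .htaccess can override the directory policy"
        findings=$((findings + 1))
    elif ! printf '%s\n' "$body" | grep -Eiq '^[[:space:]]*AllowOverride[[:space:]]'; then
        echo "AllowOverride is not set: Apache 2.2 defaults to All"
        findings=$((findings + 1))
    fi

    # Section VI: the filesystem root must be denied by default, with access
    # re-enabled only for the directories that are meant to be served.
    root_denied=$(printf '%s\n' "$body" | awk '
        { line = tolower($0) }
        line ~ /^[ \t]*<directory[ \t]+"?\/"?[ \t]*>/ { inroot = 1; next }
        inroot && line ~ /^[ \t]*<\/directory>/ { inroot = 0 }
        inroot && (line ~ /deny[ \t]+from[ \t]+all/ || line ~ /require[ \t]+all[ \t]+denied/) { found = 1 }
        END { print found + 0 }')
    if [ "$root_denied" -ne 1 ]; then
        echo "no default deny on <Directory />: every readable path can be served"
        findings=$((findings + 1))
    fi

    [ "$findings" -eq 0 ]
}

# Usage: sh audit_httpd_conf.sh /etc/httpd/conf/httpd.conf
if [ "$#" -gt 0 ]; then
    audit_httpd_conf "$1"
fi
```

The checks are deliberately line-oriented rather than a full parser, which is enough to catch the common mistakes but means a setting split across Include files or <IfModule> blocks has to be checked per file; on CentOS the packaged configuration is spread over /etc/httpd/conf/httpd.conf and /etc/httpd/conf.d/*.conf.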
VII. Password protection for the Apache server
The .htaccess file is an Apache configuration file in plain text; it provides a way to change the configuration of individual directories.
Placing a .htaccess file containing one or more directives in a document directory applies them to that directory and its subdirectories.
.htaccess can set a password on pages, set the file served when an error occurs, change the name of the default index file (index.html, for example), prevent file names from being listed, redirect requests, add MIME types and deny access to files in the directory.
Note: .htaccess is the complete file name, not ***.htaccess or some other form. A .htaccess file placed in /abc affects /abc and its subdirectories, but not /index.html.
Setting up and using .htaccess is more involved; if you are interested, reply and ask, and I will not go into detail here. This protection is more secure than some application-level schemes whose passwords can be recovered; .htaccess authentication is hard to crack. The plain text password file is checked slowly, which does not matter for a small number of users, but with many users you must use the DBM-backed authentication module, which has to be enabled when compiling from source because it is disabled by default.
VIII. Run Apache in a "prison"
"Prison" means using the chroot mechanism to change the root directory a piece of software sees while running. Simply put, the software is confined to a specified directory and can only act on that directory and its subtree, so that even if it is compromised the damage to the rest of the server is limited.
In the past, daemons on Unix/Linux were started with root privileges as a matter of course: a server like Apache has to bind port 80 to listen for requests, and root was the only user allowed to do so. As attacks grew in number and intensity this became a serious threat, since compromising the server meant controlling the whole system. Modern server designs start as root and then drop root, switching the worker processes to an unprivileged account. This clearly reduces the harm, but attackers will still look for ways to escalate, and even without root they can delete files and modify the home page.
To improve security further, the Linux kernel provides the chroot mechanism. chroot is a system call; software can call the chroot function in the C library to change the directory tree a process can see. Suppose Apache is installed in /usr/local/httpd and started as root. The root parent process forks several child processes running as nobody; the parent listens on port 80 and hands each request to a child. The child inherits the parent's working directory, /usr/local/httpd, but if directory permissions are set wrongly a compromised child can still reach /usr/local, /usr, /tmp or the whole file system, because the process's root is still the root of the entire file system. If chroot is used to confine Apache to /usr/local/httpd/, the files Apache can access are restricted to that tree. That is chroot's role: limit what the process can touch to one directory tree.
Doing this by hand is cumbersome and complicated, because the library files Apache depends on must be copied into the jail. The jail package simplifies building the prison.
Jail's official website is http://www.jmcresearch.com for those interested.
The detailed creation procedure is not hard to write up; if you need it for security reasons, reply and I will add the information in time.
IX. Prevent DoS attacks on the Apache server
Apache services frequently face DoS attacks. The main software defence is the Apache DoS Evasive Maneuvers Module (mod_dosevasive, later renamed mod_evasive).
It is a software alternative to mod_access that can fend off DoS attacks: it quickly rejects repeated requests from the same address for the same URL, tracked in a hash table kept by each child process.
You can download the software at http://online.securityfocus.com/tools/.
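The module's core rule is simple enough to reproduce offline, which is useful for tuning its thresholds against your own traffic before enabling it. The script below is an added example, not code from the original article or from mod_evasive itself: it reads an access log in Common Log Format (client IP in field 1, timestamp in field 4, request URI in field 7) and lists the clients that asked for the same URI more than N times within one second, which is the module's page-count check with its default values (DOSPageCount 2, DOSPageInterval 1). The log lines in sample_log are constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not from the original article or from mod_evasive): replay
# mod_evasive's page-count rule over an access log to see which clients it
# would have blocked. Assumptions: Common Log Format, and the default
# threshold of more than 2 requests for one URI from one IP in one second.

# flag_page_floods LOGFILE [PAGE_COUNT]
# Prints the offending client IPs, one per line, sorted.
flag_page_floods() {
    awk -v limit="${2:-2}" '
        # $4 looks like [10/Oct/2000:13:55:36; dropping the bracket leaves the
        # one-second bucket, so the key is (client, URI, second) exactly as
        # mod_evasive counts page hits.
        {
            ip = $1
            uri = $7
            sec = substr($4, 2)
            key = ip SUBSEP uri SUBSEP sec
            hits[key]++
            if (hits[key] > limit) bad[ip] = 1
        }
        END { for (ip in bad) print ip }
    ' "$1" | sort
}

# Constructed sample traffic (not a real log): 10.0.0.5 hammers one page five
# times in a second, 10.0.0.9 hits a page exactly twice (at the limit, not
# over it), 192.168.1.20 browses normally.
sample_log() {
    cat <<'EOF'
192.168.1.20 - - [10/Oct/2000:13:55:35 -0700] "GET /index.html HTTP/1.0" 200 2326
10.0.0.5 - - [10/Oct/2000:13:55:36 -0700] "GET /index.html HTTP/1.0" 200 2326
10.0.0.5 - - [10/Oct/2000:13:55:36 -0700] "GET /index.html HTTP/1.0" 200 2326
10.0.0.9 - - [10/Oct/2000:13:55:36 -0700] "GET /about.html HTTP/1.0" 200 512
10.0.0.5 - - [10/Oct/2000:13:55:36 -0700] "GET /index.html HTTP/1.0" 200 2326
10.0.0.9 - - [10/Oct/2000:13:55:36 -0700] "GET /about.html HTTP/1.0" 200 512
10.0.0.5 - - [10/Oct/2000:13:55:36 -0700] "GET /index.html HTTP/1.0" 200 2326
10.0.0.5 - - [10/Oct/2000:13:55:36 -0700] "GET /index.html HTTP/1.0" 200 2326
192.168.1.20 - - [10/Oct/2000:13:55:37 -0700] "GET /about.html HTTP/1.0" 200 512
192.168.1.20 - - [10/Oct/2000:13:55:38 -0700] "GET /logo.gif HTTP/1.0" 200 1041
EOF
}

# Usage: sh flag_page_floods.sh /var/log/httpd/access_log [PAGE_COUNT]
# With no arguments the constructed sample is used and 10.0.0.5 is reported.
if [ "$#" -gt 0 ]; then
    flag_page_floods "$1" "${2:-2}"
else
    tmp=$(mktemp)
    sample_log > "$tmp"
    flag_page_floods "$tmp"
    rm -f "$tmp"
fi
```

Run it with a larger PAGE_COUNT against a day of real traffic before deploying the module: if legitimate clients such as pages that load many small images from one URI show up, raise DOSPageCount or DOSPageInterval in the module configuration rather than blocking your own users.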
X. Reduce CGI and SSI risks
CGI script vulnerabilities have become the top security risk for web servers, and they are usually caused by careless CGI programming. Besides the problems of CGI access control, validate all input data when writing scripts and use system calls with care. Run CGI programs under the identity of their owner rather than of the server: even if a program is compromised through a vulnerability, only the files accessible to that ID are exposed and the whole system is not fatally harmed. Use CGI programs with caution.
Apache 1.3 integrates the suEXEC program, which provides this kind of control over CGI programs. Think of suEXEC as a wrapper: after Apache receives a request for a CGI program it hands the request to suEXEC, which performs the actual invocation and returns the result. suEXEC solves some security problems, at a cost in speed.
If you have high security requirements, use suEXEC. There is also CGIWrap, which offers security comparable to suEXEC.
Reducing the risk of SSI scripts: running external programs through directives such as exec carries risks similar to those of CGI scripts. Except while debugging internal programs, disable them with the Options directive:
Options IncludesNOEXEC
XI. Reinforce Apache with SSL
A server with SSL enabled improves the security of the site's sensitive pages. SSL sits between TCP/IP and HTTP.
SSL encrypts the data streams transmitted over the Internet and provides identity authentication, so customers can shop online without worrying about credit card theft. It is important for e-commerce and web-based mail.