How can we enhance the security of Apache Web servers? (1)


[Bkjia.com exclusive translation] Installing and maintaining a secure Web server on Linux is not easy. It requires an in-depth understanding of Linux, Apache, and PHP server options. One of the main problems is striking a balance between security, productivity, and usability. The best solution depends on the specific needs of the project, but all installations share some common characteristics. The following are some best practices for protecting a LAMP server, covering everything from server configuration to fine-tuning the PHP configuration.

To protect a Web server, start by hardening the Linux operating system. Linux hardening could fill a whole article of its own, but some concepts are particularly important when serving Web content:

◆ Linux kernel hardening. The kernel is the component attackers target most often, because compromising it is the easiest way to escalate user privileges. Depending on the operating system, Apache runs by default as a limited user: nobody on Red Hat-based distributions (such as CentOS) or www-data on Debian-based distributions (including Ubuntu). An attacker will try to break out of that limited user's identity and exploit a kernel vulnerability to obtain root access. Patching the kernel with grsecurity (http://olex.openlogic.com/packages/grsecurity) ensures that you are protected and can even prevent zero-day vulnerabilities. In addition, Ksplice (http://www.ksplice.com/) ensures that all kernel updates are applied promptly, minimizing security risks.

◆ Mandatory access control (MAC). In a normal Web server deployment, ordinary users do not need access to the compiler (gcc), system configuration files, or utilities such as find. Red Hat-based distributions can use the MAC policy software SELinux (http://olex.openlogic.com/packages/selinux). Ubuntu administrators can use the similar AppArmor (http://olex.openlogic.com/packages/apparmor). Although the features of these MAC tools differ, both help you restrict the damage an attacker can do. On the downside, an improperly configured MAC tool can impair the Web server's functionality. This is why all MAC tools have a non-enforcing mode, so that you can track false positives and reconfigure the tool for your specific environment. However, if you find MAC tools too complicated, you can simply change the permissions of some executables to 700 so that only root can use them.

◆ Firewall. You must restrict both inbound and outbound traffic to prevent malicious connections to and from the server. Protecting inbound traffic is common practice for all kinds of servers. For Web servers, however, it is particularly important to restrict outbound connections as well, in order to limit the impact of malicious scripts executed locally. The most reliable approach is to set the default iptables chain policy to DROP and then explicitly allow the required inbound and outbound connections. Be careful when limiting outbound traffic, though, because many Web scripts require external resources (RSS feeds and external application programming interfaces). If you are not comfortable working with iptables directly, you can use tools such as Shorewall and Firestarter to help generate and maintain the necessary rules.
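The default-DROP policy with explicit inbound and outbound allows described above, written out as an added example (not part of the original article). The port lists and the resolver address are assumptions for a typical LAMP host and must be adapted to what the site's scripts actually need:

```shell
#!/bin/sh
# Build an iptables-restore ruleset: every chain defaults to DROP, then only
# the listed traffic is allowed. Ports and resolver are assumed values.
IN_TCP="22 80 443"      # inbound: SSH, HTTP, HTTPS
OUT_TCP="80 443"        # outbound: feeds and APIs the site's scripts call
DNS_SERVER="192.0.2.53" # resolver (documentation address, constructed)

lamp_ruleset() {
    echo '*filter'
    echo ':INPUT DROP [0:0]'
    echo ':FORWARD DROP [0:0]'
    echo ':OUTPUT DROP [0:0]'
    # Loopback, plus replies belonging to connections already allowed.
    echo '-A INPUT -i lo -j ACCEPT'
    echo '-A OUTPUT -o lo -j ACCEPT'
    echo '-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT'
    echo '-A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT'
    for p in $IN_TCP; do
        echo "-A INPUT -p tcp --dport $p -m conntrack --ctstate NEW -j ACCEPT"
    done
    # Name resolution only through the configured resolver.
    echo "-A OUTPUT -p udp -d $DNS_SERVER --dport 53 -j ACCEPT"
    echo "-A OUTPUT -p tcp -d $DNS_SERVER --dport 53 -j ACCEPT"
    for p in $OUT_TCP; do
        echo "-A OUTPUT -p tcp --dport $p -m conntrack --ctstate NEW -j ACCEPT"
    done
    # Log outbound packets about to hit the DROP policy: a script that needs
    # an unlisted external resource (or one that should not be there) shows
    # up here.
    echo '-A OUTPUT -m limit --limit 6/min -j LOG --log-prefix "OUT-DROP: "'
    echo 'COMMIT'
}

# Print the ruleset. To syntax-check it without applying:
#   lamp_ruleset | iptables-restore --test
lamp_ruleset
```

Load the rules from a console session rather than over SSH the first time, since a mistake in the inbound list locks out remote access.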

Apache best security practices

Once you have secured the Linux operating system, you can turn to the security of the Apache Web server itself. The following instructions are specific to Apache, but may also apply to other Web servers, such as LiteSpeed and nginx. The differences between them usually come down to module names or configuration directives.

To reinforce Apache, perform these steps:

◆ Install mod_security. This Apache module acts as an application firewall. It can filter every part of a Web request and stop malicious code. It acts before the Web server does any actual processing, and is therefore independent of the Web application. mod_security is suitable for filtering any malicious traffic, from SQL injection to XSS attacks. It is also the fastest and easiest way to protect vulnerable Web applications. The software comes with many ready-to-use rules, but you can easily write your own. For example, suppose you run an outdated Joomla version and are worried about SQL injection attacks. This simple rule filters out any POST and GET content containing the Joomla table prefix (jos_): SecFilter "jos_"

◆ Install mod_evasive. This is another important Apache module, which protects Web applications from denial-of-service (DoS) requests. Its effectiveness is limited by the fact that it works at the application layer: Apache accepts the connections regardless, so bandwidth and system resources are still consumed. However, the module can help against weaker DoS attacks that come from a small number of remote hosts. Once mod_evasive is loaded, configure it as follows:

 
 
    DOSPageCount 2
    DOSSiteCount 30
    DOSBlockingPeriod 120

This tells the server to block (by default, by returning HTTP error 403 Forbidden) any host that accesses the same page twice, or makes a total of 30 requests, within one second (the default interval). The offender is blocked for 120 seconds.
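Before enabling thresholds this tight, it helps to see which existing clients would reach them. The following added example (not part of the original article, and not mod_evasive's own code) replays an access log against the two counters. It assumes Common Log Format and counts per whole log second, which only approximates the module's per-hit timers; the log lines are constructed:

```shell
#!/bin/sh
# Replay a Common Log Format access log against the thresholds above and
# list the hosts that would have been blocked, before enabling the module.
PAGE_COUNT=2    # DOSPageCount: hits on one URI per second
SITE_COUNT=30   # DOSSiteCount: hits on the whole site per second

would_block() {   # stdin: access log; stdout: "ip reason second [uri]"
    awk -v pc="$PAGE_COUNT" -v sc="$SITE_COUNT" '
    {
        ip  = $1
        sec = substr($4, 2)       # "[10/Oct/2023:13:55:36" -> drop the "["
        uri = $7
        sub(/\?.*/, "", uri)      # count by path, ignoring the query string
        # Report each host once, at the first threshold it reaches.
        if (++page[ip, sec, uri] == pc && !(ip in hit)) {
            hit[ip] = 1; print ip, "page", sec, uri
        }
        if (++site[ip, sec] == sc && !(ip in hit)) {
            hit[ip] = 1; print ip, "site", sec
        }
    }'
}

sample_log() {   # constructed log lines, not real traffic
    cat <<'EOF'
198.51.100.7 - - [10/Oct/2023:13:55:36 +0000] "GET /index.php HTTP/1.1" 200 5120
198.51.100.7 - - [10/Oct/2023:13:55:36 +0000] "GET /css/site.css HTTP/1.1" 200 812
198.51.100.7 - - [10/Oct/2023:13:55:36 +0000] "GET /js/app.js HTTP/1.1" 200 2048
203.0.113.9 - - [10/Oct/2023:13:55:36 +0000] "POST /login.php HTTP/1.1" 200 310
203.0.113.9 - - [10/Oct/2023:13:55:36 +0000] "POST /login.php HTTP/1.1" 200 310
203.0.113.9 - - [10/Oct/2023:13:55:37 +0000] "POST /login.php HTTP/1.1" 200 310
198.51.100.20 - - [10/Oct/2023:13:55:38 +0000] "GET /api/status HTTP/1.1" 200 42
198.51.100.20 - - [10/Oct/2023:13:55:38 +0000] "GET /api/status HTTP/1.1" 200 42
EOF
}

sample_log | would_block
```

In the constructed sample, the client polling /api/status twice in one second is listed alongside the repeated login POSTs, which is the kind of false positive to look for before settling on a DOSPageCount of 2.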

◆ Filter visitors' IP addresses. This may be considered an extreme measure, but it gives good results. First, install mod_httpbl, the Apache implementation of Project Honeypot. Once this module is installed and enabled, it can block IP addresses with a history of malicious activity. Another method is to use mod_geoip, which can restrict pages that accept messages, registrations, and logins to visitors from certain countries. It can even block or allow visitors from certain countries server-wide.

Other recommended Apache options include setting the Timeout option to a lower value, for example 15 seconds. This shortens the time the Web server waits for certain events and limits the impact of DoS attacks. The official Apache documentation and its Security Tips (http://httpd.apache.org/docs/2.3/misc/security_tips.html) are worth further reading.

