How to harden your Apache configuration: 20 tips

Source: Internet
Author: User

 

Source: http://www.webdn.com/web_file/program/jsp/0602080486/

Statement: nothing about security is guaranteed or absolute. These suggestions can make your server safer, but do not consider your server secure just because you have followed them. Some of them may also reduce server performance or cause problems in your particular environment. It is up to you to decide whether any change suggested here is appropriate for your needs; in other words, you apply them at your own risk.

1. Make sure you have installed the latest patches

If the door is open, locking the windows makes no sense. Likewise, if you do not keep Apache patched, there is little point in doing anything else on this list.

2. Hide the Apache version number and other sensitive information

By default, many Apache installations announce the version number, the operating system version, and even the Apache modules installed on the server. This information is useful to an attacker, and it also tells them that many of the settings on your server are still at their defaults.

Add the following two directives to your httpd.conf:

ServerSignature Off

ServerTokens Prod

ServerSignature controls the footer that Apache appends to pages it generates itself, such as 404 pages and directory listings. The ServerTokens directive controls what Apache puts in the Server header of its HTTP responses. With ServerTokens Prod the header is reduced to:

Server: Apache

If you really want to go further, you can change the source code to report something other than Apache, or use the mod_security approach described below. Keep in mind that this is only obscurity: the version can still be fingerprinted from the server's behaviour, so it does not replace patching.

3. Ensure that Apache runs under its own user account and group

Some Apache installations run the server as the nobody user. If Apache and, for example, your mail server both run as nobody, a compromise of Apache can be used to attack the mail server, and vice versa. Give Apache a dedicated account and group:

User apache

Group apache

4. Ensure that files outside the web root are not served

Apache should not be able to serve any file outside the web root. Assume all of your web site files live under one directory (for example, /web). You can then deny everything by default and allow only that directory:

<Directory />
    Order Deny,Allow
    Deny from all
    Options None
    AllowOverride None
</Directory>

<Directory /web>
    Order Allow,Deny
    Allow from all
</Directory>

Note: because Options None and AllowOverride None are set on the root directory, all options and overrides are disabled server-wide, and you must enable the specific options or overrides that each directory needs. On Apache 2.4 the Order, Allow and Deny directives come from mod_access_compat; the native equivalents are "Require all denied" in the root block and "Require all granted" in the /web block.

5. Disable directory browsing

You can do this with the Options directive inside a Directory block. Set Options to None or to -Indexes:

Options -Indexes

6. Disable server-side includes

This is also done with the Options directive inside a Directory block. Set Options to None or to -Includes:

Options -Includes

7. Disable CGI execution

If you do not need CGI, disable it. Set Options to None or to -ExecCGI inside the Directory block:

Options -ExecCGI

8. Stop Apache from following symbolic links

As above, set Options to None or to -FollowSymLinks:

Options -FollowSymLinks

If some links are genuinely needed, SymLinksIfOwnerMatch is a middle ground: Apache then follows a link only when the link and its target are owned by the same user.

9. Disable several options at once

To disable all options, it is easy:

Options None

If you only want to turn off specific options, list each one with a leading minus sign:

Options -ExecCGI -FollowSymLinks -Indexes

10. Disable support for .htaccess files

Inside the Directory block, set:

AllowOverride None

If you do need override files, make sure they cannot be downloaded, or give them a name other than .htaccess. For example, rename them to .httpdoverride and then block access to every file whose name starts with .ht:

AccessFileName .httpdoverride

<Files ~ "^\.ht">
    Order allow,deny
    Deny from all
    Satisfy All
</Files>

11. Run mod_security

mod_security, written by Ivan Ristić (the author of Apache Security, published by O'Reilly), is a very useful Apache module. You can use it to implement:

· Simple filtering

· Regular-expression based filtering

· URL encoding validation

· Unicode encoding validation

· Auditing

· Null byte attack prevention

· Upload memory limits

· Server identity masking

· Built-in chroot support

· And more

12. Disable any modules you do not need

Apache usually ships with a number of modules enabled. Read the Apache module documentation to learn what each loaded module does; in many cases you will find that you do not need some of them.

Find the LoadModule lines in httpd.conf. To disable a module, put a # in front of its LoadModule line. To list the modules currently being loaded, run:

grep -i LoadModule httpd.conf

(This only shows modules loaded dynamically; httpd -M lists the statically compiled ones as well.)

The following modules are usually enabled but not widely used: mod_imap, mod_include, mod_info, mod_userdir, mod_status, mod_cgi, and mod_autoindex.
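Most of the checks in points 2, 3, 5 to 10 and 12 can be scripted with the same grep/awk approach as the LoadModule check above. The following POSIX shell script is an added example and is not from the original article or from the linked page; the two httpd.conf samples it writes are constructed for the demonstration, it inspects only the single file it is given (directives pulled in through Include are not followed), and it looks at the <Directory /> block and the last occurrence of each global directive, which is a simplification of how Apache merges its configuration.

```shell
#!/bin/sh
# Added example (not from the original article): audit an httpd.conf against
# points 2, 3, 5-10 and 12 of this list. Both sample configurations written
# below are constructed for the demonstration.

# Last value of a directive anywhere in the file (Apache keeps the last one).
# Directive names are matched case-insensitively; comment lines never match.
directive_value() {  # $1 = config file, $2 = directive name
    awk -v d="$2" 'tolower($1) == tolower(d) { v = $2 } END { print v }' "$1"
}

# Value of a directive inside the <Directory PATH> block (empty if unset).
block_directive() {  # $1 = config file, $2 = directory path, $3 = directive
    awk -v dir="$2" -v d="$3" '
        tolower($1) == "<directory"   { p = $2; gsub(/[">]/, "", p); in_block = (p == dir) }
        tolower($1) == "</directory>" { in_block = 0 }
        in_block && tolower($1) == tolower(d) { $1 = ""; sub(/^ /, ""); v = $0 }
        END { print v }' "$1"
}

# Prints 1 if OPTION is switched on by an Options value, else 0. Words are
# applied left to right; "All", "None" and the +Name/-Name forms are honoured.
option_enabled() {  # $1 = Options value, $2 = option name
    printf '%s\n' $1 | awk -v want="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        { w = tolower($0); sign = substr(w, 1, 1); name = w
          if (sign == "+" || sign == "-") name = substr(w, 2)
          if (name == "all" || name == want) on = (sign != "-")
          else if (name == "none") on = 0 }
        END { print on + 0 }'
}

# Prints one finding per line for the configuration file given as $1.
audit_httpd_conf() {
    conf=$1
    tokens=$(directive_value "$conf" ServerTokens | tr 'A-Z' 'a-z')
    [ "$tokens" = prod ] || echo "ServerTokens is '${tokens:-unset}' (default Full); set ServerTokens Prod"
    sig=$(directive_value "$conf" ServerSignature | tr 'A-Z' 'a-z')
    [ "$sig" = off ] || echo "ServerSignature is '${sig:-unset}'; set ServerSignature Off"
    for d in User Group; do
        who=$(directive_value "$conf" "$d")
        case "$who" in
            ''|nobody|root) echo "$d is '${who:-unset}'; give httpd a dedicated account" ;;
        esac
    done
    opts=$(block_directive "$conf" / Options)
    for o in Indexes Includes ExecCGI FollowSymLinks; do
        [ "$(option_enabled "$opts" "$o")" = 1 ] &&
            echo "Options $o is on in <Directory />; use Options None or -$o"
    done
    ovr=$(block_directive "$conf" / AllowOverride | tr 'A-Z' 'a-z')
    [ "$ovr" = none ] || echo "AllowOverride in <Directory /> is '${ovr:-unset}'; set AllowOverride None"
    # Modules the article lists as commonly loaded but rarely needed.
    for m in imap include info userdir status cgi autoindex; do
        grep -Eiq "^[[:space:]]*LoadModule[[:space:]]+${m}_module" "$conf" &&
            echo "mod_$m is loaded; comment out its LoadModule line if unused"
    done
    return 0
}

WORK=$(mktemp -d)
WEAK_CONF=$WORK/weak.conf
HARD_CONF=$WORK/hardened.conf

# Constructed sample: the permissive defaults this article warns about.
cat > "$WEAK_CONF" <<'EOF'
ServerTokens Full
ServerSignature On
User nobody
Group nobody
LoadModule status_module modules/mod_status.so
LoadModule cgi_module modules/mod_cgi.so
<Directory />
    Options Indexes FollowSymLinks Includes ExecCGI
    AllowOverride All
</Directory>
EOF

# Constructed sample: the same server after applying points 2 to 10 and 12.
cat > "$HARD_CONF" <<'EOF'
ServerTokens Prod
ServerSignature Off
User apache
Group apache
#LoadModule status_module modules/mod_status.so
#LoadModule cgi_module modules/mod_cgi.so
<Directory />
    Options None
    AllowOverride None
</Directory>
EOF

for f in "$WEAK_CONF" "$HARD_CONF"; do
    echo "== $f"
    audit_httpd_conf "$f"
done
```

Against the weak sample the script reports eleven findings (banner, signature, user, group, four Options flags, AllowOverride and two modules); against the hardened sample it reports none. To use it on a real server, source the file and call audit_httpd_conf on your httpd.conf; treat the output as a starting point rather than proof, since per-directory blocks other than <Directory /> and Include'd files are not examined, and on Apache 2.4 you should separately check that Require directives replace Order/Allow/Deny. To confirm point 2 from the outside, compare the result with the Server header of a live response, for example from curl -sI.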

For more methods, see http://www.petefreitag.com/item/505.cfm
