Linux server security policy details (11)

Article Title: Linux server security policy details (11 ). Linux is a technology channel of the IT lab in China. Includes basic categories such as desktop applications, Linux system management, kernel research, embedded systems, and open source.

6.3 configure a safe Apache server

Reasonable network configuration can protect Apache servers from many attacks.

6.3.1 frequent Patching

The latest changelogs on http://www.apache.org/contain the words bug fix and security bug fix. Therefore, Linux network administrators should pay attention to website defects and promptly upgrade the system or add patches. The use of the highest and latest Security versions is essential to enhance the security of Apache Web servers. Upgrade OpenSSL to version 0.9.6e or later. Forged keys do not work and cannot penetrate into the system. Some anti-virus programs can discover and kill the SSL worm, but the worm may generate variants to escape the pursuit of anti-virus software. Restarting Apache can kill such viruses, but it does not make any sense to prevent future infections.

　6.3.2 hide and disguise Apache versions

Generally, software vulnerability information is related to a specific version. Therefore, the version number is the most valuable to hackers.

By default, the System Displays all Apache modules (http return headers ). If the directory is listed, the domain name information (file list body) is displayed. the Apache version number can be removed by modifying the configuration file/etc/httpd. conf. Find the ServerSignature keyword and set it:

ServerSignature Off

ServerTokens Prod

Then restart the Apache server.

By analyzing the types of Web servers, We can roughly predict the types of operating systems. For example, in Windows, IIS is used to provide HTTP services, while in Linux, Apache is the most common.

There is no information protection mechanism in the default Apache configuration and directory browsing is allowed. You can obtain information similar to "Apache/1.3.27 Server at apache.linuxforum.net Port 80" or "Apache/2.0.49 (Unix) PHP/4.3.8" through directory browsing.

You can hide Apache Information by modifying the ServerTokens parameter in the configuration file. However, Apache running in Red Hat Linux is a compiled program, prompting that the information is compiled in the program. To hide the information, you need to modify the Apache source code, and then re-compile and install the program, to replace the prompt content.

Take Apache 2.0.50 as an example. Edit the ap_release.h file and change "# define AP_SERVER_BASEPRODUCT \" Apache \ "to" # define AP_SERVER_BASEPRODUCT \ "Microsoft-IIS/5.0 \"". Edit the OS/unix/OS. h file and change "# define PLATFORM \" Unix \ "to" # define PLATFORM \ "Win32 \"". After modification, recompile and install Apache.

After installing Apache, modify the httpd. conf configuration file, change "ServerTokens Full" to "ServerTokens Prod", change "ServerSignature On" to "ServerSignature Off", and then save the disk and exit. After restarting Apache, run a tool to scan and find that the operating system is Windows.

　　6.3.3. Establish a secure directory structure

The Apache server contains the following four main directories.

-ServerRoot: stores configuration files (conf sub-Directories), binary files, and other server configuration files.

-DocumentRoot: saves the content of the Web site, including HTML files and images.

-ScripAlias: Save the CGI script.

-Customlog and Errorlog: Save the access log and Error Log.

We recommend that you set such a directory structure. The above four main directories are independent of each other and there is no parent-child logical relationship.

Prompt that the ServerRoot directory should be configured to be accessible only by root users; DocumentRoot should be accessible to users who manage Web site content and to Apache users and Apache user groups on the Apache server; the ScriptAlias directory should be accessible only by CGI developers and Apache users; only root users can access the log directory.

[1] [2] [3] [4] [5] [6] [7] [8] [9] [10] Next page