Major security defects of Apache servers

As we mentioned in the preface, although the Apache server is the most widely used, it is designed to be a very secure program. However, Apache also has security defects like other applications. After all, it is the full source code. The security defect of Apache server is mainly the denial of service (denial of service) attacks using HTTP), buffer overflow attacks, root permissions granted by attackers, and the latest malicious attackers initiate DoS attacks. Reasonable network configuration can protect Apache servers from multiple attacks. Let's introduce the main security defects:
(1) security defects of denial of service attacks using HTTP
In this way, attackers can use some methods to make the server refuse to respond to HTTP requests. This will increase Apache's demand for system resources (CPU time and memory), resulting in a slowdown or even complete paralysis of the Apache system.
(2) security defects of Buffer Overflow
In this method, attackers use some defects in programming to make the program deviate from the normal process. The program uses the static allocated memory to store request data. attackers can send an ultra-long request to overflow the buffer.
(3) security defects caused by attackers to gain root privileges
This security defect is mainly caused by the fact that Apache servers generally run with the root permission (parent process), through which attackers can obtain the root permission to control the entire Apache system.
(4) security defects caused by DoS attacks by malicious attackers
This latest vulnerability found in June 17 mainly exists in Apache's chunk encoding, which is an HTTP protocol-Defined Function for receiving data submitted by web users. All said that the use of the highest and latest Security versions is essential to enhance the security of Apache Web servers.
Ask the majority of Apache server administrators to go to http://www.apache.org/dist/httpd/download the patch program to ensure the security of their webserver!

Correctly maintain and configure the Apache server

Although Apache server developers pay great attention to security, due to the huge project of Apache server, there will inevitably be security risks. It is important to correctly maintain and configure the Apache WEB server. Notes:

(1) Apache server configuration file
The Apache Web server has three configuration files, which are located in the/usr/local/apache/conf directory. The three files are:

Httpd. conf -----> main configuration file
Srm. conf ------> Add Resource file
Access. conf ---> set Object access Permissions

Note: Specific configuration can refer to: http://httpd.apache.org/docs/mod/core.html

(2) Directory Security Authentication for Apache servers
In Apache Server,. htaccess is allowed for Directory Security protection. to read the protected directory, you must first enter the correct user account and password. This can be used as a directory for specialized management of web page storage or as a Member area. Put an archive in the protected directory named. htaccss
AuthName "member Zone"
AuthType "Basic"
AuthUserFile "/var/tmp/xxx. pw "-----> put the password outside the website require valid-user to the apache/bin directory and create the password file %. /htpasswd-c/var/tmp/xxx. pw username1 -----> the parameter "-c" %/htpasswd/var/tmp/xxx must be used for the first file creation. pw username2 can protect contents in the directory and use valid users to access the directory.

Note: The modules attached to Apache are used.

You can also add the following to httpd. conf:
Options indexes followsymlinks
Allowoverride authconfig
Order allow, deny
Allow from all

(3) Apache server access control

We need to look at the third file in the three configuration files, namely the access. conf file, which contains instructions to control which users are allowed to access the Apache directory. Set deny from all as the initialization command, and then use the allow from command to open the access permission.

　　
　　
Order deny, allow
Deny from all
Allow from safechina.net
　　
　　
Allows access from a domain, IP address, or IP address segment.

(4) password protection for Apache servers

We then use the. htaccess file to grant the access permission of a directory to a user. The system administrator needs to use the AccessFileName command in the httpd. conf or rm. conf file to open the access control of the directory. For example:

AuthName PrivateFiles
AuthType Basic
AuthUserFile/path/to/httpd/users
Require Phoenix
# Htpasswd-c/path/to/httpd/users Phoenix

Configure the WEB and file servers of the Apache server

We store WEB server files on the Apache server for user access, and set the/home/ftp/pub directory as the file storage area. Use http://download.your.com/pub/to prepare the file. Set apache reverse proxy technology on the firewall for access by the firewall proxy.
　
(1) Apache server settings

The default configuration is used for the apache server. The main directory is/home/httpd/html, the host domain name is Phoenix.your.com, And the alias is in www.your.com. The definition of setting srm. conf and adding an alias is as follows:

Alias/pub/home/ftp/pub/

The definition of changing the default application type is as follows:
DefaultType application/octet-stream

Add a definition in/etc/httpd/conf/access. conf.
Options Indexes
AllowOverride AuthConfig
Order allow, deny
Allow from all

Note: Options indexesallows you to list directories and files without finding the index.html file. AllowOverride AuthConfig allows you to perform basic user name and password verification. In this case, put. htaccess in the/home/ftp/pub directory. The content is as follows:
[Root @ pub] # more. htaccess
AuthName Branch Office Public Software Download Area
AuthType Basic
AuthUserFile/etc/. usrpasswd
Require valid-user
Use # htpasswd-c/etc/. usrpasswd user1 to create different external usernames and passwords that allow access to file services in/pub.
　
(2) Configure reverse proxy technology on the firewall.
　
Add NameVirtualHost xxx. xxx # xxx. xxx -----> to/etc/httpd/conf/httpd. conf, which is the permanent IP address of the firewall on the Internet.
Servername www.your.com
Errorlog/var/log/httpd/error_log
Transferlog/var/log/httpd/access_log
Rewriteengine on
Proxyrequests off
Usecanonicalname off
Rewriterule ^/(. *) $ http://xxx.xxx.xx.x/#1 IP address of the Apache server.

Servername http://download.your.com/pub/
Errorlog/var/log/httpd/download/error_log
Transferlog/var/log/httpd/download/access_log
Rewriteengine on
Proxyrequests off
Usecanonicalname off
Rewriterule ^/(. *) $ http://xxx.xxx.xx.x/1121 the IP address of the Apache server.

Set the DNS on the firewall so that both download.your.com and www.your.com point to the firewall's external network address xxx.
Visit the home page with a http://www.your.com and use the Download Area of the public file http://download.your.com/pub.

Note: you also need to create the directory/var/log/httpd/download/on the apache server host; otherwise, an error will occur. In addition, you can set the/home/httpd/html/index.html attribute on the firewall host to 750 to block access, this is the http://www.your.com that prevents external users from accessing the Apache server on the firewall.

Conclusion: Apache Server is a very good Server. As long as you correctly configure and maintain the Apache Server,
You will feel the benefits of Apache Server, and hope that you can achieve the goal of both theoretical and practical success by reading this article.

Verify your Apache source path

Do not search for a suitable Apache version on Google. If you need to download the latest version of Apache, you 'd better download it through an authoritative image site. However, this may also cause problems. In fact, hackers have intruded into the official website of apache.org. Therefore, it is particularly important to use PGP-like tools to verify Apache's digital signature.

Update Apache Patches

If you have installed Apache, you must promptly update the Security Patch. If no updates are made in time, your system will be vulnerable to high-risk viruses on the Internet. Fortunately, there are several simple ways to update Apache patches. Refer to our article on keeping Apache patches updated