Precautions for Apache Web Server Security Settings

Source: Internet
Author: User
Tags password protection root access least privilege

Comments: Attackers use some methods to make the server refuse to respond to http, which causes Apache to greatly increase the demand for system resources (CPU time and memory), resulting in system slowdown or even complete paralysis of HTTP DoS attacks.
Attackers use some means to make the server refuse to respond to http, which causes Apache to greatly increase the demand for system resources (CPU time and memory), resulting in system slowdown or even complete paralysis, the biggest drawback of Apache server is that its universality makes Apache server a target. Apache server is threatened by DoS attacks all the time, mainly including the following types
1. Packet flood attacks
A Method to interrupt the server or local network is packet flood attacks. It usually uses internet Control Packet Protocol (ICMP, which belongs to the network layer protocol) packet or udp packet. In the simplest form, these attacks overload the server or network load, which means that the attacker's network speed must be faster than the target host's network speed, the advantage of using udp packets is that no packet is returned to the hacker's computer (udp efficiency is 17 times higher than tcp). The advantage of using ICMP packets is that attackers can make attacks richer and more varied, sending defective packets will mess up and lock the victim's network. The current popular trend is that attackers fool servers to believe they are being attacked by their own floods.
2. Disk attacks
This is a very immoral attack. It not only affects computer communication, but also damages its hardware. Forged user requests use write commands to attack the hard disk of the target computer, so that it exceeds the limit, and force close, the ending is miserable.
3. Route inaccessibility
Usually DoS attacks are concentrated on routers. Attackers obtain control and manipulate the target machine first. When attackers can change route table entries, the entire network cannot communicate. This attack is very sinister and concealed, there are many reasons why the network administrator needs to resolve the problem.
4. Distributed Denial of Service Attack
This is also the most threatening DDoS attack. The name is easy to understand. in simple words, it is group Europe. Many clients have a single server at the same time, and you will find that you will be scarred, apache servers are particularly vulnerable to DDos attacks or hidden source attacks, because Apache is everywhere, especially the virus specially designed for Apache (specially selected SSL worm), lurking on many hosts, attackers can use viruses to manipulate a large number of infected machines, launch a massive DDoS attack on a specific target, spread worms to a large number of hosts, and launch large-scale point-to-point attacks, unless you do not provide services, you can hardly prevent such attacks. Such attacks are usually targeted on large websites.
5. Buffer Overflow
This type of attack is common. Attackers use CGI programs to write defective programs that deviate from normal processes. The program uses static memory allocation, so that attackers can send a very long request to overflow the buffer zone. For example, some perl gateway scripts for processing user requests. Once the buffer overflow occurs, attackers can execute malicious commands.
6. Illegal root access
If Apache runs with the root permission, some program logic defects or buffer overflow vulnerabilities on the system may make it easy for attackers to obtain administrator privileges on the linux server on the local system, in some remote cases, attackers may exploit some defective system daemon processes executed as root to obtain root permissions, or exploit the vulnerability of defective service processes to obtain common user permissions, remote login to control the entire system.
These are the attack methods that the service will encounter. Next we will discuss how to build a secure Apache server. If you can follow these suggestions, you will get a relatively secure apache server.
I. Frequent Patching
You must believe that this is the most useful method. Buffer overflow and other vulnerabilities must be prevented using this method. Be diligent and believe that there is no harm to you. In http: the latest changelog on www.apache.org has the following words: bug fix and security bug fix. As a responsible administrator, you must pay attention to related vulnerabilities and promptly upgrade the system to add patches. using the latest security version is critical to strengthening apache.
Ii. Hiding and disguising Apache versions
Disrupting the steps of the attacker may cause trouble to the attacker. I believe the Administrator is willing to see it. the vulnerability information and version of the software are related. It is a good choice to confuse attackers when collecting your service software information. Besides, the version number is as important as GPS Positioning for attackers, by default, the System Displays all apache version modules (http return headers). If a directory is listed, Domain Name Information (file list body) is displayed ), to remove the Apache version, modify the configuration file, find the keyword, and change it to the following:
ServerSignature off
By analyzing the web server type, ServerTokens prod can roughly predict the operating system type. Windows use iis and linux are generally apache. By default, there is no information protection mechanism in Apache configuration and directory browsing is allowed, you can similar to "apache/1.37 Server at apache.linuxforum.net Port 80" or "apache/2.0.49 (unix) PHP/4.3.8" through directory browsing, by modifying the ServerTokens parameter in the configuration file, you can hide Apache-related information. If not, you may be prompted that the information has been compiled in the program. To hide the source code that requires apache Modification, then re-compile the program to replace the content:
Edit the ap_release.h file and modify
"# Define AP_SERVER_BASEPRODUCT" "Apache """
Is
"# Define AP_SERVER_BASEPRODUCT" "Microsoft-IIS/5.0 ""
Edit OS/unix/OS. h file and modify
"# Define PLATFORM" "Unix """
Is
"# Define PLATFORM" 'win32"
After the modification is complete, recompile and install apache. After modifying the configuration file to the previous one, start apache again and use a tool to scan, I found that the prompt information has already been displayed as a windows operating system. By the way, I am not very particular about this forum. This is the wrong message returned from the forum. I felt a bit sweaty, apache/2.2.8 (Ubuntu) DAV/2 SVN/1.4.6 mod_ssl/2.2.8 OpenSSL/0.9.8g Server at forum.ubuntu.org.cn Port 80 indicates that malicious users have a lot of useful information, but it is quite dangerous to be told where the door is.
3. Establish a secure directory structure. The apache server has four directory structures.
ServerRoot # Save the configuration file, binary file, and other server configuration files
DocumentRoot # Save website content, including HTML files and Images
ScripAlias # Save the CGI script
Customlog # Save logs
Errorlog # Save the Error Log
The recommended directory structure is that the preceding four directories are independent of each other and there is no parent-child logical relationship.
Note:
The ServerRoot directory can only be accessed by the root user
The DocumentRoot directory should be accessible to users who manage the content of the web site and apache users and groups who use the apache server.
The ScripAlias directory should be accessible only to CGI developers and apache users.
Customlog and Errorlog can only be accessed by the root user.
The following is an example of a secure directory structure:
+ -------/Etc/
|
| + ----/Http (ServerRoot)
| + ----/Logs (Customlog and Errorlog)
|
+ ------- Var/www
|
| + ---/Cgi-bin (ScripAlias)
| + ---/Html (DocumentRoot)
Such a directory structure is relatively safe, because directories are independent, a directory permission error does not affect other directories
4. Use special users and groups for apache
According to the principle of least privilege, you need to assign an appropriate permission to apache to complete the web service.
Note: the principle of least privilege is one of the most basic principles in system security. It limits the minimum permissions required for users to access the system and data to ensure that users can complete tasks, at the same time, it also ensures the loss caused by theft or abnormal operations.
Make sure that apache uses a dedicated user and group, and do not use the account predefined by the system, such as the nobody user and the nogroup group, because only the root user can run apache, documentRoot should be accessible to users who manage web site content and apache users and groups who use apache servers. For example, if you want "test" users to publish content on the web site, you can run the apache server as httpd. You can set it as follows:
Groupadd webteam
Usermod-G webteam test
Chown-R httpd. webteam/www/html
Chmod-R 2570/www/htdocs
Only the root user can access logs. We recommend this permission.
Chown-R root. root/etc/logs
Chown-R 700/etc/logs 5: web Directory Access Policy
For web directories that can be accessed, you must use a relatively conservative approach, rather than asking users to view any Directory Index list.
Disable directory indexing:
If the file does not exist, apache will create a dynamic list to display the contents of the directory to the user, which will expose the web site structure. Therefore, you need to modify the configuration file to prohibit the display of dynamic directory indexes, modify httpd. conf
Options-Indexes FollowSymLinks
The Options command instructs apache not to use directory indexes. FollowSymLinks indicates that symbolic connections are not allowed.
Disable default access:
You must disable the default access to the specified directory by using the following security policy:
Order deny, allow
Allow from all
Disable User overloading:
In order to prevent users from overloading (modifying) the directory configuration file (htaccess), you can set
AllowOverride None 6: apache server access control
Apache's access. conf file is responsible for setting file access permissions to control access to Internet domain names and IP addresses. For example, you can set access to hosts from 192.168.1.1 to 192.168.1.254.
Order deny, allow
Deny from all
Allow from pair 192.168.1.0/255.255.255.0 7: password protection for apache servers
. The htaccess file is a configuration file on apache, which is a text file ,. the htaccess file provides a way to change the configuration of directories by placing one or more commands in a specific document directory (. to apply to this directory and sub-directory.
.Htaccess's function is to set the webpage password, set the current file when an error occurs, change the name of the initial file (for example, index.html), prohibit reading the file name, redirect the file, add the MIME category, and prohibit files under the directory.
Note :. htaccess is a complete file name, not ***. htaccess or other formats, put one in the/abc directory. the/abc and Its subdirectories are all affected by the htaccess file, but/index.html is not affected.
. The establishment and use of htaccess is more complex. If you are interested, you can reply and ask questions. This is not specific here. This protection is more secure than some programs, that method can be used to obtain the password. htaccess is difficult to crack, but text verification is slow and does not affect a small number of users. However, a large number of users must use the verification with data modules, this requires that the module be enabled when the source code is compiled. It is disabled by default.
8. run apache in "prison"
"Prison" means to use the chroot mechanism to change the root directory that can be seen when a software is running. Simply put, it is restricted to the specified directory, ensure that the software can only act on the directory and subdirectory files, so as to ensure the security of the entire server, even if it is damaged or intruded, the damage is not big.
Previously, daemon on unix/linux was started with root permissions. At that time, it was a matter of course that server software such as apache had to be bound to port 80 to listen for requests, root is the only user with such permissions. With the increase in attack means and intensity, the server will be greatly threatened, you can control the entire system. the current server design is usually started as root, and then the process gives up the root permission and changes to a low-level account to run. this method will obviously reduce the harm to the system, but attackers will still find vulnerabilities to escalate permissions. Even if they cannot obtain root permissions, they can also delete files and modify the homepage.
To further improve system security, the Linux kernel introduces the chroot mechanism. chroot is a system call in the kernel. The software can call the chroot function of the function library to change the directory that a process can see, for example, install apache Software in the/usr/local/httpd directory and start apache as root. The root-authorized parent process will derive several sub-processes running with the nobody permission, and the parent process will listen to port 80, then it is handed over to a sub-process for processing. At this time, the sub-process's directory is inherited from the parent process, that is, the/usr/local/httpd directory, but once the directory permission is set incorrectly, the attacked apache sub-process can access/usr/local,/usr,/tmp or even the entire file system, because the directory of the apache process is still the directory of the entire file system, if you can use chroot to restrict apache to/usr/local/httpd/, all files accessed by apache are restricted to/usr/local/httpd, the role of chroot daemon is to restrict the process permissions under the file directory tree to ensure security.
If you manually supervise apache, it will be very cumbersome and complicated. You need to involve the library files. Here, you can use the jail package to simplify jail's official website: if you are interested, it is a little difficult to go here and do not write down the specific creation process.
9. Prevent Dos attacks on apache servers
Apache services often encounter Dos attacks. The main prevention measures are implemented through the software, apahce Dos Evasive Maneuvers Module, which is a software alternative to mod_access and can defend against DoS attacks, this software can quickly reject repeated requests from the same address to the same URL. by querying a hash table of each sub-process, you can download the software at: http: // online/.securityfocus.com/tools/
10. Reduce CGI and SSI risks
The CGI Script Vulnerability has become the top security risk for WEB servers. It is usually caused by many vulnerabilities in programming CGI scripts. Besides the CGI control vulnerability, pay attention to the legal check of input data during compilation, in addition to the careful use of system calls and other factors, the CGI program owner's ID is used to run these programs. Even if the program is compromised by the vulnerability, only files accessible by this ID are allowed, it will not cause fatal harm to the entire system, so you need to use CGI programs with caution.
Apache version 1.3 integrates the suEXEC program to provide control support for CGI programs for apache. It can regard suEXEC as a package. After Apache receives a call request from the CGI program, send this request to suEXEC to complete the specific call and return the result from suEXEC. suEXEC can solve some security problems, but may affect the speed. If the security requirement is high, we recommend that you use suEXEC. In addition, there is a software CGIWrap, which is highly secure with suEXEC.
Reduce the Risk of SSI scripts. If you run external programs using commands such as exec, there will also be risks similar to CGI scripts. In addition to internal program debugging, you should use:
Disable the option command:
Option IncludesNOEXEC 11: use ssl to reinforce Apache
Servers with SSL functions can improve the security performance of sensitive website pages. SSL can encrypt data streams transmitted over the Internet between SSL and TCP/IP and HTTP, identity Authentication is provided for online shopping without having to worry about stealing credit card information. It is important in e-commerce and web-based email. SSL applications are relatively troublesome. If necessary, you can post or view information.

Contact Us

The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion; products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the content of the page makes you feel confusing, please write us an email, we will handle the problem within 5 days after receiving your email.

If you find any instances of plagiarism from the community, please send an email to: info-contact@alibabacloud.com and provide relevant evidence. A staff member will contact you within 5 working days.

A Free Trial That Lets You Build Big!

Start building with 50+ products and up to 12 months usage for Elastic Compute Service

  • Sales Support

    1 on 1 presale consultation

  • After-Sales Support

    24/7 Technical Support 6 Free Tickets per Quarter Faster Response

  • Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.