Routine maintenance of Apache

Source: Internet
Author: User
I. Main defects of Apache
1: HTTP Denial of Service
2: Buffer Overflow
3: Attackers obtain root privileges
4: Protection of configuration files
5: Server Access Control
6: Password protection
7: Apache Log File
8: Security-related commands
9: Server-Side Includes (SSI) Security
10: Other security tools
11: Conclusion

Summary


This article discusses the security of installing and configuring the Apache web server on the UNIX platform. We assume that the system administrator reading this article has already selected the relevant modules for the site and can configure, build, and troubleshoot the server. The main purpose of this article is to help you set up a secure Apache web server.

Among the many web server products, Apache is the most widely used and is a very secure program. However, like other applications, Apache has security defects. This article mainly discusses three of them: denial of service (DoS) attacks using the HTTP protocol, buffer overflow attacks, and attackers obtaining root privileges. Note: reasonable configuration can protect Apache from many attacks, but DoS attacks at the network layer cannot be prevented by adjusting the Apache configuration. This article covers DoS attacks that use the HTTP (application layer) protocol.

I. Main defects of Apache

1: HTTP Denial of Service

Attackers use various methods to make the server stop responding to HTTP requests. These attacks increase Apache's demand for system resources (CPU time and memory), slowing the system down or even paralyzing it completely.

2: Buffer Overflow

Attackers can exploit programming defects to make a program deviate from its normal flow. When a program uses statically allocated memory to store request data, attackers can send an overly long request to overflow the buffer; some Perl gateway scripts that process user requests are an example. Once the buffer overflows, attackers can execute malicious commands or shut down the system.

3: Attackers obtain root privileges

Apache generally runs with root permission (the parent process). Attackers can use it to obtain root permission and then control the entire system.

Obtain the latest Apache

Using the most secure version is crucial to the security of an Apache web server. You can get the latest Apache version from the official Apache website, http://www.apache.org.

4: Protection of configuration files

The Apache web server has three major configuration files, which are generally located in the /usr/local/apache/conf directory: httpd.conf, srm.conf, and access.conf. These files are the control center of Apache, so you need to understand all three. httpd.conf is the main configuration file, srm.conf allows you to add resource files, and access.conf sets file access permissions. For the configuration of these files, refer to http://httpd.apache.org/docs/mod/core.html

5: Server Access Control

The access.conf file contains directives that control which users are allowed to access Apache directories. Use Deny from all as the initial directive, and then open access with Allow from directives. You can allow access from a domain, an IP address, or an IP address range. For example:

Order deny,allow
Deny from all
Allow from sans.org


6: Password protection

You can use a .htaccess file to grant a user access to a directory. The system administrator needs to use the AccessFileName directive in the httpd.conf or srm.conf file to enable access control for the directory. The following is an example .htaccess file:

AuthName PrivateFiles
AuthType Basic
AuthUserFile /path/to/httpd/users
# foo is a valid user name
Require user foo

Then, use the following command to add a user:

# htpasswd -c /path/to/httpd/users foo


7: Apache Log File

The system administrator can use the LogFormat directive to control what is written to the log files. Use LogFormat "%a %l" to record the IP address and host name of the browser sending an HTTP request. For security reasons, you should add LogFormat "%401u" to the httpd.conf file to record at least those web users who failed authentication. This directive has many other parameters; refer to the Apache documentation. The Apache error log file is also very important to the system administrator: it records server startup, shutdown, CGI execution failures, and other information.
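
Added example (not part of the original article): counting failed Basic authentication attempts from a log written with %401u. The three-field format LogFormat "%a %401u %>s", the function names, the threshold, and the sample log lines are assumptions made for this example.

```python
from collections import Counter

# Assumed format for this example: LogFormat "%a %401u %>s" authfail
# %401u prints the supplied user name only on 401 responses and "-" otherwise.


def failed_logins(lines):
    """Count 401 responses per (client IP, supplied user name)."""
    counts = Counter()
    for line in lines:
        fields = line.split()
        if len(fields) != 3:
            continue  # not in the assumed three-field format
        ip, user, status = fields
        # A 401 with user "-" is the initial challenge, not a failed attempt.
        if status == "401" and user != "-":
            counts[(ip, user)] += 1
    return counts


def noisy_clients(lines, threshold=3):
    """Return client IPs whose failed attempts, over all user names, reach the threshold."""
    per_ip = Counter()
    for (ip, _user), n in failed_logins(lines).items():
        per_ip[ip] += n
    return sorted(ip for ip, n in per_ip.items() if n >= threshold)


# Constructed sample log lines using documentation-range addresses.
SAMPLE_LOG = [
    "192.0.2.10 - 401",       # challenge sent, no credentials yet
    "192.0.2.10 foo 401",     # one mistyped password
    "192.0.2.10 - 200",       # success: %401u prints "-" on non-401 responses
    "203.0.113.7 admin 401",
    "203.0.113.7 root 401",
    "203.0.113.7 foo 401",
    "203.0.113.7 foo 401",
]

if __name__ == "__main__":
    for (ip, user), n in sorted(failed_logins(SAMPLE_LOG).items()):
        print(f"{ip} {user}: {n} failed attempt(s)")
    print("over threshold:", noisy_clients(SAMPLE_LOG))
```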

8: Security-related commands

Some security-related directives can be used in the Apache configuration files. For detailed usage of these directives, see http://httpd.apache.org/docs/mod/directives.html.

Use the following directives to reduce the threat of denial of service:

LimitRequestBody: Numeric parameter that controls the size of HTTP requests.
LimitRequestFields: Numeric parameter that controls the number of request headers.
KeepAlive: sets the connection lifetime.
KeepAliveTimeout: specifies the time to wait for a request.

Use the following directives to help guard against the danger of buffer overflow:

LimitRequestFieldSize: limit the size of each request header.
LimitRequestLine: limit the size of each request line.
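
Added example (not part of the original article): a small audit that reads httpd.conf text and reports which of the request-limit directives listed above are missing, set to 0, or set above a ceiling. The ceiling values, function names, and sample configuration are assumptions made for this example; it checks every occurrence of a directive without modelling which container it appears in.

```python
# Ceilings are assumed values chosen for this example, not from the article.
POLICY = {
    "LimitRequestBody": 10 * 1024 * 1024,  # bytes in the request body
    "LimitRequestFields": 100,             # number of request headers
    "LimitRequestFieldSize": 8190,         # bytes per request header
    "LimitRequestLine": 8190,              # bytes in the request line
    "KeepAliveTimeout": 15,                # seconds (an "ms" suffix is not parsed)
}
ZERO_MEANS_UNLIMITED = {"LimitRequestBody", "LimitRequestFields"}

def collect(conf_text):
    """Map lower-cased directive name -> list of values; skip comments and <Section> tags."""
    seen = {}
    for raw in conf_text.splitlines():
        parts = raw.strip().split(None, 1)
        if not parts or parts[0][0] in "#<":
            continue
        seen.setdefault(parts[0].lower(), []).append(parts[1] if len(parts) > 1 else "")
    return seen

def audit(conf_text):
    """Return (directive, problem) pairs; every occurrence is checked, whatever its context."""
    seen = collect(conf_text)
    findings = []
    for name, ceiling in POLICY.items():
        values = seen.get(name.lower(), [])  # directive names are case-insensitive
        if not values:
            findings.append((name, "not set; the built-in default applies"))
        for value in values:
            if not value.isdigit():
                findings.append((name, f"unparsed value {value!r}"))
            elif int(value) == 0 and name in ZERO_MEANS_UNLIMITED:
                findings.append((name, "0 disables the limit"))
            elif int(value) > ceiling:
                findings.append((name, f"{value} is above the ceiling {ceiling}"))
    return findings

# Constructed sample configuration, not taken from a real server.
SAMPLE = """\
KeepAlive On
KeepAliveTimeout 300
LimitRequestBody 0
limitrequestfields 50
<Directory "/usr/local/apache/htdocs/upload">
    LimitRequestBody 52428800
</Directory>
LimitRequestLine 4094
"""
```

Calling audit(SAMPLE) flags the unlimited and oversized LimitRequestBody values, the missing LimitRequestFieldSize, and the long KeepAliveTimeout.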

Security threats of CGI (Common Gateway Interface)


CGI security is very important. Attackers can exploit CGI defects to obtain system information, execute system commands, and consume system resources. A CGI program that uses static memory allocation may provide an opportunity for buffer overflow attacks; to reduce this risk, programmers should use dynamic memory allocation in CGI code. Beyond what the CGI programmer does, the system administrator can wrap CGI programs (for example, with suEXEC or CGIWrap) to enhance CGI security. The CGI program then runs with the permissions of a separate user, so even if a buffer overflow occurs, it only affects that user's directories and files.

Perl is a very powerful scripting language, mainly used for text processing. Programmers can also make system calls from Perl scripts. A poorly written program opens the door for attackers to break into the server, so take care when using Perl scripts to avoid such vulnerabilities. Before processing request data, a Perl script should call a dedicated check routine to validate the input. In addition, make sure that Apache does not run with root permission, and restrict Perl scripts to running under a specific directory.

9: Server-Side Includes (SSI) Security

With SSI, programmers can create common routines and include them in their code as needed. SSI also allows conditional execution of external programs, which attackers may exploit to make the server execute their malicious programs. Use the IncludesNOEXEC option in the access.conf file to disable the SSI file execution function. However, this setting will cause the server to not execute CGI scripts or programs.

10: Other security tools

Using TCP Wrappers and Tripwire can provide additional protection for your system. You can use TCP Wrappers to control access to Telnet or FTP. Tripwire is a data integrity checking tool that helps system administrators detect whether the system has been changed. You can write specific policies in the Tripwire configuration file to monitor whether the configuration files, data, and CGI files of the web server have been modified.

11: Conclusion


Apache is an excellent web server. Although Apache developers pay great attention to its security, it is inevitable that there will be security risks due to the huge size of Apache. Pay attention to the following issues during Apache installation and maintenance:

1: Check whether the permissions of files and directories are appropriate.
2: Check whether the settings of httpd.conf, srm.conf, and access.conf are appropriate.
3: Enable the server log files to record as much detail as possible.
4: Use a password to protect directories that require special protection (.htaccess).
5: Wrap CGI scripts or programs.
6: If CGI is written in Perl, check its security in detail.
7: Check SSI commands.
8: Use TCP Wrappers and Tripwire.