Secure configuration and maintenance of Apache WEB Server

Source: Internet
Author: User
Tags: apache, error log, definition, ftp, http request, valid domain name, access, password protection

Preface: In the current Internet age a company's home page has become an important means of presenting its image to the world, so configuring a strong and secure web server is especially important. Apache is one of the most widely used web server products and is designed with security in mind, but like any other application it still has security flaws. This article describes in detail how to configure and maintain the Apache web server securely.

1. Introduction to the Apache server

The Apache server is one of the most widely used web server programs on the Internet. It originated in a web server project at the U.S. National Center for Supercomputing Applications (NCSA) and now holds the leading position on the Internet. The Apache server can be carefully configured to handle high-load, high-volume Internet work. It is fast and reliable, its simple API allows extensions (the Perl/Python interpreters can be compiled into the server), it is completely free, and its source code is fully open. If you need to build a web server that serves millions of visitors per day, Apache may be the best choice.

2. The main security flaws of the Apache server

As we said in the preface, although the Apache server is the most widely used and is designed to be a very secure program, like other applications it also has security flaws. Its source is completely open, and its security weaknesses fall mainly into three categories: denial-of-service (DoS) attacks using the HTTP protocol, buffer overflow attacks, and attacks in which the attacker obtains root privileges, plus the latest malicious denial-of-service attack. A reasonable network configuration protects the Apache server from many of these attacks. Let us introduce the major security flaws:

(1) Denial-of-service (DoS) attacks using the HTTP protocol

In this approach the attacker uses some means to make the server keep responding to HTTP requests, which increases Apache's demand for system resources (CPU time and memory) and eventually makes the Apache system slow or completely paralysed.

(2) Security flaws from buffer overflows

This method exploits defects in how a program was written to make it deviate from its normal flow. A program that uses statically allocated memory to hold request data can have that buffer overflowed when an attacker sends an overly long request; some gateway scripts written in Perl to handle user requests are examples. Once the buffer overflows, the attacker can execute malicious instructions or cause the system to go down.

(3) The security flaw by which an attacker obtains root permission

The main reason for this security flaw is that the Apache server's parent process typically runs as root; an attacker who compromises it obtains root privileges and thereby controls the entire Apache system.

(4) The security flaw of the malicious attacker's denial-of-service (DoS) attack

This latest vulnerability, discovered on June 17, lies mainly in Apache's handling of chunked encoding, a feature defined by the HTTP protocol for accepting data submitted by web users. The attack program can be used to effectively attack Apache servers running on the FreeBSD 4.5, OpenBSD 3.0/3.1 and NetBSD 1.5.2 platforms.

All of this shows that running the latest security-patched version is critical to the security of the Apache web server. Apache server administrators should download patches from http://www.apache.org/dist/httpd/ to ensure the security of their web servers.

3. Correctly maintain and configure the Apache server

Although the Apache server's developers pay great attention to security, Apache is a huge project and security risks are inevitable, so it is important to maintain and configure the Apache web server properly. Some of the issues we should be aware of:

(1) Apache server configuration files

The Apache web server has three main configuration files, located in the /usr/local/apache/conf directory:

httpd.conf -----> main configuration file
srm.conf ------> resource configuration
access.conf ---> access rights for files

Note: for the specific configuration directives refer to http://httpd.apache.org/docs/mod/core.html. In current Apache releases srm.conf and access.conf are no longer used; all of these directives are placed in httpd.conf.

(2) Log files of the Apache server

We can use the LogFormat directive to control what is written to the log file. The client IP address and remote logname of each HTTP request can be logged with LogFormat "%a %l". For security reasons we should at least be able to see in the log which web users failed authentication; adding the conditional item %401u to the LogFormat in httpd.conf records the user name only for requests that were answered with status 401. The directive has many other parameters; refer to the Apache documentation. In addition, the Apache error log is also important to the system administrator: it records server startup and shutdown, CGI execution failures and similar events. For more, see the Apache Log series, parts 1-5.
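The following is an added example, not code from the article: it parses access-log lines written with a LogFormat that includes the %401u field described above and reports client addresses whose presented credentials were rejected repeatedly. The LogFormat string, the sample log lines and the threshold are constructed for this example.

```python
# Added example (not from the article): detect repeated failed Basic-auth
# attempts in an Apache access log that uses the "%401u" conditional field.
# Assumed LogFormat (constructed for this example):
#   LogFormat "%a %l %401u %t \"%r\" %>s %b" authlog
import re
from collections import defaultdict

LINE_RE = re.compile(
    r'^(?P<ip>\S+) (?P<logname>\S+) (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<request>[^"]*)" (?P<status>\d{3}) (?P<bytes>\S+)$'
)

# Constructed sample log. With %401u the user name is written only on 401
# responses; the first, credential-less challenge also gets a 401 but shows "-".
SAMPLE_LOG = """\
198.51.100.7 - - [10/Oct/2000:13:55:30 -0700] "GET /members/ HTTP/1.0" 401 381
198.51.100.7 - username1 [10/Oct/2000:13:55:36 -0700] "GET /members/ HTTP/1.0" 401 381
198.51.100.7 - username1 [10/Oct/2000:13:55:40 -0700] "GET /members/ HTTP/1.0" 401 381
198.51.100.7 - admin [10/Oct/2000:13:55:44 -0700] "GET /members/ HTTP/1.0" 401 381
203.0.113.9 - - [10/Oct/2000:13:56:01 -0700] "GET /members/ HTTP/1.0" 401 381
203.0.113.9 - - [10/Oct/2000:13:56:05 -0700] "GET /members/ HTTP/1.0" 200 2326
this line is deliberately malformed and must be skipped
"""


def parse_line(line):
    """Return the fields of one log line as a dict, or None if it does not match."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def failed_logins(log_text, threshold=2):
    """Map each client IP with at least `threshold` rejected credentials to the
    number of rejections and the sorted user names it tried."""
    counts = defaultdict(lambda: {"count": 0, "users": set()})
    for line in log_text.splitlines():
        rec = parse_line(line)
        # A 401 that carries a user name means credentials were presented and rejected.
        if rec and rec["status"] == "401" and rec["user"] != "-":
            counts[rec["ip"]]["count"] += 1
            counts[rec["ip"]]["users"].add(rec["user"])
    return {
        ip: {"count": v["count"], "users": sorted(v["users"])}
        for ip, v in counts.items()
        if v["count"] >= threshold
    }


if __name__ == "__main__":
    for ip, info in failed_logins(SAMPLE_LOG).items():
        print(f"{ip}: {info['count']} rejected logins as {', '.join(info['users'])}")
```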

(3) Directory security authentication on the Apache server

The Apache server allows .htaccess files to be used for directory security: to read a protected directory the user must first enter a correct user account and password. This can be used for a special management area of the web site or for a members' area.

Place a file named .htaccess in the protected directory with the following contents:

AuthName "Member zone"
AuthType Basic
AuthUserFile /var/tmp/xxx.pw -----> keep the password file outside the site's document root
Require valid-user

Then go to the apache/bin directory and build the password file:

% ./htpasswd -c /var/tmp/xxx.pw username1 -----> the file is created for the first user with the -c parameter

% ./htpasswd /var/tmp/xxx.pw UserName2

This protects the contents of the directory so that only legitimate users can access it.

Note: this requires Apache's authentication module to be loaded. You can also add the following to httpd.conf (the directory path is a placeholder for the protected directory):

<Directory /path/to/protected/directory>
Options Indexes FollowSymLinks
AllowOverride AuthConfig
Order allow,deny
Allow from all
</Directory>

(4) Apache server access control

Now look at the third of the three configuration files, access.conf, which contains directives controlling which users are allowed to access Apache directories. You should set Deny from all as the initial rule and then use Allow from to open access.

<Directory /usr/local/http/docs/private>
Order deny,allow
Deny from all
Allow from safechina.net
</Directory>

This setting allows access only from the named domain; Allow from also accepts an IP address or an IP address range. Note that a <Limit> container restricts only the HTTP methods named in it, so placing the Order, Deny and Allow directives directly inside the <Directory> container applies the rule to every request method. This Order/Deny/Allow syntax is that of Apache 2.2 and earlier; Apache 2.4 expresses the same policy with Require directives.

(5) Password protection on the Apache server

We can also use a .htaccess file to grant access rights on a directory to a particular user. The system administrator must first enable per-directory access control with the AccessFileName directive in httpd.conf or srm.conf. For example:

AuthName PrivateFiles
AuthType Basic
AuthUserFile /path/to/httpd/users
Require user Phoenix

# htpasswd -c /path/to/httpd/users Phoenix
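Both (3) and (5) rely on the password file that htpasswd builds for AuthUserFile. The following added example (not code from the article or from Apache) re-implements the "$apr1$" MD5-based hash that htpasswd writes by default, so the file's contents can be understood and verified offline; the user names and passwords in the test are constructed.

```python
# Added example (not from the article): the "$apr1$" MD5-based hash that Apache's
# htpasswd writes by default into the AuthUserFile password file, re-implemented
# with the standard library, plus a lookup that verifies a user:hash line.
import hashlib
import secrets

ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
MAGIC = "$apr1$"


def _to64(v, n):
    """htpasswd's own base64 variant: n characters, least significant 6 bits first."""
    return "".join(ITOA64[(v >> (6 * k)) & 0x3F] for k in range(n))


def apr1_hash(password, salt=""):
    """Return "$apr1$<salt>$<hash>"; a random 8-char salt is drawn if none is given."""
    pw = password.encode()
    salt = (salt or "".join(secrets.choice(ITOA64) for _ in range(8)))[:8]
    sp = salt.encode()
    ctx = hashlib.md5(pw + MAGIC.encode() + sp)
    final = hashlib.md5(pw + sp + pw).digest()
    for n in range(len(pw), 0, -16):      # mix in len(pw) bytes of the inner digest
        ctx.update(final[: min(n, 16)])
    i = len(pw)
    while i:                              # bit-dependent padding step of md5crypt
        ctx.update(b"\0" if i & 1 else pw[:1])
        i >>= 1
    final = ctx.digest()
    for i in range(1000):                 # fixed 1000-round stretching loop
        c = hashlib.md5()
        c.update(pw if i & 1 else final)
        if i % 3:
            c.update(sp)
        if i % 7:
            c.update(pw)
        c.update(final if i & 1 else pw)
        final = c.digest()
    groups = ((0, 6, 12), (1, 7, 13), (2, 8, 14), (3, 9, 15), (4, 10, 5))
    out = "".join(_to64((final[a] << 16) | (final[b] << 8) | final[d], 4) for a, b, d in groups)
    return MAGIC + salt + "$" + out + _to64(final[11], 2)


def check_user(passwd_text, user, password):
    """True if user appears in the password-file text and password matches its $apr1$ hash."""
    for line in passwd_text.splitlines():
        name, _, stored = line.partition(":")
        if name == user and stored.startswith(MAGIC):
            salt = stored[len(MAGIC):].split("$", 1)[0]
            return secrets.compare_digest(apr1_hash(password, salt), stored)
    return False
```

This construction is fast to brute-force offline if the password file leaks, which is why the article's advice to keep it outside the document root matters; on Apache 2.4, htpasswd -B writes bcrypt hashes instead and is preferable where supported.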

4. Set up the Apache server as a web and file server

We store the web server's files on the Apache server for users to access, and set the /home/ftp/pub directory as the file storage area, accessed via http://download.XXXX.com/pub/. Apache reverse proxy technology is set up on the firewall, so that the server is reached through the firewall's proxy.

(1) Apache server settings

The Apache server uses the default configuration: the home directory is /home/httpd/html, the host name is Phoenix.XXXX.com and its alias is Www.XXXX.com. Add one Alias line to srm.conf, defined as follows:

Alias /pub/ /home/ftp/pub/

Change the default application type definition as follows:

DefaultType application/octet-stream

Finally, add the following definition to /etc/httpd/conf/access.conf:

<Directory /home/ftp/pub>
Options Indexes
AllowOverride AuthConfig
Order allow,deny
Allow from all
</Directory>

Note: Options Indexes allows a directory/file listing to be shown when no index.html file is found. AllowOverride AuthConfig enables basic user name and password authentication. In this case, put the following .htaccess file in the /home/ftp/pub directory:

[root@shopu pub]# more .htaccess
AuthName "Branch Office Public Software Download Area"
AuthType Basic
AuthUserFile /etc/.usrpasswd
Require valid-user

Use # htpasswd -c /etc/.usrpasswd user1 to create separate external user names and passwords that allow access to the file service under /pub.

(2) Reverse proxy configuration on the firewall

Add the following to /etc/httpd/conf/httpd.conf:

NameVirtualHost xxx.xxx.xxx.xxx
# xxx.xxx.xxx.xxx -----> the firewall's permanent IP address on the Internet
# xxx.xxx.xx.x -------> the IP address of the Apache server behind the firewall

<VirtualHost xxx.xxx.xxx.xxx>
ServerName www.XXXX.com
ErrorLog /var/log/httpd/error_log
TransferLog /var/log/httpd/access_log
RewriteEngine on
ProxyRequests off
UseCanonicalName off
# the [P] flag proxies the request to the Apache server instead of redirecting the client to it
RewriteRule ^/(.*)$ http://xxx.xxx.xx.x/$1 [P]
</VirtualHost>

<VirtualHost xxx.xxx.xxx.xxx>
ServerName download.XXXX.com
ErrorLog /var/log/httpd/download/error_log
TransferLog /var/log/httpd/download/access_log
RewriteEngine on
ProxyRequests off
UseCanonicalName off
RewriteRule ^/(.*)$ http://xxx.xxx.xx.x/$1 [P]
</VirtualHost>

Set up DNS on the firewall so that both download.XXXX.com and www.XXXX.com point to the firewall's external network address xxx.xxx.xxx.xxx. Use http://www.XXXX.com to access the home page and http://download.XXXX.com/pub/ to access the public file download area.

Note: the directory /var/log/httpd/download/ must also be created on the Apache server host, otherwise an error occurs. Alternatively, you can set the permissions of /home/httpd/html/index.html on the firewall host to 750 to block access, which prevents external users from reaching the Apache server's home page at http://www.XXXX.com through the firewall.

Summary: the Apache server is an excellent server; as long as you configure and maintain it correctly, you will feel its benefits.



  
