Setting up a web server on a Linux distribution is quick, but securing that configuration can take some time. This article shows how to use access control and authentication policies effectively to make your Apache web server more secure. All the examples below assume that you are using Ubuntu 7.10 and have completed a basic Apache configuration. The examples will nevertheless help anyone running Apache to achieve greater security, because they also apply to other Linux systems. Test the methods described in this article on a test server before migrating them to a production web server.
I. File Permissions and Access Control
1. Users and groups
The first thing to ensure is that Apache does not run as root, because if Apache is compromised, the attacker gains control of the root account. Let's check which user and group Apache is running as.
Run the following command:
# ps auwwfx | grep apache
www-data 25675 0.0 0.0 10348 508 ? S Jan21 0:00 \_ /usr/sbin/apache2 -k start
www-data 25686 0.0 0.2 231816 2208 ? Sl Jan21 0:00 \_ /usr/sbin/apache2 -k start
www-data 25688 0.0 0.2 231816 2200 ? Sl Jan21 0:00 \_ /usr/sbin/apache2 -k start
Here www-data is the user that runs Apache. If Apache is running as root instead, create a new user and group and edit the Apache configuration:
# groupadd www-data
# useradd -g www-data www-data
# vi /etc/apache2/apache2.conf
Change:
User root
Group root
to:
User www-data
Group www-data
Then reload Apache to make the change take effect:
# /etc/init.d/apache2 reload
2. Served file permissions
One of the most easily overlooked security issues is how to use the chmod command correctly. For example, an index.cgi file is created in the Apache html root directory, but access is denied when the file is opened in a browser. To make index.cgi work, we run chmod 777 index.cgi. Does every Apache administrator consider the security implications when trying this? The answer is no. So how can we make the permissions safe enough while still allowing the index.cgi script to run properly?
Apache needs permission to access the index.cgi file. However, we do not want everyone to be able to read and write index.cgi. The owner of the file should have permission to read and write it. To do this, we need the following command:
# chmod 755 index.cgi
It is important to add the following lines to your apache2.conf file:
Options FollowSymLinks
AllowOverride None
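The two checks from this section can be scripted. The following shell script is an added example, not part of the original article: it reports the User and Group an Apache configuration file sets, lists files under a directory that are world-writable (the result of chmod 777), and removes the excess write bits. The function names and the temporary sample files are constructed for illustration, and it generalizes the single index.cgi case to every file under a directory.

```shell
#!/bin/sh
# Added example (not from the original article): audit the two settings above.

# Print the User/Group set in Apache config file $1 (last occurrence reported).
# Returns 1 if either is root, 2 if a directive is missing.
# Note: values such as ${APACHE_RUN_USER} are printed unresolved.
check_run_as() {
    user=$(awk 'tolower($1) == "user"  { v = $2 } END { print v }' "$1")
    group=$(awk 'tolower($1) == "group" { v = $2 } END { print v }' "$1")
    echo "User=$user Group=$group"
    [ -n "$user" ] && [ -n "$group" ] || return 2
    [ "$user" != root ] && [ "$group" != root ]
}

# List regular files under directory $1 that "other" can write (777, 666, ...).
find_world_writable() {
    find "$1" -type f -perm -0002 -print
}

# Remove group/other write from those files: 777 -> 755, 666 -> 644.
tighten() {
    find "$1" -type f -perm -0002 -exec chmod go-w {} +
}

# Constructed sample: a throwaway directory and config, not real server paths.
demo() {
    d=$(mktemp -d)
    printf 'User root\nGroup root\n' > "$d/bad.conf"
    printf '#!/bin/sh\necho ok\n' > "$d/index.cgi"
    chmod 777 "$d/index.cgi"
    check_run_as "$d/bad.conf" || echo "WARNING: Apache is configured to run as root"
    echo "World-writable before: $(find_world_writable "$d")"
    tighten "$d"
    echo "World-writable after:  $(find_world_writable "$d")"
    rm -rf "$d"
}
demo
```

On a real server, point check_run_as at /etc/apache2/apache2.conf and find_world_writable at the document root, and review the list before running tighten.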