Common web servers: Apache httpd, Nginx, lighttpd. Web server security has two sides: whether the server itself is secure, and which security features it provides.
Apache Security
Most of Apache's vulnerabilities are caused by its modules; the core has few high-risk vulnerabilities. The modules enabled by default also have few high-risk vulnerabilities; most are concentrated in modules that are not installed or enabled by default.
The first step in checking Apache security is to review the installed modules: remove unnecessary modules, and for each module that is kept, check whether its version has a known security vulnerability.
Once you have customized the Apache installation, create a separate user and group for Apache and run the Apache process as that user. Do not run it with high privileges! The user running Apache should not have a login shell.
Protect Apache's logs, for example by sending them to a remote syslog server in real time, so that an attacker cannot delete traces after a break-in.
Nginx Security
Nginx offers high performance and high concurrency. It has had more high-risk vulnerabilities; the official site, http://nginx.org/en/security_advisories.html, lists the security problems that have been identified. Keep a close eye on vulnerability information and update to a fixed version promptly.
Nginx's flexible configuration can also help mitigate DDoS and CC attacks. The Nginx configuration can perform simple conditional checks, for example on characteristics of the client's User-Agent, a specific Referer, or the source IP, and return a customized response such as an error status code or a redirect.
JBoss Remote Command Execution
JBoss is a popular web container in Java EE environments; if it is improperly configured, it can lead to remote command execution.
By default, JBoss installs a management backend, jmx-console. It gives the administrator advanced features, including configuring MBeans. Accessing /jmx-console on port 8080 reaches the administrative interface, which in a default installation requires no authentication.
In jmx-console there are several ways to execute commands remotely:
Load a WAR package remotely via DeploymentScanner: by default DeploymentScanner checks the URL file:/[jbosshome]/server/default/deploy/, but the addURL() method can add a remote WAR package.
A WAR package can also be deployed through BSH (BeanShell) Deployment: BSH can execute a one-time script or create a service.
For hardening, remove the jmx-console backend: delete jmx-console.war and web-console.war. If the business requires jmx-console, use a strong password, and do not expose the port on which jmx-console runs to the Internet.
Tomcat Remote Command Execution
Apache Tomcat, like JBoss, listens on port 8080 by default. The Tomcat Manager offers operations similar to jmx-console: an administrator can deploy a WAR package through Tomcat Manager (this requires the manager role, which is defined in the configuration file tomcat-users.xml).
Although Tomcat's backend has password authentication, it is still recommended to delete it, to avoid the security risk of it being compromised.
HTTP Parameter Pollution
When a GET or POST request submits two parameters with the same name, for example /?a=value1&a=value2, some server-side environments take only the first or the last value, while others, such as .NET, combine them into a=value1,value2. This behaviour can be used to bypass some server-side logic checks.
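As an added illustration (not part of the original notes), the following Python shows the three resolution behaviours described above for a duplicated parameter, plus a check a server-side handler can use to detect duplicated names before any logic runs; the query string is constructed for the example.

```python
from urllib.parse import parse_qs

# Constructed sample query string with a duplicated parameter "a".
SAMPLE_QUERY = "a=value1&a=value2&b=x"


def parse_query(query: str, policy: str) -> dict:
    """Resolve a query string to one value per name, emulating the three
    behaviours the text describes: keep the first value, keep the last
    value, or join all values with a comma (the .NET-style "value1,value2")."""
    raw = parse_qs(query, keep_blank_values=True)  # name -> list of values
    if policy == "first":
        return {k: v[0] for k, v in raw.items()}
    if policy == "last":
        return {k: v[-1] for k, v in raw.items()}
    if policy == "join":
        return {k: ",".join(v) for k, v in raw.items()}
    raise ValueError(f"unknown policy: {policy}")


def duplicated_params(query: str) -> list:
    """Names that occur more than once. Rejecting requests that contain any
    such name removes the ambiguity that lets one layer's first-or-last
    choice be played against another layer's check."""
    raw = parse_qs(query, keep_blank_values=True)
    return sorted(k for k, v in raw.items() if len(v) > 1)


def main():
    for policy in ("first", "last", "join"):
        print(policy, parse_query(SAMPLE_QUERY, policy))
    print("duplicated names:", duplicated_params(SAMPLE_QUERY))


if __name__ == "__main__":
    main()
```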
Web Server Configuration Security