Web Server Configuration Security

Source: Internet
Author: User
Tags: jboss, strong password, apache, tomcat

Common web servers: Apache httpd, Nginx, lighttpd. Web server security has two sides: whether the server software itself is secure, and which security features it makes available to the applications behind it.

Apache Security

Most Apache vulnerabilities come from Apache modules; the core has had few high-risk vulnerabilities. The modules enabled by default have also had few high-risk vulnerabilities; most high-risk issues are concentrated in modules that are not installed or not enabled by default.

The first step in checking Apache security is therefore to audit the installed modules: remove every module that is not needed, and for each module that must stay, check whether its version has known security vulnerabilities.

Once the Apache installation has been trimmed down, create a dedicated user and group for Apache and configure the Apache worker processes to run as that user (the User and Group directives in httpd.conf). The parent process still needs root to bind port 80, but the workers that handle requests must never run with high privileges, and the Apache user should have no login shell (for example /sbin/nologin).

Protect the Apache logs as well, for example by forwarding them in real time to a remote syslog server, so that an attacker who breaks in cannot delete the traces of the intrusion afterwards.
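The two checks above, the module audit and the service account, as an added example written for this page (not code from the original article). The `apachectl -M` output and the /etc/passwd lines are constructed sample data, and ALLOWED_MODULES is a hypothetical allowlist for one site; the live_modules() helper runs the real command on a host that has Apache installed.

```python
"""Added example: audit an Apache build for unneeded modules and check the
service account it runs as. Sample data below is constructed, not captured."""
import re
import subprocess

# Constructed sample of `apachectl -M` output: the real command prints
# "Loaded Modules:" followed by one "<name>_module (static|shared)" per line.
SAMPLE_APACHECTL_M = """\
Loaded Modules:
 core_module (static)
 so_module (static)
 http_module (static)
 mpm_event_module (shared)
 authz_core_module (shared)
 dir_module (shared)
 mime_module (shared)
 log_config_module (shared)
 status_module (shared)
 userdir_module (shared)
 cgi_module (shared)
"""

# Modules this hypothetical site actually needs. Anything loaded that is
# not on this allowlist is flagged for removal or explicit justification.
ALLOWED_MODULES = {
    "core_module", "so_module", "http_module", "mpm_event_module",
    "authz_core_module", "dir_module", "mime_module", "log_config_module",
}

MODULE_LINE = re.compile(r"^\s*(\w+_module)\s+\((static|shared)\)\s*$")


def parse_loaded_modules(apachectl_output: str) -> dict:
    """Return {module_name: 'static' | 'shared'} from `apachectl -M` output."""
    modules = {}
    for line in apachectl_output.splitlines():
        m = MODULE_LINE.match(line)
        if m:
            modules[m.group(1)] = m.group(2)
    return modules


def unneeded_modules(apachectl_output: str, allowed=ALLOWED_MODULES) -> list:
    """Loaded modules that are not on the allowlist, sorted for stable output."""
    return sorted(set(parse_loaded_modules(apachectl_output)) - set(allowed))


NOLOGIN_SHELLS = {"/sbin/nologin", "/usr/sbin/nologin", "/bin/false"}


def check_service_account(passwd_line: str) -> list:
    """Problems with the Apache service account's /etc/passwd entry.

    Flags UID 0 (the workers would run as root) and an interactive login
    shell; returns [] when the account looks right.
    """
    fields = passwd_line.strip().split(":")
    if len(fields) != 7:
        return ["malformed passwd entry"]
    name, _, uid, _, _, _, shell = fields
    problems = []
    if uid == "0":
        problems.append(f"{name} has UID 0")
    if shell not in NOLOGIN_SHELLS:
        problems.append(f"{name} has login shell {shell}")
    return problems


def live_modules() -> dict:
    """Run the real `apachectl -M` on this host (requires Apache installed)."""
    out = subprocess.run(["apachectl", "-M"], capture_output=True, text=True, check=True)
    return parse_loaded_modules(out.stdout)


if __name__ == "__main__":
    print("loaded but not needed:", unneeded_modules(SAMPLE_APACHECTL_M))
    # Constructed passwd lines: a correct service account and a wrong one.
    print(check_service_account("apache:x:48:48:Apache:/usr/share/httpd:/sbin/nologin"))
    print(check_service_account("apache:x:0:0:Apache:/root:/bin/bash"))
```

Running it against the constructed sample reports status_module, userdir_module and cgi_module as loaded but not on the allowlist; each of those either goes, or its version gets checked against the advisories for that module. The passwd check catches the two mistakes the text warns about: a UID of 0 and a real shell.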

Nginx Security

Nginx is known for its performance and high concurrency. It has had a number of high-risk vulnerabilities; the official advisory list at http://nginx.org/en/security_advisories.html records the security problems that have been identified. Keep a close eye on vulnerability announcements and update to a fixed version promptly.

Nginx configuration is flexible and can also help mitigate DDoS and CC (HTTP flood) attacks. The configuration supports simple conditional checks, for example on characteristics of the client's User-Agent, on a specific Referer, or on the source IP, and can attach a custom response to them, such as returning an error status code or a redirect.

JBoss Remote Command execution

JBoss is a popular web container in Java EE environments, and a misconfigured instance can lead to remote command execution.

A default JBoss installation ships with a management console, jmx-console. It gives the administrator advanced functions, including configuring MBeans. The admin interface is reachable at /jmx-console on port 8080, and in a default installation access to jmx-console requires no authentication at all.

jmx-console offers several ways to execute commands remotely:

Load a WAR package remotely via the DeploymentScanner: by default the DeploymentScanner only watches file:/[jbosshome]/server/default/deploy/, but its addURL() method can be used to add a remote WAR package.

A WAR package can also be deployed through BSH (BeanShell) Deployment: BSH can execute a one-off script or create a service.

For hardening, remove the jmx-console backend: delete jmx-console.war and web-console.war. If the business must keep jmx-console, protect it with a strong password, and do not expose the port serving jmx-console to the Internet.

Tomcat Remote Command execution

Apache Tomcat, like JBoss, listens on port 8080 by default. Tomcat Manager offers operations similar to jmx-console: an administrator can deploy a WAR package through Tomcat Manager (this requires the manager role, which is defined in the configuration file tomcat-users.xml).

Although Tomcat Manager is protected by password authentication, it is still recommended to remove it, so that a guessed or leaked password does not turn into a compromise.
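A check for the two consoles discussed above (JBoss jmx-console/web-console and Tomcat Manager), as an added example that is not part of the original article. classify() turns the HTTP answer for each admin path into a verdict: reachable without authentication, reachable behind a password, removed, or blocked; manager_users() lists the accounts in tomcat-users.xml that hold a Manager role. The host name and the tomcat-users.xml content are constructed, and /manager/html is Tomcat's standard Manager path.

```python
"""Added example: probe for exposed JBoss/Tomcat admin consoles and list
who holds the Tomcat Manager role. Sample host and XML are constructed."""
import urllib.error
import urllib.request
import xml.etree.ElementTree as ET

# Management paths the text discusses: JBoss jmx-console and web-console,
# and Tomcat Manager (its standard path is /manager/html).
ADMIN_PATHS = ["/jmx-console/", "/web-console/", "/manager/html"]


def classify(status: int, headers: dict) -> str:
    """Map the HTTP status (plus headers) for an admin path to a verdict."""
    hdrs = {k.lower(): v for k, v in headers.items()}
    if status == 200:
        return "EXPOSED: console reachable without authentication"
    if status == 401 and "www-authenticate" in hdrs:
        return "AUTH REQUIRED: still deployed; confirm a strong password and no Internet exposure"
    if status == 404:
        return "REMOVED: not deployed"
    if status == 403:
        return "BLOCKED: access denied by the server"
    if 300 <= status < 400:
        return f"REDIRECT to {hdrs.get('location', '?')}: inspect the target"
    return f"UNEXPECTED status {status}"


def probe(base_url: str, timeout: float = 5.0) -> dict:
    """GET each admin path on a live host and classify the answer."""
    results = {}
    for path in ADMIN_PATHS:
        req = urllib.request.Request(base_url.rstrip("/") + path, method="GET")
        try:
            with urllib.request.urlopen(req, timeout=timeout) as resp:
                results[path] = classify(resp.status, dict(resp.headers))
        except urllib.error.HTTPError as e:
            results[path] = classify(e.code, dict(e.headers))
        except urllib.error.URLError as e:
            results[path] = f"NO ANSWER: {e.reason}"
    return results


# Roles that grant deployment or scripting rights in Tomcat Manager / Host Manager.
MANAGER_ROLES = {"manager-gui", "manager-script", "manager-jmx", "manager-status",
                 "admin-gui", "admin-script"}

# Constructed tomcat-users.xml with one weak password and one unprivileged user.
SAMPLE_TOMCAT_USERS = """<?xml version="1.0" encoding="UTF-8"?>
<tomcat-users xmlns="http://tomcat.apache.org/xml" version="1.0">
  <role rolename="manager-gui"/>
  <role rolename="manager-script"/>
  <user username="tomcat" password="s3cret" roles="manager-gui"/>
  <user username="deploy" password="Xq9!vL2#pRt7wZ" roles="manager-script"/>
  <user username="reader" password="readonly" roles="tomcat"/>
</tomcat-users>
"""


def manager_users(xml_text: str) -> list:
    """(username, [manager roles]) for every user who can reach Tomcat Manager.

    Each such account is one password guess away from deploying a WAR,
    which is why the text recommends removing Manager altogether.
    """
    root = ET.fromstring(xml_text)
    found = []
    for elem in root.iter():
        if elem.tag.split("}")[-1] != "user":  # strip the XML namespace
            continue
        roles = {r.strip() for r in elem.get("roles", "").split(",") if r.strip()}
        if roles & MANAGER_ROLES:
            found.append((elem.get("username"), sorted(roles & MANAGER_ROLES)))
    return found


if __name__ == "__main__":
    for name, roles in manager_users(SAMPLE_TOMCAT_USERS):
        print(f"{name}: {roles}")
    # Hypothetical host; replace with one you are authorised to test.
    print(probe("http://app.example.internal:8080"))
```

A 200 on /jmx-console/ is the default JBoss state the text describes and needs fixing immediately; a 401 means the console is still deployed and only the password stands between an attacker and WAR deployment, so the hardening advice (remove, or strong password plus no Internet exposure) still applies.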

HTTP Parameter Pollution

When a GET or POST request submits two parameters with the same name, for example /?a=value1&a=value2, the server-side environment decides how to interpret them. Some take only the first value, others only the last, while others, such as .NET, concatenate them into a=value1,value2. Because different components in one request path may follow different conventions, this behaviour can be used to bypass logic checks on the server side: a filter that inspects one copy of the parameter is satisfied while the back end acts on the other.
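The three conventions above, and the bypass that results when a front-end check and the back end disagree, as an added example written for this page (not from the original article). The filter and back end are constructed stand-ins: the filter reads the first copy of a parameter (as Java servlets' getParameter does), the back end reads the last copy (as PHP's $_GET does), and joined_value() shows the ASP.NET comma-joining behaviour the text mentions.

```python
"""Added example: how duplicate query parameters are read under three
common server-side conventions, and the HPP bypass that follows when a
filter and a back end use different ones. All inputs are constructed."""
from urllib.parse import parse_qs


def first_value(query: str, name: str):
    """Convention A (e.g. Java servlet getParameter): the first occurrence wins."""
    return parse_qs(query, keep_blank_values=True).get(name, [None])[0]


def last_value(query: str, name: str):
    """Convention B (e.g. PHP $_GET): the last occurrence wins."""
    return parse_qs(query, keep_blank_values=True).get(name, [None])[-1]


def joined_value(query: str, name: str):
    """Convention C (ASP.NET Request.QueryString): all occurrences joined by ','."""
    values = parse_qs(query, keep_blank_values=True).get(name)
    return ",".join(values) if values else None


def filter_allows(query: str) -> bool:
    """Constructed front-end filter that rejects requests whose 'role' is admin.

    It uses the first-value convention, so it only ever examines the first
    copy of the parameter; that is the pollution hazard.
    """
    return first_value(query, "role") != "admin"


def backend_role(query: str) -> str:
    """Constructed back end that uses the last-value convention."""
    return last_value(query, "role") or "guest"


def handle(query: str) -> str:
    """Run the filter, then the back end, as the two would in a real stack."""
    if not filter_allows(query):
        return "blocked"
    return backend_role(query)


if __name__ == "__main__":
    polluted = "role=user&role=admin"
    print(first_value(polluted, "role"), last_value(polluted, "role"), joined_value(polluted, "role"))
    print(handle("role=admin"))  # filter and back end agree: blocked
    print(handle(polluted))      # filter saw 'user', back end used 'admin'
```

The defence is not to make the filter cleverer but to make every component read the parameter the same way, or to reject requests that carry the same parameter more than once before any logic runs.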
