CentOS Web Server Security Configuration Guide

In this chapter we will introduce the CentOS http://www.aliyun.com/zixun/aggregation/17117.html ">web server security settings, which is also a number of the most important security settings for Web services, As the administrator of the server we should develop good system maintenance habits, regular patching, for directory permissions settings should have a very clear understanding of the user and user group management should also develop good habits, if you are just see this article, you can first understand the "CentOS System Security Configuration Guide" Part.

For CentOS installation and initialization settings, you can view the following articles:

CentOS 6.0 schematic Installation Tutorial: Preparing for installation

Http://www.ithov.com/linux/114733.shtml

CentOS 6.0 schematic Installation Tutorial: CD installation

Http://www.ithov.com/linux/114734.shtml

CentOS 6.0 schematic Installation tutorial: Post-Setup initialization settings

Http://www.ithov.com/linux/114735.shtml

CentOS 6.0 schematic Installation Tutorial: Basic configuration after installation

Http://www.ithov.com/linux/114739.shtml

If you are familiar with the installation of the CentOS Linux system, you can skip over the content and go to the following content to learn.

1. Diligent patching

The words "fix" and "Security Bug" are written in the changelog of www.apache.org. Therefore, the Linux administrator should always pay attention to the relevant site defects, timely upgrade the system or patching. Using the highest and latest versions of the security is critical to securing your Apache servers. Upgrade your OpenSSL to play 0.9.6e or higher, and a forged key will not work or penetrate the system. Some anti-virus programs can detect and kill the SSL virus, but the worm could produce variants that could escape the hunt for anti-virus software. Restarting Apache can kill such a virus, but it has no positive effect on preventing future infections.

Hide and disguise Apache version

Typically, software vulnerabilities are related to specific versions, so the version number is the most valuable thing for hackers.

By default, the system displays the Apache version module (in the HTTP return header). If the list is listed, the Domain name information (the body of the file list) is displayed, and the way to remove the Apache version number is to modify the configuration file http.conf. Find the keyword: serversignature and set it to:

Serversignature off

Servertokens PROD

Then reboot the server.

By analyzing the type of Web server, you can roughly infer the type of operating system, for example, Windows uses IIS, and the most common is Apache under Linux.

There is no information protection mechanism in the default Apache configuration and directory browsing is allowed. With directory browsing, you can usually get information such as "apache/1.3.27 Server at apache.linuxforum.net Port 80" or "apache/2.0.49 (Unix) php/4.38".

By modifying the Servertokens parameters of the configuration file, you can hide the relevant information about Apache. However, Red Hat Linux running Apache is a compiled program, the message is compiled in the program, to hide this information needs to change the Apache source code, and then recompile the installer, to replace the contents of the hint.

Take the Apache 2.0.50 as an example, edit the Ap_release.h file, and modify the "#define Ap_server_baseproduct\ Apache" to "#define Ap_server_baseproduct\" Micosoft-iis 6.0 "\". After the modification, recompile, install Apache.

After the Apache installation, modify the httpd.conf configuration file, change the "Servertokens full" to "Servertokens prod" and "Serversignature on" to "serversignature off" And then save to exit. When you restart the server, you will find that the operating system shown in the prompt is Windows.