
Linux Apache server security
Add Date : 2017-04-13
Here is some understanding of, and advice on, building a secure web server.

Wherever there is an Apache server, Unix/Linux is usually there too, which reflects Apache's excellent performance and market share in the web server field.
In today's Internet environment, web services have become essential for businesses, and most security problems follow from the fact that the focus of attacks has shifted to web attacks; many web sites tie valuable customer services and electronic commerce activities together, which is the main reason they attract malicious attention.
First, let us understand the security risks a web server faces.

HTTP denial of service attacks
An attacker uses some means to make the HTTP server refuse to answer. This greatly increases Apache's demand on system resources (CPU time and memory) and eventually slows the system down or paralyses it completely. Apache's biggest drawback is that its very ubiquity makes it a target of public criticism: Apache servers are under the threat of DoS attacks all the time. There are several kinds:
1. Packet flooding attacks
One way to interrupt a server or a local network is a packet flooding attack, which typically uses Internet Control Message Protocol (ICMP, part of the network layer) packets or UDP packets. In their simplest form these attacks simply overload the server or the network, which means the attacker's network must be faster than the target host's. The advantage of using UDP packets is that no packets are returned to the attacker's machine (UDP is 17 times more efficient than TCP); the advantage of using ICMP packets is that the attacker can make the attack richer and more varied, since sending malformed packets will confuse and lock up the victim's network. The current trend is for the attacker to spoof the source so that the server believes the flood is coming from itself.
2. Disk attacks
This is an immoral attack: it not only affects the computer's communications but also damages the hardware. The user sends forged write requests that make the target computer write to its hard disk until it exceeds its limits and is forced to shut down, a very sad ending.
3. Unreachable routes
DoS attacks typically focus on the router. The attacker first gains control of and manipulates the target machine; once the attacker can change routing table entries, the whole network can no longer communicate. This attack is insidious and hidden, because the network administrator has to rule out many possible causes, some of which require detailed analysis to resolve.
4. Distributed denial of service attacks
DDoS attacks are the most threatening. The name is easy to understand: it is simply a gang attack, with many clients hitting a single server at the same time, and you will find the server left scarred. Apache servers are particularly vulnerable, whether to DDoS or to attacks that hide their source, because Apache is everywhere. Viruses built specifically for Apache (the SSL worm, for instance) lurk on many hosts, and an attacker can direct the virus on a large number of infected machines to launch a vast DDoS attack against a specific target; with the worm spreading from host to host, a large-scale attack can be carried out point to point. Unless you stop providing the service, it is almost impossible to prevent such attacks, which are usually aimed at large sites.

Buffer overflows: such attacks are common. An attacker exploits a defect in a CGI program to make it deviate from its normal flow. The program uses static memory allocation, so the attacker can send an over-long request that overruns the buffer; some Perl scripting gateways handle user requests this way, and once the buffer overflows the attacker may be able to execute malicious instructions.

Illegally obtaining root privileges
If Apache runs as root, a logic defect or buffer overflow vulnerability in some program on the system lets an attacker easily obtain administrator privileges on the Linux server locally. In some remote cases the attacker exploits a defective system daemon running as root to obtain root privileges, or exploits a vulnerability in a defective service process to obtain ordinary user permissions for remote login, and then takes control of the whole system.

These are the attacks a service will encounter; below is how to create a secure Apache server.
If you can follow the suggestions below, you will get a relatively secure Apache server.

One: Patch promptly
You have to believe this is the most useful measure; buffer overflow vulnerabilities must be defended against in this way, and I believe a little diligence will do you no harm.
The latest changelog at http://www.apache.org lists bug fixes, including security bug fixes. A responsible administrator should always pay attention to related vulnerabilities and upgrade the system patches in time. Using the latest version is essential to hardening Apache.

Two: Hide and camouflage the Apache version
Disrupting the attacker's steps and bringing him trouble is surely something every administrator would like to see. Vulnerability information is tied to software versions, so confusing the attacker about the service software while he is collecting information is a good choice; the version number is as important to the attacker as GPS positioning.
By default Apache displays its version and modules (in the HTTP response header) and, if directory listing is enabled, in the directory's file list. To remove the Apache version number, modify the configuration file, find these keywords and change them as below:
ServerSignature off
ServerTokens prod

By analysing the web server type one can generally presume the operating system type: Windows usually runs IIS, Linux usually runs Apache. The default Apache configuration has no information protection mechanism and allows directory browsing; through directory browsing you can usually obtain information such as "Apache/1.37 Server at apache.linuxforum.net Port 80" or "Apache/2.0.49 (Unix) PHP/4.3.8".
Modifying the ServerTokens parameter in the configuration file hides the Apache information. If that is not enough, the remaining information is compiled into the program, and hiding it requires modifying the Apache source code and then recompiling to replace the contents:
Edit the ap_release.h file and change
#define AP_SERVER_BASEPRODUCT "Apache"
to
#define AP_SERVER_BASEPRODUCT "Microsoft-IIS/5.0"
Edit the os/unix/os.h file and change
#define PLATFORM "Unix"
to
#define PLATFORM "Win32"
After editing, recompile and install Apache, modify the configuration file as above, and start Apache again; a scanning tool will then report that the information displayed suggests the Windows operating system.
By the way, this forum is a little careless right now; this is the information the forum returned, and I broke into a bit of a sweat when I saw it:
Apache/2.2.8 (Ubuntu) DAV/2 SVN/1.4.6 mod_ssl/2.2.8 OpenSSL/0.9.8g Server at forum.ubuntu.org.cn Port 80
This tells a malicious user a lot of useful information. Although it does not open the door, it is the equivalent of telling him where the door is, which is quite dangerous.
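As an added check (not code from the original article): a small Python audit that parses a Server header like the banner quoted above and lists what it discloses, so you can verify that ServerTokens and ServerSignature are really in effect. The sample headers are constructed, except the forum banner, which is the one quoted above.

```python
import re

# Constructed sample Server headers; "leaky" repeats the forum banner quoted
# above, the others are what ServerTokens Prod and ServerTokens Major produce.
SAMPLE_HEADERS = {
    "leaky": "Apache/2.2.8 (Ubuntu) DAV/2 SVN/1.4.6 mod_ssl/2.2.8 OpenSSL/0.9.8g",
    "prod": "Apache",
    "major": "Apache/2",
}

# Product tokens look like "Name/version"; the OS hint is a parenthesised comment.
TOKEN_RE = re.compile(r"([A-Za-z_][\w.-]*)(?:/([\w.-]+))?")
COMMENT_RE = re.compile(r"\(([^)]*)\)")
# ServerSignature appends a footer like "... Server at host Port 80" to error pages.
SIGNATURE_RE = re.compile(r"Server at (\S+) Port (\d+)")


def audit_server_header(value):
    """Describe what a Server header discloses.

    'disclosures' lists each item an attacker could use to pick an exploit: the
    exact server version, the operating system, and every module with its
    version. An empty list is what ServerTokens Prod produces ("Apache" only).
    """
    os_hint = COMMENT_RE.search(value)
    tokens = TOKEN_RE.findall(COMMENT_RE.sub(" ", value))
    disclosures = []
    if os_hint:
        disclosures.append("os:" + os_hint.group(1).strip())
    for i, (name, version) in enumerate(tokens):
        if i == 0:
            if version:
                disclosures.append("server-version:" + version)
        else:
            disclosures.append("module:" + name + ("/" + version if version else ""))
    return {
        "product": tokens[0][0] if tokens else "",
        "disclosures": disclosures,
        "matches_prod": not disclosures,
    }


def audit_signature(body):
    """Return (host, port) if an error page still carries the ServerSignature
    footer, or None when ServerSignature Off is in effect."""
    m = SIGNATURE_RE.search(body)
    return (m.group(1), m.group(2)) if m else None


if __name__ == "__main__":
    for label, header in SAMPLE_HEADERS.items():
        print(label, audit_server_header(header))
```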

Three: Establish a secure directory structure
The Apache server directory structure consists of four parts:
ServerRoot # holds the configuration files, binaries and other server configuration files
DocumentRoot # holds the web site content, including HTML files, images, etc.
ScriptAlias # holds the CGI scripts
CustomLog and ErrorLog # hold the access log and the error log
In the suggested directory structure these four directories are independent, with no parent/child relationship between them:
the ServerRoot directory is accessible only to the root user;
the DocumentRoot directory should be accessible to the users who manage the web site content and to the apache user and group the server runs as;
the ScriptAlias directory should be accessible only to CGI developers and the apache user;
the CustomLog and ErrorLog directories can be accessed only by root.
Below is an example of a secure directory structure:
+------- /etc/
|   +---- /http (ServerRoot)
|   +---- /logs (CustomLog and ErrorLog)
+------- /var/www
|   +---- /cgi-bin (ScriptAlias)
|   +---- /html (DocumentRoot)

This directory structure is relatively safe because the directories are independent: a permission error in one directory does not affect the others.

Four: Use a dedicated apache user and group
In accordance with the principle of least privilege, Apache needs to be allocated just enough authority to complete its web service.
The principle of least privilege is one of the most basic principles of system security: restrict the users of the system to the minimum permissions and data access needed to complete their tasks, which both ensures that users can complete their work and limits the theft or damage caused by abnormal operation.

You must ensure that Apache uses a dedicated user and group; do not use the system's predefined accounts such as the nobody user and the nogroup group.
Because only the root user can start Apache, DocumentRoot should be accessible to the users who manage the web site content and to the apache user and group. For example, if you want the "test" user to publish content on the web site and httpd is the user the Apache server runs as, you can set:
groupadd webteam
usermod -G webteam test
chown -R httpd.webteam /www/html
chmod -R 2570 /www/htdocs
Only root can access the logs; the recommended permissions are:
chown -R root.root /etc/logs
chmod -R 700 /etc/logs
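As an added example (not from the original article): a Python audit of the four-directory layout from sections three and four, checking that no directory grants wider permission bits than the text allows and that the root-only directories have the expected owner. It builds the layout in a temporary sandbox rather than touching /etc or /var/www; the 2570 mode for ScriptAlias is an assumption mirroring the DocumentRoot setting.

```python
import os
import stat
import tempfile

# Permission bits that must NOT be set on each directory, derived from the text:
# ServerRoot and the logs are root-only, so group and world bits are forbidden;
# DocumentRoot and ScriptAlias are shared with a group, so only world bits are.
FORBIDDEN_BITS = {
    "ServerRoot": stat.S_IRWXG | stat.S_IRWXO,
    "Logs": stat.S_IRWXG | stat.S_IRWXO,
    "DocumentRoot": stat.S_IRWXO,
    "ScriptAlias": stat.S_IRWXO,
}


def audit_directories(paths, expected_uid):
    """Check each role's directory (paths: role -> path) against FORBIDDEN_BITS.

    Returns a list of readable violations (empty means the layout obeys the
    policy). expected_uid is the owner ServerRoot and Logs must have: root in
    production, the current user in the sandbox self-test below.
    """
    violations = []
    for role, path in paths.items():
        st = os.stat(path)
        mode = stat.S_IMODE(st.st_mode)
        bad = mode & FORBIDDEN_BITS[role]
        if bad:
            violations.append("%s (%s): mode %o grants bits %o too widely"
                              % (role, path, mode, bad))
        if role in ("ServerRoot", "Logs") and st.st_uid != expected_uid:
            violations.append("%s (%s): owned by uid %d, expected %d"
                              % (role, path, st.st_uid, expected_uid))
    return violations


def build_layout(base):
    """Create the four-directory layout under 'base' (a constructed sandbox, not
    the real /etc and /var/www) with the modes recommended in the text."""
    layout = {
        "ServerRoot": (os.path.join(base, "etc", "http"), 0o700),
        "Logs": (os.path.join(base, "etc", "logs"), 0o700),
        "DocumentRoot": (os.path.join(base, "var", "www", "html"), 0o2570),
        "ScriptAlias": (os.path.join(base, "var", "www", "cgi-bin"), 0o2570),  # assumed
    }
    for path, mode in layout.values():
        os.makedirs(path, exist_ok=True)
        os.chmod(path, mode)
    return {role: path for role, (path, _) in layout.items()}


def self_test():
    """Return (violations for the correct layout, violations after a careless
    'chmod 755' on the log directory)."""
    with tempfile.TemporaryDirectory() as base:
        paths = build_layout(base)
        good = audit_directories(paths, os.getuid())
        os.chmod(paths["Logs"], 0o755)  # simulate the permission error
        bad = audit_directories(paths, os.getuid())
    return good, bad
```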

Five: Access policy for the web directory
Access to the web directory should use a relatively conservative approach: do not allow users to view any directory index listing.
Prohibit directory indexes:
When Apache receives a user request for a directory, it looks for the directory index file specified by the DirectoryIndex directive (index.html by default). If that file does not exist, Apache creates a dynamic listing of the directory's contents for the user, which exposes the web site's structure. The configuration file therefore needs to be modified to suppress the dynamic directory index; in httpd.conf set
Options -Indexes FollowSymLinks
The Options directive tells Apache not to produce directory indexes; FollowSymLinks governs whether symbolic links are followed.
Prohibit access by default:
A security policy must deny access by default and open up permissions only for the specified directories. If access to the /var/www/html directory is allowed, use the following settings:
Order deny,allow
Allow from all
Prevent users from overriding:
To prevent users from overriding (modifying) the configuration with per-directory files (.htaccess), set
AllowOverride None

Six: Apache server access control
Apache's access.conf file is responsible for the access settings of files; with it you can implement access control by Internet domain name and IP address.
For example, to allow access only from a particular host, you can set (the host is a placeholder to fill in):
order deny,allow
deny from all
allow from <host>

Seven: Apache server password protection
The .htaccess file is a settings file on Apache. It is a text file, and it provides a method to change the configuration of a directory.
By placing a file (the .htaccess file) containing one or more directives in a particular document directory, those directives act on that directory and its subdirectories.
.htaccess features include password-protecting pages, setting the file shown when an error occurs, changing the default home page file name (e.g. index.html), prohibiting the reading of file names, file redirects, adding MIME types, prohibiting access to files under the directory, etc.

NOTE: .htaccess is the full file name, not ***.htaccess or any other format. Placing a .htaccess file in the /abc directory affects /abc and its subdirectories, but /index.html is not affected.

Setting up and using .htaccess is a little more complicated; interested friends can ask in the replies, as I am not writing it out specifically here. This protection is more secure than what some programs implement: with those methods the password can be obtained by guessing, whereas .htaccess is tough to crack. However, verification against a text file is relatively slow; this does not matter with a small number of users, but with a large number of users you must use the database validation modules, which need to be enabled when compiling the source code (they are not enabled by default).

Eight: Let Apache run in a "jail"
A "jail" means changing the root directory a piece of software can see at run time through the chroot mechanism. Simply put, the software is restricted to a specified directory, so it can only operate on files in that directory and its subdirectories. This protects the security of the whole server: even if the software is damaged or intruded upon, the damage is not great.
Previously, Unix/Linux daemons started with root privileges as a matter of course. Server software such as Apache needs to bind to port 80 to listen for requests, and only the root user has that right. As attacks increased in number and strength, servers became subject to considerable threat: by exploiting a buffer overflow vulnerability, an attacker could control the entire system. Server designs now usually start as root and then have the process give up root privileges and run as a low-privilege account. This obviously reduces the harm to the system, but an attacker still looks for loopholes to elevate privileges; even without root privileges, he can delete files and alter home pages.
To further improve system security, the Linux kernel introduced the chroot mechanism. chroot is a kernel system call; software calls the library function chroot to change the directory a process can see. For example, with Apache installed in the /usr/local/httpd directory and started as root, the parent process with root privileges spawns a number of child processes running as nobody; the parent process listens on port 80 and then hands the requests to a child. At this point the child process inherits the parent's directory, that is /usr/local/httpd, but if a directory permission is set wrongly an attacked Apache child process can access /usr/local, /usr, /tmp or even the entire file system, because the directory the Apache process sits in is still within the entire file system. If chroot is used to restrict Apache to /usr/local/httpd/, then the files Apache can access are limited to those under /usr/local/httpd. The role of creating a chroot jail is to restrict the files a process can access to one directory tree, ensuring safety.
Putting Apache in a jail by hand is very cumbersome and complex work, because the libraries it needs are involved; the jail package can be used to simplify the implementation.
The jail official website is http://www.jmcresearch.com; those interested can take a look.
I am not writing out the specific process of creating the jail here, as it is a little troublesome; if there is a need for it, please reply and I will add it promptly.

Nine: Apache server DoS prevention
The primary means of preventing the DoS attacks an Apache service often encounters is through software: the Apache DoS Evasive Maneuvers Module.
It is a replacement for mod_access that can confront DoS attacks. The software can quickly reject repeated requests from the same address for the same URL, which it achieves with a hash table queried internally by each child process.
You can download the software from http://online.securityfocus.com/tools/
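As an added example (not the module's own code, whose internals are not on the page): a Python model of the per-child hash table the text describes, keyed by (client address, URL), that rejects a client once it repeats the same request more than a threshold within an interval, replayed over constructed Apache log lines. The threshold of 3 requests per 1 second is an assumed tuning value.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample access-log lines (Apache common log format): client
# 203.0.113.7 hammers one URL while 198.51.100.4 browses normally.
SAMPLE_LOG = """\
203.0.113.7 - - [13/Apr/2017:10:00:00 +0000] "GET /index.html HTTP/1.1" 200 512
198.51.100.4 - - [13/Apr/2017:10:00:00 +0000] "GET /index.html HTTP/1.1" 200 512
203.0.113.7 - - [13/Apr/2017:10:00:00 +0000] "GET /index.html HTTP/1.1" 200 512
203.0.113.7 - - [13/Apr/2017:10:00:00 +0000] "GET /index.html HTTP/1.1" 200 512
198.51.100.4 - - [13/Apr/2017:10:00:01 +0000] "GET /about.html HTTP/1.1" 200 333
203.0.113.7 - - [13/Apr/2017:10:00:01 +0000] "GET /index.html HTTP/1.1" 200 512
203.0.113.7 - - [13/Apr/2017:10:00:05 +0000] "GET /index.html HTTP/1.1" 200 512
"""

LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(?:GET|POST|HEAD) (\S+)')
TIME_FMT = "%d/%b/%Y:%H:%M:%S %z"


class EvasiveTable:
    """Per-child hash table keyed by (client, URL): a request is rejected once
    the same client asks for the same URL more than page_count times within
    interval seconds (the policy the text describes for the module)."""

    def __init__(self, page_count=3, interval=1):
        self.page_count = page_count
        self.interval = interval
        self.table = defaultdict(deque)  # (ip, url) -> recent request times

    def check(self, ip, url, when):
        window = self.table[(ip, url)]
        while window and (when - window[0]).total_seconds() > self.interval:
            window.popleft()  # forget requests that fell out of the interval
        window.append(when)
        return "REJECT" if len(window) > self.page_count else "ALLOW"


def evaluate_log(text, page_count=3, interval=1):
    """Replay log lines through the table; return [(ip, url, decision), ...]."""
    table = EvasiveTable(page_count, interval)
    results = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not request records
        ip, ts, url = m.groups()
        results.append((ip, url, table.check(ip, url, datetime.strptime(ts, TIME_FMT))))
    return results


def rejected_clients(text):
    """Sorted list of client addresses that hit the rejection threshold."""
    return sorted({ip for ip, _, d in evaluate_log(text) if d == "REJECT"})
```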

Ten: Reduce CGI and SSI risks
CGI script vulnerabilities have become the primary security risk of web servers, because CGI script programming usually produces a lot of loopholes. To control CGI vulnerabilities, besides paying attention when writing them to checking the legitimacy of input data and being careful with system calls and other factors, the first measure is to run these programs under the user ID of the CGI program's owner: even if a vulnerability exists, the harm is limited to the files that ID can access and does not bring fatal harm to the entire system. CGI programs therefore need to be used with care.
Apache version 1.3 integrated the suEXEC program, which provides CGI control support for Apache. suEXEC can be seen as a wrapper: when Apache receives a call request for a CGI program, it hands the request to suEXEC, which is responsible for completing the specific call, and takes the result back from suEXEC. suEXEC can solve some security problems, but it affects speed.
If security is demanding, suEXEC is recommended; in addition there is the software CGIWrap, whose security is higher than suEXEC's.

Reduce the risk of SSI scripts too. If the SSI exec command is used to run an external program, there is still a risk similar to that of CGI scripts, so apart from internal debugging the Options directive should be used to prohibit it:
Options IncludesNOEXEC

Eleven: Harden Apache with SSL
Use a server with SSL capability to improve the security of sensitive site pages; SSL works between the TCP/IP protocol and the HTTP protocol.
SSL can encrypt the data stream transmitted over the Internet and provide authentication, so online shoppers need not worry about someone stealing their credit card information; for e-commerce and web-based e-mail this is very important.
Deploying SSL is still relatively troublesome; if there is a need, you can look up information or posts. I am not writing more about it here, as there is not enough space.
  CopyRight 2002-2022 newfreesoft.com, All Rights Reserved.