Web server security policy

Add Date : 2017-01-08

Chapter checklist

6.1 Introduction to Apache Web server software
6.2 Security issues facing the Apache server
6.3 Configuring a secure Apache server
6.1 Introduction to Apache Web server software

With the continuing spread of network technology and Web applications, Web services have become one of the most important services on the Internet, and the traditional client/server model is steadily being replaced by the browser/server model. This chapter looks at the major threats a Web server faces and, using Apache, the most widely deployed Web server on Linux, explains how to configure a Web server securely.

6.1.1 History of Apache

Apache grew out of the httpd server developed at NCSA (University of Illinois, Urbana-Champaign). By mid-1994 many Web administrators had written their own extensions and bug fixes for it, and a small group of them began exchanging these changes (in the form of "patches") over a private mailing list. At the end of February 1995, eight core contributors founded the original Apache group (the name being a play on "a patchy" server), and in April 1995 Apache 0.6.2 was released.

Between May and July 1995 a new server architecture (code-named Shambhala) was developed, with a modular structure and an API. It was based on memory pools for allocation and on a forking process model as the default. In July the development group ported the new features of Apache 0.7.x to this architecture, and Apache 0.8.8 was released in August. Within a year Apache had overtaken NCSA httpd to become the number one server on the Internet.

Apache's greatest strength is its market share: it is the number one Web server on the Internet, with its competitors far behind. In particular, three factors give Apache an advantage its rivals have not matched:

1. It grew up alongside the HTTP protocol, which lowers the barrier for users who need protocol support for new application software;

2. It gave UNIX/Linux new life: wherever Apache goes, UNIX/Linux goes;

3. Vendor support keeps growing, with an ever increasing set of tools and modules provided for Apache.

Notably, IBM announced that it would make Apache part of its WebSphere Application Server, an announcement the business press described as a breakthrough for open source software.

6.1.2 Market situation

Statistics show that the most popular Web servers are open source / free software (OSS/FS). Apache, for example, currently ranks first in Web server market share, with more than double the share of IIS in second place.

1. Internet Web server statistics
The Netcraft survey (http://www.netcraft.com/survey) shows that Apache has been the most widely used Web server software since April 1996. Before that, the most widely used Web server was the NCSA server (Apache's predecessor, and also OSS/FS), which held first place in the Web server market between August 1995 and March 1996. Since 2000 Netcraft has also counted only "active" sites: many sites are never used after being created (a registered domain name with no content, for example), and such "inactive" sites are excluded, so this method clearly reflects the real situation better. In the active-site data for June 2006, Apache held 61.25% of the market, IIS 29.71%, Sun 1.53% and Zeus 0.62%. Figure 6-1 shows how Web server market share changed from September 1995 to June 2006 (see http://news.netcraft.com/archives/web_server_survey.html).

2. Business statistics
Another independent survey, by E-soft (http://www.securityspace.com/s_survey), also shows Apache dominating the Web server field. In its breakdown of Web servers as of July 1, 2006, a total of 8,676,467 Web servers were surveyed; among commercial (.com) sites Apache ranked first with a 70.60% share, followed by IIS (23.93%). See http://www.securityspace.com/s_survey/data/200606/domain.html and Figure 6-2.

3. The secure server field
Netcraft reports that Apache has overtaken Microsoft as the preferred platform for SSL servers: 44.0% of sites using link encryption run Apache, and 43.8% use Microsoft products. As the original developer of the SSL protocol, Netscape initially held most of this market, but its share was soon overtaken by Microsoft's IIS, which held 40% to 50% of the market for several years. The first version of Apache did not support SSL: because of US export restrictions on encryption algorithms, the encryption part of an open source project had to be developed outside the United States and published separately. Several independent projects therefore provided SSL support for Apache, including Apache-SSL and mod_ssl, and some commercial SSL modules, such as C2Net's Stronghold, were also popular. Apache 2 included the mod_ssl module by default, and Apache started to become the popular SSL server. Netcraft's SSL survey has tracked the growth of SSL-enabled Web servers on the Internet since 1996, by server software, operating system and authentication algorithm (http://news.netcraft.com/archives/2006/04/26/apache_now_the_leader_in_ssl_servers.html).

E-soft also surveyed secure servers specifically (SSL/TLS Web servers, such as e-commerce sites). Even in this field Apache's share is 52.07%, against 39.66% for IIS. Since Stronghold is a repackaged Apache product, Apache's actual share in this field should be even higher (see http://www.securityspace.com/s_survey/sdata/200606/index.html).

Of course, the market shares of the various Web servers are always in flux; the latest figures can be found at the links above. In the most recent data, Apache is still far ahead.

6.1.3 How Apache works

The Web is a client/server system, so it consists of a server part and a client part. The common server program is Apache; the common clients are browsers (such as IE, Netscape and Mozilla). We enter a Uniform Resource Locator (URL) in the browser's address bar to access a Web page. The most basic concept of the Web is hypertext: text is no longer a traditional linear page, but lets the reader jump from one page to a location on another page while reading. Web pages are written in the HyperText Markup Language (HTML). The WWW service follows the HTTP protocol, whose default TCP/IP port is 80. The communication between client and server is, in outline, as follows:

(1) The client (browser) establishes a TCP connection to the Web server and, once the connection is up, sends an access request (for example GET) to it. According to the HTTP protocol, the request carries a series of information such as the client's IP address, browser type and the requested URL.

(2) The Web server receives the request and returns the requested page content to the client. If an error occurs, it returns an error code instead.

(3) The connection to the remote Web server is closed.

Here is the content of a request packet sent by a client to the Web server:

GET /engineer/ideal/list.htm HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg,
 application/vnd.ms-powerpoint, application/vnd.ms-excel, application/msword, */*
Referer: http://www.linuxar.com.cn/engineer/ideal/
Accept-Language: zh-cn
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)
Host: www.linuxar.com.cn
Connection: Keep-Alive

As this shows, the client's request carries a lot of useful information, such as the client type. The Web server then sends the requested page content back to the client. About HTTP/1.1: HTTP/1.1 (Hypertext Transfer Protocol version 1.1) is the latest version of HTTP, the application protocol the Web runs on top of the TCP/IP protocol suite. HTTP/1.1 gives faster site access than the previous version and optimises the use of network resources to reduce network traffic. It was developed by the Internet Engineering Task Force, and most servers and Web sites now support it.

Here are some of the reasons HTTP/1.1 speeds up Web access.

(1) Under the older HTTP protocol, a connection is created and torn down for every access. HTTP/1.1 establishes a persistent connection on the first visit to a site, and can send multiple requests in bulk, pipelined into the output buffer. TCP then allows several requests from the IP packet layer, or several replies, to be concentrated into one TCP segment. This cuts the time needed to re-establish connections and, because no extra connection-setup packets are needed, also reduces network traffic. Pipelining the commands greatly improves the efficiency of each TCP segment. In short, traffic is reduced and performance improves.

(2) When a browser that supports HTTP/1.1 finds that a page is uncompressed, the page can be compressed for transmission, saving bandwidth; but because the image files on a Web page are usually already compressed, this helps much less for image-heavy pages. Besides performance and persistent connections, HTTP/1.1 also allows multiple domain names to share the same IP address, which simplifies the management of virtual hosting on a network server.

6.1.4 Apache server features

Apache's main features are as follows.

(1) Support for the HTTP/1.1 protocol. Apache was one of the first Web servers to use HTTP/1.1; it is fully compliant with HTTP/1.1 and backward compatible with HTTP/1.0. Apache is fully prepared for everything the new protocol offers.

(2) Support for the Common Gateway Interface (CGI). Apache supports CGI through the mod_cgi module, which complies with the CGI/1.1 standard and provides extended features, such as customised environment variables and debugging support that is hard to find in other Web servers.

(3) Support for HTTP authentication. Apache supports Web-based basic authentication, and message digest authentication is supported as well. Basic authentication can be backed by standard password files, by DBM or SQL lookups, or by a call to an external authentication program.

(4) Integration of the Perl language. Perl has become the de facto standard for CGI scripting, and Apache is certainly one of the factors that made it so popular for CGI programming. Apache now supports Perl better than ever: with its mod_perl module, Perl-based CGI scripts can be loaded into memory and reused as needed, eliminating the start-up cost usually associated with interpreted languages.

(5) Integrated proxy server. Apache can be used as a forward proxy server and also as a reverse proxy server.

(6) Server status and customisable logs. Apache gives you a lot of flexibility in logging and in monitoring server state: you can monitor the server's state through a Web browser, and customise the logs to your needs.

(7) Client access can be restricted by host name or IP address.

(8) Support for CGI scripting languages such as Perl and PHP.

(9) Per-user Web directories. Apache allows a user on the host to use a specific directory to store the user's own home page, which is then accessed with a URL of the form http://hostname/~zhang (for user zhang).

(10) Support for virtual hosts, that is, providing multiple HTTP services on one host machine under different names. Apache supports three types of virtual hosting: IP-based, name-based and port-based.

(11) Support for dynamic shared objects. Apache modules can be loaded dynamically at run time, which means they are loaded into the server process space only when needed, reducing the system's memory overhead.

(12) Support for server-side includes (SSI). Apache provides extended server-side include commands, giving Web site developers greater flexibility.

(13) Support for the Secure Socket Layer (SSL).

(14) User session tracking. Using HTTP cookies, the Apache module mod_usertrack can track a user's browsing across the Apache Web site.

(15) Support for FastCGI. Apache uses the mod_fcgi module to provide a FastCGI environment in which FastCGI applications run faster.

(16) Support for Java Servlets. Apache's mod_jserv module supports Java Servlets, which lets Apache act as a Java application server.

(17) Multi-process support. When the load increases, the server quickly spawns child processes to handle it, improving system responsiveness.

6.2 Security issues facing the Apache server

To protect a Web server against malicious attacks and sabotage, the first step is to understand and identify the security risks it faces. In the past, Web sites served only static pages, so the security risk was small: the only way for a malicious party to tamper with such a site was to gain illegal access to the host.

In recent years most Web servers no longer serve only static HTML pages but provide dynamic content, and many Web sites are combined with valuable customer service or e-commerce applications (which is where the risk usually creeps in unnoticed).

6.2.1 HTTP denial of service

An attacker uses some means to make the server stop responding to HTTP requests. The demand on the Apache system's resources (CPU time and memory) surges, eventually slowing the system down or paralysing it completely. Apache's greatest drawback is that its popularity makes it a prime target, and Apache servers are threatened by DoS attacks all the time. These take the following forms.

1. Packet flooding attacks
One way to interrupt a server or a local network is a packet flooding attack, which usually uses Internet Control Message Protocol (ICMP) or UDP packets. In its simplest form the attack simply overloads the server or network, which means the attacker's network must be faster than the target's. For the attacker, the advantage of UDP packets is that no reply packets come back to the attacking machine, while the advantage of ICMP packets is that the attack can be more varied, since malformed packets can confuse and lock up the victim's network. A popular trend is to spoof the source so that the target server believes the flood is coming from itself.

2. Disk attack
This is a more brutal attack, which not only affects the target computer's communications but also damages its hardware. Forged user requests carrying write commands are aimed at the target computer's hard disk until its limits are exceeded and it is forced to shut down. The victim suffers more than just the damage, because the stored information becomes temporarily unreachable or is even lost.

3. Route unreachable
DoS attacks often focus on the router: the attacker first gains control of the target machine and manipulates it. Once the attacker can change entries in the router's routing table, the entire network becomes unreachable. This attack is very insidious because its onset is often baffling: after all, the server fails first, and when the whole network becomes unreachable there are still many possible causes to examine in detail.

4. Distributed denial of service attack
The most threatening attack is the distributed denial of service (DDoS) attack. When many compromised hosts have been infected and launch a denial of service attack on your server together, you will be left scarred. Self-replicating attacks are the worst, because the attack program spreads without any human intervention. Apache servers are particularly vulnerable, whether to a distributed denial of service attack or to one that hides its source. Why? Because Apache servers are everywhere. Countless Apache servers are spread across the World Wide Web, so a virus tailored to Apache (especially an SSL worm) can lurk on many hosts; bandwidth is now plentiful, so there is a lot of room for attackers to exploit. The worm exploits a vulnerability in the server code and installs itself on the Apache server through the SSL handshake, using a buffer overflow to install a forged key on the server (for servers running OpenSSL versions below 0.9.6e). The attacker can then execute malicious code on the infected hosts and, among the many effects of this virus, the next step is a vast distributed denial of service attack on a specific target. Once such a worm has spread to a large number of hosts, the resulting large-scale attack on the target computer or network causes irreparable damage.

6.2.2 Buffer overflow

An attacker exploits defects in CGI programs to make the program depart from its normal flow. When a program uses statically allocated memory to hold request data, an attacker can send an overly long request to overrun the buffer; some gateway scripts written in Perl, for example, process user requests this way. Once the buffer overflows, the attacker can execute malicious instructions.

6.2.3 Attackers gaining root privileges

If Apache runs as root, a defect in the program logic of some system component or a buffer overflow lets an attacker gain root privileges on the Linux server as easily as the local administrator. In some remote cases, the attacker exploits a flawed system daemon running as root to obtain root privileges, or exploits a vulnerability in a flawed service process to obtain ordinary user privileges and log in to the server remotely, and then takes control of the whole system.

6.3 Configuring a secure Apache server

A sensible network configuration protects the Apache server from many attacks.

6.3.1 Apply patches promptly

The latest changelog on http://www.apache.org/ always carries the words "bug fix" and "security bug fix". Linux network administrators should therefore watch vulnerability-related Web sites regularly and upgrade the system or apply patches in time. Running the most secure, latest version of the Apache Web server is crucial to strengthening security. Upgrade OpenSSL to 0.9.6e or later, and the forged key will have no effect and cannot penetrate the system. Some anti-virus programs can detect and remove the SSL worm, but the worm may have variants that evade anti-virus software. Restarting Apache kills this virus, but does nothing to prevent future infection.

6.3.2 Hiding and disguising the Apache version

Vulnerability information is usually tied to specific versions of software, so the version number is the most valuable piece of information to an attacker.

By default, Apache displays its version and module information in the HTTP response headers and, when a directory listing (text file list) is generated, in the listing's footer together with the host name. To remove the Apache version number, modify the configuration file /etc/httpd.conf: find the keyword ServerSignature and set:

ServerSignature Off
ServerTokens Prod

Then restart the Apache server.

By analysing the type of Web server, one can generally infer the operating system: for example, Windows uses IIS to provide HTTP services, while on Linux Apache is the most common.

The default Apache configuration has no protection for this information and allows directory browsing. By browsing a directory one can usually obtain information such as "Apache/1.3.27 Server at apache.linuxforum.net Port 80" or "Apache/2.0.49 (Unix) PHP/4.3.8".

The Apache-related information can be hidden by modifying the ServerTokens parameter in the configuration file. However, the Apache shipped with Red Hat Linux is a compiled program and the banner text is compiled into it; to hide this information you need to modify the Apache source code, recompile and reinstall, replacing the banner contents.

Taking Apache 2.0.50 as an example, edit the file ap_release.h and change
#define AP_SERVER_BASEPRODUCT "Apache"
to
#define AP_SERVER_BASEPRODUCT "Microsoft-IIS/5.0"
Then edit the file os/unix/os.h and change
#define PLATFORM "Unix"
to
#define PLATFORM "Win32"
After the modifications, recompile and install Apache.

After installation, modify the httpd.conf configuration file: change "ServerTokens Full" to "ServerTokens Prod" and "ServerSignature On" to "ServerSignature Off", then save and exit. After Apache is restarted, a scanning tool will report the operating system as Windows.

6.3.3 Establish a secure directory structure

The Apache server has the following four main directories.

- ServerRoot: holds the configuration files (the conf subdirectory), the binaries and other server configuration files.

- DocumentRoot: holds the Web site content, such as HTML files and images.

- ScriptAlias: holds the CGI scripts.

- CustomLog and ErrorLog: hold the access and error logs.

It is recommended to arrange these four main directories independently, with no parent/child relationship between them.

This directory structure is relatively safe because each directory is independent: a permission error in one directory does not affect the others.


6.3.4 Use a dedicated user and group for Apache

In accordance with the principle of least privilege, give Apache only the privileges it needs to provide the Web service.

Make sure Apache runs as a dedicated user and group; do not use a predefined system account such as the nobody user and the nogroup group.

Because only the root user can start Apache, DocumentRoot should be accessible both to the users who manage the Web site content and to the group Apache runs as, so that the server can read it. So, if user "cao" is to publish Web site content and the Apache httpd server is to be able to serve it, the usual setup is:

groupadd webteam
usermod -a -G webteam cao
chown -R httpd.webteam /www/html
chmod -R 2570 /www/html

Only the root user should have access to the log directory; the recommended permissions for it are:

chown -R root.root /etc/logs
chmod -R 700 /etc/logs

6.3.5 Web directory access policy

Take a relatively conservative approach to access to the Web directory: do not allow users to view directory index listings.

1. Prohibit directory indexes
When Apache receives a request for a directory, it looks for the directory index file specified by the DirectoryIndex directive, which by default is index.html. If that file does not exist, Apache generates a dynamic listing of the directory's contents for the user. This usually exposes the Web site's structure, so the configuration file must be modified to suppress the dynamic directory index.

Modify the configuration file httpd.conf:
Options -Indexes -FollowSymLinks

The -Indexes option tells Apache not to generate directory indexes; -FollowSymLinks tells it not to follow symbolic links.

2. Deny access by default
A good security policy denies access by default and opens access only to specified directories. To allow access to the /var/www/html directory, use the following settings:

<Directory /var/www/html>
    Order deny,allow
    Allow from all
</Directory>

3. Prevent per-directory overrides
To stop per-directory configuration files (.htaccess) from overriding (modifying) the server configuration, set:

AllowOverride None

6.3.6 Apache server access control

The Apache access.conf file is responsible for setting access permissions, and can control access by Internet domain name and IP address. It contains directives controlling which clients are allowed to access Apache's directories. Start with deny from all as the initial directive, then use allow from to open access. For example, to allow the hosts 192.168.1.1 to 192.168.1.254 access:

order deny,allow
deny from all
allow from 192.168.1.0/255.255.255.0
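The checks of 6.3.2, 6.3.5 and 6.3.6 can be audited mechanically. The script below is an added example, not from the original article: it parses an httpd.conf fragment (Apache 2.2-style Order/Allow/Deny syntax, as used on this page) and reports the weak settings next to a hardened copy of the same fragment. Both configuration fragments are constructed samples, and only <Directory> containers are modelled.

```python
import re

# Constructed sample httpd.conf fragment in the weak "default install" state:
# version banner on, directory indexes and symlinks on, .htaccess overrides on,
# and a host restriction written without the "deny from all" baseline.
WEAK_CONF = """\
ServerTokens Full
ServerSignature On
<Directory /var/www/html>
    Options Indexes FollowSymLinks
    AllowOverride All
    Order allow,deny
    Allow from all
</Directory>
<Directory /www/admin>
    Order deny,allow
    Allow from 192.168.1.0/255.255.255.0
</Directory>
"""

# The same fragment with the settings the article recommends applied.
HARDENED_CONF = """\
ServerTokens Prod
ServerSignature Off
<Directory /var/www/html>
    Options -Indexes -FollowSymLinks
    AllowOverride None
    Order deny,allow
    Allow from all
</Directory>
<Directory /www/admin>
    Options -Indexes -FollowSymLinks
    AllowOverride None
    Order deny,allow
    Deny from all
    Allow from 192.168.1.0/255.255.255.0
</Directory>
"""

DIRECTORY_RE = re.compile(r'<Directory\s+"?([^">]+?)"?\s*>', re.I)


def parse_conf(text):
    """Split a config into global directives and per-<Directory> directives.

    Returns (globals, sections): globals is a list of (name, value) tuples and
    sections maps each Directory path to its own list of (name, value).
    Containers other than <Directory> are not modelled (assumption).
    """
    global_directives, sections, current = [], {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        m = DIRECTORY_RE.match(line)
        if m:
            current = m.group(1)
            sections[current] = []
            continue
        if line.lower() == "</directory>":
            current = None
            continue
        parts = line.split(None, 1)
        entry = (parts[0], parts[1].strip() if len(parts) > 1 else "")
        (sections[current] if current else global_directives).append(entry)
    return global_directives, sections


def audit(text):
    """Return [(scope, message)] for each weak setting found in the config."""
    findings = []
    globals_, sections = parse_conf(text)
    gmap = {n.lower(): v for n, v in globals_}
    # 6.3.2: the version banner in response headers and listing footers.
    if gmap.get("servertokens", "Full").lower() != "prod":
        findings.append(("global", "ServerTokens should be Prod"))
    if gmap.get("serversignature", "On").lower() != "off":
        findings.append(("global", "ServerSignature should be Off"))
    for path, directives in sections.items():
        dmap = {n.lower(): v for n, v in directives}
        opts = {o.lower().lstrip("+") for o in dmap.get("options", "").split()}
        # 6.3.5: dynamic index listings and symlink following.
        if "indexes" in opts:
            findings.append((path, "Options Indexes exposes the directory listing"))
        if "followsymlinks" in opts:
            findings.append((path, "Options FollowSymLinks should be disabled"))
        # 6.3.5: .htaccess overrides (Apache 2.2 default is All, hence the fallback).
        if dmap.get("allowoverride", "All").lower() != "none":
            findings.append((path, "AllowOverride should be None"))
        # 6.3.6: under "Order deny,allow" the default state is allow, so a
        # host-specific Allow without "Deny from all" restricts nothing.
        order = dmap.get("order", "").replace(" ", "").lower()
        allow = dmap.get("allow", "").lower()
        if (order == "deny,allow" and allow.startswith("from ")
                and allow != "from all" and "deny" not in dmap):
            findings.append((path, "Allow list without Deny from all is ineffective"))
    return findings


if __name__ == "__main__":
    for label, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(f"{label}: {len(audit(conf))} finding(s)")
        for scope, msg in audit(conf):
            print(f"  {scope}: {msg}")
```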

6.3.7 Managing the Apache server access logs

1. Related configuration
A good network administrator pays close attention to the Linux server's system logs, which can provide clues to attempted intrusions. Apache can record every access request, and likewise records requests that failed. Two directives in the Apache configuration files concern the log files:

# records every incoming request to the Web site
CustomLog /www/logs/access_log common
# records requests that ended in an error
ErrorLog /www/logs/error_log

CustomLog specifies where the Apache access log is stored (here /www/logs/access_log) and its format (here common); ErrorLog specifies where the Apache error log is stored. For a server without virtual hosts, just find the CustomLog configuration in httpd.conf and modify it directly. For a Web server with multiple virtual hosts, a separate access log is needed for each virtual host so that access statistics can be compiled and analysed per host, so the log must be configured separately in each virtual host's configuration.

2. Web server log rotation
There are three good ways to rotate Web server logs: the first uses the Linux system's own log rotation tool, logrotate; the second uses Apache's built-in log rotation program, rotatelogs; the third uses cronolog, a relatively mature log rotation tool developed for Apache. Large Web sites often use load balancing to increase service capacity, with several back-end servers providing the Web service, which greatly eases the planning and expansion of the service. With multiple servers the logs need to be consolidated for unified statistical analysis, so, to keep the statistics accurate, the logs must be generated automatically on a strict daily schedule.

(1) Log rotation with logrotate

First consider rotation with the Linux system's own logrotate. logrotate is the log rotation program that comes with the Linux system and is dedicated to rotating the various system logs (syslog, mail, and so on). It is run by the crond service at 4:02 every morning. In the /etc/cron.daily directory the logrotate file contains:

#!/bin/sh
/usr/sbin/logrotate /etc/logrotate.conf

Every morning crond runs the logrotate script in /etc/cron.daily to rotate the logs. In /etc/logrotate.conf you can see the following:

# See "man logrotate" for details
# Rotate log files weekly
weekly

# Keep 4 weeks worth of backlogs
rotate 4

# Create new (empty) log files after rotating old ones
create

# Uncomment this if you want your log files compressed
#compress

# RPM packages drop log rotation information into this directory
include /etc/logrotate.d

# No packages own wtmp - we'll rotate them here
/var/log/wtmp {
    monthly
    create 0664 root utmp
    rotate 1
}

# System-specific logs may be also be configured here.

As the logrotate configuration file shows, apart from wtmp, the configuration for logs that need rotating is stored in the directory /etc/logrotate.d. So you only need to create a configuration file named apache in that directory telling logrotate how to rotate the Web server's log files. The advantage of this method is that no third-party tool is needed. But for heavily loaded servers and Web servers using load balancing it is not very practical, because it sends a "-HUP" signal to restart the corresponding service process in order to truncate and archive the log, which affects service continuity.

(2) Log rotation with rotatelogs

Apache can write logs not directly to a file but to another program through a pipe, which greatly enhances log processing capability. The program at the other end of the pipe can be anything, such as a log analyser or a log compressor. To write logs to a pipe, replace the file name in the log configuration with "| program name", for example:

# compressed logs
CustomLog "|/usr/bin/gzip -c >> /var/log/access_log.gz" common

In the same way you can use rotatelogs, the rotation tool that comes with Apache, to rotate the log file. rotatelogs can control rotation by time or by log size.

CustomLog "|/www/bin/rotatelogs /www/logs/secfocus/access_log 86400" common

The line above means that the Apache access log is sent to the program rotatelogs; rotatelogs writes the log to /www/logs/secfocus/access_log and rotates it every 86400 seconds (one day). After rotation the file is named /www/logs/secfocus/access_log.nnn, where nnn is the time at which the log started. To align the logs by day, therefore, the service must be started at 00:00, so that each rotation yields exactly one complete day's log for the access statistics program to process. If the new log is generated at 00:00, the rotated log is access_log.0000.

(3) Log rotation with cronolog

First download and install cronolog; the latest version can be downloaded from http://www.cronolog.org. After downloading, unpack and install it. By default cronolog is installed in /usr/local/sbin. Then modify the Apache log configuration as follows:

CustomLog "|/usr/local/sbin/cronolog /www/logs/secfocus/%w/access_log" combined

Here %w saves the log into a different directory for each day of the week, so one week of logs is kept. For log analysis, each day's log file is copied (or moved, if you do not want to keep a week of logs) to a fixed location to make statistical analysis of the log file easier. Add a scheduled task (with crontab -e) as follows (the -v-1d form is BSD date syntax; with GNU date use date -d yesterday +\%w instead):

5 0 * * * /bin/mv /www/logs/secfocus/`date -v-1d +\%w`/access_log /www/logs/secfocus/access_log_yesterday

Then use the log statistical analysis procedures, the document access_log_yesterday processing. In this case, when each server definition or move the log files can not be used access_log_yesterday, while the number should be put on the server (such as server IP address and other information) to be distinguished. Then run the site mirroring and backup services rsyncd on each server, and then install each server configuration file is downloaded daily to merge on the server to access specialized statistical analysis by rsyncd. Consolidate multiple server log files (such as log1, log2, log3), and output to log_all method is:

$ Sort -m -t "" -k 4 -o log_all log1 log2 log3

-m indication merge optimization algorithm; -k 4 represents sorted according to the time; -o that will sort the results stored in the specified file.
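A merge that orders by the real timestamp instead of the lexical text of field 4, added here as an example (Python; not code from the original text or from Apache): it parses the combined format, converts each timestamp including its UTC offset to epoch seconds, k-way merges the per-server streams the way sort -m does, tags each record with the server it came from, and skips malformed lines instead of aborting. The server names and log lines are constructed samples; web1 logs in UTC+8 and web2 in UTC so that the two orderings differ.

```python
import heapq
import re
from datetime import datetime

# Apache "combined" LogFormat:
# %h %l %u %t "%r" %>s %b "%{Referer}i" "%{User-Agent}i"
COMBINED_RE = re.compile(
    r'^(?P<host>\S+) (?P<ident>\S+) (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<request>[^"]*)" (?P<status>\d{3}) (?P<bytes>\S+) '
    r'"(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)

# Constructed sample lines (not real traffic). web1 logs in UTC+8, web2 in UTC.
WEB1_LINES = [
    '203.0.113.5 - - [08/Jan/2017:00:10:00 +0800] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [08/Jan/2017:00:10:04 +0800] "GET /login.php HTTP/1.1" 200 1834 "http://www.example.com/index.html" "Mozilla/5.0"',
    '198.51.100.9 - - [08/Jan/2017:00:12:30 +0800] "GET /cgi-bin/test-cgi HTTP/1.0" 404 209 "-" "Nikto/2.1.5"',
]
WEB2_LINES = [
    '198.51.100.9 - - [07/Jan/2017:16:09:58 +0000] "GET /robots.txt HTTP/1.1" 200 68 "-" "Nikto/2.1.5"',
    '198.51.100.9 - - [07/Jan/2017:16:11:00 +0000] "GET /phpmy2/install/install.php HTTP/1.1" 403 - "-" "Nikto/2.1.5"',
    'this line is deliberately malformed and must be skipped',
    '203.0.113.5 - - [07/Jan/2017:16:20:00 +0000] "POST /login.php HTTP/1.1" 302 0 "http://www.example.com/login.php" "Mozilla/5.0"',
]


def parse_line(line, server):
    """Parse one combined-format line; return a dict, or None if it does not match."""
    m = COMBINED_RE.match(line.rstrip("\r\n"))
    if m is None:
        return None
    rec = m.groupdict()
    # %t carries the server's UTC offset, so the epoch value is comparable across servers.
    rec["ts"] = datetime.strptime(rec["time"], "%d/%b/%Y:%H:%M:%S %z").timestamp()
    rec["server"] = server
    rec["raw"] = line.rstrip("\r\n")
    return rec


def merge_logs(sources):
    """sources: {server_name: iterable of lines}, each in the order the server wrote it.
    Returns all parseable records in global chronological order: a k-way merge like
    sort -m, but keyed on epoch seconds instead of the text of field 4."""
    def keyed(name, lines):
        for n, line in enumerate(lines):
            rec = parse_line(line, name)
            if rec is not None:
                # (ts, name, n) is a total order, so the dicts themselves are never compared
                yield (rec["ts"], name, n, rec)
    streams = [keyed(name, lines) for name, lines in sources.items()]
    return [item[3] for item in heapq.merge(*streams)]


def sort_by_field4(sources):
    """What 'sort -t " " -k 4' does: order by the lexical text of the bracketed timestamp."""
    recs = [r for name, lines in sources.items()
            for r in (parse_line(l, name) for l in lines) if r is not None]
    return sorted(recs, key=lambda r: r["raw"].split(" ")[3])


if __name__ == "__main__":
    sources = {"web1": WEB1_LINES, "web2": WEB2_LINES}
    for r in merge_logs(sources):
        print("%s %-5s %-13s %s" % (r["time"], r["server"], r["host"], r["request"]))
```

Run stand-alone, the output shows the web2 robots.txt probe first, then the two web1 requests, and so on, whereas sort_by_field4 puts every web2 line before every web1 line because "[07/Jan" sorts before "[08/Jan". Nikto-style probes from one address across several servers only line up when merged on the real timestamp.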

3. Apache log analysis with phpMyVisites
(1) How Apache log analysis works

The server logs record the requests the Web server receives, the errors it hits while handling them, and other raw information. Collecting and analysing these records lets you judge the health of the server, detect and fix errors, and see how visitors are distributed, all of which makes maintenance and management easier. The Web access mechanism itself is simple:

1) The client (browser) establishes a TCP connection to the Web server and then sends a request (for example GET). Under HTTP the request carries the client's IP address, the browser type and other headers, and the URL requested.

2) The Web server receives the request and returns the requested page to the client, or an error code if something goes wrong.

3) The server writes the access and error information to its log files.

In practice the logs have more uses than that; the typical ones are traffic statistics and security analysis of the site. Finding an attacker's traces in a Web log is not easy because there are so many entries: you have to analyse the source IP address and the pages requested and infer what the visitor was trying to do, for instance mirroring the site or scanning for CGI vulnerabilities, and then address the weaknesses that were probed. Most users only care about the server's performance, but a business site cannot focus solely on cutting latency and raising the number of concurrent accesses; it also wants to know the geographic and time distribution of its visitors and the hit counts of each page. Analysing the user groups and their behaviour helps improve the pages in a targeted way, raise site quality and serve users better. Logs give you the raw material for all of this. Reading the log file directly is only practical for locating one specific thing; most of the time you need a dedicated log analysis tool. The better-known ones, all open source, are AWStats, Webalizer and phpMyVisites; beyond simple analysis by access time and source IP address, they can also show how the site is reached through search engines.

phpMyVisites has the following characteristics:

- phpMyVisites is written in PHP with a MySQL back end and released as open source under the GNU GPL. Its performance is reported as about 100,000 records per second on an 800MHz machine, so a 400MB log file takes around 25 seconds.

- It supports multiple languages and can be localised by the user.

- It runs on several platforms: UNIX, Linux, Windows, MacOS and others.

Compared with Webalizer, another excellent open source log analysis tool, phpMyVisites has these advantages:

- A friendly interface that switches language according to the browser's setting (including Simplified Chinese).

- Being PHP-based, it is cross-platform and runs on GNU/Linux or on Windows (once PHP is installed); it handles the Apache combined log format directly and the IIS format after some modification. Webalizer has a Windows build, but it is no longer maintained; phpMyVisites can give unified statistics for a site split across different server systems, such as GNU/Linux/Apache and Windows/IIS.

- Richer output: phpMyVisites reports far more than Webalizer while still running at about half its speed, which is adequate for a site with a million visits a day.

- Convenient configuration and customisation: the defaults are sensible, the system is flexible, and it is easy to modify and extend. Reports are presented as histograms and graphs rather than as walls of numbers that make the reader dizzy.

- Strong IP geolocation support, so you can see which regions your visitors come from.

(2) Installing phpMyVisites

The official site is http://www.phpmyvisites.net/; the latest version at the time of writing was 2.1.

1) Download phpMyVisites.

# cd /var/www/html
# wget "http://www.phpmyvisites.net/index.php?part=download&lg=en"        (quote the URL so the shell does not treat & as a background operator)
# unzip phpmyvisites_2_1.zip        (creates the directory phpmyvisites_2)
# mv phpmyvisites_2 phpmy2

2) Create a database for phpmy2.

# mysql -u root -p
Enter password: xxxxxxxxx
Your MySQL connection id is 3 to server version: 4.11
Type 'help;' or '\h' for help. Type '\c' to clear the buffer.

mysql> create database phpmy2;          (creates the database phpmy2)
Query OK, 1 row affected (0.01 sec)

mysql> grant all privileges on phpmy2.* to 'phpmy2'@'localhost' identified by '76543981';          (creates the account phpmy2 with rights on that database only and sets its password; choose a strong password of your own)

mysql> quit
Bye

3) Prepare the installation.

Note that the MySQL server name to enter later is localhost (this is the MySQL server name, not the Linux hostname), the database name is phpmy2, the MySQL account is phpmy2, and the password is the one set above.

# cd /var/www/html/phpmy2        (the directory under Apache's default document root)
# chmod 777 install              (lets the web installer write its files; giving write access only to the httpd user with chown is tighter than world-writable, and the directory is deleted after installation in any case)

4) Web-based setup.

The web installer has nine steps.

1) "Welcome!": language selection.

Open Firefox on the Linux machine and enter http://hostname/phpmy2/install/install.php in the address bar. The first screen is the language setting; choose "Simplified Chinese" (or another language).

2) "System Requirements": system check.

The installer checks that MySQL, PHP and the GD library are available; every item should show green.

3) "Database Setup": MySQL settings.

This is the critical step, shown in Figure 6-6: enter the server name, database name, account and password from step 2) above.

4) "Table Creation": database tables.

Accept the defaults.

5) "General Setup": general settings.

Mainly the administrator password and administrator e-mail address.

6) "Create Config File": configuration file generation.

Accept the defaults.

7) "Add First Website": the site to be tracked.

Set according to preference.

8) "Display Javascript code": the tracking code.

Accept the defaults. Note that phpMyVisites gathers its data through this JavaScript tag placed in your pages, which reports each page view back to the phpMyVisites installation, rather than by reading access_log.

9) "Finished!": end of installation.

Once the installation has been tested, remove the installer for security reasons, so that nobody can re-run it and overwrite the configuration:

# rm -rf /var/www/html/phpmy2/install

10) Administrator login.

Click the link "Go to phpMyVisites" on the page shown in Figure 6-8 and log in with the administrator account and password.

phpMyVisites reports the following information:

- Visit statistics

- Period summary

- Summary graphs

- Long-term graph of the summary, and the number of visitors over a chosen period

- Server page views per hour

- Visitor accesses per hour

- Frequency

- Statistics

- New versus returning visits

- Graph of new versus returning visits

- Graph of the number of visits per visitor

- Pages viewed

- Page views

- Time spent per page

- Graph of views for each page

- Visit paths

- Entry pages

- Exit pages

- Single-page visits

- Visit sources

- World map

- Country summary

- Internet service provider

6.3.8 Apache server password protection

.htaccess is a per-directory configuration file for the Apache server. It is a plain text file that can be written with any text editor. Placing a file named .htaccess containing one or more directives in a directory applies those directives to that directory and all of its subdirectories, provided the main configuration's AllowOverride setting for that location permits them (with AllowOverride None the file is ignored; AuthConfig and Limit are the override classes the directives below need). .htaccess can, among other things, password-protect pages, set custom error documents, change the default index file name (for example index.html), forbid reading particular files, redirect requests, add MIME types and disable directory listings. Note that .htaccess is the complete file name, not something.htaccess or another form (an administrator can configure a different name, but .htaccess is the usual one). Upload .htaccess in ASCII mode and set its permissions to 644 (rw-r--r--) with chmod. Every .htaccess file affects the directory it sits in and that directory's subdirectories: a .htaccess placed in /abc/ affects everything under /abc/ and /abc/def/, but not /index.html. This scoping is important.

1. Create the .htpasswd file
First create the password file for the directory to be protected (for example htdocs). Any name can be used; servers generally use .htpasswd. The file must not be retrievable over HTTP, so keep it outside the DocumentRoot if possible, or at least make sure a deny rule covers it: Apache's default configuration only denies access to names matching ^\.ht, so a file called .abcname1 inside htdocs is not covered unless you add a <Files> deny rule as in item 5 below. Each line of .htpasswd is one user: the user name and the hashed password, separated by a colon ":".

2. Write the protecting .htaccess file
The .htaccess file contains:

AuthType Basic
AuthUserFile /usr/home/***/htdocs/.abcname1
AuthGroupFile /usr/home/***/htdocs/.abcname2
AuthName "information"
<Limit GET POST>
require valid-user
</Limit>

In the second and third lines, *** is your own FTP login. .abcname1 and .abcname2 can be any file names, for example .htpasswd and .htpass, but not .htaccess. Upload the .htaccess into the directory to be protected (for example htdocs).

The final "require" line tells the server which users may enter. require valid-user admits anyone listed in .htpasswd. You can also name one or more users with "require user username" or "require user username1 username2 username3", or a group with "require group groupname". Note that <Limit GET POST> restricts only those two methods (HEAD is treated as GET): requests using other methods, such as OPTIONS, PUT or DELETE, would bypass the password check, so unless you have a specific reason, omit the <Limit> wrapper and let require apply to every method.

3. Add users
Go into the htdocs directory and run the following to create .abcname1 with its first user (htpasswd is in Apache's bin directory, here /var/www/bin):

# /var/www/bin/htpasswd -c .abcname1 abc

abc is the user name to add. htpasswd prompts for the password twice, and the user is then active. To add further users, run the command again without -c, which would otherwise truncate the file (htpasswd .abcname1 username). If the user already exists, the command replaces that user's password.
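What htpasswd writes on those lines, and how a password is checked against them, as an added example in Python (not code from the original text or from Apache): an implementation of Apache's $apr1$ scheme (the MD5-crypt construction with the magic string $apr1$, the htpasswd default since Apache 2.2.18; earlier Unix builds defaulted to crypt()), the unsalted {SHA} scheme, a constant-time verifier, and an audit of an .htpasswd file that classifies each entry's scheme so that weak crypt() or unsalted entries can be found. The user names and the sample file are made up; the apr1 line in it is generated by the code itself.

```python
import base64
import hashlib
import secrets

ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"


def _to64(value, count):
    """Encode the low 6*count bits of value, least significant group first (crypt's to64)."""
    out = []
    for _ in range(count):
        out.append(ITOA64[value & 0x3F])
        value >>= 6
    return "".join(out)


def apr1_md5(password, salt=None):
    """Apache's $apr1$ password hash: MD5-crypt with the magic "$apr1$" and 1000 rounds."""
    if salt is None:
        salt = "".join(secrets.choice(ITOA64) for _ in range(8))
    salt = salt[:8]                       # at most 8 salt characters are used
    pw, sp = password.encode(), salt.encode()
    ctx = hashlib.md5(pw + b"$apr1$" + sp)
    alt = hashlib.md5(pw + sp + pw).digest()
    pl = len(pw)
    while pl > 0:                         # mix in the alternate sum, one byte per password byte
        ctx.update(alt[:min(16, pl)])
        pl -= 16
    i = len(pw)
    while i:                              # bits of the length: a NUL for 1 bits, pw[0] for 0 bits
        ctx.update(b"\0" if i & 1 else pw[:1])
        i >>= 1
    final = ctx.digest()
    for r in range(1000):                 # key-stretching rounds
        c = hashlib.md5()
        c.update(pw if r & 1 else final)
        if r % 3:
            c.update(sp)
        if r % 7:
            c.update(pw)
        c.update(final if r & 1 else pw)
        final = c.digest()
    f = final
    enc = (_to64((f[0] << 16) | (f[6] << 8) | f[12], 4) +
           _to64((f[1] << 16) | (f[7] << 8) | f[13], 4) +
           _to64((f[2] << 16) | (f[8] << 8) | f[14], 4) +
           _to64((f[3] << 16) | (f[9] << 8) | f[15], 4) +
           _to64((f[4] << 16) | (f[10] << 8) | f[5], 4) +
           _to64(f[11], 2))
    return "$apr1$%s$%s" % (salt, enc)


def sha1_htpasswd(password):
    """The {SHA} scheme: unsalted base64(SHA-1(password)). Legacy: no salt, no stretching."""
    return "{SHA}" + base64.b64encode(hashlib.sha1(password.encode()).digest()).decode()


def verify(password, stored):
    """Check a password against one stored hash (apr1 and {SHA} only), comparing in constant time."""
    if stored.startswith("$apr1$"):
        candidate = apr1_md5(password, stored.split("$")[2])
    elif stored.startswith("{SHA}"):
        candidate = sha1_htpasswd(password)
    else:
        return False                      # bcrypt and crypt() need other libraries; not handled here
    return secrets.compare_digest(candidate, stored)


def audit_htpasswd(text):
    """Classify every entry of an .htpasswd file as (line number, user, scheme description)."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.startswith("#"):
            continue
        if ":" not in line:
            findings.append((lineno, None, "malformed: missing ':' separator"))
            continue
        user, h = line.split(":", 1)
        if h.startswith("$apr1$"):
            scheme = "apr1-md5: salted, 1000 rounds"
        elif h.startswith(("$2y$", "$2a$")):
            scheme = "bcrypt: preferred"
        elif h.startswith("{SHA}"):
            scheme = "sha1-unsalted: weak, precomputable"
        elif len(h) == 13 and all(c in ITOA64 for c in h):
            scheme = "crypt-des: weak, only the first 8 password characters count"
        else:
            scheme = "plaintext: not accepted by Apache on Unix"
        findings.append((lineno, user, scheme))
    return findings


# Constructed sample file (made-up users; the apr1 line is generated, the others are typical shapes).
SAMPLE_HTPASSWD = "\n".join([
    "abc:" + apr1_md5("correct horse", "x41saltz"),
    "legacy:{SHA}W6ph5Mm5Pz8GgiULbPgzG37mj9g=",
    "olduser:rLsuC8WpHd7u2",
    "broken line without separator",
])

if __name__ == "__main__":
    for lineno, user, scheme in audit_htpasswd(SAMPLE_HTPASSWD):
        print(lineno, user, scheme)
```

Salted apr1 entries with 1000 MD5 rounds are what you want to see in an old file; {SHA} entries can be reversed from precomputed tables, and a 13-character crypt() entry silently ignores everything after the eighth password character. Neither weakness is visible from the Apache side, which is why auditing the file itself matters.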

4. Create a group that is allowed access
Create a text file called .htgroup containing lines of the form:

groupname1: username1 username2 username3
groupname2: username1 username3 username4

Add "AuthGroupFile /absolute/path/.htgroup" to .htaccess and use "require group groupname1" in place of require valid-user. Upload all the files in ASCII mode; every file in the directory is then protected.

5. Forbidding reads of a file
If something like a password is stored in a file, anyone who learns where the file is can simply read it, which is clearly unsafe. Without changing other settings or moving the file, you can fix this by adding these lines to .htaccess:

<Files filename.ext>
Order allow,deny
Deny from all
</Files>

Apache 1.3 and later also support FilesMatch, which takes a regular expression:

<FilesMatch "\.tmp$">
Order allow,deny
Deny from all
</FilesMatch>

Files and FilesMatch restrict the enclosed directives to the files that match. Order controls how the Allow and Deny lines combine. "Order Deny,Allow" (the default) starts from "allowed", evaluates the Deny lines and then the Allow lines, and an Allow that matches overrides a Deny; a client matching neither is allowed. "Order Allow,Deny" starts from "denied", evaluates the Allow lines and then the Deny lines, and a Deny that matches overrides an Allow; a client matching neither is denied. "Deny from all" refuses every address and "Allow from all" admits every address. So the following admits everyone except the 111.222.0.0/16 range:

Order allow,deny
Allow from all
Deny from 111.222

"Deny from 111.222" denies every IP address beginning with 111.222 (for example 111.222.0.1). Besides IP addresses you can also name hosts (such as ***.com), at the cost of a reverse DNS lookup per request. Be careful with the order: the same three lines under "Order deny,allow" admit everyone, because "Allow from all" then overrides the Deny. Files and FilesMatch are used for more than deny rules; an individual file can also be given its own password requirement, for example:

<Files 123>
require user 123
</Files>

<Files abc>
require user abc
</Files>
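The Order semantics explained above are easy to get backwards, so here is a small evaluator added as an example in Python (not part of the original text and not Apache's code). It parses the Order, Allow from and Deny from lines of a .htaccess or <Files> fragment and decides a request the way mod_access does for "all", full or partial dotted IPv4 addresses and CIDR ranges; host-name arguments, which need reverse DNS, are not modelled. The two fragments are the three lines from the text and the same lines with the Order flipped.

```python
import ipaddress

# Fragment from the text: admit everyone except addresses starting with 111.222
FRAGMENT_FROM_TEXT = """
Order allow,deny
Allow from all
Deny from 111.222
"""

# Same lines with the Order reversed: the common mistake discussed above
FRAGMENT_FLIPPED = """
Order deny,allow
Allow from all
Deny from 111.222
"""


def parse_access(text):
    """Collect Order, Allow from and Deny from arguments from a .htaccess/<Files> fragment.
    mod_access's default Order is Deny,Allow."""
    order, allows, denies = "deny,allow", [], []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or line.startswith("<"):
            continue                      # ignore comments and container tags
        parts = line.split()
        directive = parts[0].lower()
        if directive == "order" and len(parts) > 1:
            order = "".join(parts[1:]).lower()
        elif directive in ("allow", "deny") and len(parts) > 2 and parts[1].lower() == "from":
            (allows if directive == "allow" else denies).extend(p.lower() for p in parts[2:])
    return order, allows, denies


def matches(pattern, ip):
    """Does one Allow/Deny argument match the client address?"""
    if pattern == "all":
        return True
    if "/" in pattern:                    # CIDR, e.g. 10.0.0.0/8
        return ipaddress.ip_address(ip) in ipaddress.ip_network(pattern, strict=False)
    octets = pattern.split(".")
    if 1 <= len(octets) <= 4 and all(o.isdigit() for o in octets):
        return ip.split(".")[:len(octets)] == octets   # full or partial dotted address
    raise ValueError("unsupported Allow/Deny argument (host names need DNS): " + pattern)


def access_granted(order, allows, denies, ip):
    """mod_access decision as in Apache 1.3/2.0/2.2."""
    allowed = any(matches(p, ip) for p in allows)
    denied = any(matches(p, ip) for p in denies)
    if order == "deny,allow":
        # Start allowed; Deny lines apply first, then a matching Allow overrides them.
        return allowed or not denied
    if order in ("allow,deny", "mutual-failure"):
        # Start denied; the client must match an Allow, and a matching Deny then overrides.
        return allowed and not denied
    raise ValueError("unknown Order: " + order)


def check(fragment, ip):
    """Parse a fragment and decide one client address."""
    return access_granted(*parse_access(fragment), ip)


if __name__ == "__main__":
    for ip in ("111.222.0.1", "192.0.2.10"):
        print(ip, "text:", check(FRAGMENT_FROM_TEXT, ip), "flipped:", check(FRAGMENT_FLIPPED, ip))
```

Under the text's fragment 111.222.0.1 is refused and 192.0.2.10 admitted; under the flipped fragment both are admitted, because with Deny,Allow the Allow from all wins. A fragment that only says Deny from all refuses everyone under either Order, which is the safe way to hide a file.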

Overall, protecting a site with .htaccess is convenient and reasonably secure, but be clear about what it does and does not defend against. HTTP Basic authentication sends the user name and password base64-encoded, not encrypted, with every request, so use it only over SSL (see 6.3.11); and an attacker can still guess passwords online, so choose strong ones. The scheme stores its authentication data in a flat text file, which limits lookup performance, and because HTTP is stateless every request must be re-verified, even a request for a page that does not exist. For a site with a small number of users this is no problem, so the scheme above suits small user populations. For a site with a very large number of users, use the database-backed module instead. By default Apache is not compiled with the database module, so you need to compile and install Apache yourself.

Before compiling, remove the existing package installation. Query the installed packages with:

rpm -qa | grep httpd

and remove them with rpm -e.

The build process: download the latest Apache from http://www.apache.org/dist/httpd/ and substitute its version number for the 2.2.45 used in the commands below. Copy the downloaded file to /tmp and run:

tar zxvf httpd-2.2.45.tar.gz

Change into the unpacked httpd-2.2.45 directory and run:

./configure --enable-authn-dbm

This tells the build to include the DBM authentication module (in Apache 2.2 the module is mod_authn_dbm, selected with --enable-authn-dbm, and its password database is managed with the htdbm utility; for Apache 1.3 the equivalent is ./configure --enable-module=auth_dbm). The compilation takes some time.

6.3.9 Reducing CGI and SSI risk

CGI script vulnerabilities have become the main security risk of Web servers, usually because of mistakes in how the scripts are written. Besides validating all input and being careful with system calls when writing them, CGI programs should run under the UID of their owner rather than that of the server. Even if such a program has holes, the damage is then limited to the files that UID can access: the user's own files rather than the whole system.

Installing and using suEXEC gives the Apache server this kind of control over CGI programs (suEXEC has shipped as part of Apache since version 1.3). suEXEC can be thought of as a wrapper: when Apache receives a request to run a CGI program, it hands the call to suEXEC, which switches to the target user and group and runs the program, and Apache returns the result obtained from suEXEC.

suEXEC solves some security problems but costs performance, because with it PHP can only run as a CGI program, and the CGI version of PHP is slower than the module version. The reason is that the module runs inside the httpd process, while the CGI version forks and executes a new process for every request; work within one process is far cheaper than starting a process each time.

suEXEC is recommended where security requirements are high enough to justify the cost in speed. An alternative is CGIWrap, whose security model is similar to suEXEC's; it is available from ftp://ftp.cc.umr.edu/pub/cgi/cgiwrap.

To reduce the risk from SSI scripts: if SSI is allowed to run external programs with exec and similar commands, it carries the same risks as CGI. Use the Options directive to disable program execution from SSI while keeping the other include features:

Options IncludesNOEXEC

6.3.10 Running the Apache server in a "jail"

A "jail" means changing the root directory that a running program sees by means of the chroot mechanism, so that the program is confined to a specified directory and can only act within that directory and its subdirectories. This protects the rest of the server: even if the program is compromised, the damage is limited.

The difficulty with chroot is that every program, configuration file and library the software needs must be installed inside the chroot directory, usually called the chroot jail. To run Apache in a jail, where it cannot see the real file system, you must create the directory in advance and copy httpd into it. The shared libraries httpd needs can be listed with ldd, which displays the shared libraries an executable requires; you then create a lib directory in the jail and copy them in. Doing this by hand is tedious, so the jail package can be used to simplify creating the chroot jail. Its home page is http://www.jmcresearch.com/ and the latest version is 1.9a.

Traditionally, UNIX/Linux daemons started with root privileges. That seemed natural because server software such as Apache must bind to a "well known" port (below 1024) to listen for HTTP requests, which only root can do. But as attackers became more active, and especially as buffer overflow vulnerabilities multiplied, this became a major threat: one vulnerability in a network service let an attacker take over the whole system. To limit the damage of such attacks, server software is now usually designed to start as root, then voluntarily drop root privileges and continue as a low-privilege system account. If the service is then exploited, the attacker gets only that low-privileged access, which reduces the damage considerably.

Some attackers will then look for other local vulnerabilities to escalate to root. Local security is generally much weaker than remote security, so an attacker who has a foothold is quite likely to find something to escalate with. Even without a local vulnerability, the attacker can still do damage, such as deleting files or defacing pages.

To improve on this, Linux supports the chroot mechanism inherited from UNIX. chroot is a system call; a program calls the chroot library function to change the root directory that the process sees. Suppose Apache is installed in /usr/local/httpd/ and started as root (or an account with equivalent rights). The root-privileged parent process spawns a number of child processes that run as nobody (or whatever user you configured). The parent listens on TCP port 80 and hands each incoming request to a child process according to its internal scheduling. The children inherit the parent's view of the file system, in which Apache's directory is /usr/local/httpd/. If directory permissions are wrong, a compromised child can access /usr/local, /usr, /tmp, or indeed the whole file system, because the process's root is still the root of the real file system. If Apache is instead confined with chroot to /usr/local/httpd/, it can only reach files and subdirectories under that directory. Creating a chroot jail thus restricts a process to one subtree of the file system. Note that chroot is not a barrier against a process that is root inside the jail, which has several ways to escape, so the jailed process must also run as an unprivileged user, as set up below.

1. Compiling and installing jail
The latest version of jail can be downloaded from http://www.jmcresearch.com/projects/jail/; it is developed by the Jail Chroot Project. The package contains C programs, Perl programs and Bash scripts that help create a chroot jail automatically.

Place jail.tar.gz in any directory and run:

# tar xzvf jail.tar.gz && cd jail/src

Edit the Makefile for your situation, in particular the installation prefix (the default is /usr/local), the architecture (jail supports Linux, FreeBSD, IRIX and Solaris) and the compiler options. Then run:

# make && make install

Now create the chroot jail itself. Here the jail directory is /var/chroot. Run the following to create the jail environment:

# /usr/local/bin/mkjailenv /var/chroot

The jail is now created. The jail package provides several Perl scripts as its core commands, including mkjailenv, addjailuser and addjailsw. addjailsw copies binaries and their related files (libraries, supporting files and device files) from the real file system into the jail.

2. Adding software to the jail
Next, add some software to the jail so that it can actually run. The following installs a basic set of programs such as ls, cat and cp together with the libraries they need, for example ld-linux.so.2:

# /usr/local/bin/addjailsw /var/chroot

Basic tools alone are not enough; the software that is to run in the jail must be added too. For Apache:

# addjailsw /var/chroot -P /usr/local/httpd/bin/httpd
addjailsw
A component of Jail (version 1.9 for linux)
http://www.jmcresearch.com/projects/jail/
Juan M. Casillas <juanm.casillas@jmcresearch.com>

Guessing /usr/local/httpd/bin/httpd args(0)
Warning: file /var/chroot//lib/libssl.so.4 exists. Overwritting it.
Warning: file /var/chroot//lib/libcrypto.so.4 exists. Overwritting it.
Warning: file /var/chroot//lib/libresolv.so.2 exists. Overwritting it.
......
Done.

The warnings can be ignored: jail runs ldd on httpd to find the libraries it uses, and almost every dynamically linked executable needs several of the same libraries, so some are copied more than once. Next copy Apache's own files into the jail:

# cp -a /usr/local/httpd/ /var/chroot/usr/local/

Copy any further Apache files into the jail as your setup requires.

3. "Imprisoning" a user
Sometimes a new user has to be created for the chroot jail; for example, Apache needs a user for its child processes to run as. Since other processes may also use nobody, another user, httpd, is used here. First create the httpd user in the real system:

# useradd -d /var/chroot -s /usr/local/bin/jail httpd

Then create the httpd user inside the chroot jail:

# /usr/local/bin/addjailuser /var/chroot /usr/local/httpd /usr/sbin/httpd httpd

Now edit /var/chroot/usr/local/httpd/conf/httpd.conf and replace User nobody with User httpd. Because Apache will be started as the httpd user after the chroot, and only root may bind to low ports (normally 80), the Port value must be changed to one above 1024 (8080 is assumed here). Apply this change to all of Apache's configuration, including the virtual host configuration. Everything else is configured as it would be in the real file system.

Some further files need copying. The usual way to start Apache is apachectl, a Bash script. Looking through it you find lines such as:

HTTPD='/usr/local/httpd/bin/httpd'
LYNX="lynx -dump"
ULIMIT_MAX_FILES="ulimit -S -n `ulimit -H -n`"
ARGV="-h"
$HTTPD -k $ARGV
$HTTPD -k start -DSSL
$HTTPD -t
$LYNX $STATUSURL | awk ' /process$/ { print; exit } { print } '

lynx and awk are supporting programs the script uses (ulimit is a shell builtin). Note also that a program may load different libraries depending on its arguments, so to let Apache run completely, trace every file it may touch with the arguments it is actually started with:

# /usr/local/bin/addjailsw /var/chroot -P httpd "-k start -DSSL"

Repeat with each set of arguments used in the quotes to cover all cases.

Finally, start Apache in the jail:

# su - httpd &

Test with a browser; remember to add the port number, 8080, when accessing the Web server.

6.3.11 Hardening Apache with SSL

Adding SSL to the Web server improves the security of the site. SSL sits between TCP/IP and HTTP; the relationship is shown in Figure 6-12.

SSL encrypts the information flowing between the browser and the Web server. It is not only used to encrypt data streams crossing the Internet; it also provides authentication of the two parties. That is what lets a customer shop online without fear of credit card details being stolen, and why SSL suits applications that exchange sensitive information, such as e-commerce and Web-based e-mail.

SSL uses public-key cryptography. The server sends the client a certificate containing its public key; what the client encrypts with that key can only be decrypted with the private key the server alone holds, and the server's ability to do so identifies it to the client and prevents an attacker from impersonating it (if client certificates are used, the client identifies itself the same way). Encrypted HTTP uses port 443 instead of port 80 so that it can be distinguished from ordinary unencrypted HTTP: a client opening an https:// connection goes to port 443 automatically, so the server knows how to respond. The SSL authentication and key-establishment process (the RSA key exchange used by the SSL versions of the time) is:

1) the user's browser connects to the Web site and starts the SSL handshake;

2) the Web server responds and sends its server certificate (containing its public key), which identifies the Web site;

3) the browser validates the server certificate and generates a random session key, 128 bits long;

4) the browser encrypts the session key with the server's public key;

5) the browser sends the encrypted session key to the Web server;

6) the Web server decrypts it with its own private key and obtains the session key;

7) browser and Web server now share the same session key and use it to encrypt the contents of their communication;

8) the secure channel is established.

When using SSL, Apache gives you two choices: the main server or a virtual host.

If you are using RHEL 3.0 to 4.0, check with "rpm -qa | grep mod_ssl" whether mod_ssl is installed. If not, log in as root and run "system-config-packages"; in the graphical package manager select the Web server group, click "Details", tick "mod_ssl", and insert the CD-ROM when prompted to complete the installation.

Next generate the SSL key and certificate request (the .key and .csr files). A 1024-bit RSA key, as used originally here, is no longer considered adequate; use at least 2048 bits:

# openssl genrsa -out server.key 2048
Generating RSA private key, 2048 bit long modulus
......++++++
........++++++
e is 65537 (0x10001)
# chmod 600 server.key
# openssl req -new -key server.key -out server.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [GB]:CN
State or Province Name (full name) [Berkshire]:China
Locality Name (eg, city) [Newbury]:beijing City
Organization Name (eg, company) [My Company Ltd]:x41
Organizational Unit Name (eg, section) []:x41
Common Name (eg, your name or your server's hostname) []:localhost
Email Address []:goodcjh@2911.net

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:goodcjh
An optional company name []:goodcjh

The Common Name must match the host name clients will use in the URL; localhost is only suitable for local testing. Now sign the request with your own key. This produces a self-signed certificate, which browsers will warn about; for a public site send server.csr to a CA instead:

# openssl x509 -req -sha256 -days 365 -in server.csr -signkey server.key -out server.crt

You now have three files: server.csr, server.key and server.crt. Copy them to the certificate directory /etc/httpd/conf/ca, then add the following two lines to the Apache configuration file httpd.conf:

SSLCertificateFile /etc/httpd/conf/ca/server.crt
SSLCertificateKeyFile /etc/httpd/conf/ca/server.key

Restart Apache (startssl exists in Apache 1.3 and 2.0; in 2.2 and later SSL is turned on by SSLEngine on in the configuration and you simply use apachectl start):

apachectl stop
apachectl startssl

Access the Apache home page with a browser at https://localhost; the dialog shown in Figure 6-14 appears because the certificate is self-signed.

Click "OK" to reach the encrypted Apache home page; note the browser's location bar and the padlock in the lower right corner.

If you use Linux distribution does not include mod_ssl software, you can use the command to add APT. Debian GNU / Linux is the APT (Advanced Package Tool) founder. Its intention is to use the tools to solve the dependency problem when installing software. It works roughly as follows: APT users to install client tools, RPM package information server search APT repository (repositories) on, and analyze dependencies between packages, and then download and install it. APT In addition to allowing you to easily and quickly install the RPM software, you can also use it to update your system. While APT is based on the Debian package management tool, but has been a Brazilian company Conectiva ported to RPM-based systems. Therefore, based on the RPM package management platforms, such as Red Hat, TurboLinux, SUSE, Mandrake and other Linux distributions, APT is a very good software management tools.

Before running APT need to confirm that the Apache server is already available WWW service, and / var partition if there is enough space.

# Wget http://ftp.freshrpms.net/pub/freshrpms/Fedora/linux/3/apt/apt-0.5.15cnc6- 1.1.fc3.fr.i386.rpm

# Wget http://ftp.freshrpms.net/pub/freshrpms/fedora/linux/3/apt/apt-devel-0.5. 15cnc6-1.1.fc3.fr.i386.rpm

# Rpm -ivh apt-devel-0.5.15cnc6-1.1.fc3.fr.i386.rpm

# Rpm -ivh apt-0.5.15cnc6-1.1.fc3.fr.i386.rpm

Freshrpms.net then need to add a public key GPG-KEY, and then create a / gpg folder, GPG-KEY stored there for future management in the / etc / apt.

# Rpm --import http://ftp.freshrpms.net/pub/freshrpms/RPM-GPG-KEY

Install a graphical interface, freshrpms.net site provides a graphical interface to apt-rpm Synaptic, a graphical interface for APT is more convenient, you can directly use APT to install Synaptic:
# Apt-get install synaptic

After a few lines to prompt Synaptic installed, enter the X Window, Synaptic will appear inside the "System Settings" menu.

Table 6-1  Main APT commands

Command                          Description
------------------------------   -----------------------------------------------------------------------------
apt-get update                   Update the local package database (the pkglist file) so that it matches the server; generally required before an upgrade
apt-get check                    Verify the integrity of the local system
apt-get dist-upgrade             Install all basic packages and upgrade all packages, installing new packages where necessary
apt-get remove package_name      Remove the package, together with the packages that depend on it
apt-get install package_name     Install a package and the packages it depends on
apt-get source package_name      Download the source RPM of the package
apt-get clean                    Delete the downloaded packages saved in the cache directory (/var/cache/apt/archives)
apt-get upgrade package_name     Upgrade the specified package and the packages it depends on
apt-cdrom add                    Add an installation disc automatically and build its package list
apt-cache depends package_name   Display the dependencies of the package
apt-cache search package_name    Search the repositories for the specified package
apt-config dump                  Display the current configuration

Of these, apt-get is the command users run most often.

# apt-get install openssl

# apt-get install libapache-mod-ssl

# apache-modconf apache enable mod_ssl

Then generate the certificate files, using the same method as above.

# cd /etc/apache/ssl.key/

# openssl genrsa -out server.key 1024

# chmod 600 server.key

Alternatively, to protect the private key with a passphrase instead (Apache will then prompt for it at every start), generate it with -des3:

# openssl genrsa -des3 -out server.key 1024

# cd ../ssl.csr/

# openssl req -new -key ../ssl.key/server.key -out server.csr

# cd ../ssl.crt/

# openssl req -new -x509 -nodes -sha1 -days 365 -key ../ssl.key/server.key -out server.crt

If you are using virtual hosts, the Apache configuration file must also be modified:

Listen *:443

<VirtualHost *:443>
    ServerName secure.example.org
    DocumentRoot /home/username/public_html/
    User username
    Group groupname
    DirectoryIndex index.php index.html index.htm
    SSLEngine On
    SSLCertificateKeyFile /etc/apache/ssl.key/server.key
    SSLCertificateFile /etc/apache/ssl.crt/server.crt
    SSLCACertificateFile /etc/apache/ssl.crt/ca.crt
</VirtualHost>

6.3.12 Protecting the Apache server against DoS

Denial-of-service protection for the Apache server is achieved mainly with the Apache DoS Evasive Maneuvers Module, an alternative to mod_access that can defend against DoS attacks. The module quickly rejects repeated requests for the same URL from the same address, which it detects by looking up an internal hash table kept in each child process. The software can be downloaded from http://online.securityfocus.com/data/tools/dospatch.tar.gz.

At the same time, you can use the powerful Linux command-line tools to guard against DoS attacks.

netstat -an | grep -i "<server IP address>:80" | awk '{print $6}' | sort | uniq -c | sort -n

This command counts the number of TCP connections in each state. If the SYN_RECV count is high, a denial-of-service attack based on the TCP protocol cannot be ruled out, so tcp_syncookies should be enabled:

echo 1 > /proc/sys/net/ipv4/tcp_syncookies

If /proc/sys/net/ipv4/tcp_syncookies does not exist, the kernel does not support syncookies and must be recompiled. At the same time, reduce the number of SYN retries:

echo "1" > /proc/sys/net/ipv4/tcp_syn_retries

echo "1" > /proc/sys/net/ipv4/tcp_synack_retries

Also increase the SYN backlog so that legitimate users can still get through:

echo "2048" > /proc/sys/net/ipv4/tcp_max_syn_backlog
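The connection-state check above, packaged as reusable shell functions so the SYN_RECV decision can be scripted. This is an added example, not code from the original text; the netstat output it reads is constructed sample data, and the function names are assumptions.

```shell
#!/bin/sh
# Added example, not from the original text: the netstat | awk | sort | uniq -c
# pipeline above as functions, plus the SYN_RECV check the text describes.
# SAMPLE_NETSTAT is constructed sample data in Linux "netstat -an" layout
# (the connection state is field 6); feed live "netstat -an" output instead.
SAMPLE_NETSTAT='tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN
tcp        0      0 192.0.2.10:80           198.51.100.7:51022      ESTABLISHED
tcp        0      0 192.0.2.10:80           198.51.100.8:51040      ESTABLISHED
tcp        0      0 192.0.2.10:80           203.0.113.5:40211       SYN_RECV
tcp        0      0 192.0.2.10:80           203.0.113.6:40212       SYN_RECV
tcp        0      0 192.0.2.10:80           203.0.113.7:40213       SYN_RECV
tcp        0      0 192.0.2.10:80           198.51.100.9:51101      TIME_WAIT
tcp        0      0 192.0.2.10:22           198.51.100.7:50001      ESTABLISHED'

# count_states PORT: read netstat output on stdin and print "<count> <STATE>"
# for every connection whose local port is PORT, least frequent state first.
count_states() {
    grep -i ":$1 " | awk '{print $6}' | sort | uniq -c | sort -n
}

# syn_recv_count PORT: number of half-open (SYN_RECV) connections to PORT,
# printing 0 when there are none.
syn_recv_count() {
    count_states "$1" | awk '$2 == "SYN_RECV" {n = $1} END {print n + 0}'
}

# syn_flood_suspected PORT THRESHOLD: succeeds (exit 0) when the SYN_RECV
# connections to PORT reach THRESHOLD, the situation in which the text
# recommends enabling tcp_syncookies and tuning the SYN retry/backlog values.
syn_flood_suspected() {
    n=$(printf '%s\n' "$SAMPLE_NETSTAT" | syn_recv_count "$1")
    [ "$n" -ge "$2" ]
}

# Stand-alone run: per-state counts and the verdict for port 80.
printf '%s\n' "$SAMPLE_NETSTAT" | count_states 80
if syn_flood_suspected 80 3; then
    echo "SYN_RECV is high on port 80: enable tcp_syncookies (see above)"
fi
```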

6.3.13 Using LDAP for Apache authentication

Create a test page.

# mkdir /var/www/html/ldap

# echo "LDAP Auth Test Page" > /var/www/html/ldap/index.html

Install the mod_authz_ldap module.

For the Apache server to access data on an LDAP server, the mod_authz_ldap module must be installed as the authentication interface between Apache and the LDAP server.

# rpm -ivh mod_authz_ldap*.rpm

Modify /etc/httpd/conf.d/auth_mysql.conf.

If the mod_auth_mysql authentication module was installed earlier, it must be disabled by commenting out its LoadModule line:

#LoadModule mysql_auth_module modules/mod_auth_mysql.so

Modify /etc/httpd/conf.d/authz_ldap.conf.

#<IfModule mod_authz_ldap.c>
#  <Location /private>
#    AuthzLDAPEngine on
#    AuthzLDAPServer localhost
#    AuthzLDAPUserBase ou=People,dc=example,dc=com
#    AuthzLDAPUserKey uid
#    AuthzLDAPUserScope base
#    AuthType basic
#    AuthName "ldap@example.com"
#    Require valid-user
#  </Location>
</IfModule>

Change it to the following:

LoadModule authz_ldap_module modules/mod_authz_ldap.so

<IfModule mod_authz_ldap.c>
  <Directory /var/www/html/ldap>
    AuthzLDAPServer localhost
    AuthzLDAPUserBase ou=People,dc=example,dc=com
    AuthzLDAPUserKey uid
    AuthzLDAPUserScope base
    AuthType basic
    AuthName "ldap@example.com"
    require valid-user
  </Directory>
</IfModule>

Restart the Apache server.

# service httpd restart

Stop httpd: [OK]

Start httpd: [OK]

6.3.14 Other security tools

tcp_wrappers and AIDE can provide additional protection for the system. tcp_wrappers allows access to the server to be controlled. AIDE is a data integrity checking tool that helps the system administrator detect whether the system has been changed; you can prepare a specific policy configuration file for AIDE that monitors whether the Web server's configuration files and CGI data files have been modified. SELinux can also protect the Apache server (introduced in Chapter 16). If you are familiar with directory services, you can use an LDAP server for Apache access authentication.

Some security-related directives can be used in the Apache configuration file. Their detailed usage is documented at http://httpd.apache.org/docs/mod/directives.html.

The following directives can help you reduce the threat of denial-of-service attacks.

- LimitRequestBody: a numeric argument that limits the size of an HTTP request body.

- LimitRequestFields: a numeric argument that limits the number of request header fields.

- KeepAlive: controls the lifetime of persistent connections.

- KeepAliveTimeout: limits the time spent waiting for the next request.

The following directives can help you reduce the risk of buffer overflows.

- LimitRequestFieldSize: limits the size of each request header field.

- LimitRequestLine: limits the size of the request line.

In fact, most Web sites are defaced or compromised because of vulnerabilities in applications or scripts. Web security experts consider running scripts or applications on a Web server the single greatest risk factor: because CGI scripts typically generate dynamic content, they can cause great damage. For most Web servers, you should first consider how to strengthen the security configuration.

6.4 Summary

Apache installation and maintenance require attention to the following security issues.

- Check that file and directory permissions are appropriate.

- Check that the httpd.conf settings are appropriate.

- Have the server log files record as much information as possible.

- Password-protect directories that need special protection (.htaccess).

- Check CGI scripts and program packages.

- Check the SSI directives.

- Use other security tools such as tcp_wrappers and Tripwire.