20 ways to Secure your Apache Configuration
Source: Internet | Published under: 数据库保护分为 | Editor: 程序博客网 | Time: 2024/05/22 11:50
1 Make sure you have installed the latest security patches
There is little point hardening the configuration of a server with a known remote vulnerability, so check the Apache project's and your vendor's advisories first and keep the binaries current.
2 Hide the Apache version number and other sensitive information
There are two directives that you need to add, or edit, in your httpd.conf file:
ServerSignature Off
ServerTokens Prod
The ServerSignature appears at the bottom of pages generated by Apache, such as 404 pages and directory listings.
The ServerTokens directive determines what Apache puts in the Server HTTP response header. Setting it to Prod reduces the header to:
Server: Apache
This only removes the banner; the version can still be guessed from other behaviour, so treat it as one layer and not as a substitute for item 1.
3 Make sure Apache is running under its own user account and group
Several Apache installations run it as the user nobody. Suppose both Apache and your mail server were running as nobody: an attack through Apache may then allow the mail server to be compromised as well, and vice versa. Give Apache a dedicated account:
User apache
Group apache
4 Ensure that files outside the web root are not served
We don't want Apache to be able to access any files outside its web root. So, assuming all your web sites are placed under one directory (we will call this /web), you would set it up as follows:
<Directory />
Order Deny,Allow
Deny from all
Options None
AllowOverride None
</Directory>
<Directory /web>
Order Allow,Deny
Allow from all
</Directory>
Note that because we set Options None and AllowOverride None on /, this turns off all options and overrides for the whole server. You now have to add them explicitly for each directory that requires an Option or Override. On Apache 2.4 the Order/Deny/Allow lines belong to mod_access_compat; the native equivalents are Require all denied for / and Require all granted for /web.
5 Turn off directory browsing
You can do this with an Options directive inside a Directory tag. Set Options to either None or -Indexes:
Options -Indexes
6 Turn off server side includes
This is also done with the Options directive inside a Directory tag. Set Options to either None or -Includes:
Options -Includes
7 Turn off CGI execution
If you're not using CGI, turn it off with the Options directive inside a Directory tag. Set Options to either None or -ExecCGI:
Options -ExecCGI
8 Don't allow Apache to follow symbolic links
This can again be done using the Options directive inside a Directory tag. Set Options to either None or -FollowSymLinks:
Options -FollowSymLinks
If some directories genuinely need symlinks, SymLinksIfOwnerMatch is the safer alternative: Apache follows a link only when the link and its target have the same owner, so a user cannot point a link at a file they do not own.
9 Turning off multiple Options
If you want to turn off all Options simply use:
Options None
If you only want to turn off some, separate each option with a space in your Options directive:
Options -ExecCGI -FollowSymLinks -Indexes
An Options line whose entries all carry + or - merges with the settings inherited from the parent directory, while one without them replaces the inherited list entirely; mixing the two forms in a single directive is a syntax error that Apache rejects at startup.
10 Turn off support for .htaccess files
This is done in a Directory tag, but with the AllowOverride directive. Set it to None:
AllowOverride None
If you require Overrides, ensure that the override files cannot be downloaded, and/or change the name to something other than .htaccess. For example we could change it to .httpdoverride, and block all files that start with .ht from being downloaded as follows:
AccessFileName .httpdoverride
<Files ~ "^\.ht">
Order allow,deny
Deny from all
Satisfy All
</Files>
The backslash in the pattern escapes the dot so that it matches a literal period; if you pick an override file name that does not start with .ht, extend the pattern to cover it.
11 Run mod_security
mod_security is a very handy Apache module (a web application firewall) written by Ivan Ristic, the author of Apache Security from O'Reilly.
You can do the following with mod_security:
- Simple filtering
- Regular Expression based filtering
- URL Encoding Validation
- Unicode Encoding Validation
- Auditing
- Null byte attack prevention
- Upload memory limits
- Server identity masking
- Built in Chroot support
- And more
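The directives from items 2 and 4 through 10 are easy to miss when editing a long httpd.conf by hand, so here is a small audit script that checks a configuration against them. It is an added example, not code from the original article or from the Apache project: it parses httpd.conf syntax just far enough to know which <Directory> a directive sits in, the two sample configurations embedded in it are constructed for the demonstration, and it does not follow Include directives, so run it over each included file as well.

```python
"""Audit an httpd.conf for the hardening directives of items 2 and 4 to 10.
Added example, not from the original article; the sample configs at the
bottom are constructed for the demo.  Recognises both 2.2 (Order/Deny/Allow)
and 2.4 (Require) access syntax; Include files are not followed."""
import re

# Options the article switches off (items 5 to 8), keyed case-insensitively.
RISKY_OPTIONS = {"indexes": "Indexes", "includes": "Includes",
                 "execcgi": "ExecCGI", "followsymlinks": "FollowSymLinks"}
_OPEN = re.compile(r"^<(\w+)\s*(.*?)>$")
_CLOSE = re.compile(r"^</(\w+)>$")

def parse_config(text):
    """Flatten config text into (depth, directory, directive, args) tuples."""
    entries, stack = [], []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        opened = _OPEN.match(line)
        if opened:
            stack.append((opened.group(1), opened.group(2).strip().strip('"')))
            continue
        closed = _CLOSE.match(line)
        if closed:
            if not stack or stack[-1][0].lower() != closed.group(1).lower():
                raise ValueError("unbalanced section near: " + line)
            stack.pop()
            continue
        name, *args = line.split()
        # directory = path of the innermost enclosing <Directory>, if any
        dirs = [arg for section, arg in stack if section.lower() == "directory"]
        entries.append((len(stack), dirs[-1] if dirs else None, name, args))
    if stack:
        raise ValueError("unclosed section: <%s %s>" % stack[-1])
    return entries

def audit(text):
    """Return a list of findings; an empty list means every check passed."""
    entries = parse_config(text)
    findings = []
    server = {n.lower(): [a.lower() for a in args] for depth, _, n, args in entries if depth == 0}
    # Item 2: Apache's defaults are ServerTokens Full and ServerSignature Off.
    for directive, default, wanted in (("ServerTokens", "full", "prod"), ("ServerSignature", "off", "off")):
        if server.get(directive.lower(), [default]) != [wanted]:
            findings.append("%s is not %s: server identity is disclosed" % (directive, wanted.title()))
    # Item 4: the filesystem root must be locked down (2.2 or 2.4 syntax).
    root_rules = [(n.lower(), [a.lower() for a in args]) for _, d, n, args in entries if d == "/"]
    if ("deny", ["from", "all"]) not in root_rules and ("require", ["all", "denied"]) not in root_rules:
        findings.append("no <Directory /> block denies access outside the web root")
    for directive in ("Options", "AllowOverride"):
        if (directive.lower(), ["none"]) not in root_rules:
            findings.append("<Directory /> does not set %s None" % directive)
    # Items 5 to 10: per-directory Options and AllowOverride.
    for _, directory, name, args in entries:
        if directory is None:
            continue
        if name.lower() == "options":
            enabled = {a.lstrip("+").lower() for a in args if not a.startswith("-")}
            if "all" in enabled:                 # All means everything except MultiViews
                enabled |= set(RISKY_OPTIONS)
            for opt in sorted(enabled & set(RISKY_OPTIONS)):
                findings.append("Options %s enabled in <Directory %s>" % (RISKY_OPTIONS[opt], directory))
        elif name.lower() == "allowoverride" and [a.lower() for a in args] != ["none"]:
            findings.append("AllowOverride %s in <Directory %s>: .htaccess files are honoured"
                            % (" ".join(args), directory))
    return findings

# Constructed sample configurations (not taken from any real server).
INSECURE_CONF = """
ServerTokens Full
ServerSignature On
<Directory "/var/www/html">
    Options Indexes FollowSymLinks
    AllowOverride All
</Directory>
"""
HARDENED_CONF = """
ServerTokens Prod
ServerSignature Off
<Directory />
    Order Deny,Allow
    Deny from all
    Options None
    AllowOverride None
</Directory>
<Directory /web>
    Order Allow,Deny
    Allow from all
    Options -Indexes -Includes -ExecCGI -FollowSymLinks
    AllowOverride None
</Directory>
"""

if __name__ == "__main__":
    for label, conf in (("insecure", INSECURE_CONF), ("hardened", HARDENED_CONF)):
        print(label, audit(conf))
```

Running it reports eight findings for the insecure sample and none for the hardened one. The parser is deliberately case-insensitive on directive names and argument keywords, as Apache itself is, so a lowercase "options indexes" is still caught; it treats Options All as enabling every risky option, since that is what Apache does.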
12 Disable any unnecessary modules
Apache typically comes with several modules installed. Go through the Apache module documentation and learn what each module you have enabled actually does. Many times you will find that you don't need the module enabled at all.
Look for lines in your httpd.conf that contain LoadModule. To disable a module you can typically just add a # at the beginning of the line. To list the modules being loaded, run:
grep LoadModule httpd.conf
Here are some modules that are typically enabled but often not needed: mod_imap (renamed mod_imagemap in Apache 2.2), mod_include, mod_info, mod_userdir, mod_status, mod_cgi, mod_autoindex.
On distributions that split the configuration into conf.d or mods-enabled directories the LoadModule lines live there rather than in httpd.conf; httpd -M (or apachectl -M) shows the modules actually loaded, which is the list to review.
13 Make sure only root has read access to Apache's config and binaries
This can be done, assuming your Apache installation is located at /usr/local/apache, as follows:
chown -R root:root /usr/local/apache
chmod -R o-rwx /usr/local/apache
Check first that your document root is not under that tree: the child processes run as the apache user from item 3, and after this command they can no longer read anything below /usr/local/apache. Move the content elsewhere, or grant read access back explicitly for the content directories.
14 Lower the Timeout value
By default the Timeout directive is set to 300 seconds (Apache 2.4 lowered the default to 60). You can decrease it to help mitigate the potential effects of a denial of service attack:
Timeout 45
15 Limiting large requests
Apache has several directives that allow you to limit the size of a request; this can also be useful for mitigating the effects of a denial of service attack.
A good place to start is the LimitRequestBody directive. This directive is set to unlimited (0) by default. If you are allowing file uploads of no larger than 1MB, you could set it to something like:
LimitRequestBody 1048576
If you're not allowing file uploads you can set it even smaller.
Some other directives to look at are LimitRequestFields, LimitRequestFieldSize and LimitRequestLine. These are set to reasonable defaults for most servers (100 header fields, 8190 bytes per field and 8190 bytes for the request line), but you may want to tweak them to best fit your needs. See the documentation for more info.
16 Limiting the size of an XML body
If you're running mod_dav (typically used with Subversion) then you may want to limit the maximum size of an XML request body. The LimitXMLRequestBody directive is only available on Apache 2, and its default value is 1,000,000 bytes (approximately 1MB). Many tutorials will have you set this value to 0, which means XML request bodies of any size are accepted. That may be necessary if you're using WebDAV with clients that send very large XML bodies, but if you're simply using it for source control you can probably get away with an upper bound such as 10MB:
LimitXMLRequestBody 10485760
Note that this limit applies to the XML bodies of DAV methods such as PROPFIND, not to the file content of a PUT; that is governed by LimitRequestBody from item 15.
17 Limiting concurrency
Apache has several configuration settings that can be used to adjust the handling of concurrent requests. MaxClients is the maximum number of child processes (or, with a threaded MPM, worker threads) that will be created to serve requests. This may be set too high if your server doesn't have enough memory to handle a large number of concurrent requests: size it so that MaxClients multiplied by the typical resident memory of one child stays within the RAM you can give Apache, otherwise the machine swaps under load and the denial of service happens anyway.
Other directives such as MaxSpareServers, MaxRequestsPerChild, and on Apache 2 ThreadsPerChild, ServerLimit and MaxSpareThreads are important to adjust to match your operating system and hardware. Apache 2.4 renamed MaxClients to MaxRequestWorkers and MaxRequestsPerChild to MaxConnectionsPerChild; the old names are still accepted.
18 Restricting access by IP
If you have a resource that should only be accessed by a certain network or IP address, you can enforce this in your Apache configuration. For instance, if you want to restrict access to your intranet to allow only the 172.16.0.0/16 network:
Order Deny,Allow
Deny from all
Allow from 172.16.0.0/16
Or by IP:
Order Deny,Allow
Deny from all
Allow from 127.0.0.1
With Order Deny,Allow the Deny rules are evaluated first and any matching Allow overrides them, which is why these examples read as "deny everything, then allow the listed sources". Bear in mind that Apache sees the address of the TCP peer: behind a reverse proxy or load balancer every request appears to come from the proxy, so this technique only works when clients connect directly. On Apache 2.4 the equivalent is Require ip 172.16.0.0/16 or Require ip 127.0.0.1.
19 Adjusting KeepAlive settings
According to the Apache documentation, using HTTP Keep-Alives can improve client performance by as much as 50%, so be careful before changing these settings: you will be trading performance for a slight denial of service mitigation.
Keep-Alives are turned on by default and you should leave them on, but you may consider changing MaxKeepAliveRequests, which defaults to 100, and KeepAliveTimeout, which defaults to 15 seconds (5 in Apache 2.4). Analyze your log files to determine the appropriate values.
20 Run Apache in a chroot environment
chroot allows you to run a program in its own isolated jail. This limits a break-in on one service from affecting anything else on the server. It is not a complete sandbox, though: a process that gains root inside the jail can usually break out, so keep the privilege dropping from item 3 and the other items in place as well.
It can be fairly tricky to set this up using chroot directly because of library dependencies. I mentioned above that the mod_security module has built-in chroot support, which makes the process as simple as adding a mod_security directive to your configuration:
SecChrootDir /chroot/apache
This directive exists only in ModSecurity 1.x; it was removed in ModSecurity 2.x, so with current versions you will need to build the jail by hand or use the operating system's own isolation facilities.
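To see how the Order/Allow/Deny rules from item 18 actually decide a request, here is an added example (not from the original article or from the Apache project) that reproduces Apache 2.2's decision rule for host-based access control and evaluates the two rule sets from item 18, plus a common misconfiguration, against constructed client addresses. The rule sets and addresses are constructed for the demonstration; Apache 2.4's Require directives have their own, simpler semantics and are not modelled here.

```python
"""Evaluate Apache 2.2 host-based access control (item 18) offline.
Added example, not from the original article.  It reproduces the
Order/Allow/Deny decision rule so a rule set can be checked against
sample client addresses before it is deployed.  The rule sets and the
client addresses below are constructed for the demo."""
import ipaddress


def _matches(client, patterns):
    """True if client matches any pattern: all, a single address, a CIDR or
    address/netmask block, or a partial dotted IPv4 prefix such as 172.16."""
    ip = ipaddress.ip_address(client)
    for pattern in patterns:
        if pattern.lower() == "all":
            return True
        if "/" in pattern:
            if ip in ipaddress.ip_network(pattern, strict=False):
                return True
        elif ":" not in pattern and pattern.count(".") < 3:
            if client.startswith(pattern + "."):
                return True
        elif ip == ipaddress.ip_address(pattern):
            return True
    return False


def access_allowed(client, order, allow=(), deny=()):
    """Apply Apache's Order semantics.

    Deny,Allow: deny rules are evaluated first, then allow rules override
                them; a client matching neither list is permitted.
    Allow,Deny: allow rules are evaluated first and one must match, then
                any matching deny rule rejects; the default is to refuse.
    """
    allowed = _matches(client, allow)
    denied = _matches(client, deny)
    order = order.replace(" ", "").lower()
    if order == "deny,allow":
        return allowed or not denied
    if order == "allow,deny":
        return allowed and not denied
    raise ValueError("unsupported Order value: " + order)


# The article's two rule sets (item 18): intranet-only and localhost-only.
# Note that 127.0.0.1 does not cover the IPv6 loopback ::1.
INTRANET_ONLY = dict(order="Deny,Allow", deny=["all"], allow=["172.16.0.0/16"])
LOCALHOST_ONLY = dict(order="Deny,Allow", deny=["all"], allow=["127.0.0.1"])

# The classic mistake: trying to block one host while allowing everyone else.
# With Order Deny,Allow the Allow wins, so the blocked host still gets in;
# Order Allow,Deny gives the intended result.
BLOCK_ONE_WRONG = dict(order="Deny,Allow", allow=["all"], deny=["192.0.2.7"])
BLOCK_ONE_RIGHT = dict(order="Allow,Deny", allow=["all"], deny=["192.0.2.7"])


def table(rules, clients):
    """Map each client address to the access decision under the given rule set."""
    return {client: access_allowed(client, **rules) for client in clients}


if __name__ == "__main__":
    clients = ["172.16.5.3", "127.0.0.1", "::1", "192.0.2.7", "203.0.113.9"]
    for name, rules in (("INTRANET_ONLY", INTRANET_ONLY), ("LOCALHOST_ONLY", LOCALHOST_ONLY),
                        ("BLOCK_ONE_WRONG", BLOCK_ONE_WRONG), ("BLOCK_ONE_RIGHT", BLOCK_ONE_RIGHT)):
        print(name, table(rules, clients))
```

The BLOCK_ONE pair is the case worth remembering: the same Allow and Deny lines produce opposite results depending on the Order value, so when a rule set is meant to be a blocklist, use Order Allow,Deny, and when it is meant to be an allowlist, use Order Deny,Allow with Deny from all as in the article.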