Securing the Apache Web Server (part 1)


According to Netcraft's September statistics, Apache is the most widely used web server on the Internet (64.52% market share). However, configuring an Apache web server securely is not a simple task that just anyone can do. The article "Securing Apache: Step-by-Step" makes it easier to build a highly secure web server.

Apache security: step by step

(Artur Maj)

Welcome to everyone who is interested in Apache security.

I decided to translate this article and to add "Comments and Extensions" to its important paragraphs, in the hope that they help you apply these points in a real environment. Here is the first part.

This document is a step-by-step guide to installing and configuring the Apache 1.3.x web server so that break-ins are contained or prevented when vulnerabilities in the software are discovered.

Functionality
Before starting to secure Apache, we have to determine which functions of the server will actually be used. Apache's versatility makes it difficult to write a universal procedure for securing the server in every possible case. That is why this document is based on the following functionality:
- The web server will be accessible from the Internet; and,
- Only static HTML pages will be served
- The server will support name-based virtual hosting
- Specified web pages will be accessible only from selected IP addresses or users (basic authentication)
- The server will log all requests (including information about web browsers)

It is worth emphasizing that the model above does not support PHP, JSP, CGI, or any other technology that makes it possible to interact with web services. Using these technologies can pose a significant security threat: even a small, inconspicuous script can drastically lower the server's security level. Why? First of all, ASP/CGI applications may contain security vulnerabilities (for example, SQL injection or cross-site scripting). Second, the technologies themselves can be dangerous (vulnerabilities in PHP, Perl modules, etc.). That is why I strongly suggest using such technologies only when interaction with a web site is absolutely necessary.

Written and expanded:
Hardening a web server involves many techniques at varying levels. The author favours the "minimum" principle in order to minimize the vulnerabilities that may be present on a web server. In theory, this principle allows security to be applied and tuned more rigorously. In practice, however, the operational needs of a web server cannot be held to this "minimum" and confined to static HTML pages. Designing web applications that are versatile and multi-functional is one of the top requirements. A site limited solely to static HTML pages not only restricts the site's functionality, it also weakens its practicality, its economic value, and the case for the cost of building and maintaining it. The optimal solution is probably a balance between knowing how to secure the web server and being able to design the web application soundly in terms of features and operation, so as to minimize design errors in the program.

One limitation, or rather one common pattern, in web design is that the stages of the work get blended together. In other words, designers and programmers do not invest enough time in researching, analyzing and applying sound design patterns to their projects, and often go straight to implementation. Such "go straight" steps usually reflect an immature design phase, which results in limited functionality and exposure to critical security flaws. In fact, there is a real difference between making a web site run and making a web site that runs, performs well, scales and stays secure. The habit of "stir-frying" operating system commands or database commands directly into a bare HTML page, by embedding them in PHP, JSP, ASP and so on, is very common. It is a good example of what is called "runs, but lacks performance, lacks scalability, and is open to critical security bugs".

Because web application design is outside the scope of this article, you should read more about these designs at the following URLs, depending on the technology you use:
http://www.object-arts.com/Educatio...erviews/MVC.htm
http://www.enode.com/x/markup/tutorial/mvc.html
http://www.phppatterns.com/index.ph...cleview/19/1/1/
http://www.dmbcllc.com/asp_mvc.aspx
http://www.jdance.com/jsparchitecture.shtm
http://www.redbooks.ibm.com/abstracts/sg245755.html
http://www.redbooks.ibm.com/abstracts/sg245754.html
You can use Google to search for more documentation on MVC with the keyword "MVC Pattern", or refer to specialized material on major websites such as
http://java.sun.com or http://www.ibm.com

Security assumptions
One of the most important elements of every computing project is the specification of its security assumptions. This must be done before the project is implemented. The security assumptions for our web server are as follows:
- The operating system must be hardened as much as possible, against attacks from both outside and inside;
- The server must not offer any network service other than HTTP (80/TCP);
- Remote access to the server must be controlled by a firewall, which blocks all incoming connections except those to port 80/TCP of the web server;
- The Apache web server must be the only service available on the system;
- Only the absolutely necessary modules may be enabled;
- Diagnostic web pages and automatic directory indexing must be turned off;
- The server should disclose as little information about itself as possible (security by obscurity);
- The Apache server must run under its own UID/GID (user and group), not used by any other process on the system;
- Apache processes must have limited access to the file system (chrooting); and,
- No shell programs may be present in the chrooted environment (/bin/sh, /bin/csh, etc.).

Written and expanded:
Once again, the author promotes the "minimum" principle. The difference is that this time the "minimum" applies to the environment rather than reducing the capabilities of the Apache web server itself.

Hardening the machine that runs Apache by allowing only port 80/TCP is a basic step that must be done: an attacker then has only one port to attack, and the defender only has to concentrate on that one port. Furthermore, with the firewall control the author suggests, security will certainly be enhanced. The author does not say specifically which kind of firewall should be used, because selecting and tuning a firewall depends on many complex factors. To expand on this point, I believe that a stateful firewall capable of both controlling the IP layer and inspecting content at the application layer is best. If the budget permits, a stateful firewall such as CheckPoint FW-1 or Cisco PIX can fill this important role. If it does not, integrating several open source programs to achieve similar capabilities is possible, but it will take more time to tune and test if you do not have extensive experience in this field.

Install the operating system
Before installing Apache we have to choose an operating system, the environment in which Apache will run. We have many options here, since Apache can be compiled and installed on most operating systems. The rest of this guide shows how to secure Apache on FreeBSD (4.7), but the methods described apply to most UNIX/Linux operating systems. The only operating system I do not recommend is MS Windows, mainly because of its limited ability to secure Apache.

The first step in securing a web server is to harden the operating system. A discussion of operating system hardening is beyond the scope of this document. However, there are many documents on the Net that describe how to do it. Readers are encouraged to explore the issues in this area.

Once the system is installed and fully functional, we need to add a group and a regular user called "apache", like this (an example from FreeBSD):

pw groupadd apache
pw useradd apache -c "Apache Server" -d /dev/null -g apache -s /sbin/nologin

By default, Apache processes run with the privileges of the user nobody (except the main process, which must run with root privileges) and the group nogroup. This can lead to serious security threats. After a successful break-in, the intruder can gain access to every other process running under the same UID/GID. The optimal solution is therefore to run Apache under the UID/GID of a separate user and group dedicated to this software only.

Written and expanded:
For those of you familiar with *nix, the UID/GID concept as part of "file permissions" is nothing new. It is worth expanding on a little, however, for those who are not familiar with UID/GID. Two details of Apache's own group and user are worth noting:
-d /dev/null: does not give the Apache user a $HOME directory, unlike other normal users
-s /sbin/nologin: does not let the Apache user use any shell. In some cases -s /bin/true is used instead of nologin; true is a command that does nothing and is completely harmless.

The reason for giving the Apache user neither a $HOME directory nor a "shell" is that, if this Apache account is compromised, the attacker will not get the level of access to the system needed to take it over. In a *nix environment in general, the "shell" is the interface between the user and the system; without a shell there is no opportunity for further access. If the setup above gave the Apache user a $HOME and allowed a shell, the "hardening" would have no value.
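
One way to check the account described above before Apache is started under it, as an added example that is not part of the original article. The function name, the sample accounts and their UIDs are constructed for illustration; the rules checked (own UID, home /dev/null, shell nologin or true) are the ones stated above.

```sh
#!/bin/sh
# Added example, not from the original article.
# check_service_account USER  (reads passwd(5)-format lines on stdin)
# Prints one line per finding; returns 0 only when the account is locked down.
check_service_account() {
    awk -F: -v user="$1" '
        { names[$3] = names[$3] " " $1; n[$3]++ }   # group every account by UID
        # Home and shell are the last two fields in both passwd and master.passwd.
        $1 == user { found = 1; uid = $3; home = $(NF - 1); shell = $NF }
        END {
            if (!found) { print "FAIL: no account named " user; exit 1 }
            if (uid == 0)    { print "FAIL: " user " has UID 0"; bad = 1 }
            if (n[uid] > 1)  { print "FAIL: UID " uid " is shared by" names[uid]; bad = 1 }
            if (home != "/dev/null") { print "FAIL: home directory is " home; bad = 1 }
            if (shell !~ /\/(nologin|true)$/) { print "FAIL: login shell is " shell; bad = 1 }
            if (!bad) print "OK: " user " has its own UID, no home and no shell"
            exit (bad ? 1 : 0)
        }'
}

# Constructed sample: "apache" follows the guide, "www" breaks every rule.
sample_passwd() {
    cat <<'EOF'
root:*:0:0:Charlie Root:/root:/bin/csh
nobody:*:65534:65534:Unprivileged user:/nonexistent:/sbin/nologin
apache:*:1001:1001:Apache Server:/dev/null:/sbin/nologin
www:*:65534:65534:Old web account:/home/www:/bin/sh
EOF
}

sample_passwd | check_service_account apache
sample_passwd | check_service_account www || echo "www is not safe to run Apache under"
```

On a live system the input would be the real account database, for example `check_service_account apache < /etc/passwd`.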

Prepare software
The next step is to download the latest version of Apache from the Apache web site ( http://www.apache.org ). A number of useful options can only be chosen at compile time, so it is important to download the source code and compile it rather than download a binary.

After downloading the software, we have to unpack it. Next, we decide which modules will be enabled. An overview of the modules available in the latest version of Apache 1.3.x (1.3.27) is at: http://httpd.apache.org/docs/mod/

Apache modules
Selecting modules is one of the most important steps in securing Apache. We should follow the rule: the fewer the better. To satisfy the functionality and security assumptions, the following modules should be enabled:

Module name: description
httpd_core: Contains the core functionality of Apache, needed in every Apache installation.

mod_access: Provides access control based on the client's hostname, IP address, or other characteristics of the client request. Because this module is required for the "order", "allow" and "deny" directives, it should be enabled.

mod_auth: Needed to implement user authentication using plain text files (HTTP basic authentication), as specified in the functionality assumptions.

mod_dir: Needed to find and serve directory index files: "index.html", "default.htm", etc.

mod_log_config: Needed to log the requests made to the server.

mod_mime: Needed to set the character set, content encoding, handlers, content language, and MIME types of documents.

All other Apache modules must be disabled. We can safely turn them off because we do not need them. By disabling unnecessary modules, we avoid a potential break-in when new security vulnerabilities are discovered in one of them.

Also note that two Apache modules can be more dangerous than the others: mod_autoindex and mod_info. The first module provides automatic directory indexing and is enabled by default. It is easy to use it to find out whether Apache is running on a particular server (for example, http://server_name/icons/) and to get the contents of directories on the web server when they contain no index files. The second module, mod_info, should never be accessible from the Internet because it reveals Apache's configuration.

The next question is how to compile the modules. The static method is considered the better choice. If vulnerabilities in Apache are discovered, we will probably recompile the entire software anyway, not just the faulty modules. By choosing the static method, we also remove the need for one more module, mod_so.

Written and expanded:
Choosing the modules that suit your needs for the Apache server is difficult and time consuming. Choosing the right modules while keeping the server secure is even more difficult. To determine which modules are both needed and safe, it is essential to select carefully and to follow the "bug track" of each module. There are currently more than 200 modules, large and small, with all kinds of functions for the Apache server. You should consult the information on this website when making your selection:
http://modules.apache.org/

The site has a search engine to help you research and select modules.

Compile software
First of all, if there are any security patches, they should be applied. Then the server is compiled and installed as follows:

./configure --prefix=/usr/local/apache --disable-module=all --server-uid=apache --server-gid=apache --enable-module=access --enable-module=log_config --enable-module=dir --enable-module=mime --enable-module=auth

(the command above is a single line; do not split it across several lines)

make

umask 022
make install
chown -R root:sys /usr/local/apache
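
A check that the build really contains only the modules chosen in the "Apache modules" section, as an added example that is not part of the original article. It parses the list printed by `httpd -l`, which reports the core as http_core.c; the function name and both sample listings are constructed for illustration.

```sh
#!/bin/sh
# Added example, not from the original article.
# audit_modules reads the text printed by `httpd -l` on stdin and compares the
# compiled-in modules with the allowlist chosen in this guide.
ALLOWED="http_core mod_access mod_auth mod_dir mod_log_config mod_mime"

audit_modules() {
    awk -v allowed="$ALLOWED" '
        BEGIN { k = split(allowed, a, " "); for (i = 1; i <= k; i++) want[a[i]] = 1 }
        NF == 1 && $1 ~ /^[A-Za-z0-9_]+\.c$/ {      # module lines look like "  mod_dir.c"
            m = $1; sub(/\.c$/, "", m); seen[m] = 1
            if (!(m in want)) { print "UNEXPECTED: " m; bad = 1 }
        }
        END {
            for (i = 1; i <= k; i++)
                if (!(a[i] in seen)) { print "MISSING: " a[i]; bad = 1 }
            exit (bad ? 1 : 0)
        }'
}

# Constructed sample output of a build made with the ./configure line above.
sample_hardened() {
    cat <<'EOF'
Compiled-in modules:
  http_core.c
  mod_log_config.c
  mod_mime.c
  mod_dir.c
  mod_access.c
  mod_auth.c
EOF
}

# Constructed sample of a build that kept mod_autoindex and mod_info and lost mod_auth.
sample_loose() {
    cat <<'EOF'
Compiled-in modules:
  http_core.c
  mod_log_config.c
  mod_mime.c
  mod_autoindex.c
  mod_dir.c
  mod_info.c
  mod_access.c
EOF
}

sample_hardened | audit_modules && echo "module set matches the allowlist"
sample_loose | audit_modules || echo "rebuild with --disable-module=all and re-check"
```

On the server itself the same check is `/usr/local/apache/bin/httpd -l | audit_modules`, assuming the binary was installed under the prefix used above.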

Written and expanded:
For those who are not familiar with *nix or are just getting started, the concept of compiling software is probably new and strange. However, this feeling only lasts through the first steps of getting acquainted. Almost all the steps in "compiling software" are similar from one piece of software to another.

The benefit of "compiling software" from a security standpoint is that, besides the opportunity to read the source code and look for bugs and holes in it, you also get to configure and compile exactly the software you need, the way you want it. The ./configure command above illustrates this "freedom": you have the right to add or remove modules as you like. The flexibility of compiling software becomes obvious when compared with the sealed nature of an "installshield" style installer. When you have to install a package of precompiled binaries (built within a given framework), you do not have many opportunities to decide or choose what you want. This is one of the most important principles for those who care about or work directly on security issues.


Change the "root" of the server
The next step is to limit the Apache processes' access to the file system. We can do this by "chrooting" the main server daemon (httpd). In general, "chrooting" means creating a new root directory structure, moving the daemon's files into it, and running the daemon in this new environment. As a result, the daemon (and its child processes) can access only the new directory structure.

We start this process by creating a new directory structure under /chroot/httpd:

mkdir -p /chroot/httpd/dev
mkdir -p /chroot/httpd/etc
mkdir -p /chroot/httpd/var/run
mkdir -p /chroot/httpd/usr/lib
mkdir -p /chroot/httpd/usr/libexec
mkdir -p /chroot/httpd/usr/local/apache/bin
mkdir -p /chroot/httpd/usr/local/apache/logs
mkdir -p /chroot/httpd/usr/local/apache/conf
mkdir -p /chroot/httpd/www

The owner of the directories above should be root, and their permissions should be set to 0755. Next, we create the special device file /dev/null:

ls -al /dev/null
crw-rw-rw- 1 root wheel 2, Mar 2 12:53 /dev/null
mknod /chroot/httpd/dev/null c 2 2
chown root:sys /chroot/httpd/dev/null
chmod 666 /chroot/httpd/dev/null

A different method is needed to create the /chroot/httpd/dev/log device, which the server also needs in order to work properly. On FreeBSD, the following line should be added to /etc/rc.conf:

syslogd_flags="-l /chroot/httpd/dev/log"
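
An audit of the chroot tree against the rules stated in this guide (directories owned by root with mode 0755, no shell programs inside the jail, dev/null a real character device), as an added example that is not part of the original article. The function names and the sample tree are constructed for illustration; the sample is built in a temporary directory by the current user, which is why the owner is passed as a parameter.

```sh
#!/bin/sh
# Added example, not from the original article.
# audit_chroot ROOT [OWNER]  prints one finding per line; returns 0 when clean.
# Checks, in order:
#   1. every directory belongs to OWNER (default root) and has mode 0755
#   2. no shell program exists anywhere inside the jail
#   3. dev/null is a real character device, not a regular file or a symlink
audit_chroot() {
    root=$1 owner=${2:-root}
    findings=$(
        find "$root" -type d \( ! -user "$owner" -o ! -perm 755 \) |
            sed 's/^/FAIL: wrong owner or mode: /'
        find "$root" ! -type d \( -name sh -o -name csh -o -name tcsh \
            -o -name bash -o -name ksh -o -name zsh \) |
            sed 's/^/FAIL: shell present: /'
        if [ ! -c "$root/dev/null" ] || [ -L "$root/dev/null" ]; then
            echo "FAIL: $root/dev/null is not a character device"
        fi
    )
    [ -z "$findings" ] && return 0
    printf '%s\n' "$findings"
    return 1
}

# Constructed sample tree with three deliberate mistakes. It needs no root
# privileges, so a regular file stands in for the device that mknod would create.
build_sample_tree() {
    t=$(mktemp -d) || return 1
    mkdir -p "$t/dev" "$t/etc" "$t/usr/local/apache/bin" "$t/www"
    find "$t" -type d -exec chmod 755 {} +
    chmod 777 "$t/www"                    # mistake 1: world-writable directory
    : > "$t/usr/local/apache/bin/sh"      # mistake 2: a shell inside the jail
    : > "$t/dev/null"                     # mistake 3: regular file, not a device
    echo "$t"
}

tree=$(build_sample_tree)
audit_chroot "$tree" "$(id -u)" || echo "fix the findings before starting httpd in $tree"
rm -rf "$tree"
```

Against the real tree the call is `audit_chroot /chroot/httpd`, run as root so that every directory can be read.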