How to configure apache safely under Linux

2025-01-18 Update, from SLTechnology News&Howtos


Shulou(Shulou.com)06/01 Report--

This article explains how to configure Apache securely under Linux. Many administrators are unsure how to do this, so the editor has gathered the relevant material and set out simple, practical steps; I hope they answer your questions about configuring Apache securely under Linux. Please read on.


Apache's settings are flexible, and all of its security features have to be designed, planned and configured carefully. Apache security configuration involves several layers, such as the runtime environment and the authentication and authorization settings. An example of Apache installation, configuration and operation follows:

1. Change Apache's version information so that external visitors see disguised or incorrect version details; this limits what an outsider can learn about the server.

2. Establish a secure Apache directory structure. Place ServerRoot, DocumentRoot, ScriptAlias, CustomLog and ErrorLog in separate directories that are independent of each other, with no parent-child relationship between them. The ServerRoot directory may only be accessed by users with administrative rights; DocumentRoot may be accessed by the users who manage the Web site content and by the Apache user and group under which the server runs; only members of the admin group may access the log directory.

3. Set independent permissions for each directory.

4. Disable default access; enable access only for the specified directories.

5. Change Apache's default path and create a separate path to hold the Apache files.

6. Protect the server from DoS attacks with tools such as the Apache DoS Evasive Maneuvers Module (mod_evasive), which quickly rejects repeated requests for the same URL from the same address.

7. Run as nobody. Apache is normally installed and started by root. If an Apache server process runs with root privileges it poses a significant threat to the system, so make sure the Apache server processes run with the lowest possible privileges. For relative safety, run Apache as nobody by changing the User and Group settings in the httpd.conf file.

2. Permission of the ServerRoot directory
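As an added example that is not part of the article, the following script lays out the separated directories from measures 2, 5 and 7 above, including the administrator-only ServerRoot covered in this section, and writes a minimal hardened httpd.conf into it. PREFIX is a constructed scratch location, and the group names in the comments are assumptions.

```shell
#!/bin/sh
# Added example (not from the article): build the separated Apache directory layout
# from measures 2, 5 and 7 above and write a minimal hardened httpd.conf into it.
# PREFIX is a constructed scratch location so this runs unprivileged; the group
# names in the comments (admin, webcontent) are assumptions, and the chgrp steps
# they imply must be run as root on a real host.
set -eu
PREFIX="${PREFIX:-$(mktemp -d)}"

layout_apache_dirs() {
    # Four independent trees: none is a child of another
    mkdir -p "$PREFIX/serverroot/conf" "$PREFIX/htdocs" "$PREFIX/cgi-bin" "$PREFIX/logs"
    chmod 700 "$PREFIX/serverroot"   # ServerRoot: administrator only
    chmod 750 "$PREFIX/htdocs"       # DocumentRoot: group webcontent = content managers + Apache user
    chmod 750 "$PREFIX/cgi-bin"      # ScriptAlias: readable by the web group, never writable by it
    chmod 750 "$PREFIX/logs"         # logs: root:admin; Apache opens its logs as root before dropping privileges
}

write_hardened_conf() {
    cat > "$PREFIX/serverroot/conf/httpd.conf" <<EOF
ServerRoot "$PREFIX/serverroot"
DocumentRoot "$PREFIX/htdocs"
ScriptAlias /cgi-bin/ "$PREFIX/cgi-bin/"
ErrorLog "$PREFIX/logs/error_log"
CustomLog "$PREFIX/logs/access_log" common
# Measure 1: send only "Apache" in the Server header and no signature on error pages
ServerTokens Prod
ServerSignature Off
# Measure 7: worker processes drop from root to nobody
User nobody
Group nobody
EOF
}

# Octal mode of a path (GNU stat)
mode_of() { stat -c '%a' "$1"; }

# 0 when every directory has the intended mode and the config drops privileges
verify_layout() {
    [ "$(mode_of "$PREFIX/serverroot")" = 700 ] &&
    [ "$(mode_of "$PREFIX/htdocs")" = 750 ] &&
    [ "$(mode_of "$PREFIX/cgi-bin")" = 750 ] &&
    [ "$(mode_of "$PREFIX/logs")" = 750 ] &&
    grep -q '^User nobody$' "$PREFIX/serverroot/conf/httpd.conf"
}

layout_apache_dirs
write_hardened_conf
verify_layout && echo "layout under $PREFIX verified"
```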

To ensure that all configurations are appropriate and secure, access to the Apache home directory must be tightly controlled so that non-root users cannot modify its contents. Apache's home directory is set by the ServerRoot entry in the server configuration file httpd.conf, which should be:

ServerRoot /usr/local/apache

3. SSI configuration

Add the IncludesNOEXEC option to the Options directive in access.conf or httpd.conf to disable the exec element of server-side includes. This prevents SSI pages from executing programs on the server, which would otherwise expose the system.

Options IncludesNOEXEC

4. Prevent users from modifying system settings

Add the following settings to the Apache server configuration file to prevent users from creating and modifying .htaccess files and thereby overriding the security features defined for the system.

AllowOverride None
Options None
Allow from all

Then configure the specific directory appropriately.

5. Change the Apache server's default access characteristics

Apache's default settings provide only a certain level of security: the server serves any file that its normal mapping rules can locate, so a URL such as http://localhost/~root/ can give users access to the entire file system. Add the following to the server configuration file:

Order deny,allow
Deny from all

Default access to the file system will be disabled.
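As an added example that is not part of the article, this script audits an httpd.conf for the settings that sections 2 to 5 above call for (AllowOverride None, Deny from all in the root directory block, IncludesNOEXEC, an unprivileged User and ServerSignature Off). Both configuration files are constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not from the article): audit an httpd.conf for the settings that
# sections 2 to 5 above call for. Both configuration files below are constructed
# for the demonstration, so no Apache installation is needed to run this.
# Prints one line per weakness found; prints nothing when the file follows the advice.
audit_conf() {
    awk '
      /<Directory *\/>/            { in_root = 1; saw_root = 1 }
      in_root && /AllowOverride/   { ao = $2 }
      in_root && /^[ \t]*Options/  { opts = $0 }
      in_root && /Deny from all/   { deny_all = 1 }
      /<\/Directory>/              { in_root = 0 }
      /^[ \t]*User[ \t]/           { user = $2 }
      /^[ \t]*ServerSignature/     { sig = tolower($2) }
      END {
        if (!saw_root) print "no <Directory /> block: file system access is not restricted"
        else {
          if (ao != "None") print "AllowOverride is not None: .htaccess can override system settings"
          if (!deny_all)    print "Deny from all missing in <Directory />"
          if (opts ~ /Includes/ && opts !~ /IncludesNOEXEC/) print "Options Includes without NOEXEC: SSI pages can run programs"
        }
        if (user == "" || user == "root") print "User is root or unset: server does not drop privileges"
        if (sig != "off") print "ServerSignature is not Off: version banner on error pages"
      }' "$1"
}
# Number of findings, so a caller gets a value rather than text
finding_count() { audit_conf "$1" | wc -l | tr -d ' '; }

# Constructed sample: a permissive configuration
WEAK=$(mktemp); cat > "$WEAK" <<'EOF'
User root
<Directory />
    Options Indexes Includes
    AllowOverride All
    Allow from all
</Directory>
EOF
# Constructed sample: the same server with the article's recommendations applied
HARD=$(mktemp); cat > "$HARD" <<'EOF'
User nobody
ServerSignature Off
<Directory />
    Options IncludesNOEXEC
    AllowOverride None
    Order deny,allow
    Deny from all
</Directory>
EOF
audit_conf "$WEAK"   # five findings; audit_conf "$HARD" prints nothing
```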

Security considerations for CGI scripts

CGI scripts are programs that run through the Web server. To keep the system secure it is important that the CGI authors are trusted. CGI scripts are best confined to a specific directory such as cgi-bin for ease of management; the files under the CGI directory should not be writable, so that rogue programs cannot be placed or hidden there; providing users with a safe CGI program module as a reference can avoid many unnecessary problems and security risks; and all scripts under the CGI directory that the business application does not need should be removed to prevent unexpected information leakage. These common measures give Apache Server a basic security environment; in a real deployment they should be broken down and refined further into a security configuration scheme that fits the actual application.

Apache Server host-based access control

By default the Apache Server security configuration is Deny All Access. Assuming that the Apache Server content is stored in /usr/local/apache/share, the following directives implement this setup:

Deny from all
AllowOverride None

This prohibits changing the authentication and access control methods under any directory. Similarly, the special directives Deny and Allow specify which users can and cannot access the server, which provides some flexibility. When Deny and Allow are used together, the Order directive determines the order in which they are evaluated, as follows:

1. Deny access to the server to users of certain types of addresses (Deny)

For example:

Deny from all
Deny from test.cnn.com
Deny from 204.168.190.13
Deny from 10.10.10.0/255.255.0.0

2. Allow users of certain types of addresses to access the server (Allow)

For example:

Allow from all
Allow from test.cnn.com
Allow from 204.168.190.13
Allow from 10.10.10.0/255.255.0.0

Deny and Allow can each be followed by several arguments.
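As an added example that is not part of the article, the function below evaluates Apache 2.2-style Order, Deny and Allow rules offline for a given client, covering every address form listed above (all, a domain suffix, a full or partial IP, and network/netmask or CIDR) and both Order settings. The rule sets and client addresses are constructed.

```shell
#!/bin/sh
# Added example (not from the article): decide Apache 2.2-style Order/Deny/Allow
# rules offline for one client. Hostname patterns only work on a real server when
# reverse lookups are enabled (HostnameLookups On); the rules below are constructed.

# Dotted quad -> integer
ip2int() { set -- $(printf '%s' "$1" | tr . ' '); echo $(( ($1<<24)|($2<<16)|($3<<8)|$4 )); }

# Does pattern $3 cover a client with hostname $1 and address $2?
pattern_matches() {
    host=$1; ip=$2; pat=$3
    case "$pat" in
        all) return 0 ;;
        */*) net=${pat%/*}; mask=${pat#*/}                     # a.b.c.d/netmask or a.b.c.d/bits
             case "$mask" in *.*) m=$(ip2int "$mask") ;;
                             *)   m=$(( (4294967295 << (32 - mask)) & 4294967295 )) ;; esac
             [ $(( $(ip2int "$ip") & m )) -eq $(( $(ip2int "$net") & m )) ] ;;
        [0-9]*) case "$ip" in "$pat"|"$pat".*) return 0 ;; esac; return 1 ;;   # full or partial IP
        *) case "$host" in "$pat"|*."$pat") return 0 ;; esac; return 1 ;;      # domain suffix
    esac
}

# Prints "allowed" or "denied" for: order allow-patterns deny-patterns host ip
acl_decide() {
    order=$1; allow=$2; deny=$3; host=$4; ip=$5
    a=1; d=1
    for p in $allow; do pattern_matches "$host" "$ip" "$p" && a=0; done
    for p in $deny;  do pattern_matches "$host" "$ip" "$p" && d=0; done
    case "$order" in
        # Allow,Deny: default deny; an Allow match is required and any Deny match still rejects
        allow,deny) if [ $a -eq 0 ] && [ $d -ne 0 ]; then echo allowed; else echo denied; fi ;;
        # Deny,Allow: default allow; a Deny match rejects unless an Allow also matches
        deny,allow) if [ $d -eq 0 ] && [ $a -ne 0 ]; then echo denied; else echo allowed; fi ;;
        *) echo "unknown order: $order" >&2; return 2 ;;
    esac
}

acl_decide allow,deny all www.test.com www.test.com 203.0.113.9          # denied
acl_decide deny,allow test.cnn.com all host.test.cnn.com 203.0.113.10    # allowed
acl_decide deny,allow "" 10.10.10.0/255.255.0.0 - 10.10.99.1             # denied
```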

3. Simple configuration example:

Order Allow,Deny
Allow from all
Deny from www.test.com

This means that everyone may access the Apache server except visitors from www.test.com.

Order Deny,Allow
Deny from all
Allow from test.cnn.com

This means that nobody may access the server except visitors from test.cnn.com.

Apache Server user authentication and authorization

In brief, user authentication verifies the authenticity of the user's identity, for example whether the user account exists in the database and whether the password for that account is correct; user authorization verifies whether a valid user is permitted to access a specific resource. In Apache almost all security modules balance these two aspects. From a security perspective, user authentication and authorization amount to selective access control. Establishing user authentication involves three steps:

1. Establish a user database

The list of usernames and passwords must be kept in a file (mod_auth module) or a database (mod_auth_dbm module). For security reasons this file must not be stored under the document root. For example, the users file stored in /usr/local/etc/httpd has a format similar to the UNIX password file, but the password is stored in encrypted (hashed) form. The htpasswd program adds or changes entries:

htpasswd -c /usr/local/etc/httpd/users martin

-c creates a new users file (omit it when adding further users to an existing file), martin is the user name being added, and the password is entered twice while the program runs. The username and password are then added to the users file, which has the following form:

martin:WrU808BHQai36
jane:iABCQFQs40E8M
art:FadHN3W753sSU

The first field is the user name and the second field is the user password.

2. Configure the server's protection domain

For the Apache server to use the username and password information in the user file, a protected realm must be set up. A realm is a part of a site (such as a directory or a set of documents) or the whole site that is accessible only to certain users. The protected realm is specified by AuthName in the .htaccess file of the relevant directory or in a <Directory> section in httpd.conf (or access.conf). In the .htaccess file, authorized access for the valid users of the user file and the protected realm are specified as follows:

AuthName "restricted stuff"
AuthType Basic
AuthUserFile /usr/local/etc/httpd/users
Require valid-user

AuthName gives the name of the protected realm. The valid-user parameter means that any user in the user file is accepted. Once a user has entered a valid username/password, other resources in the same realm can be accessed with the same credentials, and the same username/password can also be shared between two different realms.

3. Tell the server which users have access to the resource

If you want to grant a group of users access to a resource, you can list their names after Require. The best way to do this is to use a group file. Groups work like the standard UNIX concept of groups: any user can belong to one or more groups. This lets you assign permissions to groups in the configuration file using Require. For example:

Require group staff
Require group staff admin
Require user adminuser

These specify access rights for one group, for several groups, or for a single user.
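As an added example that is not part of the article, the script below builds a users file and a group file of the kind described in steps 1 and 3, keeps them outside the document root as step 1 requires, and evaluates Require lines against them. The files, the group memberships and the scratch paths are constructed; the hashes are the article's sample values, not real passwords.

```shell
#!/bin/sh
# Added example (not from the article): evaluate a Require line against the users
# and group files described above. All files and paths here are constructed;
# the password check itself is left to Apache, only the user/group lookup is shown.
TMP=$(mktemp -d)
USERS="$TMP/users"; GROUPS_FILE="$TMP/groups"; DOCROOT="$TMP/htdocs"
printf 'martin:WrU808BHQai36\njane:iABCQFQs40E8M\n' > "$USERS"
# Group file format: one group per line, members separated by spaces
printf 'staff: martin jane\nadmin: martin\n' > "$GROUPS_FILE"
chmod 640 "$USERS" "$GROUPS_FILE"   # readable by the server's group only, never world-readable

# 0 if the user exists in AuthUserFile
user_exists() { grep -q "^$1:" "$USERS"; }

# 0 if user $1 is a member of group $2 in AuthGroupFile
in_group() {
    awk -v u="$1" -v g="$2" '$1 == (g ":") { for (i = 2; i <= NF; i++) if ($i == u) ok = 1 }
                             END { exit !ok }' "$GROUPS_FILE"
}

# Prints "granted" or "refused" for an authenticated user ($1) and a Require line ($2...)
require_decide() {
    user=$1; shift
    kind=$1; shift
    user_exists "$user" || { echo refused; return; }
    case "$kind" in
        valid-user) echo granted ;;
        user)  for u in "$@"; do [ "$u" = "$user" ] && { echo granted; return; }; done; echo refused ;;
        group) for g in "$@"; do in_group "$user" "$g" && { echo granted; return; }; done; echo refused ;;
        *) echo refused ;;
    esac
}

# 0 if the credential files live outside DocumentRoot, so the server can never serve them
creds_outside_docroot() { case "$USERS" in "$DOCROOT"/*) return 1 ;; *) return 0 ;; esac; }

require_decide jane group staff admin   # granted (member of staff)
require_decide jane group admin         # refused
require_decide bob valid-user           # refused: not in the user file
```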

This concludes the study of how to configure Apache securely under Linux; I hope it has answered your questions. Theory and practice go together, so go and try it. To continue learning, please keep following the website, where the editor will keep bringing more practical articles.
