SecuringApache2.rar_Steponit!资源-CSDN文库

共2个文件

doc：1个

txt：1个

版权申诉

200 浏览量 2022-09-24 12:47:11 上传评论收藏 16KB RAR 举报

资源详情

资源评论

资源推荐

收起资源包目录

SecuringApache2.rar （2个子文件）

Securing Apache 2.doc 95KB

www.pudn.com.txt 218B

Securing Apache 2: Step-by-Step

Artur Maj 2004-06-21

When choosing a web server, Apache very often wins against its competitors because of

stability, performance, that fact that it's open source, and many other advantages. But when

deciding on which version of Apache to use, the choice is not always so simple. On the one

hand there is a very popular, stable version used by millions of users, version 1.3, and on the

other hand, there is an enhanced and re-designed version 2.0.

And even if the new version has got a lot more extensions and features, some people still

decide to use version 1.3, because in their opinion this branch is more stable and secure. As

a matter of fact, there is some truth in this statement. Since version 1.3 has been used by

millions of users for a long time, most security holes in this version are very likely to be

already discovered. At the same time version 2.0 may have many more as-yet undiscovered

vulnerabilities, just sleeping and waiting to be found.

Continuing the step-by-step fashion from the previous series (Securing Apache, Securing

PHP, and Securing MySQL), this article shows how to install and configure Apache 2.0 to

minimize the risk of unauthorized access or successful break-in, even if new security

vulnerabilities in Apache web server are found. Thus, it will be possible to enjoy the new

features of Apache 2.0 without worrying too much about its security bugs, regardless if they

are only imaginary, or are in fact real and serious threats.

Functionality requirements

In the world of security, there are a few golden principles that should always be followed. One

such principle is the rule which says that only absolutely required parts of the software should

be used. All other components should be disabled, made inaccessible or not even be installed

at all.

The logic behind this rule is very simple -- if there is software with dozens of components that

are enabled by default, finding only one security vulnerability in any one of these components

can put the whole system at risk of a successful break-in. On the other hand, if only a few

absolutely necessary components are enabled, finding a new security bug doesn't necessary

mean that the software is vulnerable -- because the discovered bug may affect components

that are not enabled, or are not installed. The probability of a successful break-in in this case

is obviously much lower than in case of the default installation.

Therefore, before starting to secure Apache 2, it is very important to know what functionality

we really expect from the web server. This will allow us to prepare the list of modules that we

will leave enabled, while the rest will be disabled during compilation time.

According to this rule, this article assumes that very basic functionality of Apache will be

used:

� Only static HTML pages will be served.

� The server must support the virtual hosting mechanism.

� Access to some web pages will be restricted to selected IP addresses or users (basic

authentication).

� The server must log all web requests (including information about web browsers).

One can note that the above functionality doesn't support CGI scripts, the SSL protocol or

other useful Apache features. This is because the main purpose of the article is to present a

general method of securing Apache 2.0, without focusing on a particular implementation. If

there is a need for additional functionality, readers can still use the presented solution as a

starting point, and enhance it by enabling additional modules, for example, mod_ssl,

mod_cgi or others.

Security assumptions

To provide as many security layers as possible, and at the same time keep this solution

portable among many different Linux/BSD systems, the following layers of security will be

used:

the network environment

� The web server should be protected by a firewall; the rules should accept incoming

requests to port 80/tcp and allow outgoing HTTP responses. Except for certain ICMP

messages (e.g. source-quench, time-exceed, parameter-problem,

destination-unreachable), all other packets should be dropped or denied.

� An intrusion detection (or prevention) system should be used; Apache's log files

should also be monitored.

the operating system

� The operating system should be hardened as much as possible; all unnecessary

components should be removed from the system.

� If supported, the operating system should not allow executing programs on the

stack.

� All unnecessary network services should be disabled.

� The number of SUID/SGID files should be minimized.

the Apache web server

� Only absolutely necessary Apache modules should be enabled; the rest should be

disabled during compilation time.

� All diagnostic web pages and the automatic directory indexing service must be turned

off.

� The server should disclose the least amount of information about itself as possible --

security through obscurity. Although this is not a real security layer, applying it will at

least make the attacks a little bit more difficult to perform.

� The web server must run under a dedicated UID/GID, not one used by any other

system process.

� Apache's processes must have limited access to the file systems (chrooting).

� In the Apache chrooted environment there cannot be any shell program present

(/bin/sh, /bin/csh etc.) -- it makes the process of executing exploits much more

difficult to perform.

Installing the operating system

First and foremost, we must choose an operating system upon which the web server will run.

The rest of article presents how to secure Apache on FreeBSD (5.1), however readers are free

to use their favorite Unix, BSD, Linux or Linux-like operating system.

With regards to our security assumptions, after installing the operating system it must be

hardened against both remote and local attacks. Regardless of the chosen UNIX/Linux/BSD

distribution, it is very important to install only the core operating system, remove any

redundant packages and apply up-to-date patches to the kernel and all installed software.

It is also recommended to periodically synchronize the local clock against a trusted time

server, using the Network Time Protocol (NTP), and to send log files to a remote, dedicated

log server.

After the system is prepared, we can start installing Apache 2.0. The first step is to add a new

group and regular user called apache. An example from FreeBSD has been shown below:

pw groupadd apache

pw useradd apache -c "Apache Server" -d /dev/null -g apache -s

/sbin/nologin

The Apache child processes will run with the privileges of the group and user apache. Since

the above account will be dedicated to the Apache web server, this will provide separation of

privileges and avoid potential security problems when several different processes are being

run under the same account, e.g. user nobody.

Downloading the software

Next, the latest version of Apache 2.0 software should be downloaded from the Apache

website, and then unpacked. Since we want to disable unnecessary modules during

compilation time, it is very important to download the source code, not binaries. It is also

important to test the downloaded software against a PGP signature, to make sure that the

downloaded version is complete and unmodified.

lynx http://httpd.apache.org/download.cgi

<download: httpd-2.0.xx.tar.gz, httpd-2.0.xx.tar.gz.asc, KEYS>

gpg --import KEYS

gpg httpd-2.0.49.tar.gz.asc

gpg: Good signature from "Sander Striker <striker@apache.org>"

tar zxvf httpd-2.0.49.tar.gz

cd ./httpd-2.0.49/

Choosing Apache's modules

After the Apache source code is unpacked, we must choose which modules will remain

enabled, and which will be removed. A short description of all modules available in Apache

2.0 can be found at http://httpd.apache.org/docs-2.0/mod/.

To fulfill the functionality and security requirements assumed at the beginning of this article,

we will compile only the following modules:

Module's

name

Description

core

The core Apache features, required in every Apache installation.

http_core

The core http support, required in every Apache 2.0 installation.

prefork

Multi-Processing Module (MPM) that implements a non-threaded,

pre-forking web server. Can be replaced by other multiprocessing module,

e.g. worker , threadpool etc. The MPM module is required in every Apache

2.0 installation.

mod_access

Provides access control based on client hostname, IP address, or other

characteristics of the client request. Because this module is needed to use

"order", "allow" and "deny" directives, it should remain enabled.

mod_auth

Required in order to implement user authentication using text files (HTTP

Basic Authentication), which was specified in functionality assumptions.

mod_dir

Required to search and serve directory index files: "index.html",

"default.htm", etc.

mod_log_config

Required to implement logging of the requests made to the server.

mod_mime

Required to set the character set, content- encoding, handler,

content-language, and MIME types of documents.

Since we want to enable only the minimal number of modules, we will compile all the modules

statically. Thanks to that, we will eliminate possibility of occurring vulnerabilities in one more

module -- mod_so.

Compiling and installing the software

In this step we will configure, compile, and install the Apache web server as follows:

评论收藏

内容反馈

版权申诉

小波思基

粉丝: 70
资源: 1万+

SecuringApache2.rar_Step on it!

评论0

最新资源

SecuringApache2.rar_Step on it!

评论0

Template for Step-Step Next Sequence.rar

J2ME_Step_by_Step.rar_step by step

Microsoft.Press.Microsoft.Silverlight.4.Step.by.Step.Jun.2010.rar

XIAOCHE.rar_Half Step

《Step7 Step by Step》（光盘）.part04.rar

Dasm.rar_Step function_dasm.rar_单步_反汇编_调试器

Microsoft.SQL.Server.2008_Step_by_Step

sql_2.rar_step by step

PLSQL2.rar_step by step

《Step7 Step by Step》（光盘）.part05.rar

Microsoft Visual C# 2008 Step by Step.rar

SSAS-2008-Step-by-Step.rar_SSAS_step by step

《Step7 Step by Step》（光盘）.part03.rar

Study ARM Step by Step.rar

STEP7_Network_Configuration_Step.rar_STEP7_step 7 network

accerelated_step_size.rar_step size

step7_sheet.rar_STEP7_step7学习

simul_abu3.rar_step by step

LCD.rar_step by step

Step.rar_OpenGL_C++_

《Step7 Step by Step》（光盘）.part02.rar

05 Step Trap.rar

STEP 7 Step by Step 学习视频3.rar

qishi.rar_Step Up I

sql_1.rar_step by step

capitulo3.rar_step by step

exract_frames.rar_step by step

PLSQL1.rar_step by step

Step 7.rar_STEP7

最新资源