SECURING APACHE: STEP-BY-STEP

xiaoxiao2021-03-06  64

This article shows in a step-by-step fashion, how to install and configure the Apache 1.3.x Web server in order to mitigate or avoid successful break-in when new vulnerabilities in this software are found. Functionality Before we start securing Apache, we must specify what functionality we expect from the server Variety of Apache's use makes it difficult to write a universal procedure to secure the server in every case That's why in this article we'll base on the following functionality..:

The Web server will be accessible from the Internet; and, Only static HTML pages will be served the server will support name-based virtual hosting mechanism specified Web pages can be accessible only from selected IP addresses or users (basic authentication) the server will log All the Web Requests (Including Information About Web Browsers)

It is worth emphasizing that the above model does not support PHP, JSP, CGI or any other technologies that make it possible to interact with Web services. The use of such technologies may pose a large security threat, so that even a small, inconspicuous script can radically decrease the server's security level. Why? Primarily, ASP / CGI applications may contain security vulnerabilities (eg SQL injection, cross-site-scripting). secondarily, the technology itself can be dangerous (vulnerabilities in PHP, Perl modules etc. ). That's why I strongly recommend using such technologies only when an interaction with a Web site is absolutely necessary. Security Assumptions One of the most important elements of every computer project is the specification of security assumptions. This must be fulfilled before the project is implemented . The security assumptions for Our Web Server Are As Follows:

The operating system must be hardened as much as possible, both against local and remote attacks; The server must not offer any network services except HTTP: (80 / TCP); Remote access to the server must be controlled by a firewall, which should block all outbound connections, and allow inbound connections only to the 80 / TCP port of the Web server; The Apache Web server must be the only service available on the system; only absolutely necessary Apache modules should be enabled; Any diagnostic Web pages and automatic directory indexing service must be turned off; The server should disclose the least amount of information about itself (security by obscurity); The Apache server must run under a unique UID / GID, not used by any other system process; Apache's processes must have limited access To the file systems (chrooting); and, no shell programs can Be Present in the apache's chrooted environment (/ bin / sh, / bin / csh etc.).

Installing the Operating System Before installing Apache we must choose an operating system, upon which the server will run. We've got a broad choice here, because Apache can be compiled and installed on almost every operating system. The rest of the article instructs how to secure the Apache Web server on FreeBSD (4.7), however the described methods are possible to apply in case of most UNIX / Linux systems The only operating system I do not recommend using is MS Windows -. mainly because of the limited capabilities of securing the Apache. The first step in securing the Web server is hardening the operating system. A discussion of hardening the operating system is beyond the scope of this article. However, there are a lot of documents on the Net describing how to perform that. Readers are encouraged to conduct their own issue on this topic After the system is installed and hardened, we have to add a new group and regular user called "apache" like this (an example from FreeBSD): pw grou. Padd apachepw useeradd apache -c "apache server" -d / dev / null -g apache -s / sbin / nologin

By default, Apache processes run with privileges of user nobody (except the main process, which runs with root privileges) and GID of group nogroup. This might pose a significant security threat. In case of successful break-in, the intruder can obtain access to all other processes that run under the same UID / GID. Hence, the optimum solution is to run Apache under the UID / GID of a unique regular user / group, dedicated to that software. Preparing the Software The next step is to download the latest version of the Apache Web server. Some of Apache's options can be enabled only during compilation time, thus it is important to download the source code instead of the binary version. After downloading the software, we must unpack it. Then we must decide which modules should remain enabled. A short description of all modules available in the latest version of Apache 1.3.x (1.3.27) can be found at http://httpd.apache.org/docs/mod/. Apache's modules The choice of Modules Is One of the Most IMPORT Ant Steps of Securing Apache. We Should Go by The Rule: The Less The Better. To Fulfill The Functionality and Security Assumptions, The Following Modules Must Remain Enabled:

Module's nameDescriptionhttpd_coreThe core Apache features, required in every Apache installation.mod_accessProvides access control based on client hostname, IP address, or other characteristics of the client request. Because this module is needed to use "order", "allow" and "deny" directives , it should remain enabled.mod_authRequired in order to implement user authentication using text files (HTTP Basic authentication), which was specified in functionality assumptions.mod_dirRequired to search and serve directory index files: "index.html", "default.htm", etc.mod_log_configRequired to implement logging of the requests made to the server.mod_mimeRequired to set the character set, content- encoding, handler, content-language, and MIME types of documents. All other Apache's modules must be disabled. We can safely turn them Off, Mainly Because We do Not NEED THEM. by Disabling Unneeded Modules, We can Avoid Potential Break-insime new security vulnerabilities area found in one of them. IT is also worth to note that two of Apache's modules can be more dangerous than others:. mod_autoindex and mod_info The first module provides for automatic directory indexing, and is enabled by default It is very easy to use this module in order to check if Apache. runs on a server (eg http: // server_name / icons /) and to get the content of the Web server's directories, when no index files are found in them The second module, mod_info, should never be accessible from the Internet, mainly. Because IT Reveals The Apache Server '

s configuration. The next question is how to compile modules. The static method seems to be a better choice. If new vulnerabilities in Apache are found, we will probably recompile not just the vulnerable modules, but the whole software. By choosing the static method , we eliminate the need of one more module - mod_so Compiling the software First of all - if exist - any security patches must be applied Then, the server should be compiled and installed as follows:.. ./configure --prefix = / usr / local / apache --disable-module = all --server-uid = apache --Server-gid = apache --enable-module = access --enable-

Module = log_config --enable-module = DIR --Nable-module = mime --enable-module = auth

Make

SU

Umask 022

Make Install

Chown -r root: SYS / USR / LOCAL / APACHE

Chrooting the server The next step is to limit Apache processes' access to the filesystems. We can achieve that by chrooting it's main daemon (httpd). Generally, the chrooting technique means creating a new root directory structure, moving all daemon files to it, and running the proper daemon in that new environment. Thanks to that, the daemon (and all child processes) will have access only to the new directory structure. We'll start this process by creating a new root directory structure under the / chroot / HTTPD DIRECTORY: MKDIR -P / Chroot / HTTPD / DEV

MKDIR -P / Chroot / HTTPD / ETC

Mkdir -P / chroot / httpd / var / run

Mkdir -p / chroot / httpd / usr / lib

Mkdir -p / chroot / httpd / usr / libexec

Mkdir -p / chroot / httpd / usr / local / apache / bin

Mkdir -p / chroot / httpd / usr / local / apache / logs

Mkdir -p / chroot / httpd / usr / local / apache / conf

Mkdir -p / chroot / httpd / www

THE OWNER OF All Above Directories Must Be root, and the access rights should be set to the 0755. Next: / dev / null: ls -al / dev / nullcrw-rw-rw- 1 Root Wheel 2, 2 Mar 14 12:53 / dev / null

MkNod / Chroot / HTTPD / DEV / NULL C 2 2

Chown root: sys / chroot / httpd / dev / null

CHMOD 666 / Chroot / httpd / dev / null

A different method must be used to create a / chroot / httpd / dev / log device, which is also needed for the server to work properly. In case of the FreeBSD system, the following line should be added to the / etc / rc. CONF: SYSLOGD_FLAGS = "- l / chroot / httpd / dev / log"

We must restart the system or the syslogd daemon itself for the changes to take effect. In order to create a / chroot / httpd / dev / log device on other operating systems, we must take a look at the proper manuals (man syslogd). The next step is to copy the main httpd program into the new directory tree with all necessary binaries and libraries. In order to do that, we must prepare the list of all required files. We can make such list by using the following commands (their Presence Depends on Particular Operating System):

CommandAvailabilityDescript ionlddAllLists dynamiic dependencies of executable files or shared librariesktrace / ktruss / kdump * BSDEnables kernal process tracing, Displays kernal trace datasotrussSolarisTraces shared library procedure callsstrace / ltraceLinuxTraces system calls and signalsstringsAllFinds the printable strings in binary filestraceAIXRecords selected system eventstrace (freeware) HP-UX < 10.20Print system call and kernal traces of processestrussFreeBSD, Solaris, AIX 5L, SCO UnixwareTraces system calls and signalstusc (freeware) HP-UX> 11Traces the system calls a process invokes in HP-UX 11 Examples of using ldd, strings and truss commands are Shown Below: Localhost # ldd / usr / local / apache / bin / httpd / usr / local / apache / bin / httpd:

Libcrypt.so.2 => /usr/lib/libcrypt.so.2 (0x280BD000)

Libc.so.4 => /usr/lib/libc.so.4 (0x280d6000)

Localhost # strings / usr / local / apache / bin / httpd | GREP LIB

/usr/libexec/ld-elf.so.1

Libcrypt.so.2

Libc.so.4

Localhost # trus / usr / local / apache / bin / httpd | grep open

(...)

Open ("/ var / run / ld-elf.so.hints", 0,00) = 3 (0x3)

Open ("/ usr / lib / libcrypt.so. 2", 0,027757775370) = 3 (0x3)

Open ("/ usr / lib / lib / lib / libc.so. 4", 0,027757775370) = 3 (0x3)

Open ("/ etc / spwd.db", 0,00) = 3 (0x3)

Open ("/ etc / group", 0,0666) = 3 (0x3)

Open ("/ usr / local / apache / conf / httpd.conf", 0,0666) = 3 (0x3)

(...)

The above commands should be applied not only to the httpd program, but also to all of the libraries and binaries required (libraries often require other libraries). In case of FreeBSD system, the following files have to be copied to the new root directory structure : cp / usr / local / apache / bin / httpd / chroot / httpd / usr / local / apache / bin / cp /var/run/ld-elf.so.hints / chroot / httpd / var / run /

Cp /usr/lib/libcrypt.so.2 / chroot / httpd / usr / lib /

Cp /usr/lib/libc.so.4 / chroot / httpd / usr / lib /

Cp /usr/libexec/ld-elf.so.1 / chroot / httpd / usr / libexec /

By Using The Truss Command We Can Also Discover That The Following Configuration Files Must Be Present in The Chrooted Environment AS Well: CP / ETC / HOSTS / Chroot / HTTPD / ETC /

Cp /etc/host.conf / chroot / httpd / etc /

Cp /etc/resolv.conf / chroot / httpd / etc /

CP / ETC / Group / Chroot / HTTPD / ETC /

Cp /etc/master.passwd / chroot / httpd / etc / passwords

Cp /usr/local/apache/conf/mime.types / chroot / httpd / usr / local / apache / conf /

Note, That from / chroot / have to remove all the lines except "nobody" and "apache". In A Similar Way, We Must Remove All The Lines Except "Apache" and "nogroup" from / chroot / httpd / etc / group. next, we have to build the password database as stock: cd / chroot / httpd / etc

PWD_MKDB -D / chroot / httpd / etc passwords

Rm -rf /chroot/httpd/etc/master.passwd

The next step is to test if the httpd server runs correctly in the new chrooted environment In order to perform that, we have to copy the default Apache configuration file and sample index.html:. Cp / usr / local / apache / conf / httpd .conf / chroot / httpd / usr / local / apache / co

NF /

Cp /usr/local/apache/htdocs/index.html.en /chroot/httpd/www/index.html

After copying the aforementioned files, we must change the DocumentRoot directive as presented below (in /chroot/httpd/usr/local/apache/conf/httpd.conf): DocumentRoot "/ www" Next, we can try to run the server: Chroot / chroot / httpd / usr / local / apache / bin / httpd

If any problems occur, I recommend analyzing Apache's log files precisely (/ chroot / httpd / usr / local / apache / logs) Alternatively, the following command can be used:. Truss chroot / chroot / httpd / usr / local / apache / bin / httpd

The truss program should show the cause of the problems. After eliminating any eventual faults, we can configure the Apache server. Configuring Apache The first step is to remove the /chroot/httpd/usr/local/apache/conf/httpd.conf file And create a new one in its place, with content similar to the folload: # ================================= ================

#Basic settings

# =====================================================

Servertype Standalone

Serverroot "/ usr / local / apache"

Pidfile /usr/local/apache/logs/httpd.pid

ScoreboardFile /usr/local/apache/logs/httpd.scoreboard

ResourceConfig / dev / null

Accessconfig / dev / null

# ===================================================== # Performance Settings

# =====================================================

TIMEOUT 300

Keepalive ON

MaxkeepaliveRequests 100

KeepaliveTimeout 15

MinSpareServers 5

MaxSpareServers 10

StartServers 5

MaxClients 150

MaxRequestSperChild 0

# =====================================================

# Apache's Modules

# =====================================================

ClearModuleList

AddModule MOD_LOG_CONFIG.C

AddModule MOD_MIME.C

AddModule MOD_DIR.C

AddModule MOD_ACCESS.C

AddModule MOD_AUTH.C

# =====================================================

# General settings

# ===================================================== Port 80

User apache

GROUP APACHE

ServerAdmin Webmaster@www.ebank.lab

Usecanonicalname OFF

Serversignature OFF

Hostnamelookups off

ServerToKens PROD

DirectoryIndex Index.html

DocumentRoot "/ www / vhosts"

# =====================================================

# Access Control

# =====================================================

Options none

ALLOWOVERRIDE NONE

ORDER DENY, ALOW

Deny from all

ORDER ALOW, DENY

ALLOW FROM ALL

ORDER ALOW, DENY

ALLOW FROM ALL

# =====================================================

# Mime encoding

# =====================================================

TypesConfig /usr/local/apache/conf/mime.types

DefaultType Text / Plain

Addencoding X-Compress Z

Addencoding X-Gzip Gz TgzaddType Application / X-Tar .tgz

# =====================================================

# Logs

# =====================================================

Loglevel Warn

Logformat "% H% L% u% T /"% r / "%> s% b /"% {referer} I / "/"% {user-agent} i / "combined

Logformat "% H% L% u% T /"% r / "%> s% B" CommON

Logformat "% {referer} i ->% u" Referer

Logformat "% {User-agent} i" Agent

ErrorLog / USR / local / apache / logs / error_log

Customlog / usr / local / apache / logs / access_log combined

# =====================================================

# Virtual Hosts

# =====================================================

Namevirtualhost *

Documentroot "/www/vhosts/www.ebank.lab"

ServerName "www.ebank.lab"

Serveralias "www.e-bank.lab"

ErrorLog logs / www.ebank.lab / error_log

Customlog logs / www.ebank.lab / access_log combined

DocumentRoot "/www/vhosts/www.test.lab"

Servername "www.test.lab" errorlog logs / www.test.lab / error_log

Customlog logs / www.test.lab / access_log combined

The above configuration includes only the commands that are necessary to fulfill the functionality and security assumptions In the configuration presented, there are two virtual hosts supported by the Web server: -. Www.ebank.lab (www.ebank.lab) - Www.test.Lab the Content of the Above Web Sites Is Physically Present in The Following Directories: - /chroot/httpd/www/vhosts/www.ebank.lab

- /chroot/httpd/www/vhosts/www.test.lab

Each Web Site Has ITS OWN Log Files, Which Are Present in The Following Directories: - /chroot/httpd/usr/local/apache/logs/www.ebank.lab

- /chRoot/httpd/usr/local/apache/logs/www.test.lab

The above directories must be created before running the Apache for the first time - otherwise the Apache will not run correctly The owner of the above directories should be root:. Sys, and the rights should be set to 0755. Compared with the default Apache configuration File, The Following Changes Have Been Made:

the number of enabled modules has been significantly reduced Apache does not disclose information about its version number (directives: ServerTokens, ServerSignature) Apache's processes (except the root process) are set to be executed with unique regular user's / group's privileges (directives: User , Group) Apache will allow access only to the directories, subdirectories and files, which are explicitly specified in the configuration file (directives: Directory, Allow); all other requests will be denied by default Apache will log more information about HTTP requests

Final Steps At The End We Should Create A Start-Up Script "Apache.sh", The Content of Which Will Be Similar To the Following: #! / Bin / shchroot = / chroot / httpd /

Httpd = / usr / local / apache / bin / httpd

Pidfile = / usr / local / apache / logs / httpd.pid

echo -n "apache"

Case "$ 1" in

START)

/ usr / sbin / chroot $ chroot $ httpd

;

STOP)

Kill `Cat $ {chroot} / $ {pidfile}`

;

*)

echo ""

Echo "USAGE:` BaseName $ 0` {Start | Stop}> & 2

EXIT 64

;

ESAC

EXIT 0

The above script should be copied to the proper directory (depends on particular UNIX system), where by default startup scripts are held. In case of FreeBSD it is the /usr/local/etc/rc.d directory. Summary The above method allows achieving a higher security level of the Apache server than the one, offered in the default installation. Thanks to enabling only the absolutely necessary Apache modules, finding a new vulnerability in one of them does not have to indicate that our server is vulnerable. Hiding the Apache's version number, turning off the directory indexing service, chrooting and restricted configuration make a successful break-in very difficult A chrooted environment has also one more important advantage -. immunity to the large number of exploits, mainly because of lack of the shell .

Relevant Links

Apache Http Server Project

Sample httpd.conf

Sample apache.sh

转载请注明原文地址:https://www.9cbs.com/read-119271.html

New Post(0)