Proper Configuration and Maintenance of Apache Web Server Security (CERNET)

The Apache server's main security flaws
As stated in the preface, although the Apache server is the most widely used web server and is designed as a very secure program, it has security defects like any other application. After all, its source code is completely open. The security defects of the Apache server are mainly exploited in three ways: denial of service, buffer overflow attacks, and attacks in which the attacker gains root privileges; to these is added the latest "Denial of Service" (DoS) attack by malicious attackers. Reasonable network configuration protects the Apache server from a variety of attacks. Let us introduce the main security defects:
(1) Denial-of-service defects exploiting the HTTP protocol
In this method the attacker uses some means to make the server unable to respond to HTTP requests. This sharply increases the demand for system resources (CPU time and memory) and finally causes the Apache system to slow down or become completely paralyzed.
(2) Buffer overflow defects
In this method the attacker uses defects in how the program is written to make it deviate from its normal flow. The program uses statically allocated memory to save request data, and an attacker can send an overly long request to overflow the buffer.
(3) Defects through which the attacker gains root privileges
This defect arises mainly because the Apache server's parent process typically runs with root privileges; an attacker who exploits it obtains root privileges and in turn controls the entire Apache system.
(4) "Denial of Service" (DoS) attacks by malicious attackers
This is the latest vulnerability, found on June 17. It lies mainly in Apache's chunked encoding, a feature of the HTTP protocol defined for accepting data submitted by the web user. Running the latest security release is critical to strengthening the security of the Apache web server.
Apache server administrators should go to http://www.apache.org/dist/httpd/ to download the patch and make sure their web server is safe.
Correctly maintaining and configuring the Apache server
Although the developers of the Apache server are very careful, the Apache server is a huge project and will inevitably contain security hazards. It is therefore important to properly maintain and configure the Apache web server. Some issues we should pay attention to:
(1) Apache server configuration files
The Apache web server has three configuration files, located in the /usr/local/apache/conf directory. These three files are:
httpd.conf -----> main configuration file
srm.conf ------> resource configuration file
access.conf ---> access control settings file
Note: for the configuration directives, refer to http://httpd.apache.org/docs/mod/core.html
(2) Directory security authentication for Apache servers
Apache allows a directory to be protected with a .htaccess file: to read the protected directory, the user must type the correct user account and password. This can be used for a directory that stores web pages or for a members-only area. Place a file named .htaccess in the protected directory with the following content:
AuthName "Protected Area" -----> the realm name shown in the login prompt (any text)
AuthType Basic
AuthUserFile /var/tmp/xxx.pw -----> the password file for the website
Require valid-user
Then, in the Apache bin directory, build the password file:
% ./htpasswd -c /var/tmp/xxx.pw username1 -----> the "-c" parameter is only used when creating the file for the first user
% ./htpasswd /var/tmp/xxx.pw username2
This protects the content of the directory and admits only users who log in with a legitimate account. Note: this uses the authentication module bundled with Apache.
You can also add the following to the corresponding <Directory> block in httpd.conf:
Options Indexes FollowSymLinks
AllowOverride AuthConfig
Order allow,deny
Allow from all
(3) Apache server access control
Let us now look at the third of the three configuration files, access.conf, which contains the directives controlling which users may access which Apache directories. You should set "Deny from all" as the initial directive, and then open access selectively with "Allow from" directives.
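As an added example (not part of the original article), the following Python models how Apache 1.3 evaluates Order, Deny from and Allow from for a client address; it shows that the "Deny from all, then Allow from" pattern recommended above only works with Order deny,allow. The network 10.0.0.0/8 and the client addresses are constructed sample values.

```python
# Added example (not from the original article): evaluates Apache 1.3-style
# Order / Deny from / Allow from directives for a client IP, showing why
# 'Deny from all' needs 'Order deny,allow' before 'Allow from' can open access.
# Only the 'all' and IP / CIDR argument forms are modelled (no host names).
import ipaddress

def _matches(rules, client):
    """True if the client address matches any argument of a Deny/Allow line."""
    ip = ipaddress.ip_address(client)
    for rule in rules:
        if rule == "all" or ip in ipaddress.ip_network(rule, strict=False):
            return True
    return False

def access_allowed(order, deny, allow, client):
    """Mirror Apache's decision table.
    deny,allow: default allow; an Allow match overrides a Deny match.
    allow,deny: default deny;  a Deny match overrides an Allow match."""
    denied, allowed = _matches(deny, client), _matches(allow, client)
    order = order.replace(" ", "").lower()
    if order == "deny,allow":
        return True if allowed else not denied
    if order == "allow,deny":
        return False if denied else allowed
    raise ValueError(f"unsupported Order: {order}")

# Constructed scenarios (order, deny list, allow list):
# (a) the article's /pub setting: everybody may read the download area
PUBLIC = ("allow,deny", [], ["all"])
# (b) start closed in access.conf, then open only the internal network
INTRANET_ONLY = ("deny,allow", ["all"], ["10.0.0.0/8"])
# (c) same directives but the wrong Order: Deny wins, nobody gets in
LOCKED_OUT = ("allow,deny", ["all"], ["10.0.0.0/8"])
```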
(4) Apache server password protection
We use a .htaccess file to grant a particular user access to a certain directory. The system administrator must use the AccessFileName directive in httpd.conf or srm.conf to enable per-directory access control. For example, the .htaccess file:
AuthName PrivateFiles
AuthType Basic
AuthUserFile /path/to/httpd/users
Require user phoenix
and the command that creates the password file:
# htpasswd -c /path/to/httpd/users phoenix
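As an added example (not part of the original article) covering sections (2) and (4), the following Python shows what Apache does with the .htaccess directives above: it decodes the browser's Basic Authorization header, checks the password against an AuthUserFile entry in the "{SHA}" format that "htpasswd -s" writes, and then applies "Require valid-user" or "Require user <name>". The users, passwords and file contents are constructed.

```python
# Added example (not from the original article): how Apache's Basic auth
# decision works against an AuthUserFile. Re-implements the '{SHA}' format
# written by 'htpasswd -s' plus 'Require valid-user' / 'Require user <name>'.
import base64
import hashlib
import hmac

def sha_entry(user: str, password: str) -> str:
    """One AuthUserFile line as 'htpasswd -s' writes it: user:{SHA}b64(sha1)."""
    digest = hashlib.sha1(password.encode()).digest()
    return f"{user}:{{SHA}}{base64.b64encode(digest).decode()}"

# Constructed AuthUserFile contents (two test users, not real credentials).
AUTH_USER_FILE = "\n".join([sha_entry("phoenix", "correct horse"),
                            sha_entry("user1", "download-me")])

def load_users(text: str) -> dict:
    """Parse AuthUserFile lines into {user: stored_hash}, skipping comments."""
    users = {}
    for line in text.splitlines():
        if ":" in line and not line.startswith("#"):
            user, stored = line.split(":", 1)
            users[user] = stored
    return users

def password_ok(stored: str, password: str) -> bool:
    """Verify a '{SHA}' entry with a constant-time comparison."""
    if not stored.startswith("{SHA}"):
        return False
    expected = base64.b64encode(hashlib.sha1(password.encode()).digest()).decode()
    return hmac.compare_digest(stored[len("{SHA}"):], expected)

def basic_header(user: str, password: str) -> str:
    # The Authorization header a browser sends after the login prompt.
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()

def authorize(auth_header: str, user_file: str, require: str) -> bool:
    """Decode the header, verify the password, then apply the Require directive."""
    scheme, _, token = auth_header.partition(" ")
    if scheme != "Basic":
        return False
    try:
        user, _, password = base64.b64decode(token).decode().partition(":")
    except Exception:  # malformed base64 or non-UTF-8 credentials
        return False
    stored = load_users(user_file).get(user)
    if stored is None or not password_ok(stored, password):
        return False
    words = require.split()
    return words == ["valid-user"] or (words[:1] == ["user"] and user in words[1:])
```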
Setting up the Apache server as web and file server
We store the web server files on the Apache server for users to access, set the /home/ftp/pub directory as the file storage area, and access it via http://download.your.com/pub/. The Apache server is placed behind the firewall and is reached through the firewall's proxy.
(1) Apache server settings
The Apache server uses the default configuration. The main directory is /home/httpd/html, the host name is phoenix.your.com with the alias www.your.com. Add one Alias line to srm.conf as follows:
Alias /pub/ /home/ftp/pub/
Change the default content type, defined as follows:
DefaultType application/octet-stream
Finally, add one definition for the /home/ftp/pub directory in /etc/httpd/conf/access.conf:
Options Indexes
AllowOverride AuthConfig
Order allow,deny
Allow from all
Note: Options Indexes allows the directory/file listing to be shown when no index.html file is found, and AllowOverride AuthConfig allows basic username and password verification. In this case you need to place a .htaccess file in the /home/ftp/pub directory with the following content:
[root@pub]# more .htaccess
AuthName "Branch office public software download area"
AuthType Basic
AuthUserFile /etc/.usrpasswd
Require valid-user
Then create the user names and passwords that are allowed to access the /pub file service:
# htpasswd -c /etc/.usrpasswd user1
(2) Configure reverse proxy technology on the firewall
Add the following to the Apache configuration on the firewall, one <VirtualHost> block per site name:
NameVirtualHost xxx.xxx.xxx.xxx ---> the firewall's permanent IP address on the Internet
<VirtualHost xxx.xxx.xxx.xxx>
ServerName www.your.com
ErrorLog /var/log/httpd/error_log
TransferLog /var/log/httpd/access_log
RewriteEngine on
ProxyRequests off
UseCanonicalName off
RewriteRule ^/(.*)$ http://xxx.xxx.xx.x/$1 [P] ---> xxx.xxx.xx.x is the Apache server's IP address
</VirtualHost>
<VirtualHost xxx.xxx.xxx.xxx>
ServerName download.your.com
ErrorLog /var/log/httpd/download/error_log
TransferLog /var/log/httpd/download/access_log
RewriteEngine on
ProxyRequests off
UseCanonicalName off
RewriteRule ^/(.*)$ http://xxx.xxx.xx.x/$1 [P] ---> xxx.xxx.xx.x is the Apache server's IP address
</VirtualHost>
Set DNS on the firewall so that download.your.com and www.your.com both point to the firewall's external network address xxx.xxx.xxx.xxx. Access the homepage via http://www.your.com and the public file download area via http://download.your.com/pub/.
Note: You also need to create the directory /var/log/httpd/download/ on the Apache server host, otherwise an error occurs. In addition, you can set the permissions of /home/httpd/html/index.html on the firewall host to block access, which prevents outside users from reaching the Apache server's http://www.your.com homepage through the firewall.
Summary: Apache Server is a very good server. As long as you correctly configure and maintain it, you will feel its benefits, and I hope that by reading this article you achieve the goal of a double harvest in theory and practice. Thank you.