Foreword: In the current Internet era, a company's homepage has become an important means of establishing its image and presenting itself, so configuring a powerful and secure web server is especially important. Among the many web server products, Apache is one of the most widely used and is also a very secure program. However, like other applications, Apache also has security defects. This article describes in detail how to configure and maintain the Apache web server securely.

I. Introduction to the Apache server

Apache is one of the most widely used web server programs on the Internet. It derives from a web server project of the US National Center for Supercomputing Applications (NCSA) and currently holds the leading position on the Internet. The Apache server is built to cope with the high load and large throughput of Internet work: it is fast and reliable, it can be extended through a simple API (the Perl/Python interpreters can be compiled into the server), it is completely free, and its full source code is open. If you need to build a web server that is accessed every day, Apache may be the best choice.

II. Main security defects of the Apache server

As stated in the foreword, although the Apache server is the most widely used and is a very secure program, like other applications it also has security defects. After all, its complete source code is public. The security defects of the Apache server are mainly exploited through three kinds of defects, denial of service, buffer overflow attacks, and attacks in which the attacker obtains root privileges, plus the latest "denial of service" (DoS) attack by malicious attackers. Reasonable network configuration protects the Apache server from a variety of attacks. The main security defects are:

(1) Denial of service. Using the HTTP protocol, the attacker causes the server to stop answering HTTP requests by certain means. This sharply increases the demand for system resources (CPU time and memory) and finally causes the Apache system to slow down or even become completely paralyzed.

(2) Buffer overflow defects. The attacker exploits defects in how a program is written to make it deviate from its normal flow. The program uses statically allocated memory to hold request data, and an attacker can send an over-long request to overflow the buffer; some gateway scripts written in Perl to handle user requests are an example. Once the buffer overflows, the attacker can execute malicious instructions or bring the system down.

(3) Defects that let an attacker obtain root privileges. This defect arises mainly because the Apache server (its parent process) typically runs with root privileges; an attacker who obtains root privileges in turn controls the entire Apache system.

(4) The "denial of service" (DoS) attack by malicious attackers. This latest vulnerability, found on June 17, lies mainly in Apache's chunked encoding, the HTTP protocol feature for accepting data submitted by web users. Effective attacks are possible against Apache running on the FreeBSD 4.5, OpenBSD 3.0/3.1 and NetBSD 1.5.2 platforms. All of the above shows that running the latest security version is critical to strengthening the security of Apache web servers. Apache server administrators should go to http://www.apache.org/dist/httpd/ and download the patch to make sure their web server is safe!

III. Proper maintenance and configuration of the Apache server

Although the developers of the Apache server pay great attention to security, the Apache server is a huge project and security hazards are therefore inevitable. It is important to maintain and configure the Apache web server properly.
Some issues we should pay attention to:

(1) Apache server configuration files. The Apache web server has three main configuration files, located in the /usr/local/apache/conf directory:
httpd.conf -----> main configuration file
srm.conf ------> resource configuration file
access.conf ---> access control settings
For configuration details refer to: http://httpd.apache.org/docs/mod/core.html

(2) Apache server log files. We can use the LogFormat directive to control the information written to the log file. With the directive LogFormat "%a %l", the IP address and host name of the browser making the HTTP request are recorded in the log file. For security reasons we should at least know which web users failed authentication; adding the directive LogFormat "%401u" to httpd.conf achieves this. The directive has many other parameters; the user can refer to the Apache documentation. In addition, Apache's error log file is also very important for system administrators: it records server starts and stops and CGI execution failures. For more information see the Apache Log series, parts 1-5.

(3) Directory security authentication. The Apache server allows you to protect a directory with .htaccess; to read a protected directory, the correct user account and password must be entered. This can be used for a directory that stores web pages or as a member area. Place a file named .htaccess in the protected directory with the following content:
AuthType Basic
AuthUserFile /var/tmp/xxxx.pw -----> the password file for the site
Require valid-user
Then, in Apache's bin directory, build the password file:
% ./htpasswd -c /var/tmp/xxxx.pw username1 -----> use the "-c" parameter only for the first user
% ./htpasswd /var/tmp/xxxx.pw username2
This protects the content of the directory so that only legitimately authorized users can enter. Note: this uses the authentication module shipped with Apache.
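As an added example for the log section in (2) above (not code from the original article), the following Python script parses Common Log Format lines as TransferLog writes them (format "%h %l %u %t \"%r\" %>s %b") and reports clients that keep receiving 401 responses, which is what repeated failed Basic-auth attempts against a protected directory look like in the access log. The sample log lines and the failure threshold are constructed assumptions.

```python
import re
from collections import Counter

# Common Log Format, as TransferLog writes it: %h %l %u %t "%r" %>s %b
CLF_RE = re.compile(
    r'^(?P<client>\S+) (?P<ident>\S+) (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<request>[^"]*)" (?P<status>\d{3}) (?P<bytes>\S+)$'
)

# Constructed sample lines (not from the article): one client gets four 401s on the
# protected /pub/ area while trying several names, another logs in and browses.
SAMPLE_LOG = """\
10.0.0.5 - - [17/Jun/2002:10:00:01 +0800] "GET /pub/ HTTP/1.0" 401 397
10.0.0.5 - user1 [17/Jun/2002:10:00:03 +0800] "GET /pub/ HTTP/1.0" 401 397
10.0.0.5 - admin [17/Jun/2002:10:00:04 +0800] "GET /pub/ HTTP/1.0" 401 397
10.0.0.5 - root [17/Jun/2002:10:00:05 +0800] "GET /pub/ HTTP/1.0" 401 397
10.0.0.9 - user1 [17/Jun/2002:10:01:00 +0800] "GET /pub/ HTTP/1.0" 200 1532
10.0.0.9 - - [17/Jun/2002:10:01:02 +0800] "GET /index.html HTTP/1.0" 200 2048
"""

def parse_clf(line):
    """Return the fields of one CLF line as a dict, or None if it does not parse."""
    m = CLF_RE.match(line)
    return m.groupdict() if m else None

def auth_failures(log_text):
    """Count 401 responses per client and collect the usernames each client tried."""
    per_client = Counter()
    users_tried = {}
    for line in log_text.splitlines():
        rec = parse_clf(line)
        if rec is None or rec["status"] != "401":
            continue
        per_client[rec["client"]] += 1
        if rec["user"] != "-":  # "-" means no credentials were sent (the first challenge)
            users_tried.setdefault(rec["client"], set()).add(rec["user"])
    return per_client, users_tried

def flag_guessing(log_text, max_failures=3):
    """Clients with more than max_failures 401s, mapped to the sorted names they tried."""
    per_client, users_tried = auth_failures(log_text)
    return {ip: sorted(users_tried.get(ip, ()))
            for ip, count in per_client.items() if count > max_failures}

if __name__ == "__main__":
    for ip, names in flag_guessing(SAMPLE_LOG).items():
        print(f"{ip}: {len(names)} usernames tried on a protected area: {', '.join(names)}")
```

Run it against a real access_log by reading the file into flag_guessing; the threshold should be tuned to the site, since a single mistyped password also produces a 401.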
Instead of a .htaccess file, the same protection can also be configured in httpd.conf, inside the <Directory> container for the protected directory:
Options Indexes FollowSymLinks
AllowOverride AuthConfig
Order allow,deny
Allow from all

(4) Apache server access control. Now we look at the third of the three configuration files, access.conf. It contains directives that control which users are allowed to access the Apache directories. You should set Deny from all as the initial directive and then open up access with Allow from directives:
Order deny,allow
Deny from all
Allow from SafeChina.net
Allow from can specify a domain, an IP address, or an IP range.

(5) Apache server password protection. We use the .htaccess file to give access to a certain directory to a certain user only. The system administrator needs to enable directory access control with the AccessFileName directive in httpd.conf or srm.conf. For example:
AuthName PrivateFiles
AuthType Basic
AuthUserFile /path/to/httpd/users
Require user phoenix
# htpasswd -c /path/to/httpd/users phoenix

IV. Web and file server on the Apache server

We store the web pages on the Apache server for users to access, and set the /home/ftp/pub directory as a file storage area accessed via http://download.your.com/pub/. Apache sits behind the firewall and is reached through the firewall's proxy.

(1) Setting up the Apache server. The Apache server uses the default configuration. The document root is /home/httpd/html, the host name is phoenix.your.com and its alias is www.your.com. In srm.conf add a line defining the alias:
Alias /pub/ /home/ftp/pub/
and change the default content type as follows:
DefaultType application/octet-stream
Finally add the following definition in /etc/httpd/conf/access.conf:
<Directory /home/ftp/pub>
Options Indexes
AllowOverride AuthConfig
Order allow,deny
Allow from all
</Directory>
Note: Options Indexes allows the directory/file listing to be shown when no index.html file is found.
AllowOverride AuthConfig allows basic username and password verification. In this case,
a .htaccess file needs to be placed in the /home/ftp/pub directory with the following content:
[root@Shopu pub]# more .htaccess
AuthName "Branch Office Public Software Download Area"
AuthType Basic
AuthUserFile /etc/.usrpasswd
Require valid-user
Use # htpasswd -c /etc/.usrpasswd user1 to create the usernames and passwords that are allowed to access the /pub/ file service (omit -c when adding further users, since -c creates the file anew).
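As an added check (not from the original article) for the .htaccess and htpasswd setup used in sections III(3) and IV(1), the following Python script audits a .htaccess file and its password file: it flags an AuthUserFile placed under the DocumentRoot or in a world-writable directory such as /var/tmp (the location the text uses), and reports entries whose hash scheme is weak. The sample .htaccess and htpasswd lines are constructed, and the hash parts are placeholders shaped like the real formats, not real hashes.

```python
import re
from pathlib import PurePosixPath

# Constructed sample inputs (not from the article): a .htaccess like the one above, and
# htpasswd lines whose hash parts are placeholders shaped like the real formats.
SAMPLE_HTACCESS = """\
AuthName "Branch Office Public Software Download Area"
AuthType Basic
AuthUserFile /var/tmp/xxxx.pw
Require valid-user
"""
SAMPLE_HTPASSWD = """\
user1:$apr1$saltsalt$xxxxxxxxxxxxxxxxxxxxxx
user2:{SHA}qUqP5cyxm6YcTAhz05Hph5gvu9M=
user3:$2y$05$xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
user4:plaintextpassword
"""
WORLD_WRITABLE_DIRS = ("/tmp", "/var/tmp")
WEAK_SCHEMES = {"sha1", "unknown"}  # unsalted SHA-1, or not a recognised hash at all

def hash_scheme(entry):
    # Identify the scheme by the prefix htpasswd writes; bcrypt is the one to prefer.
    if entry.startswith(("$2y$", "$2a$", "$2b$")):
        return "bcrypt"
    if entry.startswith("$apr1$"):
        return "apr1-md5"
    if entry.startswith("{SHA}"):
        return "sha1"
    return "unknown"

def audit_htaccess(htaccess_text, document_root):
    # Findings about where the AuthUserFile directive places the password file.
    m = re.search(r'^\s*AuthUserFile\s+"?([^"\s]+)"?', htaccess_text, re.M)
    if not m:
        return ["no AuthUserFile directive"]
    path = PurePosixPath(m.group(1))
    findings = []
    if any(PurePosixPath(d) in path.parents for d in WORLD_WRITABLE_DIRS):
        findings.append(f"{path} is in a world-writable directory; anyone could replace it")
    if PurePosixPath(document_root) in path.parents:
        findings.append(f"{path} is under DocumentRoot {document_root} and may be served")
    return findings

def audit_htpasswd(htpasswd_text):
    # (user, scheme) for every entry whose hash scheme is considered weak.
    weak = []
    for line in htpasswd_text.splitlines():
        if ":" not in line:  # skip blank lines and anything that is not user:hash
            continue
        user, _, entry = line.partition(":")
        if hash_scheme(entry) in WEAK_SCHEMES:
            weak.append((user, hash_scheme(entry)))
    return weak
```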
(2) Configure reverse proxying on the firewall.
Add the following to /etc/httpd/conf/httpd.conf:
NameVirtualHost xxx.xxx.xxx.xxx
# xxx.xxx.xxx.xxx -----> the firewall's permanent IP address on the external (Internet) side
<VirtualHost xxx.xxx.xxx.xxx>
ServerName www.your.com
ErrorLog /var/log/httpd/error_log
TransferLog /var/log/httpd/access_log
RewriteEngine on
ProxyRequests Off
UseCanonicalName Off
# xxx.xxx.xx.x -----> the Apache server's IP address; the [P] flag makes mod_rewrite proxy the request instead of redirecting the browser
RewriteRule ^/(.*)$ http://xxx.xxx.xx.x/$1 [P]
</VirtualHost>
<VirtualHost xxx.xxx.xxx.xxx>
# ServerName takes a host name, not a URL; /pub/ is the path the browser requests
ServerName download.your.com
ErrorLog /var/log/httpd/download/error_log
TransferLog /var/log/httpd/download/access_log
RewriteEngine on
ProxyRequests Off
UseCanonicalName Off
RewriteRule ^/(.*)$ http://xxx.xxx.xx.x/$1 [P]
</VirtualHost>
Set DNS on the firewall so that download.your.com and www.your.com both point to the firewall's external address xxx.xxx.xxx.xxx. The homepage is then accessed at http://www.your.com and the public file download area at http://download.your.com/pub/. Note: you also need to create the directory /var/log/httpd/download/ on the Apache server host, otherwise an error results. In addition, you can set the permissions of /home/httpd/html/index.html on the firewall host to block access, which prevents outside users from reaching the Apache server behind the firewall through http://www.your.com.

Summary: The Apache server is a very good, very powerful server. As long as you configure and maintain it correctly, you will feel the benefits of the Apache server, and I hope that by reading this article you can reach the goal of a double harvest in theory and practice. Thank you.