【Abstract】 Every administrator fears having the web server attacked: once it is compromised, all of the site's content may be defaced and the whole web system left in disarray. Choosing web server software with good security properties is therefore especially important. As the most popular web server software on the Internet, Apache has had its security tested by both time and the market and has achieved remarkable success. Understanding the characteristics of Apache Server and configuring it sensibly are matters that every site administrator, maintainer and developer must attend to.
1. Functions of the Apache Server
Apache Server grew out of NCSA's httpd and became the most popular web server in 1995. Thanks to its powerful functionality, flexible configuration and portability across platforms, Apache Server has won wide trust. Its main features are:
(1) Support for the latest HTTP/1.1 protocol (RFC 2616).
(2) Highly configurable and extensible, making full use of third-party modules.
(3) Complete source code under an unrestricted license.
(4) Widely available on Windows 2000/NT/9x, NetWare 5.x, OS/2 and the UNIX family of operating systems, with more than 17 supported platforms.
(5) Powerful features that cover users' needs, including DBM database support for authentication; customizable responses to errors and problems; directory index handling; an unrestricted, flexible URL aliasing and redirection mechanism; virtual hosts, which let the home pages of several domains coexist on one host; extensive log file functionality for analysing site usage; easy extension and maintenance; and more.
Thanks to these advantages, Apache Server is markedly more efficient, stable and feature-rich than other web servers, and it is in use on more than 6 million Internet sites.
2. Security characteristics of the Apache server
As the most popular web server, Apache Server provides good security features to cope with possible security threats and information leakage.
1. A security policy combining discretionary and mandatory access control
From the perspective of Apache, or of the Web in general, discretionary access control (DAC) is based on user names and passwords, while mandatory access control (MAC) is based on the IP address or domain name of the client making the request. Under DAC a user who gets it wrong can try again by entering the correct password; a user who fails the MAC check, however, is refused any further operation, and unless the server's security policy is changed no effort on the user's part will help.
2. Apache security modules
One advantage of Apache is its flexible module structure; its whole design is built around the concept of modules. The security modules are an extremely important part of Apache Server: they provide its access control, authentication and authorization.
The mod_access module controls access to the Apache server on the basis of the visitor's IP address (or domain name, host name, etc.); this is called host-based access control.
The mod_auth module handles authentication and authorization of users and groups, with user names and passwords stored in a plain text file. The mod_auth_db and mod_auth_dbm modules store the user information (name, group membership, etc.) in small Berkeley DB and DBM databases respectively, which eases management and improves lookup efficiency. The mod_auth_digest module authenticates users with MD5-based digest authentication, but it requires support from the client.
The mod_auth_anon module is similar, but it allows anonymous logins, in which whatever the user enters (typically an e-mail address) is accepted as the password.
SSL (Secure Sockets Layer) support for Apache provides secure Internet transactions such as electronic commerce, preventing the leakage of sensitive information by encrypting the communication stream. Apache's support for it, however, is implemented as an extension, in effect an external module that works together with a third-party program to provide secure online transactions.
3. Security configuration of the Apache server
As noted above, Apache is highly configurable, and all of its security features must be configured with careful design and planning. The security configuration of the Apache server spans many levels: the runtime environment, authentication and authorization settings, and the establishment of secure electronic transaction links.
1. Apache installation, configuration and operation
(1) Apache is installed by root and run as the nobody user. If the Apache Server process ran with root privileges it would threaten the security of the whole system, so make sure the process runs as the lowest-privileged user possible. Setting the following options in httpd.conf runs Apache as nobody, which is comparatively safe:
User nobody
Group #-1
(2) Permissions on the ServerRoot directory
To make sure every configuration stays appropriate and secure, access to Apache's home directory must be strictly controlled so that non-superusers cannot modify its contents. Apache's home directory is the one named by the ServerRoot directive in the configuration file httpd.conf:
ServerRoot /usr/local/apache
(3) SSI configuration
In the configuration file access.conf or httpd.conf, add the Options IncludesNOEXEC directive to disable the exec feature of server-side includes in Apache Server. This keeps users from running executables through the Apache server directly and exposing the server system.
(4) Prevent users from modifying system settings
Configure the Apache server so that users cannot create or modify .htaccess files, which would otherwise let them redefine the security settings imposed by the system.
Individual directories can then be configured separately as appropriate.
(5) Default access to the Apache server's file system
Apache's default settings guarantee only a certain degree of security: if the server can locate a file through its normal mapping rules, the client receives it, so a URL such as http://localhost/~root/ would let a user browse the entire file system. Add to the server configuration file a setting that prohibits access to the file system by default.
(6) Security considerations for CGI scripts
CGI scripts are programs that are run by the web server. To keep the system secure, make sure the authors of the CGI scripts are trustworthy. CGI programs are best confined to a specific directory such as cgi-bin, which is easy to manage; that directory should be unwritable, so that rogue programs cannot be planted in it or mixed in among the legitimate ones; if a module of well-secured CGI programs is available as a reference, it can save many unnecessary troubles and security hazards; and every program not needed by the business should be removed from the CGI directory to prevent unexpected information leakage.
These common measures give Apache Server a basic secure operating environment; in a specific deployment they naturally need to be refined further so as to arrive at a security configuration that fits the actual application.
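As an added illustration (not from the original article), here is a small Python audit of an httpd.conf text against the points above: the User account, AllowOverride and Deny from all on <Directory />, and SSI exec through Options. The two configuration excerpts are constructed for the demonstration, and the parser handles only plain <Directory> blocks of the kind shown.

```python
# Constructed httpd.conf excerpts for this demonstration: a permissive one and the hardened form.
WEAK_CONF = """
User root
<Directory />
    Options Includes FollowSymLinks
    AllowOverride All
</Directory>
"""
HARDENED_CONF = """
User nobody
<Directory />
    Options IncludesNOEXEC
    AllowOverride None
    Order deny,allow
    Deny from all
</Directory>
"""

def parse_conf(text):
    """Split a config into global directives and per-<Directory> directives as (name, args) pairs."""
    global_d, dirs, current = [], {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.lower().startswith("<directory"):
            current = line[len("<directory"):].strip(' >"')   # the path inside <Directory ...>
            dirs[current] = []
        elif line.lower() == "</directory>":
            current = None
        else:
            name, _, args = line.partition(" ")
            (dirs[current] if current else global_d).append((name.lower(), args.split()))
    return global_d, dirs

def audit(text):
    """Return findings against the article's checklist; an empty list means the config passes."""
    global_d, dirs = parse_conf(text)
    settings = dict(global_d)           # the last occurrence of a directive wins, as in Apache
    root = dict(dirs.get("/", []))      # no <Directory /> block at all -> Apache's defaults apply
    findings = []
    if (settings.get("user") or ["?"])[0].lower() == "root":
        findings.append("User root: httpd must run as an unprivileged account such as nobody")
    if (root.get("allowoverride") or ["All"])[0].lower() != "none":
        findings.append("<Directory />: AllowOverride should be None so .htaccess cannot relax settings")
    if "all" not in [a.lower() for a in root.get("deny", [])]:
        findings.append("<Directory />: no 'Deny from all', so the whole file system is served by default")
    if "includes" in [o.lower() for o in root.get("options", [])]:
        findings.append("<Directory />: Options Includes permits SSI exec; use IncludesNOEXEC instead")
    return findings
```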
4. Host-based access control in Apache Server
Apache Server's default secure configuration is to refuse everything. Assuming the Apache Server content is kept in the /usr/local/apache/share directory, the directives that implement this deny access to everything outside it and prohibit changing the authentication and access-control methods in any directory.
Similarly, the Deny and Allow directives can be used to specify which users may access the server and which may not, which gives some flexibility. When Deny and Allow are used together, the Order directive determines the order in which Deny and Allow are evaluated.
1. Deny a class of addresses access to the server (Deny)
For example:
Deny from all
Deny from test.cn.com
Deny from 204.168.190.13
Deny from 10.10.10.0/255.255.0.0
2. Allow a class of addresses access to the server (Allow)
For example:
Allow from all
Allow from test.cn.com
Allow from 204.168.190.13
Allow from 10.10.10.0/255.255.0.0
Both Deny and Allow accept several arguments after from.
3. Examples:
Order allow,deny
Allow from all
Deny from www.***.com
This lets everyone access the Apache server except clients from www.***.com.
Order deny,allow
Deny from all
Allow from test.cn.com
This refuses everyone except visitors from test.cn.com.
For advanced access-control settings, consult books on UNIX system administration.
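The following Python code, added here rather than taken from the article, reproduces the Order/Allow/Deny decision of mod_access for a client address and host name so the two examples above can be tested; www.example.com is a constructed stand-in for the masked host name, and the code also exercises the pitfall that an Allow line on its own, under the default Order deny,allow, still admits every other client.

```python
import ipaddress

# Constructed configurations matching the two examples above (www.example.com stands in for the
# masked host name in the article).
BLOCK_ONE_HOST = """
Order allow,deny
Allow from all
Deny from www.example.com
"""
ONLY_ONE_DOMAIN = """
Order deny,allow
Deny from all
Allow from test.cn.com
"""

def parse_access(config):
    """Collect the Order setting and the Allow/Deny 'from' arguments of a config fragment."""
    order, allows, denies = "deny,allow", [], []        # Apache's default Order is deny,allow
    for line in config.splitlines():
        parts = line.split()
        if len(parts) < 2 or parts[0].startswith("#"):
            continue
        directive = parts[0].lower()
        if directive == "order":
            order = "".join(parts[1:]).lower()
        elif directive in ("allow", "deny") and parts[1].lower() == "from":
            (allows if directive == "allow" else denies).extend(parts[2:])
    return order, allows, denies

def matches(pattern, ip, host):
    """Does one Allow/Deny argument match a client with address ip and (reverse-resolved) name host?"""
    pattern = pattern.lower()
    if pattern == "all":
        return True
    if "/" in pattern:                                  # 10.10.10.0/255.255.0.0 or 10.10.0.0/16
        return ipaddress.ip_address(ip) in ipaddress.ip_network(pattern, strict=False)
    if pattern.replace(".", "").isdigit():              # full address, or a partial one such as 10.10
        return ip == pattern or ip.startswith(pattern + ".")
    return host is not None and (host == pattern or host.endswith("." + pattern))

def is_allowed(config, ip, host=None):
    """Apply mod_access semantics: the Order decides both the default and which directive wins."""
    order, allows, denies = parse_access(config)
    allowed = any(matches(p, ip, host) for p in allows)
    denied = any(matches(p, ip, host) for p in denies)
    if order == "allow,deny":       # default deny; a client matching both Allow and Deny is denied
        return allowed and not denied
    return allowed or not denied    # deny,allow: default allow; a client matching both is allowed
```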
5. User authentication and authorization in Apache Server
In summary, user authentication verifies the user's identity: whether the user account exists in the database and whether the password supplied for it is correct; user authorization means that a valid user is permitted to access specific resources. In Apache almost every security module takes both aspects into account. From a security standpoint, user authentication and authorization correspond to discretionary access control. Setting up user authentication and authorization takes three steps:
(1) Create the user database
The list of user names and passwords has to be kept in a file (mod_auth module) or a database (mod_auth_dbm module). For security, the file must not be stored under the document root. For example, store the users file under /usr/local/etc/httpd. Its format resembles the UNIX password file, but the password is stored in encrypted form. The htpasswd program adds or changes users:
htpasswd -c /usr/local/etc/httpd/users martin
-c creates a new file, martin is the user name being added, and the program prompts for the password as it runs. The user name and password are then added to the users file, which takes the following form:
martin:WRU808BHQAI36
jane:IABCQFQS40E8M
art:fadhn3w753ssu
The first field is the user name, the second the user's encrypted password.
(2) Configure the server's protection realm
To make the Apache server use the user name and password information in the user file, a protection realm must be set up. A realm is a part of the site (a directory, a document, etc.) or the whole site that only certain users may access. For example:
AuthName "Restricted Stuff"
AuthType Basic
AuthUserFile /usr/local/etc/httpd/users
require valid-user
Here AuthName gives the name of the realm. The valid-user argument means that every user in the users file may enter. Once a user has entered a valid user name and password, the other resources in the same realm can be accessed with the same credentials, and two different regions can also share the same user names and passwords.
(3) Tell the server which users may access the resource
To grant access to a resource to a group of users, list their names after Require. The best way is to use a group file. Groups work much like standard UNIX groups: any user may belong to one or several groups, and Require can then grant permissions to a whole group. For example:
Require group staff
Require group staff admin
Require user adminuser
These grant access to one group, to several groups, or to a single user respectively. Note that when a large number of user accounts is needed, a flat user file greatly reduces the Apache server's efficiency. In that case it is better to use an account database such as the DBM format. DB-format data files (mod_auth_db) can also be used, as can databases such as mSQL (mod_auth_msql) or DBI-compatible databases (mod_auth_dbi).
6. Using DBM user authentication in Apache
A DBM file is a simple, standard way of speeding up reads. Each record stored in the file consists of two parts, a key and a value, and the DBM format makes retrieving the information associated with a key very efficient.
In web user authentication the key is the user name and the value associated with it is the user's encrypted password. Looking a user name and password up in a DBM file is far more efficient than searching a plain text file, which greatly improves authentication efficiency on sites with many users.
(1) Add the DBM module to the Apache server
By default Apache does not use DBM files for user authentication, so the optional DBM authentication module must be added at compile time. Reconfigure the Apache server: in the Configuration file, remove the leading "#" from the comment line
# Module dbm_auth_module mod_auth_dbm.o
and recompile. Before compiling, the location of the DBM library Apache should use must be specified.
(2) Create the DBM user file (assuming the file name usersdbm)
Apache provides the dbmmanage program for creating and managing DBM files:
dbmmanage /usr/local/etc/httpd/usersdbm create (creates the DBM file)
dbmmanage /usr/local/etc/httpd/usersdbm adduser martin hamster (adds the user martin with the password hamster)
dbmmanage /usr/local/etc/httpd/usersdbm delete martin (deletes the user martin)
dbmmanage /usr/local/etc/httpd/usersdbm view (displays all users in the DBM file)
Once the DBM database file exists, change the directory access control by replacing the AuthUserFile line in the Apache configuration file (access.conf) with
AuthDBMUserFile /usr/local/etc/httpd/usersdbm
which tells Apache that the current user file is in DBM format.
The above is drawn from the author's experience of long-term web site management. For reasons of space it is only a rough sketch and far from exhausts the subject of using the Apache server securely. Security is relative; only strict defence is absolute.
Only by keeping up with the latest security information, mastering the latest security technologies and tools, and formulating security policies suited to the actual situation can the many kinds of online "aggressors" be effectively resisted.
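As an added example (not the dbmmanage program itself), this Python code reproduces the create/adduser/delete/view operations of section 6 on a DBM file using Python's dbm.dumb module, imports a flat users file in the format of section 5(1), and performs the single-key lookup that makes authentication faster. It uses the {SHA} hashing scheme written by htpasswd -s; the user names, passwords and temporary file location are constructed for the demonstration.

```python
import base64, dbm.dumb, hashlib, hmac, os, tempfile

def sha_hash(password):
    """The '{SHA}' scheme written by 'htpasswd -s': base64 of the raw SHA-1 digest of the password."""
    return "{SHA}" + base64.b64encode(hashlib.sha1(password.encode()).digest()).decode()

def password_matches(stored, password):
    """Constant-time comparison; only the {SHA} scheme is handled in this demonstration."""
    return stored.startswith("{SHA}") and hmac.compare_digest(stored, sha_hash(password))

class DbmUsers:
    """The dbmmanage operations of section 6 on a DBM file: key = user name, value = password hash."""
    def __init__(self, path):          # 'create'; the file must live outside the document root
        self.path = path
        with dbm.dumb.open(path, "c"):
            pass
    def adduser(self, user, password):
        with dbm.dumb.open(self.path, "w") as db:
            db[user] = sha_hash(password)
    def delete(self, user):
        with dbm.dumb.open(self.path, "w") as db:
            if user not in db:
                return False
            del db[user]
        return True
    def view(self):
        with dbm.dumb.open(self.path, "r") as db:
            return sorted(key.decode() for key in db.keys())
    def check(self, user, password):
        """Authentication is a single key lookup rather than a scan of a text file."""
        with dbm.dumb.open(self.path, "r") as db:
            stored = db.get(user)
        return stored is not None and password_matches(stored.decode(), password)
    def import_text_file(self, text):
        """Load 'user:hash' lines in the flat htpasswd format of section 5(1) into the DBM file."""
        with dbm.dumb.open(self.path, "w") as db:
            for line in text.splitlines():
                user, sep, stored = line.partition(":")
                if sep:
                    db[user.strip()] = stored.strip()

def demo():
    """Constructed walk-through in a temporary directory; returns the values worth checking."""
    users = DbmUsers(os.path.join(tempfile.mkdtemp(), "usersdbm"))
    users.adduser("martin", "hamster")                  # like 'dbmmanage usersdbm adduser martin hamster'
    users.adduser("jane", "pa55word")
    users.import_text_file("art:{SHA}W6ph5Mm5Pz8GgiULbPgzG37mj9g=\n")   # the {SHA} hash of 'password'
    removed = (users.delete("jane"), users.delete("jane"))              # second delete finds nothing
    checks = (users.check("martin", "hamster"), users.check("martin", "Hamster"), users.check("art", "password"))
    return users.view(), checks, removed
```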