Author: phoenix
Homepage:
http://www.safechina.net/
E-mail: phoenix@safechina.net
Time: 27/06/2002
Foreword: In the current Internet era, a homepage has become an important means for a company to establish its image and present itself, so configuring a powerful and secure web server is especially important. Among the many web server products, Apache is the most widely used and is also a very secure program. However, like other applications, Apache has security defects. This article describes in detail how to properly configure and maintain the Apache web server with security in mind.
I. Introduction to the Apache server
The Apache server is one of the most widely used web server programs on the Internet. It grew out of a web server project at the US National Center for Supercomputing Applications (NCSA) and currently holds the leading position on the Internet. The Apache server was built to handle the high load and large throughput of Internet work: it is fast and reliable, it can be extended through a simple API (the Perl and Python interpreters, for example, can be compiled into the server), it is completely free, and its full source code is open. If you need to build a web server that is accessed every day, Apache may be the best choice.
II. The main security defects of Apache servers
As the foreword said, although the Apache server is the most widely used and was designed as a very secure program, it has security defects like any other application; after all, its full source code is open. The security defects of the Apache server fall mainly into three kinds, exploited through denial of service, buffer overflow and an attacker obtaining root privileges, plus the latest "denial of service" (DoS) attack by malicious attackers. A reasonable network configuration protects the Apache server from most of these attacks. The main security defects are introduced below:
(1) Denial of service defects using the HTTP protocol
With this method the attacker, by some means, causes the server to stop responding to HTTP requests. The demand on system resources (CPU time and memory) rises sharply, and finally the Apache system slows down or is completely paralyzed.
(2) Buffer overflow defects
The attacker exploits defects in how the program was written to make it deviate from its normal flow. The program uses statically allocated memory to hold request data, and the attacker can send an overly long request to overflow that buffer; some gateway scripts written in Perl that handle user requests are an example. Once the buffer overflows, the attacker can execute malicious instructions or bring the system down.
(3) Defects that let an attacker obtain root privileges
This defect exists mainly because the Apache server (the parent process) usually runs with root privileges; an attacker who obtains root privileges then controls the whole Apache system.
(4) The "denial of service" (DoS) attack by malicious attackers
This latest vulnerability, found on June 17, lies in Apache's chunked encoding, an HTTP protocol feature for accepting data submitted by web users. Effective attacks have been demonstrated against Apache running on the FreeBSD 4.5, OpenBSD 3.0/3.1 and NetBSD 1.5.2 platforms.
Keeping to the newest, most secure release is critical to strengthening the security of the Apache web server. Apache server administrators should visit http://www.apache.org/dist/httpd/ and download the patch to make sure their web server is safe!
III. Proper maintenance and configuration of the Apache server
Although the developers of the Apache server pay great attention to security, the Apache server is a huge project and security hazards are inevitable, so properly maintaining and configuring the Apache web server is important. Some points we should pay attention to:
(1) Apache server configuration files
The Apache web server has three configuration files, located in the /usr/local/apache/conf directory:
httpd.conf ----> main configuration file
srm.conf ------> resource configuration file
access.conf ---> access control settings
Note: for the specific directives, refer to http://httpd.apache.org/docs/mod/core.html
(2) Log files of the Apache server
We can use the LogFormat directive to control what is written to the log file. With the directive LogFormat "%a %l" the IP address and hostname of the browser making the HTTP request are recorded in the log file. For security we should at least know which web users failed to authenticate; adding LogFormat "%401u" to httpd.conf achieves this (the user name is logged only for responses with status 401). The directive has many other parameters; refer to the Apache documentation. In addition, Apache's error log file is very important to the system administrator: it records server starts and stops and CGI execution failures. For more information, see the Apache Log Series 1-5.
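As an added example (my own script, not from the original article), the following POSIX shell function scans an access log whose user field was written with %401u and reports which clients produced repeated 401 responses and which user names they tried. The log lines are constructed samples; auth_failures is a name I chose.

```shell
#!/bin/sh
# Constructed sample access log in Common Log Format with the user field
# written by %401u, so a user name appears only on 401 responses.
SAMPLE_LOG='10.0.0.5 - - [27/Jun/2002:10:00:01 +0800] "GET /index.html HTTP/1.0" 200 1043
10.0.0.9 - admin [27/Jun/2002:10:00:02 +0800] "GET /members/ HTTP/1.0" 401 401
10.0.0.9 - root [27/Jun/2002:10:00:03 +0800] "GET /members/ HTTP/1.0" 401 401
10.0.0.9 - phoenix [27/Jun/2002:10:00:04 +0800] "GET /members/ HTTP/1.0" 401 401
10.0.0.9 - phoenix [27/Jun/2002:10:00:05 +0800] "GET /members/ HTTP/1.0" 200 512
10.0.0.7 - guest [27/Jun/2002:10:00:06 +0800] "GET /members/ HTTP/1.0" 401 401'

# auth_failures <threshold>: read an access log on stdin and print
# "<ip> <number of 401s> <user names tried>" for every client with at
# least <threshold> 401 responses, sorted by IP. Field 9 is the status
# code and field 3 the user name in this log format.
auth_failures() {
  awk -v min="$1" '
    $9 == 401 {
      n[$1]++
      # record each tried user name once per client, in first-seen order
      if (index(seen[$1], " " $3 " ") == 0) {
        seen[$1] = seen[$1] " " $3 " "
        users[$1] = (users[$1] == "" ? $3 : users[$1] "," $3)
      }
    }
    END { for (ip in n) if (n[ip] >= min) print ip, n[ip], users[ip] }
  ' | sort
}

# Report every client with two or more authentication failures.
printf '%s\n' "$SAMPLE_LOG" | auth_failures 2
```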
(3) Directory security authentication on the Apache server
Apache allows .htaccess files to protect a directory: to read a protected directory, the visitor must enter a correct user account and password. This can be used for a directory holding web pages or for a member area.
Place a file named .htaccess in the protected directory with the following content:
AuthName "Member Zone"
AuthType Basic
AuthUserFile /var/tmp/xxx.pw -----> keep the password file outside the website tree
require valid-user
Then, in the apache/bin directory, build the password file:
% ./htpasswd -c /var/tmp/xxx.pw username1 -----> "-c" creates the file; use it only for the first user
% ./htpasswd /var/tmp/xxx.pw username2
This protects the content of the directory; only legitimate users can enter.
Note: this uses the authentication module bundled with Apache. You can also configure it in httpd.conf (the directory path below is a placeholder):
<Directory /path/to/protected-directory>
Options Indexes FollowSymLinks
AllowOverride AuthConfig
Order allow,deny
Allow from all
</Directory>
(4) Apache server access control
Now look at the third of the three configuration files, access.conf, which contains the directives controlling which users may access Apache directories. You should set Deny from all as the initial directive and then open access with Allow from directives (the directory path and the methods in <Limit> below are placeholders):
<Directory /path/to/directory>
<Limit GET POST>
Order deny,allow
Deny from all
Allow from SafeChina.net
</Limit>
</Directory>
This allows access only from the named domain, IP address or IP range.
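As an added example (my own code, not from the article), the POSIX shell functions below model how Apache 1.3 evaluates Order, Allow and Deny for one client IP, so the two orderings used in this article (Order deny,allow with Deny from all plus an Allow, and Order allow,deny with Allow from all) can be compared before deploying. The names ip_match and access_decision are mine; only "all", exact IPs and dotted prefixes are modelled, not hostname patterns such as SafeChina.net.

```shell
#!/bin/sh
# ip_match <client-ip> <pattern>: pattern is "all", an exact IP, or a
# dotted prefix such as 192.168.1 (matches 192.168.1.*). Returns 0 on match.
ip_match() {
  case "$2" in
    all) return 0 ;;
    *.)  pat=$2 ;;
    *)   pat="$2." ;;
  esac
  case "$1." in
    "$pat"*) return 0 ;;
  esac
  return 1
}

# access_decision <order> <allow-list> <deny-list> <client-ip>
# Lists are space-separated patterns ("" means no directive of that kind).
# Prints ALLOW or DENY following the Apache 1.3 Order semantics:
#   deny,allow  - allowed by default; denied only if a Deny matches and no Allow matches
#   allow,deny  - denied by default; allowed only if an Allow matches and no Deny matches
access_decision() {
  order=$1 allow=$2 deny=$3 client=$4
  a=1; d=1
  for p in $allow; do ip_match "$client" "$p" && a=0; done
  for p in $deny;  do ip_match "$client" "$p" && d=0; done
  case "$order" in
    deny,allow)
      if [ $d -eq 0 ] && [ $a -ne 0 ]; then echo DENY; else echo ALLOW; fi ;;
    allow,deny)
      if [ $a -eq 0 ] && [ $d -ne 0 ]; then echo ALLOW; else echo DENY; fi ;;
    *) echo "unknown order: $order" >&2; return 2 ;;
  esac
}

# The article's access.conf example, with 192.168.1 standing in for the
# allowed network: the internal client gets in, an outside address does not.
access_decision deny,allow 192.168.1 all 192.168.1.20
access_decision deny,allow 192.168.1 all 10.0.0.5
```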
(5) Apache server password protection
We use the .htaccess file to give a user access to a certain directory. The system administrator must first enable directory access control with the AccessFileName directive in httpd.conf or srm.conf. For example:
AuthName privatefiles
AuthType Basic
AuthUserFile /path/to/httpd/users
require user phoenix
# htpasswd -c /path/to/httpd/users phoenix
IV. Setting up the Apache server as a web and file server
We store the web files on the Apache server for users to access, and set the /home/ftp/pub directory as a file storage area reached at http://download.your.com/pub/. The Apache server is placed behind the firewall and is reached through the firewall's proxy.
(1) Apache server settings
The Apache server uses the default configuration: the document root is /home/httpd/html, the host name is phoenix.your.com, and the alias is http://www.your.com/. In srm.conf add one line defining the alias:
Alias /pub/ /home/ftp/pub/
Change the default content type:
DefaultType application/octet-stream
Finally add one definition in /etc/httpd/conf/access.conf:
<Directory /home/ftp/pub>
Options Indexes
AllowOverride AuthConfig
Order allow,deny
Allow from all
</Directory>
Note: Options Indexes lets Apache list the directory's files when no index.html file is found. AllowOverride AuthConfig enables basic user name and password verification; for this you need an .htaccess file in /home/ftp/pub with the following content:
[root@Shopu pub]# more .htaccess
AuthName "Branch Office Public Software Download Area"
AuthType Basic
AuthUserFile /etc/.usrpasswd
require valid-user
Use # htpasswd -c /etc/.usrpasswd user1 to create the user names and passwords allowed to access the /pub file service.
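As an added example (my own code, not from the article), the POSIX shell check below audits the Basic-auth setups from sections III (3), III (5) and IV (1): the AuthUserFile named in an .htaccess must lie outside the DocumentRoot, as the article advises, so it can never be served as a web page, and it must not be world-readable. The names check_htaccess and demo and the temporary directory tree are constructed for the demonstration.

```shell
#!/bin/sh
# check_htaccess <htaccess-file> <document-root>
# Prints OK, or one problem per line; returns 1 if any problem was found.
check_htaccess() {
  ht=$1 root=${2%/}
  # first AuthUserFile directive, matched case-insensitively like Apache does
  pw=$(awk 'tolower($1) == "authuserfile" { print $2; exit }' "$ht")
  rc=0
  if [ -z "$pw" ]; then echo "no AuthUserFile directive in $ht"; return 1; fi
  case "$pw" in
    "$root"/*) echo "password file $pw is inside DocumentRoot $root"; rc=1 ;;
  esac
  if [ ! -f "$pw" ]; then
    echo "password file $pw does not exist"; rc=1
  elif [ "$(ls -l "$pw" | cut -c8)" != "-" ]; then
    # column 8 of ls -l is the "other read" bit
    echo "password file $pw is world-readable"; rc=1
  fi
  [ $rc -eq 0 ] && echo OK
  return $rc
}

# demo: build a constructed tree mirroring section IV (1) and check it.
demo() {
  d=$(mktemp -d)
  mkdir -p "$d/htdocs/pub" "$d/private"
  # constructed password file entry, not a real htpasswd hash
  printf 'user1:PLACEHOLDER-HASH\n' > "$d/private/usrpasswd"
  chmod 600 "$d/private/usrpasswd"
  printf 'AuthName "Pub"\nAuthType Basic\nAuthUserFile %s\nrequire valid-user\n' \
    "$d/private/usrpasswd" > "$d/htdocs/pub/.htaccess"
  check_htaccess "$d/htdocs/pub/.htaccess" "$d/htdocs"
  rm -rf "$d"
}

demo
```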
(2) Configuring reverse proxying on the firewall
Add the following to /etc/httpd/conf/httpd.conf on the firewall:
NameVirtualHost xxx.xxx.xxx.xxx
# xxx.xxx.xxx.xxx -----> the firewall's permanent external Internet IP address
<VirtualHost xxx.xxx.xxx.xxx>
ServerName www.your.com
ErrorLog /var/log/httpd/error_log
TransferLog /var/log/httpd/access_log
RewriteEngine on
ProxyRequests off
UseCanonicalName off
RewriteRule ^/(.*)$ http://xxx.xxx.xx.x/$1 [P]
# xxx.xxx.xx.x -----> the Apache server's IP address; the [P] flag makes mod_rewrite proxy the request instead of redirecting the browser to the internal address
</VirtualHost>
<VirtualHost xxx.xxx.xxx.xxx>
ServerName download.your.com
ErrorLog /var/log/httpd/download/error_log
TransferLog /var/log/httpd/download/access_log
RewriteEngine on
ProxyRequests off
UseCanonicalName off
RewriteRule ^/(.*)$ http://xxx.xxx.xx.x/$1 [P]
# xxx.xxx.xx.x -----> the Apache server's IP address
</VirtualHost>
Set up DNS on the firewall so that download.your.com and www.your.com both point to the firewall's external network address xxx.xxx.xxx.xxx. Then http://www.your.com/ reaches the home page and http://download.your.com/pub/ reaches the public files.
Note: you also need to create the directory /var/log/httpd/download/ on the Apache server host, otherwise an error is reported. Alternatively, you can set the permissions of /home/httpd/html/index.html on the firewall host to block access, which prevents outside users from reaching the Apache server on the firewall at http://www.your.com/.
Summary: The Apache server is an excellent server. As long as you configure and maintain it correctly, you will enjoy its benefits. I hope that by reading this article you gain in both theory and practice. Thank you.