10 Tips to Secure Your Apache Web Server

If you are a sysadmin, you should secure your Apache web server by following the 10 tips in this article.
thegeekstuff.com/2011/03/apache-hardening/ (1/10, 2/16/12)
Build Apache from source with the unwanted modules turned off at ./configure time, for example:

# ./configure ... \
    --disable-include \
    --disable-filter \
    --disable-negotiation \
    --disable-actions
If you enable SSL but disable mod_setenvif, you will get the following error, because the BrowserMatch directive used in httpd-ssl.conf is provided by mod_setenvif:

Syntax error on line 223 of /usr/local/apache2/conf/extra/httpd-ssl.conf: Invalid command BrowserMatch, perhaps misspelled or defined by a module not included in the server configuration

Solution: if you use SSL, don't disable setenvif. Or, if you do disable mod_setenvif, comment out the BrowserMatch lines in your httpd-ssl.conf.

After the installation, run httpd -l to see all compiled-in modules.
# /usr/local/apache2/bin/httpd -l
Compiled in modules:
  core.c
  mod_authn_file.c
  mod_authn_default.c
  mod_authz_host.c
  mod_authz_groupfile.c
  mod_authz_user.c
  mod_authz_default.c
  mod_auth_basic.c
  mod_log_config.c
  mod_ssl.c
  prefork.c
  http_core.c
  mod_mime.c
  mod_dir.c
  mod_so.c

What these modules do:
core.c: the Apache core module
mod_auth*: the various authentication and authorization modules
mod_log_config.c: logs client requests and provides additional logging flexibility
mod_ssl.c: SSL/TLS support
prefork.c: the MPM (Multi-Processing Module)
http_core.c: the HTTP protocol core module
mod_mime.c: sets document MIME types
mod_dir.c: trailing-slash redirects on directory paths; a request for url/test/ is served url/test/index.html
mod_so.c: loads shared modules at start or restart
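The check that goes with this list, as an added example (not code from the original post): compare what `httpd -l` reports against an allowlist of the modules you intended to keep, so a rebuild that silently re-enabled mod_include or mod_status is caught. The allowlist and the sample `httpd -l` output are constructed here; the allowlist mirrors the output shown above, and the function names are this example's own.

```shell
#!/bin/sh
# Added example, not code from the original post: compare the modules that
# `httpd -l` reports as compiled in against an allowlist and print any that
# should have been configured out. The allowlist matches the httpd -l output
# shown in the post; adjust it to what your site needs.
ALLOWED_MODULES="core.c mod_authn_file.c mod_authn_default.c mod_authz_host.c
mod_authz_groupfile.c mod_authz_user.c mod_authz_default.c mod_auth_basic.c
mod_log_config.c mod_ssl.c prefork.c http_core.c mod_mime.c mod_dir.c mod_so.c"

# Constructed sample of `httpd -l` output from a build where mod_include,
# mod_autoindex and mod_status were not disabled.
SAMPLE_HTTPD_L='Compiled in modules:
  core.c
  mod_authn_file.c
  mod_include.c
  mod_log_config.c
  mod_autoindex.c
  mod_status.c
  mod_ssl.c
  prefork.c
  http_core.c
  mod_mime.c
  mod_dir.c
  mod_so.c'

# unexpected_modules: reads `httpd -l` output on stdin and prints one line per
# module that is not in ALLOWED_MODULES. Exit status 0 if none, 1 otherwise.
unexpected_modules() {
  allowed=" $(printf '%s' "$ALLOWED_MODULES" | tr '\n' ' ') "
  found=0
  # keep only the indented "name.c" lines, dropping the banner line
  for mod in $(sed -n 's/^[[:space:]]*\([A-Za-z0-9_]*\.c\)$/\1/p'); do
    case "$allowed" in
      *" $mod "*) ;;                 # expected
      *) echo "$mod"; found=1 ;;     # should have been disabled at ./configure time
    esac
  done
  return $found
}

# unexpected_count: number of unexpected modules in the constructed sample.
unexpected_count() {
  printf '%s\n' "$SAMPLE_HTTPD_L" | unexpected_modules | wc -l | tr -d ' '
}

# On a real server: /usr/local/apache2/bin/httpd -l | unexpected_modules
printf '%s\n' "$SAMPLE_HTTPD_L" | unexpected_modules \
  || echo "rebuild with the modules above disabled"
```

Run it after every rebuild or package upgrade; modules loaded dynamically through LoadModule are not covered by `httpd -l`, so on a server that uses mod_so also review the LoadModule lines in httpd.conf.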
After this, restart Apache and run ps -ef: the httpd processes now run as apache, except the first (parent) httpd process, which always runs as root.
# ps -ef | grep -i http | awk '{print $1}'
root
apache
apache
apache
apache
apache
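As an added example (not from the original post), the same check written so it can run from cron: exactly one httpd must run as root, and it must be the parent (PPID 1) that binds the privileged port; every other httpd must run as the unprivileged account. The `ps -ef` sample below is constructed, and the function names are this example's own.

```shell
#!/bin/sh
# Added example, not code from the original post: check `ps -ef` output for
# the process/user layout the post describes: exactly one httpd parent
# running as root (PPID 1, the process that binds port 80/443) and every
# other httpd running as the unprivileged account.

# Constructed sample in `ps -ef` column order (UID PID PPID C STIME TTY TIME
# CMD). Two children are wrong on purpose: pid 2014 runs as root, 2015 as nobody.
SAMPLE_PS='UID        PID  PPID  C STIME TTY          TIME CMD
root      2011     1  0 10:03 ?        00:00:00 /usr/local/apache2/bin/httpd -k start
apache    2012  2011  0 10:03 ?        00:00:00 /usr/local/apache2/bin/httpd -k start
apache    2013  2011  0 10:03 ?        00:00:00 /usr/local/apache2/bin/httpd -k start
root      2014  2011  0 10:03 ?        00:00:00 /usr/local/apache2/bin/httpd -k start
nobody    2015  2011  0 10:03 ?        00:00:00 /usr/local/apache2/bin/httpd -k start'

# check_httpd_users EXPECTED_USER: reads ps -ef output on stdin, prints "ok"
# or one "BAD: ..." line per finding, exit status 1 if anything is wrong.
check_httpd_users() {
  awk -v want="$1" '
    $8 ~ /httpd/ {
      if ($1 == "root" && $3 == 1) { roots++; next }      # the listener
      if ($1 == want) next                                # a worker
      printf "BAD: pid %s runs as %s (want %s)\n", $2, $1, want; bad++
    }
    END {
      if (roots != 1) { printf "BAD: expected 1 root parent, saw %d\n", roots + 0; bad++ }
      if (!bad) print "ok"
      exit (bad ? 1 : 0)
    }'
}

# bad_count: number of findings in the constructed sample.
bad_count() {
  printf '%s\n' "$SAMPLE_PS" | check_httpd_users apache | grep -c '^BAD:'
}

# On a real server: ps -ef | check_httpd_users apache
printf '%s\n' "$SAMPLE_PS" | check_httpd_users apache || true
```

A root-owned worker usually means the User/Group directives were left at the default or a second httpd was started by hand; the non-zero exit status makes the function usable as a monitoring probe.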
In the root <Directory /> block:
Options None: enables no optional extra features (no directory listings, server-side includes, CGI execution or symlink following).
Order deny,allow: the order in which the Deny and Allow directives are processed; Deny is processed first and Allow next.
Deny from all: denies requests from everybody to the root directory. There is no Allow directive for the root directory, so nobody can access it.
Add the appropriate members to this group. In this example, both ramesh and john are members of apacheadmin:

# vi /etc/group
apacheadmin:x:1112:ramesh,john
Directory listings are disabled with Options -Indexes (Options None also turns them off):

<Directory />
    Options -Indexes
    Order allow,deny
    Allow from all
</Directory>
The + and - in front of an option value are useful when you have nested directories and want to override an option from the parent Directory directive. In this example, the /site directory has both Includes and Indexes:

<Directory /site>
    Options Includes Indexes
    AllowOverride None
    Order allow,deny
    Allow from all
</Directory>

For the /site/en directory, if you need only Indexes from /site (and not Includes), and you want FollowSymLinks only in this directory, do the following:

<Directory /site/en>
    Options -Includes +FollowSymLinks
    AllowOverride None
    Order allow,deny
    Allow from all
</Directory>

/site will have Includes and Indexes.
/site/en will have Indexes and FollowSymLinks.
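The merge rule behind that result, as an added example that is not code from the original post: Apache merges a nested block's Options into the parent's only when every value carries a + or - prefix; a bare value list replaces the parent outright, and mixing the two forms is not valid syntax (2.2 warns of unexpected results, 2.4 rejects it). The function below models that rule so a planned Options line can be checked against the parent's before it goes into httpd.conf; the function names are this example's own.

```shell
#!/bin/sh
# Added example, not code from the original post: a model of how Apache merges
# a nested <Directory>'s Options line with its parent's, so the /site and
# /site/en blocks above can be checked before editing httpd.conf.

# merge_options "PARENT" "CHILD": PARENT is the effective Options list of the
# enclosing <Directory>, CHILD is the nested block's Options line. Prints the
# nested block's effective list.
#  - every word in CHILD prefixed with + or -: CHILD is merged into PARENT;
#  - no prefixes at all: CHILD replaces PARENT outright (None, All, ...);
#  - a mix of both: rejected (invalid syntax in 2.2, a hard error in 2.4).
merge_options() {
  parent=$1
  child=$2
  prefixed=0
  plain=0
  for w in $child; do
    case $w in
      +*|-*) prefixed=1 ;;
      *)     plain=1 ;;
    esac
  done
  if [ "$prefixed" -eq 1 ] && [ "$plain" -eq 1 ]; then
    echo "error: cannot mix +/- and absolute Options in '$child'" >&2
    return 1
  fi
  if [ "$prefixed" -eq 0 ]; then
    printf '%s\n' "$child"          # absolute list: parent is ignored
    return 0
  fi
  result=" $parent "
  for w in $child; do
    name=${w#?}                                            # drop the + or -
    result=$(printf '%s' "$result" | sed "s/ $name / /g")  # remove if present
    case $w in
      +*) result="$result$name " ;;                        # -name stays removed
    esac
  done
  printf '%s\n' "$result" | sed 's/^ *//; s/ *$//; s/  */ /g'
}

# The post's example: /site has "Includes Indexes" and /site/en says
# "-Includes +FollowSymLinks", so /site/en ends up with "Indexes FollowSymLinks".
site_en_options() {
  merge_options "Includes Indexes" "-Includes +FollowSymLinks"
}

site_en_options
```

The security-relevant consequence of the rule: a child block written as `Options +FollowSymLinks` quietly inherits every option the parent had (Includes, ExecCGI, Indexes), whereas `Options FollowSymLinks` drops them all. When locking a directory down, prefer the absolute form.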
To allow only a specific IP address to access your site, deny everyone and then give that IP address in an Allow directive:

<Directory /site>
    Options None
    AllowOverride None
    Order deny,allow
    Deny from all
    Allow from 10.10.1.21
</Directory>
By default the Server response header reveals the Apache version, the OS and loaded modules such as PHP. To avoid this, set ServerTokens to Prod in httpd.conf. This displays Server: Apache without any version information.

# vi httpd.conf
ServerTokens Prod

Following are the possible ServerTokens values:
ServerTokens Prod   displays Server: Apache
ServerTokens Major  displays Server: Apache/2
ServerTokens Minor  displays Server: Apache/2.2
ServerTokens Min    displays Server: Apache/2.2.17
ServerTokens OS     displays Server: Apache/2.2.17 (Unix)
ServerTokens Full   displays Server: Apache/2.2.17 (Unix) PHP/5.3.5 (this is the default if you don't set ServerTokens)
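A lint for the settings recommended above (ServerTokens, and the root-directory block with Options None, Deny from all and no Allow), as an added example that is not code from the original post. The httpd.conf excerpt it runs over is constructed to contain the weak settings, and the function names are this example's own. It checks the Apache 2.2 directives the post uses; on 2.4 the equivalent of Order/Deny is `Require all denied`, which this lint does not look for.

```shell
#!/bin/sh
# Added example, not code from the original post: a small lint, run over an
# httpd.conf, for the settings recommended above: ServerTokens Prod, and a
# root <Directory /> with Options None, Deny from all and no Allow directive.

# Constructed httpd.conf excerpt with the weak settings the post warns about.
SAMPLE_CONF='ServerTokens Full
<Directory />
    Options Indexes FollowSymLinks
    AllowOverride None
    Order deny,allow
    Allow from all
</Directory>
<Directory /usr/local/apache2/htdocs>
    Options None
    Order allow,deny
    Allow from all
</Directory>'

# lint_httpd_conf: reads httpd.conf on stdin, prints one "FAIL: ..." line per
# finding or "ok", exit status 1 if anything failed. Directive names are
# case-insensitive in Apache, so every line is lower-cased before matching.
lint_httpd_conf() {
  awk '
    { line = tolower($0); sub(/^[ \t]+/, "", line) }
    line ~ /^servertokens/             { tokens = tolower($2); seen_tokens = 1 }
    line ~ /^<directory \/>/           { in_root = 1; next }
    in_root && line ~ /^<\/directory>/ { in_root = 0 }
    in_root && line ~ /^options/       { root_options = line }
    in_root && line ~ /^deny from all/ { root_deny = 1 }
    in_root && line ~ /^allow from/    { root_allow = 1 }
    END {
      if (!seen_tokens) { print "FAIL: ServerTokens unset (defaults to Full), want Prod"; bad++ }
      else if (tokens != "prod") { print "FAIL: ServerTokens " tokens ", want Prod"; bad++ }
      if (root_options != "options none") { print "FAIL: <Directory /> Options should be None, got \"" root_options "\""; bad++ }
      if (!root_deny)  { print "FAIL: <Directory /> lacks \"Deny from all\""; bad++ }
      if (root_allow)  { print "FAIL: <Directory /> has an Allow directive"; bad++ }
      if (!bad) print "ok"
      exit (bad ? 1 : 0)
    }'
}

# fail_count: number of findings in the constructed sample.
fail_count() {
  printf '%s\n' "$SAMPLE_CONF" | lint_httpd_conf | grep -c '^FAIL:'
}

# On a real server: lint_httpd_conf < /usr/local/apache2/conf/httpd.conf
printf '%s\n' "$SAMPLE_CONF" | lint_httpd_conf || true
```

Only the root block is inspected; the per-site <Directory> blocks are expected to open access deliberately, as the /site examples above do. Settings pulled in through Include files are not followed, so run the lint on each included file as well.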
Apart from all the above 10 tips, make sure to secure your UNIX / Linux operating system. There is no point in securing your Apache if your OS is not secure. Also, always keep your Apache version up to date: the latest version contains fixes for the known security issues. Make sure to review your Apache log files frequently.
Tags: Apache Hardening, Apache Security

8 comments

1. feseha, March 22, 2011 at 4:33 am
Great stuff as usual! Keep up the good/geek stuff! Feseha

2. Francisco Fiesta, March 22, 2011 at 5:35 am
I'm a newbie with Apache. I can just follow a how-to to get working an Apache php mysql in order to run Joomla! But, after this, considering all this security advice, will I need to run any of those non-secure modules that I shouldn't load? Is that configuration suitable to run Joomla!? Thanks for the article!

3. j, March 22, 2011 at 5:48 am
nice post man. thx

4. chris adam, March 22, 2011 at 3:04 pm
If you cannot allow .htaccess then most php based website cms (drupal, wordpress) will not work. Excellent article but not the .htaccess bit. thanx
5. ajay, March 23, 2011 at 6:36 am
World needs gud brains like u.. God bless u. nice stuff

6. Anonymous, March 24, 2011 at 7:11 am
Thanks, Chris Adam, for your answer, it's useful for me.

7. Mhabub Mamun, March 26, 2011 at 5:40 am
Very good article. Thank You

8. hotpotatoe, June 14, 2011 at 11:48 am
Very good article. very useful tips, thanks
My name is Ramesh Natarajan. I will be posting instruction guides, how-to, troubleshooting tips and tricks on Linux, database, hardware, security and web. My focus is to write articles that will either teach you or help you resolve a problem. Read more about Ramesh Natarajan and the blog.
Copyright 2008-2012 Ramesh Natarajan. All rights reserved.