An important reason Apache runs about half of the world's web servers is that it provides a secure web operating environment. The Apache community has done a lot of work to ensure its security: in the past, whenever a security flaw was found in the product, Apache developers issued a patch as quickly as possible.
However, although Apache is already a secure product, if you do not take some security precautions when building your server, your web server is still vulnerable to many attacks.
In this article I will give you 10 tips for protecting your Apache web server from many attacks. Remember, though, that you need to evaluate each technique carefully to make sure it fits your organization.
Install only what is required
One of Apache's biggest strengths is its flexibility and its large number of optional modules, but this can be a serious weakness when it comes to security. The more you install, the larger the attack surface you create for a potential attacker. A standard Apache installation consists of more than 20 modules, including CGI features and several authentication mechanisms. If you don't plan to use CGI, only want to serve static web sites and don't need user authentication, you probably don't need any of the services these modules provide, so disable them when you install Apache.
If you are already running an Apache server and don't want to reinstall it, check the httpd.conf configuration file for lines starting with LoadModule. Look up each module in the Apache documentation (or search with Google, Yahoo, etc.) to find out what it does and which modules you don't need, disable those, and then restart Apache.
(This article was reposted from www.45it.com.cn, a computer software and hardware application network.)
Minimize exposure
Apache is easy to install and fairly easy to manage. Unfortunately, many Apache installations give complete strangers too much helpful information about your server, such as the Apache version number and details of the operating system. With this information a potential attacker can look up specific, devastating vulnerabilities that affect your system, especially if you are unable to keep every patch up to date. The attacker then knows exactly what you are running without any trial and error and can tailor the attack accordingly.
To stop the server from broadcasting this information, make sure the ServerSignature directive in httpd.conf is set to Off. A default Apache installation sets this directive to Off, but many administrators have enabled it.
Similarly, disabling directory browsing is a good idea. When directory browsing is enabled, a user who requests a directory that does not contain the document they asked for sees a complete listing of that directory's contents. Undoubtedly you should not store sensitive material in plain text on a web server, but unless you must, you should not let people see more than they need to.
Directory browsing is enabled by default. To disable it, edit the httpd.conf file and remove the Indexes keyword from the Options line of each Directory directive.
For example, on the author's experimental Apache 2.2.4 server, this is the default Directory block:
Options Indexes FollowSymLinks
AllowOverride None
Order allow,deny
Allow from all
After removing the Indexes reference it looks like this:
Options FollowSymLinks
AllowOverride None
Order allow,deny
Allow from all
You can also keep the Indexes keyword and disable it by prefixing it with a dash (that is, -Indexes).
Disable symbolic link following
If you are the only person who edits web content and you almost never make a mistake when creating a new symbolic link, this may not concern you. But if many people can add content to your site, not everyone is as cautious as you are, and there is a risk that a user accidentally creates a symbolic link to a part of your file system that you really don't want people to see. For example, what do you do if someone creates a symbolic link to / in the root of your Apache server?
To stop the Apache server from following symbolic links when serving users' requests, remove the FollowSymLinks keyword from the Options line of the Directory directive.
For example, on the author's experimental Apache 2.2.4 server, the Directory block looks like this:
Options Indexes FollowSymLinks
AllowOverride None
Order allow,deny
Allow from all
After removing the FollowSymLinks reference, it looks like this:
Options Indexes
AllowOverride None
Order allow,deny
Allow from all
If some users need the ability to track symbolic links, consider using SymLinksIfOwnerMatch instead.
Be specific in the Listen directive
When you first install Apache, httpd.conf contains a Listen 80 directive. Change it to Listen mn.xx.yy.zz:80, where mn.xx.yy.zz is the IP address on which you want Apache to listen for requests. This is especially important if Apache runs on a server with multiple IP addresses: without this precaution, the default Listen 80 directive tells Apache to listen on port 80 of every IP address.
However, this measure may not suit your environment, so decide based on your own needs.
Remove the default comments from httpd.conf
The default httpd.conf file in Apache 2.2.4 has more than 400 lines. Only a small part of those lines are actual Apache directives; the rest are comments that help the user place directives correctly in httpd.conf. In the author's experience, these comments sometimes have a negative effect, and they can even leave dangerous directives in the file. On many of the Apache servers I manage, I copied httpd.conf to another file, such as httpd.conf.orig, and then removed the extra comments completely. The file becomes easier to read, which makes potential security issues or misconfigurations easier to spot.
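As an added example (not part of the original article), the following POSIX shell script checks a httpd.conf for the settings discussed above: the number of LoadModule lines, ServerSignature, Indexes, FollowSymLinks and an address-less Listen, and then strips the comments after saving a .orig copy. The configuration it writes is constructed for the demonstration and modelled on the Apache 2.2 defaults quoted in the article; the file names and the IP address in the comments are placeholders.

```shell
#!/bin/sh
# Added example: audit a constructed httpd.conf for the settings discussed in the article.

# Write a constructed, deliberately weak config fragment to the path given as $1.
make_sample_conf() {
  cat > "$1" <<'EOF'
# Default comment of the kind the article suggests removing
Listen 80
LoadModule cgi_module modules/mod_cgi.so
LoadModule autoindex_module modules/mod_autoindex.so
ServerSignature On
<Directory "/var/www/htdocs">
    Options Indexes FollowSymLinks
    AllowOverride None
    Order allow,deny
    Allow from all
</Directory>
EOF
}

# Print one FINDING line per weak setting and return the number of findings.
audit_httpd_conf() {
  conf=$1; n=0
  echo "info: $(grep -c '^[[:space:]]*LoadModule' "$conf") LoadModule lines; unload the ones you do not use"
  if grep -Eqi '^[[:space:]]*ServerSignature[[:space:]]+On' "$conf"; then
    echo "FINDING: ServerSignature On adds server details to generated pages"; n=$((n+1))
  fi
  # "-Indexes" is the safe form, so only a bare or "+" prefixed keyword counts
  if grep -E '^[[:space:]]*Options' "$conf" | grep -Eq '(^|[[:space:]])\+?Indexes'; then
    echo "FINDING: Options Indexes enables directory listings"; n=$((n+1))
  fi
  # SymLinksIfOwnerMatch does not contain this keyword and is therefore not flagged
  if grep -E '^[[:space:]]*Options' "$conf" | grep -Eq '(^|[[:space:]])\+?FollowSymLinks'; then
    echo "FINDING: Options FollowSymLinks follows links out of the web tree"; n=$((n+1))
  fi
  if grep -Eq '^[[:space:]]*Listen[[:space:]]+[0-9]+[[:space:]]*$' "$conf"; then
    echo "FINDING: Listen without an address binds the port on every IP"; n=$((n+1))
  fi
  return "$n"
}

# Keep a copy as <file>.orig, then drop comment and blank lines from the working file.
strip_comments() {
  cp "$1" "$1.orig" && grep -Ev '^[[:space:]]*(#|$)' "$1.orig" > "$1"
}

tmp=$(mktemp)
make_sample_conf "$tmp"
audit_httpd_conf "$tmp" || echo "$? weak setting(s) found"
strip_comments "$tmp" && rm -f "$tmp" "$tmp.orig"
```

Point audit_httpd_conf at your own httpd.conf to get the same report; the sample run above reports four findings.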