Setting Up Security on Apache
-
Upload
elliando-dias -
Category
Technology
-
view
2.012 -
download
1
description
Transcript of Setting Up Security on Apache
Setting Up Security on Apache
Three main areas to consider
Protecting the Files on Your Web Server
Protecting the URLs on Your Web Site
Controlling Real-Time Activity
Protecting the Files on Your Web Server
Most files that control web server's operation are under 'ServerRoot'– Server runs under an identity (nobody) that shouldn't
have the ability to modify its own control files– Exceptions are error_log and access_log
Most files in server's DocumentRoot should be read-only to server. Carefully consider exceptions.– Symbolic links can bypass DocumentRoot control
Symbolic Links
Symbolic Links – allow making a file appear to exist in multiple locations
– Danger exists when symbolic links inadvertently provide access to files via unexpected paths
– To create sym links: ln –s resource_to_link symlink_name
– To find sym links: find documentroot -type l -print
More on Symbolic Links
In httpd.conf, these directives affect symbolic links– Options FollowSymLinks – allows Apache to
follow links to real file or directory Options -FollowSymLinks turns off symlinks
– Options FollowSymLinksIfOwnerMatch – allows Apache to follow links ONLY if the user ID that owns the link is the same as the one that owns the actual file
Protecting the URLs on Your Web Site
This involves the Mandatory and Discretionary access that was discussed in the Server Users and Documents powerpoint slides which discussed the use of Authentication and Authorization.
Controlling Real-Time Activity - Options
Options– each scope has options – All (all options enable) None (no options enabled)– ExecCGI (enables CGI script execution)– FollowSymLinks | FollowSymLinksIfOwnerMatched– Includes (allows server-side includes)– IncludesNoEXEC (above w/o #exec and #include)– Indexes (allows default directory indexes to be created)– MultiViews (content negotiation multiviews – not in All)
More on Options
Good idea to turn off Options in areas where web admin does not have sole control– Turn off all Options:
Options None
– Turn off individual options:
Options –Includes –IncludesNoEXEC -ExecCGI
Controlling Real-Time Activity - AllowOverride
AllowOverride – this directive controls if directives are allowable in .htaccess files and what are allowable
– All (any directive allowed in .htaccess)– AuthConfig (authentication directives like AuthType allowed)– FileInfo (file processing directives like AddType allowed)– Indexes (allows directives for indexing, if enabled, like
DirectoryIndex)– Limit (controls whether mandatory access controls, order, allow,
deny are processed if in .htaccess)– None (completely disables processing of .htaccess files)– Options (allows Options directives found in .htaccess to be
published)
Permissions on ServerRoot Directories
You want to be sure these directories are writeable only by root– If non-root users can modify files that root either
executes /writes, system is open to root compromises (httpd could be replaced, log files overwritten, etc.)
Protect the file system
– http://localhost/~root <Directory />
Order Deny, Allow
Deny from ALL
</Directory>
UserDir disabled root
Run server in chroot environment
General Security Tips for Apache
CGI – scripts run under Apache's user so may possibly conflict with other scripts
– suEXEC – program included with Apache to allow scripts to run as different users
Disallow .htaccess files – may override admin's security controls
– AllowOverride None Server Side Includes – require additional processing by
Apache – require .shtml– Can also execute (EXEC) any CGI script or program under
permissions of user/group Apache Runs in Use IncludesNOEXEC directive to prohibit
Major Web Site Security Concerns
Protecting your computer from unauthorized users– Authentication – the process of allowing users access
to the Web service based on usernames and passwords or IP addresses or domains
Protecting your computer from programs that run on the host computer– SSI "includes"– Executable directories– Controls, scripts, applets, etc