Setting Up Security on Apache


Transcript of Setting Up Security on Apache

Page 1: Setting Up Security on Apache

Setting Up Security on Apache

Three main areas to consider

Protecting the Files on Your Web Server

Protecting the URLs on Your Web Site

Controlling Real-Time Activity

Page 2: Setting Up Security on Apache

Protecting the Files on Your Web Server

Most of the files that control the web server's operation live under ServerRoot.

– The server runs under an unprivileged identity (for example nobody) that should not be able to modify its own control files.

– The exceptions are the files the server must write, error_log and access_log. (On Unix, httpd's parent process opens the log files as root before it spawns the unprivileged children, so even the logs do not need to be writable by that identity; what matters is that nobody else can write them.)

Most files in the server's DocumentRoot should be read-only to the server. Carefully consider any exceptions.

– Symbolic links can bypass DocumentRoot control.

Page 3: Setting Up Security on Apache

Symbolic Links

Symbolic Links – allow making a file appear to exist in multiple locations

– Danger exists when symbolic links inadvertently provide access to files via unexpected paths (a link inside DocumentRoot that points at /etc or at a configuration directory makes that content web-visible)

– To create sym links: ln -s resource_to_link symlink_name

– To find sym links: find documentroot -type l -print

Page 4: Setting Up Security on Apache

More on Symbolic Links

In httpd.conf, these directives affect symbolic links:

– Options FollowSymLinks – allows Apache to follow links to the real file or directory; Options -FollowSymLinks turns this off

– Options SymLinksIfOwnerMatch – allows Apache to follow a link ONLY if the user ID that owns the link is the same as the one that owns the target (the option is named SymLinksIfOwnerMatch, not FollowSymLinksIfOwnerMatch)

Apache's own documentation warns that neither omitting FollowSymLinks nor using SymLinksIfOwnerMatch is a hard security boundary, because the ownership and link checks are subject to race conditions: an attacker who can swap a file for a link between the check and the open can get the link followed. Filesystem permissions on the targets remain the real control; the Options only reduce exposure.
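The slide gives the find command for listing links; the script below, an added example that is not part of the original slides, goes one step further and reports only the links whose target resolves outside the DocumentRoot. The sample tree (htdocs, private, db.conf, logo.txt) is constructed under a mktemp directory for the demonstration and assumes a GNU/BSD readlink that supports -f.

```shell
#!/bin/sh
# Added example, not part of the original slides: build a throwaway
# DocumentRoot with one harmless symlink and one that escapes the tree,
# then list every symlink whose target resolves outside the DocumentRoot.
# All paths are constructed under a mktemp directory.
set -eu

# build_demo_docroot: create the sample tree and print its path.
build_demo_docroot() {
    demo=$(mktemp -d)
    mkdir -p "$demo/htdocs/images" "$demo/private"
    echo 'db_password=constructed' > "$demo/private/db.conf"   # must stay unreachable
    echo 'logo' > "$demo/htdocs/images/logo.txt"
    ln -s images/logo.txt "$demo/htdocs/logo.txt"        # stays inside htdocs: fine
    ln -s ../private/db.conf "$demo/htdocs/config.txt"   # escapes htdocs: must be flagged
    echo "$demo"
}

# audit_symlinks DOCROOT: print "LINK -> TARGET" for each symlink under
# DOCROOT whose resolved target lies outside DOCROOT. The slide's
# "find documentroot -type l" lists all links; the case statement adds
# the test of where each one actually points.
audit_symlinks() {
    root=$(cd "$1" && pwd -P)    # physical path, so the prefix test below is exact
    find "$root" -type l | while IFS= read -r link; do
        # readlink -f resolves every component; it fails only when a
        # directory on the way is missing, which we report as dangling.
        target=$(readlink -f "$link") || target="(dangling)"
        case "$target" in
            "$root"/*) ;;                                   # inside DocumentRoot
            *) printf '%s -> %s\n' "$link" "$target" ;;     # escapes it
        esac
    done
}

demo=$(build_demo_docroot)
escapes=$(audit_symlinks "$demo/htdocs")
if [ -n "$escapes" ]; then
    printf 'symlinks escaping DocumentRoot:\n%s\n' "$escapes"
else
    echo 'no symlinks escape DocumentRoot'
fi
```

Run it against a real DocumentRoot with audit_symlinks /var/www/html; anything it prints is content Apache would serve if FollowSymLinks is on. Because the check is a snapshot, it complements rather than replaces setting -FollowSymLinks.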

Page 5: Setting Up Security on Apache

Protecting the URLs on Your Web Site

This involves the mandatory and discretionary access control discussed in the Server Users and Documents slides, which covered the use of authentication and authorization.

Page 6: Setting Up Security on Apache

Controlling Real-Time Activity - Options

Options – each scope has options:

– All (all options enabled, except MultiViews)
– None (no options enabled)
– ExecCGI (enables CGI script execution)
– FollowSymLinks | SymLinksIfOwnerMatch (follow symbolic links; the second only when link and target have the same owner)
– Includes (allows server-side includes)
– IncludesNOEXEC (the above without #exec cmd and #exec cgi; #include virtual of a CGI script in a ScriptAlias directory still works)
– Indexes (allows a default directory index to be generated when the directory has no index file)
– MultiViews (content-negotiated MultiViews; not included in All)

Page 7: Setting Up Security on Apache

More on Options

Good idea to turn off Options in areas where the web admin does not have sole control.

– Turn off all Options:

Options None

– Turn off individual options:

Options -Includes -IncludesNOEXEC -ExecCGI

A single Options directive must use either the plain form (Options Indexes) or the +/- form; Apache rejects a mix at startup. The +/- form merges with the Options inherited from enclosing scopes, while the plain form replaces them entirely.

Page 8: Setting Up Security on Apache

Controlling Real-Time Activity - AllowOverride

AllowOverride – this directive controls whether .htaccess files are processed at all and which directives they may contain:

– All (any directive allowed in .htaccess)
– AuthConfig (authentication directives such as AuthType, AuthName and Require allowed)
– FileInfo (file-processing directives such as AddType allowed)
– Indexes (directory-indexing directives such as DirectoryIndex allowed)
– Limit (the host-based access-control directives Order, Allow and Deny allowed)
– None (completely disables processing of .htaccess files; Apache does not even look for them)
– Options (Options directives found in .htaccess are processed)
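Pages 6 to 8 name the Options and AllowOverride settings that widen what a directory can do. The script below, an added example that is not from the original slides, scans an httpd.conf for those settings and reports the <Directory> block each finding applies to. The configuration it reads is a constructed sample written to a temp file, with one weak block and one hardened block; the audit_httpd_conf and write_sample_conf functions are illustrative names, not Apache tooling.

```shell
#!/bin/sh
# Added example, not part of the original slides: scan an httpd.conf for the
# Options and AllowOverride settings the slides say to avoid, reporting the
# <Directory> block each one applies to. The config below is constructed.
set -eu

# write_sample_conf FILE: constructed httpd.conf fragment, one weak block
# (the findings) and one hardened block (no findings).
write_sample_conf() {
    cat > "$1" <<'EOF'
# constructed sample httpd.conf fragment, not a real server's config
<Directory "/var/www/html">
    Options Indexes FollowSymLinks ExecCGI
    AllowOverride All
</Directory>

<Directory "/var/www/html/static">
    Options -FollowSymLinks +SymLinksIfOwnerMatch IncludesNOEXEC
    AllowOverride None
</Directory>
EOF
}

# audit_httpd_conf FILE: print "FILE:LINE [scope] finding" per risky setting;
# exit status 1 if anything was found, 0 if the file is clean.
audit_httpd_conf() {
    awk '
        BEGIN { scope = "(server config)"; n = 0 }
        function flag(msg) { printf "%s:%d [%s] %s\n", FILENAME, FNR, scope, msg; n++ }
        # Track the enclosing <Directory ...> so findings say where they apply.
        /^[[:space:]]*<Directory[[:space:]]/ {
            scope = $0
            sub(/^[[:space:]]*<Directory[[:space:]]+/, "", scope)
            sub(/[[:space:]]*>[[:space:]]*$/, "", scope)
        }
        /^[[:space:]]*<\/Directory>/ { scope = "(server config)" }
        # Options arguments are case-insensitive; "+X" enables X like "X" does,
        # while "-X" disables it and is deliberately not matched.
        tolower($1) == "options" {
            for (i = 2; i <= NF; i++) {
                o = tolower($i)
                sub(/^\+/, "", o)
                if (o == "all")            flag("Options All enables every option but MultiViews")
                if (o == "execcgi")        flag("ExecCGI allows CGI execution here")
                if (o == "includes")       flag("Includes allows SSI with #exec; prefer IncludesNOEXEC")
                if (o == "followsymlinks") flag("FollowSymLinks lets links leave DocumentRoot; prefer SymLinksIfOwnerMatch")
            }
        }
        tolower($1) == "allowoverride" && tolower($2) != "none" {
            flag("AllowOverride " $2 " lets .htaccess override this scope")
        }
        END { exit (n > 0) }
    ' "$1"
}

conf=$(mktemp)
write_sample_conf "$conf"
audit_httpd_conf "$conf" || echo "review the findings above before deploying $conf"
```

Point audit_httpd_conf at a real configuration (and at any files it Includes; the script does not follow Include directives) to get a per-scope list of what to tighten. A finding is not automatically a bug: a ScriptAlias directory needs ExecCGI, but each hit should be a deliberate choice rather than an inherited default.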

Page 9: Setting Up Security on Apache

Permissions on ServerRoot Directories

You want to be sure these directories are writable only by root.

– If non-root users can modify files that root either executes or writes, the system is open to root compromise (httpd could be replaced, log files overwritten, etc.)
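The check this slide asks for, as an added example that is not part of the original slides: walk a ServerRoot and report anything that is not owned by the expected administrative account or that group or other can write. The demo layout (bin/httpd, conf/httpd.conf, logs/access_log) is constructed under a mktemp directory, and because the script runs unprivileged it passes the current user as the expected owner where a production run would use root.

```shell
#!/bin/sh
# Added example, not part of the original slides: report anything under a
# ServerRoot that is not owned by the expected administrative account or
# that group/other can write. The demo tree is constructed under mktemp and,
# because this runs unprivileged, uses the current user where production
# would use root.
set -eu

# audit_serverroot ROOT [OWNER]: print each offending path; return 1 if any.
# OWNER defaults to root, the account that should own everything under ServerRoot.
audit_serverroot() {
    root=$1
    owner=${2:-root}
    # A path is a finding if it is not owned by OWNER, or if group (020) or
    # other (002) can write it: either lets a non-root account change what
    # root executes or writes.
    findings=$(find "$root" \( ! -user "$owner" -o -perm -020 -o -perm -002 \) -print)
    [ -z "$findings" ] && return 0
    printf '%s\n' "$findings"
    return 1
}

# build_demo_serverroot: a minimal ServerRoot layout with one classic mistake.
build_demo_serverroot() {
    demo=$(mktemp -d)
    mkdir -p "$demo/bin" "$demo/conf" "$demo/logs"
    chmod 755 "$demo" "$demo/bin" "$demo/conf" "$demo/logs"
    printf '#!/bin/sh\n' > "$demo/bin/httpd";  chmod 755 "$demo/bin/httpd"
    : > "$demo/conf/httpd.conf";               chmod 644 "$demo/conf/httpd.conf"
    : > "$demo/logs/access_log";               chmod 666 "$demo/logs/access_log"  # world-writable log: the mistake
    echo "$demo"
}

demo=$(build_demo_serverroot)
if audit_serverroot "$demo" "$(id -un)"; then
    echo "ServerRoot $demo is clean"
else
    echo "fix the paths above (chown root, chmod go-w) before starting httpd"
fi
```

On a real host run audit_serverroot /usr/local/apache2 (or wherever ServerRoot points) as root with the default owner; the log directory is the usual place a world-writable file creeps in, and a writable httpd binary or httpd.conf is a direct path to root.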

Page 10: Setting Up Security on Apache

Protect the file system

– Deny access to the whole file system by default, then grant access per directory (for example in a <Directory> block for DocumentRoot):

<Directory />

Order Deny,Allow

Deny from all

</Directory>

(This is the Apache 2.2 form; Order takes a comma with no space. In Apache 2.4 the same block is written with Require all denied.)

– Keep http://localhost/~root from exposing root's home directory:

UserDir disabled root

– Run the server in a chroot environment

Page 11: Setting Up Security on Apache

General Security Tips for Apache

CGI – scripts run under Apache's user, so one script can read or modify files that other scripts (or other users' scripts) own

– suEXEC – program included with Apache to allow scripts to run as different users

Disallow .htaccess files – they may override the admin's security controls

– AllowOverride None

Server Side Includes – require additional processing by Apache and, by convention, the .shtml extension

– Can also execute (#exec) any CGI script or program under the permissions of the user/group Apache runs as; use the IncludesNOEXEC option to prohibit this

Page 12: Setting Up Security on Apache

Major Web Site Security Concerns

Protecting your computer from unauthorized users

– Authentication – the process of allowing users access to the Web service based on usernames and passwords, or on IP addresses or domains

Protecting your computer from programs that run on the host computer

– SSI "includes"
– Executable directories
– Controls, scripts, applets, etc.