Apache Web server security configuration overview

  • 2020-05-06 12:07:11
  • OfStack

As the most popular Web server, Apache Server provides good security features that enable it to deal with possible security threats and information leaks.

Apache server security features

1. Both selective and mandatory access control policies are adopted

From the perspective of Apache or the Web, selective access control, DAC (Discretionary Access Control), is still based on the user name and password, while mandatory access control, MAC (Mandatory Access Control), is defined in terms of the IP address or domain name of the requesting client. In DAC mode a user who enters the wrong password gets the chance to correct it and enter the right one; a user who fails the MAC check is barred from any further action, and nothing the user does will help unless the server's security policy is adjusted.

2. Security modules of Apache

One of the advantages of Apache is its flexible module structure; its design is organised around the concept of modules. The security modules are an extremely important part of Apache Server: they provide access control, authentication, authorization and a range of other critical security services.

The mod_access module controls access to the Apache server based on the visitor's IP address (or domain name, host name, etc.), which is called host-based access control.

The mod_auth module controls authentication and authorization for users and groups. The user names and passwords are stored in a plain text file. The mod_auth_db and mod_auth_dbm modules store user information (name, group membership, password, etc.) in Berkeley DB and DBM databases respectively, which are easier to manage and more efficient for the application.

The mod_auth_digest module authenticates the user with MD5-based HTTP Digest authentication, but it requires support from the client.

The mod_auth_anon module has similar functionality to mod_auth, except that it allows anonymous login, using the E-mail address entered by the user as the password.

SSL (Secure Socket Layer), the secure socket layer protocol supported by Apache, provides secure transaction services on the Internet, for example as a security measure in e-commerce, and prevents leakage of sensitive information by encrypting the communication byte stream. Apache's support for it, however, is built on the Apache API extension: it acts as an external module which, combined with third-party programs, provides secure online transaction support.

Security configuration for Apache server

Apache's settings are flexible, and all of its security features require careful design, planning and configuration. The security configuration of the Apache server has many layers, including the running environment and the authentication and authorization settings. The installation, configuration and running of Apache are as follows:

1. Run as nobody

Typically, Apache is installed and run by root. If the Apache Server process has root privileges it poses a significant threat to the security of the system, so you should make sure the Apache Server process runs with the lowest possible user privileges. Running Apache as the nobody user is relatively safe; set the following options in the httpd.conf file:

User nobody

Group #-1
2. ServerRoot directory permissions

To ensure that all configuration is appropriate and secure, access to the Apache home directory must be strictly controlled so that non-superusers cannot modify its contents. The Apache home directory is set by the ServerRoot directive in the Apache Server configuration file httpd.conf:

ServerRoot /usr/local/apache

3. Configuration of SSI

Add the IncludesNOEXEC option to the Options directive in the configuration file access.conf or httpd.conf to disable the exec feature of server-side includes in Apache Server. This avoids exposing the server system by letting users execute commands directly on the Apache server.

Options IncludesNOEXEC

4. Prevent users from modifying system settings

Put the following settings in the Apache server configuration file to stop users creating or modifying .htaccess files and thereby overriding the security features defined by the system. These directives belong in a <Directory /> container:

<Directory />
AllowOverride None
Options None
Allow from all
</Directory>

Then configure each of the specific directories appropriately.

5. Restrict the Apache server's default access

Apache's default settings guarantee only a certain degree of security. If the server can find a file through its normal mapping rules the client will get the file; for example, http://localhost/~root/ would let a user access the entire file system. Adding the following <Directory /> container to the server configuration file:

<Directory />
Order deny,allow
Deny from all
</Directory>

disables access to the file system by default.

6. CGI script security considerations

A CGI script is a program that can be run through the Web server. To keep the system secure, make sure the authors of CGI scripts are trusted. CGI programs are best confined to a specific directory, such as cgi-bin, for easy management; in addition, make sure the files in the CGI directory are not writable, so that deceptive programs cannot be planted or mixed in. Providing users with a well-secured CGI program module as a reference may avoid many unnecessary troubles and security risks; remove all scripts not needed by the business from the CGI directory, so that error conditions do not leak information.

The common measures above provide a basic secure operating environment for Apache Server; obviously they must be further refined and broken down for the specific deployment, in order to arrive at a security configuration that matches the actual application.

Apache Server host-based access control

Apache Server's default security configuration is to deny all access. Assuming the Apache Server content is stored in the /usr/local/apache/share directory, the following directives achieve this setup:

<Directory /usr/local/apache/share>
Deny from all
AllowOverride None
</Directory>

Changes to the authentication and access control methods are then prohibited in any directory.

Also, the Deny and Allow directives provide some flexibility by specifying which hosts may access the server and which may not. When Deny and Allow are used together, the Order directive determines the order in which they are evaluated, as shown below:

1. Deny hosts from a certain class of addresses access to the server (Deny). For example:

Deny from all

Deny from test.cnn.com

Deny from 204.168.190.13

Deny from 10.10.10.0/255.255.0.0

2. Allow hosts from a certain class of addresses access to the server (Allow). For example:

Allow from all

Allow from test.cnn.com

Allow from 204.168.190.13

Allow from 10.10.10.0/255.255.0.0

Multiple arguments can be given after the Deny and Allow directives.

3. Simple configuration examples:

Order allow,deny

Allow from all

Deny from www.test.com

This means that everyone may access the Apache server, except that no access is wanted from www.test.com.

Order deny,allow

Deny from all

Allow from test.cnn.com

This means that all access is denied except from test.cnn.com.
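To make the Order semantics concrete, the following added example (not Apache's own code, and not from the original article) evaluates an Order/Allow/Deny block the way mod_access does, for a client identified by its IP address and reverse-resolved host name; the config text and client addresses are constructed, and it also handles partial-IP and network/netmask arguments mentioned above.

```python
import ipaddress

# Added example (not Apache's own code): evaluates an Order/Allow/Deny block
# the way Apache 1.3/2.2 mod_access does, for a client identified by its IP
# address and reverse-resolved host name. Sample inputs are constructed.

def _matches(pattern, client_ip, client_host):
    """One Allow/Deny argument: all, a (partial) domain name, a full or
    partial IP address, or network/netmask in CIDR or dotted form."""
    if pattern == "all":
        return True
    if "/" in pattern:
        net, mask = pattern.split("/", 1)
        network = ipaddress.ip_network(f"{net}/{mask}", strict=False)
        return ipaddress.ip_address(client_ip) in network
    if pattern.replace(".", "").isdigit():
        # leading octets: "204.168" matches every 204.168.x.x address
        return client_ip == pattern or client_ip.startswith(pattern + ".")
    # domain names match whole components from the right
    return client_host == pattern or client_host.endswith("." + pattern)

def is_allowed(order, allow, deny, client_ip, client_host=""):
    allowed = any(_matches(p, client_ip, client_host) for p in allow)
    denied = any(_matches(p, client_ip, client_host) for p in deny)
    if order == "allow,deny":
        # default deny: an Allow must match and no Deny may match
        return allowed and not denied
    if order == "deny,allow":
        # default allow: a matching Allow overrides any matching Deny
        return allowed or not denied
    raise ValueError(f"unsupported Order value: {order}")

def evaluate_block(config_text, client_ip, client_host=""):
    """Parse the Order/Allow/Deny lines of one <Directory> block and decide."""
    order, allow, deny = "deny,allow", [], []   # Apache's default Order
    for line in config_text.splitlines():
        parts = line.split()
        if len(parts) < 2 or parts[0].startswith("#"):
            continue
        directive = parts[0].lower()
        if directive == "order":
            order = parts[1].lower()
        elif directive in ("allow", "deny") and parts[1].lower() == "from":
            (allow if directive == "allow" else deny).extend(p.lower() for p in parts[2:])
    return is_allowed(order, allow, deny, client_ip, client_host.lower())

# The article's two examples, written as constructed config text:
BLOCK_ALLOW_DENY = "Order allow,deny\nAllow from all\nDeny from www.test.com\n"
BLOCK_DENY_ALLOW = "Order deny,allow\nDeny from all\nAllow from test.cnn.com\n"
```

Note that with Order allow,deny a block with no Allow line denies everyone, which is the safe failure mode when a rule is forgotten.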

Apache Server user authentication and authorization

Generally speaking, user authentication verifies the authenticity of the user's identity, for example whether the user account exists in the database and whether the password for that account is correct; user authorization verifies that a valid user is authorized to access a particular resource. In Apache, almost all security modules actually do both. From a security perspective, user authentication and authorization correspond to selective access control.

There are three steps to establishing authentication authorization for a user:

1. Establish the user database

The list of user names and passwords has to exist either in a file (mod_auth module) or in a database (mod_auth_dbm module). For security reasons, the file must not be placed under the Web document root. For example, the file /usr/local/etc/httpd/users has a format similar to the UNIX password file, but the password is stored in encrypted form. The htpasswd program is used to add or change users:

htpasswd -c /usr/local/etc/httpd/users martin

-c indicates that a new user file is created; martin is the user name being added. htpasswd then adds the user name and password to the users file. The resulting user file takes the following form:

martin:WrU808BHQai36

jane:iABCQFQs40E8M

art:FadHN3W753sSU

The first field is the user name, and the second field is the user password.

2. Configure the server's protection realm

To let the Apache server make use of the user names and passwords in the user file, you need to set up a protection realm (Realm). A realm is a part of a site (a directory, a document, etc.), or the entire site, that is accessible only to a subset of users. In the .htaccess file of the relevant directory, or in a <Directory> section of httpd.conf (access.conf), the realm of the protected area is named with AuthName. The following .htaccess file grants access to the valid users of the user file and names the protected realm:

AuthName "restricted stuff"
AuthType Basic
AuthUserFile /usr/local/etc/httpd/users
Require valid-user

Here AuthName gives the name of the protected realm (Realm Name). The valid-user argument means that any user in the user file may access. Once a user has entered a valid user name and password, other resources in the same realm can be accessed with the same credentials, and two different areas can share the same user name and password.

3. Tell the server which users have access to the resource

If you want to grant access to a resource to a group of users, list their names after Require. The best approach is to use a group file (named with the AuthGroupFile directive). A group works like the standard UNIX group concept: any user can belong to one or several groups. This lets you use Require in the configuration file to grant permissions to groups. For example:

Require group staff

Require group staff admin

Require user adminuser

These specify access for one group, for several groups, or for a single user respectively.
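The three steps above (user file, realm, Require directive), as an added example that is not Apache's own code and not from the original article: the user and group files are constructed, and passwords use the {SHA} format written by htpasswd -s so the check needs no platform crypt(); the authorization rules for valid-user, user and group are the ones the article lists.

```python
import base64, hashlib, hmac

# Added example (not Apache's own code) for the three steps above: a user
# file, a group file and a Require directive. The files are constructed;
# passwords use the {SHA} form written by "htpasswd -s" (base64 of SHA-1).

def sha_entry(password):
    """Hash a password the way htpasswd -s does: {SHA} + base64(SHA-1)."""
    digest = hashlib.sha1(password.encode("utf-8")).digest()
    return "{SHA}" + base64.b64encode(digest).decode("ascii")

# AuthUserFile content ("user:hash" per line), built from constructed plaintexts
USERS_FILE = "\n".join(["martin:" + sha_entry("s3cret"),
                        "jane:" + sha_entry("l3tmein"),
                        "adminuser:" + sha_entry("adm1n")])
# AuthGroupFile content: "group: member member ..."
GROUPS_FILE = "staff: martin jane\nadmin: adminuser\n"

def load_users(text):
    return dict(line.split(":", 1) for line in text.splitlines() if ":" in line)

def load_groups(text):
    groups = {}
    for line in text.splitlines():
        if ":" in line:
            name, members = line.split(":", 1)
            groups[name.strip()] = set(members.split())
    return groups

def check_password(users, user, password):
    """Authentication: an unknown user and a wrong password both fail."""
    stored = users.get(user, "")
    return stored.startswith("{SHA}") and hmac.compare_digest(stored, sha_entry(password))

def authorize(require, user, users, groups):
    """Authorization for a Require argument: valid-user, user ..., group ..."""
    kind, *names = require.split()
    if kind == "valid-user":
        return user in users
    if kind == "user":
        return user in names
    if kind == "group":
        return any(user in groups.get(g, set()) for g in names)
    return False

def access(require, user, password, users, groups):
    # authenticate first, then authorize against the Require directive
    return check_password(users, user, password) and authorize(require, user, users, groups)
USERS, GROUPS = load_users(USERS_FILE), load_groups(GROUPS_FILE)
```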

It is important to note that when a large number of user accounts must be created, the Apache server's use of a flat user file can significantly degrade performance. In that case it is best to use account files in a database format, such as the DBM format. You can also use data files in db format (mod_auth_db) as needed, or directly use databases such as mSQL (mod_auth_msql) or DBI-compatible databases (mod_auth_dbi).
