For in-depth knowledge of Apache Web Server, please visit this.
However, if you have already begun working with Apache and are only concerned with securing your server, here are a few tips that will help. Read them and apply them carefully.
Protecting the Files on Your Web Server
Most files that control the web server’s operation are under ‘ServerRoot’
–Server runs under an identity (nobody) that shouldn’t have the ability to modify its own control files
–Exceptions are error_log and access_log
Most files in server’s DocumentRoot should be read-only to server. Carefully consider exceptions.
–Symbolic links can bypass DocumentRoot control
Protecting your computer from unauthorized users
–Authentication – the process of allowing users access to the Web service based on usernames and passwords or IP addresses or domains
Protecting your computer from programs that run on the host computer
–SSI “includes”
–Executable directories
–Controls, scripts, applets, etc.
Protecting the URLs on Your Web Site
This involves the Mandatory and Discretionary access control discussed in the Server Users and Documents PowerPoint slides, which cover the use of Authentication and Authorization.
Permissions on ServerRoot Directories
You want to be sure these directories are writeable only by root
–If non-root users can modify files that root either executes or writes, the system is open to root compromises (httpd could be replaced, log files overwritten, etc.)
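One way to check this rule on a live system, as an added example that is not part of the original page: the functions below list every path under a ServerRoot that is not owned by the expected owner or is group- or world-writable. Going one step beyond the text, they apply the same test to each parent directory. The function names and the /usr/local/apache2 path in the comment are assumptions; substitute your own ServerRoot.

```shell
#!/bin/sh
# Added example: audit who can modify a ServerRoot tree and its parents.
# Typical use (path is a placeholder): audit_serverroot /usr/local/apache2
# Paths containing newlines are not handled.

# Print "REASON<TAB>PATH" for every path matched by the find arguments.
_flag() {
    reason=$1; shift
    find "$@" -print | while IFS= read -r path; do
        printf '%s\t%s\n' "$reason" "$path"
    done
}

# _check OWNER FIND-ARGS...: the three tests applied to each path.
# Symlinks are skipped: they always report mode 777, and what matters
# is the permissions of the link target.
_check() {
    owner=$1; shift
    _flag wrong-owner    "$@" ! -type l ! -user "$owner"
    _flag group-writable "$@" ! -type l -perm -020
    _flag world-writable "$@" ! -type l -perm -002
}

# audit_serverroot DIR [OWNER]: DIR and everything inside it.
# OWNER defaults to root; a numeric uid is also accepted.
audit_serverroot() {
    _check "${2:-root}" "$1"
}

# audit_parents DIR [OWNER]: each ancestor of DIR up to /.
# Write access to an ancestor allows DIR to be renamed aside and
# replaced (unless the sticky bit applies), so ancestors are flagged
# conservatively by the same three tests.
audit_parents() {
    p=$(cd "$1" && pwd -P) || return 1
    while [ "$p" != / ]; do
        p=$(dirname "$p")
        _check "${2:-root}" "$p" -prune   # -prune: test $p itself only
    done
}
```

Empty output from both functions means nothing was flagged; review any line that is printed before deciding it is an acceptable exception.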
More Security Tips for Apache
CGI – scripts run under Apache’s user, so they may conflict with other scripts
–suEXEC – program included with Apache to allow scripts to run as different users
Disallow .htaccess files – they may override the admin’s security controls
–AllowOverride None
Server Side Includes (SSI) – require additional processing by Apache – require .shtml
–Can also execute (EXEC) any CGI script or program under the permissions of the user/group Apache runs as
Use the IncludesNOEXEC option (Options IncludesNOEXEC) to prohibit this