Confining the Apache Web Server with Security
Michelle J. Gosselin, Jennifer Schommer
Guanzhong Wang
Linux is mainly used for setting up network servers. Reports
of servers and websites being compromised by attackers appear
almost every day, and as network applications diversify, the
forms and methods of attack keep changing. How to enhance the
security of Linux servers has become one of the most important
issues for Linux system administrators.
Linux is open source software.
Because of technical features such as high stability
and security, strong network load capacity and modest
hardware requirements, it has been quickly promoted
and deployed since its release, and has
developed into one of the mainstream server
operating systems in the world today.
Linux services include DNS, DFS,
Samba, Sendmail, Postfix, Apache...
APACHE
(1) The client (browser) builds a TCP connection to the Web
server and then sends an access request (such as “GET”) to
the Web server. According to the HTTP protocol, the request
includes information such as the IP address, browser type and
URL of the client.
(2) After the Web server receives the request, it returns the
requested pages to the client. If an error occurs, it returns
an error code.
(3) The connection to the remote Web server is closed.
Install patches regularly
The latest change log at
http://www.apache.org/ lists entries marked: bug fix,
security bug fix.
Hide and mask Apache version
The way to remove the Apache version
number is to change the configuration
file /etc/httpd.conf.
The Apache server has four main directories, as
follows:
ServerRoot: stores the configuration file, binary files and other server
configuration files.
DocumentRoot: stores the content of Web sites, including HTML files and
pictures.
ScriptAlias: stores CGI scripts.
CustomLog and ErrorLog: store access logs and error logs.
The principle of least privilege is one of the
most basic principles in system security. It
restricts users to the least privilege they
require when accessing the system and data, so
that users can still complete their tasks
while the loss caused by unauthorized users or
abnormal operations is kept to a minimum.
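groupadd webteam                     # create the group for the web team
usermod -G webteam GW                # set the supplementary group of user GW
chown -R httpd:webteam /www/htdocs   # owner httpd, group webteam
chmod -R 2570 /www/htdocs            # SGID; owner r-x, group rwx, others none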
-G sets the supplementary groups the user belongs to.
-R applies the change recursively to all files in the given directory and its
subdirectories, one by one.
SUID means that if a user sets this permission on his own shell script, other users
running the script will have the same permissions as the owner.
SGID means that users who run the corresponding script will have the same
permissions as the owner's group.
1. Disable directory indexing
2. Forbid default access
To allow access to the /var/www/html directory, use the following
settings:
Order deny,allow
Allow from all
3. Forbid user overrides
To prevent users from overriding the configuration for this directory with their
own configuration file, set:
AllowOverride None
Apache servers are under the threat of DoS
attacks all the time. These mainly take the
following forms.
1. Packet flood attacks
2. Disk attacks
3. Making the router inaccessible
4. Distributed denial-of-service attacks
The Apache server defends against denial-of-service
attacks mainly through the software module
Apache DoS Evasive Maneuvers Module. It is
an alternative to mod_access for countering
DoS attacks. This software can quickly
deny repeated requests from the same
address for the same URL.
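The rule described above (deny repeated requests from the same address for the same URL), as an added example that is not part of the original slides or the module's own code: a Python sketch that applies it to constructed access-log lines. The names page_count, page_interval and blocking_period and their values are assumptions chosen for illustration; the real module acts on live requests inside Apache rather than on logs.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample access-log lines (Common Log Format), not real traffic.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Oct/2023:13:55:00 +0000] "GET /login.php HTTP/1.1" 200 512
198.51.100.4 - - [10/Oct/2023:13:55:00 +0000] "GET /index.html HTTP/1.1" 200 2048
203.0.113.7 - - [10/Oct/2023:13:55:00 +0000] "GET /login.php HTTP/1.1" 200 512
203.0.113.7 - - [10/Oct/2023:13:55:00 +0000] "GET /login.php HTTP/1.1" 200 512
203.0.113.7 - - [10/Oct/2023:13:55:00 +0000] "GET /login.php HTTP/1.1" 200 512
203.0.113.7 - - [10/Oct/2023:13:55:01 +0000] "GET /index.html HTTP/1.1" 200 2048
198.51.100.4 - - [10/Oct/2023:13:55:02 +0000] "GET /index.html HTTP/1.1" 200 2048
203.0.113.7 - - [10/Oct/2023:13:55:30 +0000] "GET /login.php HTTP/1.1" 200 512
"""
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "\S+ (\S+)[^"]*" \d{3} \S+')

def find_denied(log_text, page_count=3, page_interval=1.0, blocking_period=10.0):
    """Return (ip, url, timestamp) for every request that would be denied.

    A client is blocked once it requests the same URL more than page_count
    times within page_interval seconds; while blocked, all its requests fail.
    """
    recent = defaultdict(deque)  # (ip, url) -> request times inside the window
    blocked_until = {}           # ip -> time at which the block expires
    denied = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that are not in Common Log Format
        ip, stamp, url = m.groups()
        t = datetime.strptime(stamp, "%d/%b/%Y:%H:%M:%S %z").timestamp()
        if blocked_until.get(ip, 0.0) > t:
            denied.append((ip, url, stamp))
            blocked_until[ip] = t + blocking_period  # a hit while blocked restarts the timer
            continue
        window = recent[(ip, url)]
        window.append(t)
        while window and t - window[0] >= page_interval:
            window.popleft()  # forget requests older than the interval
        if len(window) > page_count:
            blocked_until[ip] = t + blocking_period
            denied.append((ip, url, stamp))
    return denied

if __name__ == "__main__":
    for ip, url, stamp in find_denied(SAMPLE_LOG):
        print(f"DENY {ip} {url} at {stamp}")
```

The second address in the sample requests the same page at a normal pace and is never denied, while the first is denied on its fourth hit within one second and again on its next request during the block.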
Using a Web server with SSL can improve the security
of a website. The SSL protocol works
between the TCP/IP protocol and the HTTP protocol on Linux;
SSL uses encryption to protect the flow of
information between Web servers and browsers.
SSL is not only used to encrypt the data
transmitted over the Internet, but can also provide
authentication.
1. The client application's connection request includes the lists of
algorithms and other available information.
2. When the server responds to the connection, it confirms the
algorithm to be used for this communication and sends its own
certificate, which contains its identity and public key.
3. After receiving this message, the client generates a
secret key, encrypts it with the web server's
public key and sends it.
4. The server then uses its private key to decrypt and
process it so as to generate an encryption key; the session
key has now been negotiated successfully.
5. The client and the server both hold the session key
and use it to encrypt the data.