Securing Apache has been the subject of many books and tutorials, and will continue to be, as security is an ever-changing field. This short page is by no means meant to be exhaustive. The steps below are basic recommendations for beginning to protect a web server; much more strenuous measures are needed to truly secure one. Please use the information below as a starting place only. If you haven't yet set up the web server, you may want to look at that first.
# Configuring Apache
* Tweaking Defaults

One of the first things to do after installing Apache is to configure where it will serve files from, and to limit the options that people accessing the web server have. This is done by editing /etc/apache2/sites-available/default. Look for this section:


    <Directory />
        Options FollowSymLinks
        AllowOverride None
    </Directory>

This section controls how Apache treats the root directory of the file system (and by inheritance, all the files within the file system). This is somewhat secure, but a more secure configuration is better. Change the section to read like this:

    <Directory />
        Order Deny,Allow
        Deny from all
        Options None
        AllowOverride None
    </Directory>


This tells Apache not to serve any files at all from the file system, and also to allow no special options (such as symlinking, includes, or cgi scripts), and not to allow this to be overridden by .htaccess files in the directories. This is used to protect files that Apache shouldn't have access to. However, since we do want Apache to access files from within the /var/www directory, we need to edit the section below it to look like this:

    <Directory /var/www/>
        Options FollowSymLinks MultiViews
        Order allow,deny
        Allow from all
    </Directory>

The Allow from all line is what allows Apache to serve pages from within /var/www. Also, removing Indexes means that web users will not be able to see the contents of web directories. You'll need to restart Apache in order for this to take effect. Restart Apache with apache2ctl restart.
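One way to check a site file against the settings described above, as an added example that is not part of the original page. The function names and the sample configuration are constructed for illustration; the parser only understands plain Directory blocks.

```python
import re

# Constructed sample: the page's hardened root block, but /var/www still has Indexes.
SAMPLE = """\
<Directory />
    Order Deny,Allow
    Deny from all
    Options None
    AllowOverride None
</Directory>
<Directory /var/www/>
    Options Indexes FollowSymLinks MultiViews
    Order allow,deny
    Allow from all
</Directory>
"""

def directory_blocks(conf):
    """Map each <Directory path> to {lowercased directive: argument string}."""
    blocks, current = {}, None
    for raw in conf.splitlines():
        line = raw.strip()
        opened = re.match(r'<Directory\s+"?([^">]+?)"?\s*>$', line, re.I)
        if opened:
            current = blocks.setdefault(opened.group(1), {})
        elif line.lower() == "</directory>":
            current = None
        elif current is not None and line and not line.startswith("#"):
            name, *args = line.split()
            current[name.lower()] = " ".join(args)
    return blocks

def audit(conf):
    """Return findings where conf departs from the settings described above."""
    blocks, findings = directory_blocks(conf), []
    # Root of the file system: deny everything, no options, no .htaccess overrides.
    root = blocks.get("/", {})
    for name, want in (("deny", "from all"), ("options", "none"), ("allowoverride", "none")):
        if root.get(name, "").lower() != want:
            findings.append(f"/: expected '{name} {want}'")
    # Any served directory: Indexes exposes directory listings to web users.
    for path, directives in blocks.items():
        opts = directives.get("options", "").lower().split()
        if "indexes" in opts or "+indexes" in opts:
            findings.append(f"{path}: Options includes Indexes")
    return findings

if __name__ == "__main__":
    print(audit(SAMPLE))
```

To audit a real server, pass the contents of /etc/apache2/sites-available/default to audit().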

* Hiding Server Version

If you open up a web browser and visit http://www.yourserver.com/nonexistant.html, you'll see an error page like the one shown below. That gives away an awful lot of information to someone interested in attacking the system! To obfuscate this information, open /etc/apache2/apache2.conf. Look for the line

ServerTokens Full

and change it to

ServerTokens Prod

You'll need to restart Apache in order for this to take effect. Restart Apache with apache2ctl restart. Afterward, server error pages should look something more like this:
# Installing Mod_Security
* Getting all the Pieces

The security module, or mod_security, is an Apache module that can be installed for closer monitoring of HTTP requests and responses as well as easy denial of packets that look suspicious. Unfortunately, due to licensing differences, mod_security is not available through the Debian repository, and so it can't be apt-gotten. Still, the module isn't terribly difficult to install. Before obtaining the source code, there are a few other parts that can be installed through apt. These are libxml2-dev and apache2-prefork-dev. To install these, run

apt-get install libxml2-dev apache2-prefork-dev

To get the source code for mod_security, you must first create a user account with Breach Security, the developers of mod_security. After logging in, navigate to Downloads and then modsecurity-apache/. Find the latest version of modsecurity-apache...tar.gz and right-click it to save the download location. From where you keep your source code, run

wget --no-check-certificate


Untar the file with tar xvzf and then cd into the new directory. From there, cd into apache2. Mod_security follows the typical source installation paradigm, so no surprises there. Run ./configure --help to see all available options. In most cases, none will be necessary. Go ahead and run ./configure (with any options) and then make. If it finishes without an error, it's safe to make install.

# Configuring Apache


Now that the files for mod_security have been installed, Apache needs to be told to use them. Cd into /etc/apache2/mods-available. A new file needs to be created to tell Apache to load the mod_security module. Call this file modsecurity2.load and enter the following contents:

LoadFile /usr/lib/libxml2.so
LoadModule security2_module /usr/lib/apache2/modules/mod_security2.so


Now move up one directory and then into mods-enabled (cd ../mods-enabled). Here, a symlink to the file needs to be created. This is done with

ln -s ../mods-available/modsecurity2.load


While we're here, mod_security also requires mod_unique_id to be running, so create a symlink to enable that one, too:

ln -s ../mods-available/unique_id.load


After this, it's time to restart Apache and make sure it loads the new file. Run apache2ctl restart and then look at the bottom of the Apache log with tail /var/log/apache2/error.log. You should see something like this:

[Sun Apr 06 18:54:25 2008] [notice] ModSecurity for Apache/2.5.2 (http://www.modsecurity.org/) configured.


If you don't, or you see any errors, double check the above and make sure you're error-free before continuing.
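The double check suggested above can be scripted. This is an added example, not part of the original page: check_modsecurity is a hypothetical helper that verifies the two symlinks resolve, that the load file names the module, and that the startup notice is in the log.

```python
import os
import re

# The notice ModSecurity writes to error.log at startup, as shown above.
NOTICE = re.compile(r"\[notice\] ModSecurity for Apache/\S+ .*configured\.")

def check_modsecurity(apache_dir, error_log):
    """Return a list of problems with the setup steps above; empty means OK."""
    problems = []
    for name in ("modsecurity2.load", "unique_id.load"):
        link = os.path.join(apache_dir, "mods-enabled", name)
        if not os.path.islink(link):
            problems.append(f"mods-enabled/{name} is not a symlink")
        elif not os.path.exists(link):  # follows the link: False if dangling
            problems.append(f"mods-enabled/{name} points at a missing file")
    load = os.path.join(apache_dir, "mods-available", "modsecurity2.load")
    try:
        with open(load) as fh:
            if not re.search(r"^\s*LoadModule\s+security2_module\s", fh.read(), re.M):
                problems.append("modsecurity2.load has no LoadModule security2_module line")
    except OSError:
        problems.append("mods-available/modsecurity2.load is missing")
    try:
        with open(error_log, errors="replace") as fh:
            lines = fh.readlines()
    except OSError:
        lines = []
    # Only the most recent startup matters, so scan the tail of the log.
    if not any(NOTICE.search(line) for line in lines[-50:]):
        problems.append("no 'ModSecurity ... configured' notice in recent log lines")
    return problems

if __name__ == "__main__":
    # Paths as used on this page.
    print(check_modsecurity("/etc/apache2", "/var/log/apache2/error.log"))
```

A dangling link is the usual result of running ln -s from the wrong directory, which is why the link target is checked as well as the link itself.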



Created by d'za
