Setting Up Security on Apache

1. Setting Up Security on Apache
   - Three main areas to consider:
     - Protecting the files on your web server
     - Protecting the URLs on your web site
     - Controlling real-time activity
2. Protecting the Files on Your Web Server
   - Most files that control the web server's operation are under ServerRoot.
     - The server runs under an identity (nobody) that shouldn't have the ability to modify its own control files.
     - Exceptions are error_log and access_log.
   - Most files in the server's DocumentRoot should be read-only to the server. Carefully consider exceptions.
     - Symbolic links can bypass DocumentRoot control.
3. Symbolic Links
   - Symbolic links allow a file to appear to exist in multiple locations.
     - The danger is that a symbolic link may inadvertently provide access to files via unexpected paths.
     - To create a symbolic link: ln -s resource_to_link symlink_name
     - To find symbolic links under the document root: find documentroot -type l -print
4. More on Symbolic Links
   - In httpd.conf, these directives affect symbolic links:
     - Options FollowSymLinks allows Apache to follow links to the real file or directory.
       - Options -FollowSymLinks turns symlink following off.
     - Options FollowSymLinksIfOwnerMatch allows Apache to follow a link ONLY if the user ID that owns the link is the same as the one that owns the actual file.
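The find command on the previous slide lists links but not whether they are dangerous. The script below is an added example (not part of the slides) that classifies every symlink under a DocumentRoot: links whose target resolves outside the DocumentRoot (the "unexpected path" case), links whose owner differs from the target's owner (exactly the case FollowSymLinksIfOwnerMatch refuses to follow), and dangling links. It assumes GNU coreutils (readlink -e, stat -c) as on a typical Linux host, and the demo tree it builds is constructed; since every file in that tree belongs to the same user, the OWNER-MISMATCH case only appears when the script is run against a real tree with mixed ownership.

```shell
#!/bin/sh
# Added example: audit symbolic links under a DocumentRoot. Not from the slides.
# Assumes GNU coreutils (readlink -e, stat -c). For each link it prints one of:
#   OK              target inside DocumentRoot and owned by the link's owner
#   OWNER-MISMATCH  link and target owners differ (FollowSymLinksIfOwnerMatch refuses these)
#   ESCAPES-DOCROOT target resolves outside DocumentRoot (the "unexpected path" case)
#   DANGLING        target does not exist

audit_symlinks() {
    docroot=$(readlink -e "$1") || return 1
    # find does not follow links, so a link to a directory is reported, not entered
    find "$docroot" -type l -print | while IFS= read -r link; do
        target=$(readlink -e "$link") || target=""
        case "$target" in
            "")
                echo "DANGLING $link" ;;
            "$docroot"|"$docroot"/*)
                # stat without -L reports the link itself, not its target
                link_owner=$(stat -c '%u' "$link")
                target_owner=$(stat -c '%u' "$target")
                if [ "$link_owner" = "$target_owner" ]; then
                    echo "OK $link -> $target"
                else
                    echo "OWNER-MISMATCH $link -> $target"
                fi ;;
            *)
                echo "ESCAPES-DOCROOT $link -> $target" ;;
        esac
    done
}

# Count report lines that start with a given tag (used by the demo and by tests).
count_tag() {
    printf '%s\n' "$2" | grep -c "^$1 " || true
}

# Constructed demo tree, not a real site: one safe link, two escaping links, one dangling.
build_demo_docroot() {
    base=$(mktemp -d)
    mkdir -p "$base/htdocs/img" "$base/private"
    echo 'db password here' > "$base/private/db.conf"
    echo 'png bytes' > "$base/htdocs/img/logo.png"
    ln -s img/logo.png "$base/htdocs/logo-link.png"     # stays inside htdocs
    ln -s ../private/db.conf "$base/htdocs/config.txt"  # reaches outside htdocs
    ln -s / "$base/htdocs/rootfs"                       # exposes the whole file system
    ln -s missing.html "$base/htdocs/old.html"          # target does not exist
    echo "$base/htdocs"
}

# Usage: sh audit_symlinks.sh /var/www/html   (or --demo for the constructed tree)
if [ "${1:-}" = "--demo" ]; then
    audit_symlinks "$(build_demo_docroot)"
elif [ -n "${1:-}" ]; then
    audit_symlinks "$1"
fi
```

Run it from cron against each DocumentRoot and treat any ESCAPES-DOCROOT line as a finding to remove, regardless of whether FollowSymLinks is currently on: a later .htaccess or configuration change can re-enable link following, and the link itself is the problem.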
5. Protecting the URLs on Your Web Site
   - This involves the mandatory and discretionary access control discussed in the "Server Users and Documents" slides, which covered the use of authentication and authorization.
6. Controlling Real-Time Activity - Options
   - Options: each scope has options
     - All (all options enabled)
     - None (no options enabled)
     - ExecCGI (enables CGI script execution)
     - FollowSymLinks | FollowSymLinksIfOwnerMatch
     - Includes (allows server-side includes)
     - IncludesNOEXEC (the above without #exec and #include)
     - Indexes (allows default directory indexes to be created)
     - MultiViews (content-negotiation multiviews; not included in All)
7. More on Options
   - Good idea to turn off Options in areas where the web admin does not have sole control.
     - Turn off all options: Options None
     - Turn off individual options: Options -Includes -IncludesNOEXEC -ExecCGI
8. Controlling Real-Time Activity - AllowOverride
   - AllowOverride controls whether directives are allowed in .htaccess files, and which ones.
     - All (any directive allowed in .htaccess)
     - AuthConfig (authentication directives like AuthType allowed)
     - FileInfo (file-processing directives like AddType allowed)
     - Indexes (allows directives for indexing, if enabled, like DirectoryIndex)
     - Limit (controls whether the mandatory access controls Order, Allow and Deny are processed if found in .htaccess)
     - None (completely disables processing of .htaccess files)
     - Options (allows Options directives found in .htaccess to be processed)
9. Permissions on ServerRoot Directories
   - You want to be sure these directories are writable only by root.
     - If non-root users can modify files that root executes or writes, the system is open to root compromise (httpd could be replaced, log files overwritten, etc.).
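The following script is an added example, not from the slides, that checks the "writable only by root" rule for a ServerRoot tree and removes the offending write bits. It assumes GNU find (-uid, -perm /mode, -printf). Ownership is reported but not changed, since chown needs root; the demo tree it builds is constructed, with a world-writable log directory and a group-writable httpd binary, and uses the current user as the expected owner so it can run unprivileged.

```shell
#!/bin/sh
# Added example: audit a ServerRoot tree for anything a non-root user could
# modify. Not from the slides. Assumes GNU find (-uid, -perm /mode, -printf).
#   WRONG-OWNER  entry not owned by the expected uid (root, 0, in production)
#   WRITABLE     file or directory writable by group or others
# A user who can write httpd, the config or the log directory can swap the
# binary root executes or redirect the files root writes.

audit_serverroot() {
    root=$1
    owner=${2:-0}
    find "$root" ! -uid "$owner" -printf 'WRONG-OWNER %u %p\n'
    find "$root" \( -type f -o -type d \) -perm /022 -printf 'WRITABLE %M %p\n'
}

# Strip group/other write bits from every offending entry. Ownership is left
# alone (that needs root), so the chown command is printed for review instead.
harden_serverroot() {
    root=$1
    owner=${2:-0}
    find "$root" \( -type f -o -type d \) -perm /022 -exec chmod go-w {} +
    find "$root" ! -uid "$owner" -printf "review: chown $owner %p\n"
}

# Count report lines that start with a given tag (used by the demo and by tests).
count_tag() {
    printf '%s\n' "$2" | grep -c "^$1 " || true
}

# Constructed demo ServerRoot, not a real install: the log directory is
# world-writable and the httpd binary is group-writable.
build_demo_serverroot() {
    root=$(mktemp -d)
    mkdir -p "$root/bin" "$root/conf" "$root/logs"
    printf '#!/bin/sh\necho httpd\n' > "$root/bin/httpd"
    echo 'ServerRoot "/usr/local/apache2"' > "$root/conf/httpd.conf"
    chmod 755 "$root" "$root/bin" "$root/conf"
    chmod 644 "$root/conf/httpd.conf"
    chmod 777 "$root/logs"        # anyone can create or replace log files
    chmod 775 "$root/bin/httpd"   # the server's group can replace the binary
    echo "$root"
}

# Usage: sh audit_serverroot.sh /usr/local/apache2 [expected-uid]   (or --demo)
if [ "${1:-}" = "--demo" ]; then
    demo=$(build_demo_serverroot)
    audit_serverroot "$demo" "$(id -u)"
    harden_serverroot "$demo" "$(id -u)"
    echo "after hardening:"
    audit_serverroot "$demo" "$(id -u)"
elif [ -n "${1:-}" ]; then
    audit_serverroot "$1" "${2:-0}"
fi
```

Group-writable entries are reported alongside world-writable ones on purpose: if the server's unprivileged user shares a group with the ServerRoot files, a compromised CGI script running as that user gets the same write access.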
10. Protect the File System
   - Deny access to the whole file system by default, and to the root user's home directory (http://localhost/~root):
       <Directory />
           Order Deny,Allow
           Deny from all
       </Directory>
       UserDir disabled root
   - Run the server in a chroot environment.
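Slides 6 through 10 each name a setting that should be locked down, and the most common way the slide 10 block fails is a typo: Order takes exactly one argument, so "Order Deny, Allow" with a space is a syntax error and httpd will not start with it. The script below is an added example, not from the slides and not Apache's own tooling (apachectl configtest catches the syntax error but not the weak settings). It lints an httpd.conf for the directives discussed above and prints the hardened stanza that replaces the slide's block. It assumes POSIX sed and awk; the sample configuration it writes is constructed. Note that on Apache 2.4 the Order/Deny directives belong to mod_access_compat and the equivalent is Require all denied.

```shell
#!/bin/sh
# Added example: lint the Apache 2.2-style directives used on these slides and
# emit the hardened replacement stanza. Not from the slides. Assumes POSIX sed/awk.
#   SYNTAX  "Order Deny, Allow" with a space: Order takes one argument, so
#           httpd refuses to start and the lockdown never applies
#   WEAK    AllowOverride other than None; Options granting All, ExecCGI,
#           Includes or FollowSymLinks; UserDir enabled without "UserDir disabled root"
# It does not understand scope, so an Options ExecCGI meant for a dedicated
# cgi-bin directory is still reported for the admin to confirm.

lint_httpd_conf() {
    sed 's/#.*//' "$1" | awk '
        tolower($1) == "order" && NF != 2 {
            print "SYNTAX line " NR ": Order takes one argument, e.g. Deny,Allow with no space"
        }
        tolower($1) == "allowoverride" && tolower($2) != "none" {
            print "WEAK line " NR ": " $1 " " $2 " (.htaccess can override admin controls)"
        }
        tolower($1) == "options" {
            for (i = 2; i <= NF; i++) {
                o = tolower($i); sub(/^[+]/, "", o)
                if (o == "all" || o == "execcgi" || o == "includes" || o == "followsymlinks") {
                    print "WEAK line " NR ": Options grants " $i
                    break
                }
            }
        }
        tolower($1) == "userdir" {
            if (tolower($2) == "disabled" && (NF == 2 || tolower($3) == "root")) disabled = 1
            else enabled = 1
        }
        END {
            if (enabled && !disabled) print "WEAK: UserDir enabled without \"UserDir disabled root\" (~root is reachable)"
        }'
}

# Replacement for the slide 10 block: everything closed at the file system root,
# reopened only in explicit <Directory> sections for the areas you serve.
hardened_root_stanza() {
    cat <<'EOF'
<Directory />
    Options None
    AllowOverride None
    Order Deny,Allow
    Deny from all
</Directory>
UserDir disabled root
EOF
}

# Constructed sample httpd.conf containing the weak settings, not a real install.
write_weak_config() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
ServerRoot "/usr/local/apache2"
<Directory />
    Order Deny, Allow
    Deny from all
</Directory>
<Directory "/usr/local/apache2/htdocs">
    Options Indexes FollowSymLinks Includes
    AllowOverride All
</Directory>
UserDir public_html
EOF
    echo "$f"
}

# Usage: sh lint_httpd.sh /usr/local/apache2/conf/httpd.conf   (or --demo)
if [ "${1:-}" = "--demo" ]; then
    lint_httpd_conf "$(write_weak_config)"
elif [ -n "${1:-}" ]; then
    lint_httpd_conf "$1"
fi
```

Against the constructed sample the lint reports the Order syntax error, the Options and AllowOverride lines in the htdocs section, and the enabled UserDir; against the hardened stanza it reports nothing.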
11. General Security Tips for Apache
   - CGI scripts run under Apache's user, so they may conflict with other scripts.
     - suEXEC, a program included with Apache, allows scripts to run as different users.
   - Disallow .htaccess files, which may override the admin's security controls: AllowOverride None
   - Server-side includes require additional processing by Apache and require .shtml files.
     - They can also execute (EXEC) any CGI script or program under the permissions of the user/group Apache runs as.
       - Use the IncludesNOEXEC option to prohibit this.
12. Major Web Site Security Concerns
   - Protecting your computer from unauthorized users
     - Authentication: the process of allowing users access to the web service based on usernames and passwords, or on IP addresses or domains
   - Protecting your computer from programs that run on the host computer
     - SSI "includes"
     - Executable directories
     - Controls, scripts, applets, etc.