
Setting Up Security on Apache
Published in: Technology

1. Setting Up Security on Apache
  • Three main areas to consider:
    • Protecting the files on your web server
    • Protecting the URLs on your web site
    • Controlling real-time activity

2. Protecting the Files on Your Web Server
  • Most files that control the web server's operation are under ServerRoot.
    • The server runs under an identity (nobody) that should not be able to modify its own control files.
    • The exceptions are error_log and access_log.
  • Most files in the server's DocumentRoot should be read-only to the server. Carefully consider any exceptions.
    • Symbolic links can bypass DocumentRoot control.

3. Symbolic Links
  • Symbolic links allow a file to appear to exist in multiple locations.
    • The danger is that a symbolic link inadvertently provides access to files via an unexpected path.
    • To create a symlink: ln -s resource_to_link symlink_name
    • To find symlinks: find documentroot -type l -print

4. More on Symbolic Links
  • In httpd.conf, these directives affect symbolic links:
    • Options FollowSymLinks allows Apache to follow links to the real file or directory.
      • Options -FollowSymLinks turns off following symlinks.
    • Options SymLinksIfOwnerMatch allows Apache to follow a link ONLY if the user ID that owns the link is the same as the one that owns the actual file.

5. Protecting the URLs on Your Web Site
  • This involves the mandatory and discretionary access control discussed in the "Server Users and Documents" slides, which covered the use of authentication and authorization.

6. Controlling Real-Time Activity: Options
  • Options: each scope has its own set of options.
    • All (all options enabled); None (no options enabled)
    • ExecCGI (enables CGI script execution)
    • FollowSymLinks | SymLinksIfOwnerMatch
    • Includes (allows server-side includes)
    • IncludesNOEXEC (as above, but without #exec and #include)
    • Indexes (allows default directory indexes to be created)
    • MultiViews (content-negotiation MultiViews; not included in All)

7. More on Options
  • It is a good idea to turn off Options in areas where the web admin does not have sole control.
    • Turn off all Options:
        Options None
    • Turn off individual options:
        Options -Includes -IncludesNOEXEC -ExecCGI

8. Controlling Real-Time Activity: AllowOverride
  • AllowOverride controls whether directives are allowed in .htaccess files, and which ones.
    • All (any directive allowed in .htaccess)
    • AuthConfig (authentication directives such as AuthType allowed)
    • FileInfo (file-processing directives such as AddType allowed)
    • Indexes (allows directives for indexing, if enabled, such as DirectoryIndex)
    • Limit (controls whether the mandatory access-control directives Order, Allow and Deny are processed if found in .htaccess)
    • None (completely disables processing of .htaccess files)
    • Options (allows Options directives found in .htaccess to be processed)

9. Permissions on ServerRoot Directories
  • Be sure these directories are writeable only by root.
    • If non-root users can modify files that root executes or writes, the system is open to root compromise (httpd could be replaced, log files overwritten, etc.).

10. Protect the File System
  • Keep requests such as http://localhost/~root from reaching the file system:
        <Directory />
            Order Deny,Allow
            Deny from all
        </Directory>
        UserDir disabled root
    • Run the server in a chroot environment.

11. General Security Tips for Apache
  • CGI: scripts run under Apache's user, so they may conflict with other scripts.
    • suEXEC: a program included with Apache that allows scripts to run as different users.
  • Disallow .htaccess files, which may override the admin's security controls:
        AllowOverride None
  • Server Side Includes require additional processing by Apache and require the .shtml extension.
    • SSI can also execute (#exec) any CGI script or program under the permissions of the user/group Apache runs as.
      • Use the IncludesNOEXEC option to prohibit this.

12. Major Web Site Security Concerns
  • Protecting your computer from unauthorized users
    • Authentication: the process of allowing users access to the web service based on usernames and passwords, or on IP addresses or domains.
  • Protecting your computer from programs that run on the host computer
    • SSI "includes"
    • Executable directories
    • Controls, scripts, applets, etc.
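Slides 3 and 4 suggest finding symlinks with find and then relying on FollowSymLinks or SymLinksIfOwnerMatch. As an added example that is not part of the slides, the Python script below classifies every symlink under a DocumentRoot by the risk those directives address (link escapes the DocumentRoot, link and target owners differ, or the target is gone); the directory tree it audits is constructed in a temporary directory by run_demo().

```python
# Added example (not the slides' own): audit a DocumentRoot for symbolic links that
# escape it, dangle, or whose owner differs from the target's. run_demo() builds a
# constructed tree under a temporary directory to show the outcomes.
import os
import tempfile


def audit_symlinks(docroot):
    """Return sorted (relative_link_path, reason) for every risky symlink under docroot.

    escapes  : target resolves outside the real DocumentRoot; FollowSymLinks would serve it
    owner    : link owner != target owner; SymLinksIfOwnerMatch would refuse to follow it
    dangling : target does not exist
    """
    root = os.path.realpath(docroot)
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):  # followlinks=False: never descend via links
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            if not os.path.islink(path):
                continue
            rel = os.path.relpath(path, root)
            target = os.path.realpath(path)
            if not os.path.exists(target):
                findings.append((rel, "dangling"))
            elif os.path.commonpath([root, target]) != root:
                findings.append((rel, "escapes"))
            elif os.lstat(path).st_uid != os.stat(target).st_uid:
                findings.append((rel, "owner"))
    return sorted(findings)


def run_demo():
    """Build a constructed DocumentRoot with one safe link and two risky ones, then audit it."""
    base = tempfile.mkdtemp()
    docroot = os.path.join(base, "htdocs")
    os.makedirs(os.path.join(docroot, "img"))
    open(os.path.join(docroot, "index.html"), "w").close()
    open(os.path.join(base, "secret.conf"), "w").close()  # lives outside the DocumentRoot
    os.symlink("../index.html", os.path.join(docroot, "img", "home.html"))  # safe: stays inside
    os.symlink(os.path.join(base, "secret.conf"), os.path.join(docroot, "cfg"))  # escapes
    os.symlink("gone.html", os.path.join(docroot, "old.html"))  # dangling
    return audit_symlinks(docroot)


if __name__ == "__main__":
    for link, reason in run_demo():
        print(f"{reason:8s} {link}")
```

Pointing audit_symlinks() at a real DocumentRoot lists the links to review before enabling FollowSymLinks in that scope.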
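Slides 6 to 8 and 11 name the Options and AllowOverride values to restrict where the web admin lacks sole control. The following added example (not from the slides) is a small linter that applies that advice to the <Directory> blocks of a constructed httpd.conf fragment, SAMPLE_CONF; the messages and rule set are the example's own, not Apache's.

```python
# Added example (not the slides' own): lint <Directory> blocks of an httpd.conf fragment
# against the slides' Options/AllowOverride advice. SAMPLE_CONF is constructed.
import re
# Options values the slides single out; lowercase because Apache matches them case-insensitively.
RISKY_OPTIONS = {
    "execcgi": "ExecCGI enabled: CGI runs as the Apache user (consider suEXEC)",
    "includes": "Includes enabled: SSI #exec can run programs as the Apache user (use IncludesNOEXEC)",
    "followsymlinks": "FollowSymLinks enabled: links followed regardless of owner (use SymLinksIfOwnerMatch)",
}
ALL_OPTIONS = {"execcgi", "followsymlinks", "symlinksifownermatch", "includes", "includesnoexec", "indexes"}  # not MultiViews
SAMPLE_CONF = """\
<Directory />
    Options None
    AllowOverride None
</Directory>
<Directory /var/www/htdocs>
    Options Indexes FollowSymLinks Includes
    AllowOverride All
</Directory>
<Directory /home/*/public_html>
    Options -ExecCGI -Includes +IncludesNOEXEC SymLinksIfOwnerMatch
    AllowOverride AuthConfig
</Directory>
"""


def lint_httpd_conf(text):
    """Return (directory, message) for every risky setting in each <Directory> block."""
    findings = []
    for directory, body in re.findall(r"<Directory\s+([^>\s]+)\s*>(.*?)</Directory>", text, re.S | re.I):
        options, override = set(), None
        for line in body.splitlines():
            words = line.split()
            if words and words[0].lower() == "options":
                for word in words[1:]:
                    name = word.lstrip("+-").lower()
                    if word.startswith("-"):
                        options.discard(name)   # "Options -Includes" switches one option off
                    elif name == "none":
                        options.clear()
                    elif name == "all":
                        options |= ALL_OPTIONS
                    else:
                        options.add(name)
            elif words and words[0].lower() == "allowoverride":
                override = " ".join(words[1:])
        findings += [(directory, msg) for name, msg in RISKY_OPTIONS.items() if name in options]
        if override is None or override.lower() != "none":
            findings.append((directory, f"AllowOverride {override or 'unset'}: .htaccess can override these controls (set AllowOverride None)"))
    return findings
```

Running lint_httpd_conf(SAMPLE_CONF) reports nothing for the locked-down root block, three findings for /var/www/htdocs, and only the AllowOverride finding for the user directories.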