
Apache Web Server Setup 4



Published in: Technology

  1. Meeting 4: Advanced Topics, Continued: Securing the Apache Server and Apache Performance Tuning. Rutgers University Internet Institute. Instructor: Chris Uriarte (CU520-03- WMPUPDT)
  2. Today's Session
     - Protecting your Web server against attacks.
     - Providing authenticated access to your Web site.
     - Overview of SSL-enabled Web servers.
     - Apache performance tuning.
     - Wrap-up and evaluations.
  3. Levels of Web Server Security
     - Protecting data supplied through client browsers.
     - Protecting or restricting access to data stored on your Web server.
     - Protecting the Web server software.
     - Protecting the server that houses your Web server.
  4. Common Attacks on Systems that Run Web Servers
     - CGI exploits
       - Badly written or buggy Web application (CGI) programs allow access to restricted resources or consume server resources.
     - DoS (Denial of Service)
       - Software or operating system server exploits.
     - Packet sniffers
       - Hackers "sniff" clear-text passwords.
     - Buffer overflows
       - Attacks that cause a piece of software to crash and possibly give unprivileged users privileged access.
  5. Securing Your Web Server
     - Restrict access (by location or authentication) to file systems and resources.
       - Password or IP authentication/authorization.
     - Disable server-side technologies if they are not required.
       - Disable CGI access and Server Side Includes.
       - Remove ExecCGI and Includes from the Options directive of your httpd.conf.
     - Do not run your server as "root."
       - The User directive in httpd.conf should specify a user other than root (e.g. nobody, www, etc.).
  6. Securing Your Web Server, con't.
     - Filter traffic with a firewall.
       - Use a network device that only allows access to particular resources on a network.
     - Use encryption technologies (ssh, ssl).
     - Monitor your logs for problems.
     - Secure the system that hosts your Web server: disable ports and services not in use, install security patches, and take preventative measures against popular exploits.
       - Websites like and have information on current exploits.
  7. Access by Authentication
     - Standard authentication modules: mod_auth, mod_auth_anon, mod_auth_dbm, mod_auth_db, mod_digest.
     - Access in Apache can be defined by user or group.
     - For Basic Authentication:

           <Directory /home/iti1234/htdocs/restricted>
               AuthType Basic
               AuthName "Restricted Access"
               AuthUserFile /usr/local/apache/passwd.file
               AuthGroupFile /usr/local/apache/group.file
               # Grant access to one named user and to the members of two groups
               require user user1
               require group group1 group2
           </Directory>
  8. Authentication, con't.
     - Authenticated access is often set up through a .htaccess file in the directory you want to protect, but it can also be set up via httpd.conf.
     - Passwords are sent in the clear with Basic authentication.
  9. Basic Authentication: Line by Line
     - You can keep authentication info in a <Directory> block in httpd.conf or in an .htaccess file.
     - First, specify the AuthType, which is Basic:
           AuthType Basic
     - Next, specify the text string that will be displayed when the username/password box is presented to the user:
           AuthName "My Secret Webpages"
     - Next, specify the path to a file that will contain the usernames and passwords of your users:
           AuthUserFile /home/apache/passwd.file
       (best to keep this file out of the DocumentRoot)
  10. Basic Authentication, con't.
     - Finally, add a require statement within a <Limit GET> block, which can limit access to a specific username or group. It can contain a list of groups, user names, or the text "valid-user" to represent any valid user in the password file:
           <Limit GET>
               require valid-user
           </Limit>
  11. Basic Authentication, con't.
     - The final block looks like this:

           <Directory /home/iti1234/htdocs/restricted>
               AuthType Basic
               AuthName "My Secret Webpage"
               AuthUserFile /home/apache/passwd.file
               <Limit GET>
                   require valid-user
               </Limit>
           </Directory>

     - ... which will prompt a user for a username/password when any document under /home/iti1234/htdocs/restricted is requested.
  12. Creating a Password File
     - htpasswd is a utility for generating encrypted passwords and creating a password file.
     - It is part of the Apache distribution, located in {SERVER ROOT}/bin/htpasswd.
     - Usage: htpasswd [-c] password-file username
     - The -c flag creates a new password file.
     - Example, which creates a new password file and adds the user myname (type all on one line):
           /home/iti1234/bin/htpasswd -c /home/iti1234/apache/passwdfile myname
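The Basic Authentication flow that slides 8 through 12 describe, as an added example that is not part of the course material: the Authorization header a browser sends after the AuthName prompt, the AuthUserFile lookup, and the decision behind the require line. It assumes the {SHA} password scheme that `htpasswd -s` writes; the user names, passwords and file contents are constructed for the demonstration.

```python
import base64
import hashlib
import hmac

def sha_entry(password):
    """The {SHA} form written by `htpasswd -s`: base64 of the raw SHA-1 digest."""
    return "{SHA}" + base64.b64encode(hashlib.sha1(password.encode()).digest()).decode()

# Constructed AuthUserFile contents (not a real file): one `user:hash` per line.
PASSWD_FILE = "guest:" + sha_entry("letmein") + "\nuser1:" + sha_entry("s3cret") + "\n"

def build_authorization_header(username, password):
    """What the browser sends after the AuthName prompt: base64, not encryption."""
    token = base64.b64encode(f"{username}:{password}".encode()).decode()
    return "Authorization: Basic " + token

def decode_authorization_header(header):
    """Reversing the header needs no key, so without SSL the password is in the clear."""
    parts = header.split()
    if len(parts) != 3 or parts[0] != "Authorization:" or parts[1] != "Basic":
        raise ValueError("not a Basic Authorization header")
    user, _, password = base64.b64decode(parts[2]).decode().partition(":")
    return user, password

def parse_passwd_file(text):
    """AuthUserFile lines -> {user: stored_hash}; blank and # lines are skipped."""
    users = {}
    for line in text.splitlines():
        if line.strip() and not line.startswith("#"):
            user, _, hashed = line.partition(":")
            users[user] = hashed
    return users

def check_password(stored, password):
    """Only the {SHA} scheme is handled; any other scheme is rejected, not guessed."""
    return stored.startswith("{SHA}") and hmac.compare_digest(stored, sha_entry(password))

def authorize(header, passwd_text, require="valid-user"):
    """The require decision: 200 ok, 401 bad/missing credentials, 403 user not listed."""
    try:
        user, password = decode_authorization_header(header)
    except ValueError:
        return 401
    users = parse_passwd_file(passwd_text)
    if user not in users or not check_password(users[user], password):
        return 401
    words = require.split()
    if words[0] == "valid-user" or (words[0] == "user" and user in words[1:]):
        return 200
    return 403
```

Because the header is only base64, anyone who can sniff the connection reads the password, which is why the slides pair Basic authentication with encryption (SSL). Note also that wrapping `require` in `<Limit GET>`, as the slides do, applies it to GET requests only; `require` placed directly inside the `<Directory>` block covers every method.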
  13. Exercise: Password Protecting Your Website
     - For this exercise, you will make the Website running on your workstation password-restricted using a .htaccess file.
     - In the directory container for your document root (/home/itiXXXX/apache/htdocs), set the following in httpd.conf: AllowOverride AuthConfig
  14. Exercise, con't.
     - In /home/itiXXXX/apache/htdocs, create a .htaccess file with the following contents:

           AuthUserFile /home/itiXXXX/apache/.htpasswd
           AuthGroupFile /dev/null
           AuthName "My Protected Site"
           AuthType Basic
           <Limit GET>
               require valid-user
           </Limit>
  15. Exercise, con't.
     - Next, create a password file using htpasswd:
           htpasswd -c /home/itiXXXX/apache/.htpasswd guest
     - Provide the password for the guest user when prompted.
     - Access your website ( ) and provide the username/password.
  16. Restrict Access by Location Authorization
     - As discussed in Meeting 2, you can restrict access to web resources by IP address, hostname, domain name and IP block by using a <Directory> block in httpd.conf or an .htaccess file:

           <Directory /home/itiXX/htdocs/restricted>
               order deny,allow
               deny from all
               allow from
           </Directory>
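The `order deny,allow` / `deny from all` / `allow from ...` pattern on this slide is easy to get backwards, so here is an added example (not from the course) that evaluates the Apache 1.3/2.2 `Order` semantics for a client address and hostname; the 10.0.0.0/8 block and the example.com suffix are constructed stand-ins for the slide's elided `allow from` argument.

```python
import ipaddress

def _matches(pattern, client_addr, client_host):
    """One `allow from` / `deny from` argument: `all`, a full IP address, a CIDR or
    netmask block, or a domain suffix checked against the reverse-resolved hostname.
    Apache's partial-IP form such as `10.1` is not handled here."""
    if pattern == "all":
        return True
    try:
        return client_addr in ipaddress.ip_network(pattern, strict=False)
    except ValueError:
        pass  # not an address pattern, so treat it as a domain name
    if not client_host:
        return False  # no hostname known (HostnameLookups off), so no domain match
    suffix = pattern.lstrip(".")
    return client_host == suffix or client_host.endswith("." + suffix)

def evaluate_access(order, allow, deny, client_ip, client_host=None):
    """Apache 1.3/2.2 `Order` semantics. `deny,allow`: default allow, and a matching
    allow overrides a matching deny (the slide's `deny from all` plus `allow from
    <trusted>`). `allow,deny` and `mutual-failure`: default deny, deny overrides."""
    addr = ipaddress.ip_address(client_ip)
    allowed = any(_matches(p, addr, client_host) for p in allow)
    denied = any(_matches(p, addr, client_host) for p in deny)
    order = order.replace(" ", "").lower()
    if order == "deny,allow":
        return allowed or not denied
    if order in ("allow,deny", "mutual-failure"):
        return allowed and not denied
    raise ValueError(f"unknown Order: {order}")

# Constructed example: the slide's block with a campus network and a domain suffix
# filled in for the elided `allow from` argument.
SLIDE_ALLOW = ["10.0.0.0/8", ".example.com"]
SLIDE_DENY = ["all"]
```

In Apache 2.4 this directive family is replaced by `Require ip` / `Require host`, which has no ordering pitfall.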