About Apache's security configuration

0x00 Apache Application Introduction

Apache is the world's most widely used web server software. It runs on almost all common computer platforms. Its portability and its security record have made it one of the most popular web servers. It is fast and reliable, and it can be extended through a simple API, for example with Perl or Python modules.

0x01 Why Do Security Configurations?

In the last two issues, we discussed the security configuration of databases. Web middleware also has security problems caused by improper configuration. The default Apache configuration has several security issues, such as disclosure of the version number and use of obsolete SSL protocols. A secure Apache configuration therefore reduces these threats effectively. The following sections discuss the security configuration of Apache.


0x02 How to configure security

1. Apache user account shell should be invalid

The apache account must not be usable as a regular login account; assign it the nologin shell or an invalid shell so that nobody can log in with it. The apache account's shell should be /sbin/nologin or /dev/null.

Hardening method: Modify the apache account to use the nologin shell or an invalid shell such as /dev/null.

# chsh -s /sbin/nologin apache

2. Lock Apache user account

The Apache running user account should not have a valid password and should be locked.

Hardening method: Use the passwd command to lock the apache account.

# passwd -l apache
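Checks 1 and 2 can be verified together from /etc/passwd and /etc/shadow. The script below is an added example, not part of the original article: it reads constructed passwd and shadow entries (not taken from a real host) and reports an account whose login shell is still interactive or whose password is not locked. The function names and the sample entries are this example's own.

```python
# Constructed /etc/passwd and /etc/shadow entries for a host on which the apache
# account is still misconfigured (not taken from a real system).
PASSWD_LINES = [
    "root:x:0:0:root:/root:/bin/bash",
    "apache:x:48:48:Apache:/var/www:/bin/bash",
]
SHADOW_LINES = [
    "root:$6$constructedhash$abc:19000:0:99999:7:::",
    "apache:$6$constructedhash$xyz:19000:0:99999:7:::",
]

# Shells that cannot start an interactive session: /dev/null is the "invalid
# shell" the text mentions, the others are the usual nologin binaries.
NOLOGIN_SHELLS = {"/sbin/nologin", "/usr/sbin/nologin", "/bin/false", "/dev/null"}


def field_for(user, lines, index):
    """Return field `index` of the colon-separated entry for `user`, or None if absent."""
    for line in lines:
        fields = line.split(":")
        if fields[0] == user:
            return fields[index]
    return None


def password_locked(shadow_hash):
    """True when the shadow password field can never match a typed password:
    passwd -l prefixes the hash with '!', and '*' or '!!' mean no password is set."""
    return shadow_hash is not None and (shadow_hash.startswith("!") or shadow_hash == "*")


def audit_service_account(user, passwd_lines, shadow_lines):
    """Apply checks 1 and 2 to one account and return the list of findings (empty = pass)."""
    findings = []
    shell = field_for(user, passwd_lines, 6)
    if shell is None:
        return [f"{user}: no passwd entry found"]
    if shell not in NOLOGIN_SHELLS:
        findings.append(f"{user}: login shell is {shell}; run chsh -s /sbin/nologin {user}")
    if not password_locked(field_for(user, shadow_lines, 1)):
        findings.append(f"{user}: password is not locked; run passwd -l {user}")
    return findings


if __name__ == "__main__":
    for finding in audit_service_account("apache", PASSWD_LINES, SHADOW_LINES):
        print(finding)
```

On a real host, pass the contents of /etc/passwd and /etc/shadow (read as root) in place of the constructed lists; the two findings printed for the sample correspond exactly to the chsh and passwd commands given above.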

3. Configuration error log

The LogLevel directive sets the severity level of the error log, and the ErrorLog directive sets the error log file name. The log level values are the standard syslog levels: emerg, alert, crit, error, warn, notice, info, and debug. The recommended level is notice, which records everything from emerg down to notice. The core module should be set to info so that "not found" requests are also included in the error log.

Hardening method:

a. Add or modify the LogLevel value in the Apache configuration: set the core module to info or lower, and all other modules to notice or lower. If more detailed logging is needed and the storage and monitoring processes can handle the additional load, info or debug may also be used. The recommended value is notice core:info.

LogLevel notice core:info

b. If not already configured, add the ErrorLog instruction. The file path may be relative or absolute, or the log may be configured to be sent to the syslog server.

ErrorLog "logs/error_log"

c. If different virtual hosts have different people responsible for them, add a similar ErrorLog directive to each configured virtual host. Each responsible person or organization needs access to their own web logs, and the skills, training, and tools to monitor them.

4. Disable weak SSL protocol

The Apache SSLProtocol directive specifies the allowed SSL and TLS protocols. Because the SSLv2 and SSLv3 protocols are outdated and vulnerable to information leakage, they should be disabled. Only the TLS protocol should be enabled.

Hardening method: Look for the SSLProtocol directive in the Apache configuration file; add it if it does not exist, or modify the value to match one of the following values. If the TLSv1.0 protocol can also be disabled, the setting "TLSv1.1 TLSv1.2" is preferred.

SSLProtocol TLSv1.1 TLSv1.2

SSLProtocol TLSv1

5. Insecure SSL Renegotiation Should Be Limited

Apache 2.2.15 added the SSLInsecureRenegotiation directive for servers built against OpenSSL 0.9.8m or later; it re-enables insecure renegotiation to keep backward compatibility with older clients that use unpatched SSL libraries. While it provides that compatibility, enabling SSLInsecureRenegotiation makes the server vulnerable to man-in-the-middle renegotiation attacks (CVE-2009-3555). Therefore, the SSLInsecureRenegotiation directive should not be enabled.

Hardening method: Look for the SSLInsecureRenegotiation directive in the Apache configuration file. If it exists, change the value to off.

SSLInsecureRenegotiation off

6. Timeout should be set to less than or equal to 10

The Timeout directive controls the maximum time (in seconds) that the Apache HTTP server waits for input/output calls to complete. It is recommended to set Timeout to 10 or less.

Hardening method: Modify the Apache configuration file to set Timeout to 10 seconds or less.

Timeout 10

7. KeepAlive should be set to On

The KeepAlive directive determines whether Apache keeps the TCP connection open for further requests or closes it immediately after serving one HTTP request.

Hardening method: Modify the Apache configuration file and set KeepAlive to On to enable the KeepAlive connection.

KeepAlive On

8. MaxKeepAliveRequests should be set to greater than or equal to 100

When KeepAlive is enabled, the MaxKeepAliveRequests directive limits the number of requests allowed per connection. If set to 0, unlimited requests are allowed. It is recommended to set MaxKeepAliveRequests to 100 or more.

Hardening method: Modify the Apache configuration file to set MaxKeepAliveRequests to 100 or more.

MaxKeepAliveRequests 100

9. KeepAliveTimeout should be set to less than or equal to 15

The KeepAliveTimeout directive specifies the number of seconds to wait for the next request before closing the persistent connection.

Hardening method: Modify the Apache configuration file to set KeepAliveTimeout to 15 or less.

KeepAliveTimeout 15

10. Disable WebDAV module

The Apache mod_dav and mod_dav_fs modules provide Apache's WebDAV (Web-based Distributed Authoring and Versioning) functionality. WebDAV is an extension of the HTTP protocol that allows clients to create, move, and delete files and resources on a web server.

Hardening method:

a. For modules compiled statically from source, run Apache's ./configure script without mod_dav and mod_dav_fs in the --enable-modules= option.

$ cd $DOWNLOAD/httpd
$ ./configure

b. For dynamically loaded modules, comment out or remove the LoadModule directives for the mod_dav and mod_dav_fs modules in the Apache configuration file.

# LoadModule dav_module modules/mod_dav.so
# LoadModule dav_fs_module modules/mod_dav_fs.so

11. Hide Apache version number and other sensitive information

Configure the Apache ServerTokens directive to provide minimal information. With the value Prod or ProductOnly, the only version information in the server's HTTP response header is "Apache", instead of details of the installed modules and their versions. Set ServerSignature to Off to disable the signature line that Apache otherwise appends as a footer to server-generated documents such as error pages.

Hardening method: In the Apache configuration file, ServerTokens should be set to Prod and ServerSignature should be set to Off.

12. Prevent leakage of default Apache content

In the previous recommendation, default content such as the Apache manual and the default CGI programs was removed. To limit information disclosure about the web server further, it is also important that default content such as the icons does not remain on the web server.

Hardening method:

a. The default source build places the automatic indexing and icon configuration in the extra/httpd-autoindex.conf file, so it can be disabled by commenting out the Include line in the main httpd.conf file:

# Fancy directory listings
# Include xxx/httpd-autoindex.conf

b. Alternatively, you can comment out the icons alias directive and directory access control as follows:

# We include the /icons/ alias for FancyIndexed directory listings. If
# you do not use FancyIndexing, you may comment this out.
#
#Alias /icons/ "/var/"
#<Directory "/var/">
#    Options Indexes MultiViews FollowSymLinks
#    AllowOverride None
#    Order allow,deny
#    Allow from all
#</Directory>

13. Disabling HTTP TRACE Methods

Use the Apache TraceEnable directive to disable the HTTP TRACE request method. Leaving TRACE enabled exposes the server to cross-site tracing attacks.

Hardening method: Find the main Apache configuration file such as httpd.conf. Set TraceEnable to off in the server-level configuration. The server-level configuration is a top-level configuration and is not nested within any other directive such as Directory or Location.

14. Restrict all directory coverage

The Apache AllowOverride directive controls whether .htaccess files may override most of the configuration, including authentication, document type handling, automatically generated indexes, access controls, and options. When the server finds a .htaccess file (named by AccessFileName), it needs to know which directives declared in that file may override the earlier configuration. When AllowOverride is set to None, .htaccess files are ignored completely; the server does not even try to read them from the file system. When it is set to All, any directive with a .htaccess context is allowed in the .htaccess file.

Hardening method: Every Directory section in the Apache configuration file should be set to AllowOverride None.
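The directives in sections 3 to 14 are each a single line in httpd.conf, so they can be audited in one pass. The baseline checker below is an added example written for this article; it is not code from the Apache project or from any published benchmark. It parses a constructed httpd.conf fragment (SAMPLE_HTTPD_CONF, not taken from a real server) and reports every directive that misses the values recommended above. The function names are this example's own, the parser handles the simple one-directive-per-line form of httpd.conf without following Include files, and an absent SSLProtocol is treated as "all" on the conservative assumption that the build-dependent default should be reviewed.

```python
LOG_LEVELS = ["emerg", "alert", "crit", "error", "warn", "notice", "info", "debug"]
SSL_PROTOCOLS = {"sslv2", "sslv3", "tlsv1", "tlsv1.1", "tlsv1.2", "tlsv1.3"}
# Constructed httpd.conf fragment (not from a real server) with several weak settings from sections 3 to 14 left in.
SAMPLE_HTTPD_CONF = """\
ServerTokens Full
ServerSignature On
TraceEnable On
Timeout 300
KeepAlive On
MaxKeepAliveRequests 100
KeepAliveTimeout 5
LogLevel warn
ErrorLog "logs/error_log"
LoadModule dav_module modules/mod_dav.so
#LoadModule dav_fs_module modules/mod_dav_fs.so
SSLProtocol all -SSLv2
SSLInsecureRenegotiation on
<Directory />
    AllowOverride All
</Directory>
"""

def parse_directives(conf_text):
    """Map each directive (lower-cased) to its argument strings; comments and <section> tags are skipped."""
    directives = {}
    for line in (raw.strip() for raw in conf_text.splitlines()):
        if line and line[0] not in "#<":
            parts = line.split(None, 1)
            directives.setdefault(parts[0].lower(), []).append(parts[1] if len(parts) > 1 else "")
    return directives

def level_rank(level):
    """emerg is 0 and debug is 7; trace1..trace8 rank above debug, unknown names below emerg."""
    level = level.lower()
    return len(LOG_LEVELS) if level.startswith("trace") else LOG_LEVELS.index(level) if level in LOG_LEVELS else -1

def enabled_ssl_protocols(value):
    """Expand Apache's all/+name/-name syntax; "all" is read conservatively as every protocol mod_ssl could support."""
    enabled = set()
    for token in value.lower().split():
        if token == "all":
            enabled |= SSL_PROTOCOLS
        elif token.startswith("-"):
            enabled.discard(token[1:])
        else:
            enabled.add(token.lstrip("+"))
    return enabled

def check_baseline(conf_text):
    """Apply the checks from sections 3 to 14 and return (directive, message) findings; empty means all passed."""
    d = parse_directives(conf_text)
    findings = []
    last = lambda name: d[name][-1] if name in d else None  # Apache applies the last occurrence in a context
    fail = lambda directive, message: findings.append((directive, message))
    # 3. global LogLevel at least notice, core module at least info (Apache's default is warn); ErrorLog present
    tokens = (last("loglevel") or "warn").split()
    core = dict(t.split(":", 1) for t in tokens[1:] if ":" in t).get("core", tokens[0])
    if level_rank(tokens[0]) < level_rank("notice") or level_rank(core) < level_rank("info"):
        fail("LogLevel", f"'{' '.join(tokens)}' is below the recommended 'notice core:info'")
    if last("errorlog") is None:
        fail("ErrorLog", "not set; add an ErrorLog directive")
    # 4. no SSLv2/SSLv3; an absent SSLProtocol is treated as "all" (assumption) so that it gets reviewed
    enabled = enabled_ssl_protocols(last("sslprotocol") or "all")
    if enabled & {"sslv2", "sslv3"}:
        fail("SSLProtocol", "SSLv2/SSLv3 still enabled; restrict to TLSv1.1 TLSv1.2")
    if "tlsv1" in enabled:
        fail("SSLProtocol", "TLSv1.0 enabled; 'TLSv1.1 TLSv1.2' is preferred")
    # 6, 8, 9. numeric limits; values must be plain integers (seconds or requests)
    limits = (("timeout", "Timeout", lambda v: v <= 10, "10 or less"),
              ("maxkeepaliverequests", "MaxKeepAliveRequests", lambda v: v == 0 or v >= 100, "100 or more (0 is unlimited)"),
              ("keepalivetimeout", "KeepAliveTimeout", lambda v: v <= 15, "15 or less"))
    for name, label, ok, advice in limits:
        value = last(name)
        if value is None:
            fail(label, f"not set explicitly; set it to {advice}")
        elif not value.isdigit() or not ok(int(value)):
            fail(label, f"value '{value}' should be {advice}")
    # 5, 7, 11, 13. single-valued switches: (directive, label, Apache's default when absent, accepted values)
    switches = (("sslinsecurerenegotiation", "SSLInsecureRenegotiation", "off", ("off",)),
                ("keepalive", "KeepAlive", "on", ("on",)),
                ("servertokens", "ServerTokens", "full", ("prod", "productonly")),
                ("serversignature", "ServerSignature", "off", ("off",)),
                ("traceenable", "TraceEnable", "on", ("off",)))
    for name, label, default, accepted in switches:
        if (last(name) or default).lower() not in accepted:
            fail(label, f"should be {accepted[0]}")
    # 10. WebDAV modules must not be loaded (commented-out LoadModule lines were skipped by the parser)
    for args in d.get("loadmodule", []):
        if args.split()[:1] in (["dav_module"], ["dav_fs_module"]):
            fail("LoadModule", f"{args.split()[0]} is loaded; comment out the line")
    # 14. every AllowOverride, in every section, must be None
    for value in d.get("allowoverride", []):
        if value.lower() != "none":
            fail("AllowOverride", f"'{value}' lets .htaccess files override the configuration; use None")
    return findings
```

Run check_baseline over the text of httpd.conf and of every file it includes (virtual host files in particular, since ErrorLog and SSLProtocol are usually set there); on the constructed sample it reports nine directives, and the same configuration with the values from sections 3 to 14 applied produces no findings at all.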

15. Delete the default CGI content test-cgi

Most web servers, Apache installations included, ship default CGI content that is not needed and not suitable for production use. The main purpose of these sample programs is to demonstrate the capabilities of the web server. A common piece of default CGI content in Apache installations is the script test-cgi. This script echoes the CGI environment variables back to the requester, which reveals many server configuration details.

Hardening method:

a. Find the cgi-bin files and directories enabled in the Apache configuration via the Script, ScriptAlias, ScriptAliasMatch, or ScriptInterpreterSource directives.

b. Delete the default CGI scripts test-cgi and printenv (if installed) from the cgi-bin directory.

0x03 Summary

Configuring Apache securely can effectively prevent some common security problems, and applying the configuration according to a baseline standard reduces the occurrence of security incidents. Common Chinese baseline standards include the information security classified protection scheme and the telecommunication network and Internet security baseline configuration requirements and testing requirements. The US CIS benchmark also provides a detailed Apache baseline standard. Enterprises can also establish their own security baseline standards based on their own business.
