My motto on a development system is "security, we don't need no stinking security." This is NOT a motto you want to embrace for a production server. Nothing could be truer if you are on a webserver that is internet accessible. Apache is inherently a secure webserver if you take measures to properly secure it.
The following are some tips for doing so. This is not meant to be the "be-all end-all" guide to hardening your Apache webserver, but it will get you started. Most VPS providers and ISPs I have used have vigilant system administrators, but you still need to do your part. At the very least, you should review your httpd.conf file to ensure it has no major security holes.
I am assuming most of you reading this are running on a POSIX (Linux) server. I am also assuming you have the ability to access the file. Different ISPs have different setups, so you may need to open a ticket to be able to access the file. Many purposely will not give you direct access to the file so they can maintain proper security of your webserver. If this is the case you are likely secure and can focus your time on other matters. Many VPS plans allow you full control, so you will be able to access the file. Anyhow, on a POSIX server you should find it located at:
/usr/local/apache/conf
On a Windows Server you can find httpd.conf located under the path where you installed the Apache webserver at apache/conf.
Bottom line, if you are using a reputable ISP then you likely have system administrators and support staff that are well schooled in the art of security. Check their forums and FAQs. Open a ticket to inquire about webserver security if you are not sure.
On a production server you do not want people directly browsing the file system. Being able to view your PHP code on the server is just an invitation to a hacker to figure out how to exploit your server.
This is a very important setting to make.
# Options -Indexes
# as in ...
<Directory "/">
Order Deny,Allow
Deny from all
Options -Indexes
</Directory>
You only want people going to where your web content resides.
# Order Deny,Allow
# Deny from all
# as in ...
<Directory "/">
Order Deny,Allow
Deny from all
Options -Indexes
</Directory>
Best advice I have here: if you are not sure, take no action until you have researched whether it is okay to disable. If all you are hosting is static content then you can disable both server-side includes and CGI.
Options -Includes
Options -ExecCGI
Information like the webserver you are using and the operating system it is running on is helpful to hackers. You can hide these details with the following directives:
ServerSignature Off
ServerTokens Prod
Of course, if you are running your site on an ISP you may not have direct access to the main configuration file, so an override (an .htaccess file permitted by AllowOverride) would be required.
The following useful information is excerpted directly from the Apache site:
In general, you should never use .htaccess files unless you don't have access to the main server configuration file. There is, for example, a prevailing misconception that user authentication should always be done in .htaccess files. This is simply not the case. You can put user authentication configurations in the main server configuration, and this is, in fact, the preferred way to do things.
.htaccess files should be used in a case where the content providers need to make configuration changes to the server on a per-directory basis, but do not have root access on the server system. In the event that the server administrator is not willing to make frequent configuration changes, it might be desirable to permit individual users to make these changes in .htaccess files for themselves. This is particularly true, for example, in cases where ISPs are hosting multiple user sites on a single machine, and want their users to be able to alter their configuration.
However, in general, use of .htaccess files should be avoided when possible. Any configuration that you would consider putting in a .htaccess file, can just as effectively be made in a
<Directory "/usr/local/apache/cgi-bin">
AllowOverride None
Options -Includes
Order allow,deny
Allow from all
</Directory>
You want to ensure that files are secured properly to 755 under the path /usr/local/apache. Below is an example of such a listing:
drwxr-xr-x 2 root root 2048 Aug 15 2009 bin/
drwxr-xr-x 2 root root 2048 Aug 15 2009 build/
drwxr-xr-x 2 root root 2048 Aug 15 2009 cgi-bin/
drwxr-xr-x 8 root root 2048 Aug 1 15:13 conf/
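To find entries under an Apache install that are looser than the 755 shown in that listing (anything group- or world-writable), and to tighten them, here is an added POSIX sh example; it is not code from the original article or from the Apache project. The directory tree it builds under $TMPDIR is a constructed stand-in for /usr/local/apache, and the function names weak_perms and fix_perms are this example's own.

```shell
#!/bin/sh
# Added example (not from the original article): flag entries under an Apache
# install root that are writable by group or others, i.e. looser than the
# rwxr-xr-x (755) the article recommends, then tighten them. The tree built
# here is a constructed stand-in for /usr/local/apache, created under $TMPDIR.

ROOT="${TMPDIR:-/tmp}/apache-perm-demo.$$"
mkdir -p "$ROOT/bin" "$ROOT/conf" "$ROOT/cgi-bin" "$ROOT/htdocs"
printf 'ServerTokens Prod\n' > "$ROOT/conf/httpd.conf"
printf '#!/bin/sh\necho hello\n' > "$ROOT/cgi-bin/test.cgi"
chmod 755 "$ROOT" "$ROOT/bin" "$ROOT/conf" "$ROOT/htdocs"
chmod 644 "$ROOT/conf/httpd.conf"
# two deliberately weak entries in the constructed tree:
chmod 777 "$ROOT/cgi-bin"            # world-writable directory
chmod 775 "$ROOT/cgi-bin/test.cgi"   # group-writable script

# weak_perms DIR: print each entry under DIR that is group- or world-writable
# as "MODE PATH", one per line (prints nothing when the tree is clean).
# -perm -020 / -perm -002 are the octal group-write and other-write bits.
weak_perms() {
    find "$1" \( -perm -020 -o -perm -002 \) -print | sort | while IFS= read -r p; do
        mode=$(ls -ld "$p" | cut -c1-10)
        printf '%s %s\n' "$mode" "$p"
    done
}

# fix_perms DIR: directories to 755, and strip group/other write bits from
# everything else while leaving owner and execute bits as they are.
fix_perms() {
    find "$1" -type d -exec chmod 755 {} +
    chmod -R go-w "$1"
}

echo "== weak entries under $ROOT"
weak_perms "$ROOT"
```

Pair this with a check that the entries are owned by root (find /usr/local/apache ! -user root) on the real server; that check is left out of the demo because the constructed tree is owned by whoever runs the script.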