Apache security configuration

0x00 Test environment

---

centos6.5+apache2.2.15+php5.3.3

0x01 php Introduction to operation mode of

---

php There are four operation modes ：

1 2 3 4 5

<code>1. CGI Universal gateway interface 2. fast-cgi Resident CGI 3. cli Command line run 4. web Module mode </code>

In general ,apache Use web Module mode operation php

0x02 Apache Introduction to operation principle

---

Apache It's based on modular design , Each module is loaded on demand when the system starts .Apache about php Parsing , It's through a lot of Module Medium php Module To complete .

therefore ,php Loading becomes apache A module of , You can put apache and php Look at... As a whole .

When the browser requests a php When you file , We can understand it as apache Directly process the results returned to the browser , There will only be... On the server httpd process , There will be no php process .

apache Some configurations of are mainly through httpd.conf To achieve , But you can httpd.conf Turn on the right .htaccess Support for , And then in .htaccess To configure . But in general , Should not be used .htaccess file , Unless you don't have access to the main configuration file ..htaccess The file should be used when the content provider needs to change the server configuration for a specific directory without root In case of authority . If the server administrator is unwilling to modify the configuration frequently , You can allow users to pass .htaccess Modify the configuration file by yourself .

0x03 Apache Security configuration scheme

---

1. Choose one with fewer vulnerabilities apache edition , And put a security patch on it

see apache Version number ：httpd -v

And then in sebug What's the flaw in searching for this version number on , You can upgrade the version or patch it according to the prompt

2. Close some unused modules and functions

Can be found in LoadModule Before to add #, To comment out some unused modules

3. hide banner Information

ServerTokens OS　 It is amended as follows ：ServerTokens Prod （ Do not display the name of the server operating system when the error page appears ）

ServerSignature On It is amended as follows ：ServerSignature Off（ No echo apache Version information ）

4. Delete default websites and pages

Delete the default page , Prevent disclosure of server information

5. Modifiable banner Information

6. To configure httpd.conf Disable directory browsing

take Options Indexes FollowSymLinks Change it to Options -Indexes FollowSymLinks

7. To configure httpd.conf Set default document

DirectoryIndex index.html

8. The reasonable configuration apache Operating account of

by apache Establish a separate operation account and account group , And in httpd.conf To configure

1 2 3

<code>User apache Group apache </code>

9. Reasonable control apache Write to disk by running account , Executive authority

Cancel apache Write permission of the running account to the website directory , Except upload directory , Try not to give permission to other non website directories

10. Reasonable control apache Running account pair sh And so on

Cancel the running account pair sh Etc. can prevent webshell By default sh Carry out orders

11. To configure httpd.conf Cancel the of upload directory php Executive authority

1 2 3 4 5 6

<code><Directory "/var/www/html/aaa">         <FilesMatch ".(php|php5)$">             Deny from all         </FilesMatch> </Directory> </code>

12. To configure httpd.conf Restrict forbidden folders , For example, background Directory

1 2 3 4

<code><Directory "/var/www/html/aaa">             Deny from all     </Directory> </code>

13. To configure httpd.conf Limit the specific of some special directories ip visit , Such as internal interface, etc .

1 2 3 4 5 6

<code><Directory "/var/www/html/aaa">         Order Deny,Allow     Deny from all     Allow from 192.168.1.111    </Directory> </code>

14. To configure httpd.conf Restrict access to some file types , Such as txt Log

1 2 3 4 5

<code><Files ~ ".txt$">     Order allow,deny     Deny from all </Files> </code>

15. To configure httpd.conf Modify the listening port to prevent some internal systems from being scanned

This prevents some direct scanning 80 Port hackers

1 2	<code>Listen 12345 </code>

16. Close to .htaccess Support for

1 2	<code>AllowOverride All </code>

Change it to

1 2	<code>AllowOverride None </code>

17. To configure httpd.conf Log access logs

0x04 .htaccess Refer to for common configuration methods

---

First , Not recommended .htaccess, secondly , Use .htaccess Need to be in httpd.conf In the open , Last , Start .htaccess After support, it needs to be in httpd.conf Configure to prevent .htaccess The file is downloaded , Several basic configuration methods are introduced below , For more information, please refer to other websites specifically for .htaccess Configuration method of .

1. Default document for custom Directory

1 2	<code>DirectoryIndex index.html index.php index.htm </code>

2. Custom error page

1 2	<code>ErrorDocument 404 errors/404.html </code>

3. Control the level of access to files and directories

1 2 3 4

<code>order deny,allow  deny from all  allow from 192.168.0.0/24 </code>

4. Prevent column directory

1 2	<code>Options -Indexes </code>

0x05 summary

---

Actually, one. web Server protection is divided into several levels （ The vulnerability of the program will not be considered for the time being ）：

1. Hide oneself

To protect a web The server must first learn to hide itself , For some internal systems , Like backstage , Internal interface, etc , We can change the port , Limit ip And other ways to prevent hackers from discovering .

2. Hidden identity

For the majority web system , It's all for outside access , So it's hard to hide yourself . But we still have to learn to hide our identity , You can change banner, It's time to return information to hide your identity and make it more difficult for hackers to attack .

3. Choose a safe version and fix some known vulnerabilities

In fact, the first two steps are easy to break through , Then learn about a web System used web Server version of , At this point, all we can do is choose a version with fewer vulnerabilities , And apply security patches .

4. Do a good job in security configuration

Do a good job in basic security configuration , Disable directory browsing , Set default document , Upload directory restrictions php Execution and so on , To stop hackers .

5. The reasonable configuration web The permissions of the service process account

When a hacker has uploaded a through a program vulnerability webshell And has successfully implemented , here , The account permissions of the service process can only be well configured , Including reading and writing of disk , Special procedures such as sh Implementation , wait , In this way, the harm can be minimized .

6. Log

Last , When hackers have patronized , We can only analyze through logs , See what's wrong .

This article comes from the dark cloud knowledge base , This image is for the convenience of your study and research , The copyright of this article belongs to Wuyun knowledge base ！