From: Erik Abele Date: Thu, 5 Sep 2002 23:13:41 +0000 (+0000) Subject: Updated transformation. X-Git-Tag: AGB_BEFORE_AAA_CHANGES~56 X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=ec3ac85b0b1780f66626010f2dfde8ea2ee835f9;p=apache Updated transformation. git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@96654 13f79535-47bb-0310-9956-ffa450edef68 --- diff --git a/docs/manual/misc/security_tips.html.en b/docs/manual/misc/security_tips.html.en index abc898f7f8..05b4f86dbb 100644 --- a/docs/manual/misc/security_tips.html.en +++ b/docs/manual/misc/security_tips.html.en @@ -1,16 +1,18 @@ -Security Tips - Apache HTTP Server
[APACHE DOCUMENTATION]

Apache HTTP Server Version 2.0

Security Tips

+ -->Security Tips - Apache HTTP Server
<-

Security Tips

Some hints and tips on security issues in setting up a web server. Some of the suggestions will be general, others specific to Apache.

-

Permissions on ServerRoot Directories

+
top

Permissions on ServerRoot Directories

In typical operation, Apache is started by the root user, and it - switches to the user defined by the User directive to serve hits. As is the + switches to the user defined by the User directive to serve hits. As is the case with any command that root executes, you must take care that it is protected from modification by non-root users. Not only must the files themselves be writeable only by root, but so must the directories, and @@ -18,25 +20,25 @@ ServerRoot in /usr/local/apache then it is suggested that you create that directory as root, with commands like these:

-
- mkdir /usr/local/apache
- cd /usr/local/apache
- mkdir bin conf logs
- chown 0 . bin conf logs
- chgrp 0 . bin conf logs
+

+ mkdir /usr/local/apache
+ cd /usr/local/apache
+ mkdir bin conf logs
+ chown 0 . bin conf logs
+ chgrp 0 . bin conf logs
chmod 755 . bin conf logs -

+

It is assumed that /, /usr, and /usr/local are only modifiable by root. When you install the httpd executable, you should ensure that it is similarly protected:

-
- cp httpd /usr/local/apache/bin
- chown 0 /usr/local/apache/bin/httpd
- chgrp 0 /usr/local/apache/bin/httpd
+

+ cp httpd /usr/local/apache/bin
+ chown 0 /usr/local/apache/bin/httpd
+ chgrp 0 /usr/local/apache/bin/httpd
chmod 511 /usr/local/apache/bin/httpd -

+

You can create an htdocs subdirectory which is modifiable by other users -- since root never executes any files out of there, and shouldn't @@ -52,7 +54,7 @@ themselves are writeable (by a non-root user), then someone may be able to overwrite the log itself with bogus data.

-

Server Side Includes

+
top

Server Side Includes

@@ -85,11 +87,11 @@

Another solution is to disable the ability to run scripts and programs from SSI pages. To do this replace Includes - with IncludesNOEXEC in the Options directive. Note that users may + with IncludesNOEXEC in the Options directive. Note that users may still use >--#include virtual="..." --< to execute CGI scripts if - these scripts are in directories desginated by a ScriptAlias directive.

+ these scripts are in directories desginated by a ScriptAlias directive.

-

CGI in General

+
top

CGI in General
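Review bot: the typo "desginated" in the last line of this hunk (`these scripts are in directories desginated by a ScriptAlias directive.`) is carried over unchanged from the removed line into the added one; since that line is being rewritten anyway, correct it to "designated".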

@@ -109,7 +111,7 @@ popular way of doing this is with CGIWrap.

-

Non Script Aliased CGI

+
top

Non Script Aliased CGI

@@ -124,7 +126,7 @@
  • You have no users, and nobody ever visits your server.
  • -

    Script Aliased CGI

    +
    top

    Script Aliased CGI

    @@ -137,7 +139,7 @@

    Most sites choose this option over the non script aliased CGI approach.

    -

    Protecting System Settings

    +
    top

    Protecting System Settings

    @@ -147,16 +149,16 @@

    In the server configuration file, put

    -
    - <Directory />
    - AllowOverride None
    +

    + <Directory />
    + AllowOverride None
    </Directory> -

    +

    This prevents the use of .htaccess files in all directories apart from those specifically enabled.

    -

    Protect Server Files by Default

    +
    top

    Protect Server Files by Default

    @@ -167,52 +169,52 @@

    For instance, consider the following example:

    -
    - # cd /; ln -s / public_html
    +

    + # cd /; ln -s / public_html
    Accessing http://localhost/~root/ -

    +

    This would allow clients to walk through the entire filesystem. To work around this, add the following block to your server's configuration:

    -
    - <Directory />
    - Order Deny,Allow
    - Deny from all
    +

    + <Directory />
    + Order Deny,Allow
    + Deny from all
    </Directory> -

    +

    This will forbid default access to filesystem locations. Add - appropriate Directory blocks to + appropriate Directory blocks to allow access only in those areas you wish. For example,

    -
    - <Directory /usr/users/*/public_html>
    - Order Deny,Allow
    - Allow from all
    - </Directory>
    - <Directory /usr/local/httpd>
    - Order Deny,Allow
    - Allow from all
    +

    + <Directory /usr/users/*/public_html>
    + Order Deny,Allow
    + Allow from all
    + </Directory>
    + <Directory /usr/local/httpd>
    + Order Deny,Allow
    + Allow from all
    </Directory> -

    +

    -

    Pay particular attention to the interactions of Location and Directory directives; for instance, even +

    Pay particular attention to the interactions of Location and Directory directives; for instance, even if <Directory /> denies access, a <Location /> directive might overturn it

    -

    Also be wary of playing games with the UserDir directive; setting it to +

    Also be wary of playing games with the UserDir directive; setting it to something like "./" would have the same effect, for root, as the first example above. If you are using Apache 1.3 or above, we strongly recommend that you include the following line in your server configuration files:

    -
    +

    UserDir disabled root -

    +

    -

    Watching Your Logs

    +
    top

    Watching Your Logs
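Review bot: the added paragraph beginning `Pay particular attention to the interactions of Location and Directory directives` ends with `a <Location /> directive might overturn it` and no terminating period; add it while this paragraph is being rewritten. In the same hunk, "If you are using Apache 1.3 or above, we strongly recommend ..." reads oddly in the 2.0 manual; the `UserDir disabled root` recommendation could be stated without the version condition.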

    @@ -224,38 +226,38 @@

    A couple of examples:

    -
    - grep -c "/jsp/source.jsp?/jsp/ /jsp/source.jsp??" access_log
    +

    + grep -c "/jsp/source.jsp?/jsp/ /jsp/source.jsp??" access_log
    grep "client denied" error_log | tail -n 10 -

    +

    The first example will list the number of attacks trying to exploit the Apache Tomcat Source.JSP Malformed Request Information Disclosure Vulnerability, the second example will list the ten last denied clients, for example:

    -
    +

    [Thu Jul 11 17:18:39 2002] [error] [client foo.bar.com] client denied by server configuration: /usr/local/apache/htdocs/.htpasswd -

    +

    As you can see, the log files only report what already has happend, so if the client had been able to access the .htpasswd file you would have seen something similar to:

    -
    +

    foo.bar.com - - [12/Jul/2002:01:59:13 +0200] "GET /.htpasswd HTTP/1.1" -

    +

    in your Access Log. This means you probably commented out the following in your server configuration file:

    -
    - <Files ~ "^\.ht">
    - Order allow,deny
    - Deny from all
    +

    + <Files ~ "^\.ht">
    + Order allow,deny
    + Deny from all
    <Files> -

    +

    -

    Apache HTTP Server Version 2.0

    IndexHome \ No newline at end of file + \ No newline at end of file
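Review bot: the closing tag of the Files example in this hunk is `<Files>` (the line after `+ Deny from all`); it should be `</Files>`, otherwise the container is never closed and the snippet is not valid configuration for a reader to copy. As a drive-by, "happend" in the unchanged context line "what already has happend" should be "happened".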