From ec3ac85b0b1780f66626010f2dfde8ea2ee835f9 Mon Sep 17 00:00:00 2001
From: Erik Abele
Apache HTTP Server Version 2.0 Some hints and tips on security issues in setting up a web server.
Some of the suggestions will be general, others specific to Apache. In typical operation, Apache is started by the root user, and it
- switches to the user defined by the It is assumed that /, /usr, and /usr/local are only modifiable by
root. When you install the httpd executable, you should ensure that
it is similarly protected: You can create an htdocs subdirectory which is modifiable by other
users -- since root never executes any files out of there, and shouldn't
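Added here as a check to go with the permission advice above (this is not code from the Apache documentation or from this patch): a small POSIX shell audit that lists everything under a ServerRoot that is not owned by the expected user or is group- or world-writable, skipping htdocs as the text permits. The function names and the sample tree it builds are constructed for the example.

```shell
#!/bin/sh
# Added example, not part of the Apache docs or this patch: audit a ServerRoot
# for anything a non-owner could modify. Assumes POSIX find and that htdocs is
# the only tree deliberately left writable by other users, as the text allows.

# List every path under $1 that is not owned by uid $2 (default 0, i.e. root)
# or is group- or world-writable, skipping the htdocs tree. Returns 1 when
# something was found, 0 when the tree is clean.
audit_serverroot() {
    root="$1"; owner="${2:-0}"
    found=$(find "$root" -path "$root/htdocs" -prune -o \
        \( ! -user "$owner" -o -perm -g+w -o -perm -o+w \) -print)
    if [ -n "$found" ]; then
        printf '%s\n' "$found"
        return 1
    fi
    return 0
}

# Number of findings for a tree, as a bare integer (0 when clean).
count_findings() {
    audit_serverroot "$1" "$2" | wc -l | tr -d ' '
}

# Constructed sample ServerRoot in a temporary directory, laid out like the
# mkdir/chmod sequence in the documentation, with one deliberate defect.
make_sample_root() {
    base=$(mktemp -d)
    mkdir "$base/bin" "$base/conf" "$base/logs" "$base/htdocs"
    : > "$base/bin/httpd"
    : > "$base/conf/httpd.conf"
    chmod 755 "$base" "$base/bin" "$base/conf" "$base/logs"
    chmod 511 "$base/bin/httpd"
    chmod 777 "$base/htdocs"          # permitted: root never executes from here
    chmod 666 "$base/conf/httpd.conf" # defect: anyone can rewrite the config
    printf '%s\n' "$base"
}

# Stand-alone demonstration: audit the sample tree against the current user.
sample=$(make_sample_root)
audit_serverroot "$sample" "$(id -u)" || echo "fix the paths listed above"
rm -rf "$sample"
```

Run it as root with the real ServerRoot and owner 0 to get the list the documentation's chown/chmod sequence is meant to leave empty.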
@@ -52,7 +54,7 @@
themselves are writeable (by a non-root user), then someone may be
able to overwrite the log itself with bogus data. Another solution is to disable the ability to run scripts and
programs from SSI pages. To do this replace Most sites choose this option over the non script aliased CGI
approach. In the server configuration file, put This prevents the use of For instance, consider the following example: This would allow clients to walk through the entire filesystem. To
work around this, add the following block to your server's
configuration:Apache HTTP Server Version 2.0
Security Tips
+ -->Security Tips
Permissions on ServerRoot Directories
+ Permissions on ServerRoot Directories
User
directive to serve hits. As is the
+ switches to the user defined by the User
directive to serve hits. As is the
case with any command that root executes, you must take care that it is
protected from modification by non-root users. Not only must the files
themselves be writeable only by root, but so must the directories, and
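Review bot: the added heading line `+ -->Security Tips` carries a stray `-->` in front of the heading text, which reads as an HTML comment terminator that ended up inside the rendered heading; check that the comment preceding it is closed on its own line so the heading renders as just `Security Tips`. The removed and added `switches to the user defined by the` lines differ only in where the word `User` falls, so the rest of this hunk is markup-only.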
@@ -18,25 +20,25 @@
ServerRoot in /usr/local/apache then it is suggested that you create
that directory as root, with commands like these:
+
- mkdir /usr/local/apache
- cd /usr/local/apache
- mkdir bin conf logs
- chown 0 . bin conf logs
- chgrp 0 . bin conf logs
+
+ mkdir /usr/local/apache
+ cd /usr/local/apache
+ mkdir bin conf logs
+ chown 0 . bin conf logs
+ chgrp 0 . bin conf logs
chmod 755 . bin conf logs
-
+
- cp httpd /usr/local/apache/bin
- chown 0 /usr/local/apache/bin/httpd
- chgrp 0 /usr/local/apache/bin/httpd
+
+ cp httpd /usr/local/apache/bin
+ chown 0 /usr/local/apache/bin/httpd
+ chgrp 0 /usr/local/apache/bin/httpd
chmod 511 /usr/local/apache/bin/httpd
- Server Side Includes
+ Server Side Includes
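Review bot: every `-` command line in this hunk (`mkdir`, `chown 0`, `chgrp 0`, `cp httpd`) reappears with identical text as a `+` line, so the change is in the surrounding markup only and should be described that way for reviewers. One documentation gap worth closing while touching this block: the sequence never creates `htdocs`, although the text above says an `htdocs` subdirectory may be made writable by other users; a one-line `mkdir htdocs` with its intended ownership would keep the example complete, and `logs` staying at `chmod 755` under uid 0 is consistent with the warning elsewhere in this patch about log files writable by non-root users.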
@@ -85,11 +87,11 @@
Includes
- with IncludesNOEXEC
in the Options
directive. Note that users may
+ with IncludesNOEXEC
in the Options
directive. Note that users may
still use >--#include virtual="..." --< to execute CGI scripts if
- these scripts are in directories desginated by a ScriptAlias
directive.ScriptAlias
directive.
- CGI in General
+ CGI in General
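Review bot: the removed line `these scripts are in directories desginated by a ScriptAlias` has the typo `desginated`, and no `+` line with the corrected spelling is visible in this hunk (the following context reads `directive.ScriptAlias`), so verify that the replacement text spells `designated`. Separately, the context line renders the SSI directive as `>--#include virtual="..." --<`; the real syntax is `<!--#include virtual="..." -->`, so the angle brackets look inverted and the `!` lost in escaping, which is worth fixing in the same file.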
@@ -109,7 +111,7 @@
popular way of doing this is with
CGIWrap.
- Non Script Aliased CGI
+ Non Script Aliased CGI
@@ -124,7 +126,7 @@
Script Aliased CGI
+ Script Aliased CGI
@@ -137,7 +139,7 @@
Protecting System Settings
+ Protecting System Settings
@@ -147,16 +149,16 @@
+
- <Directory />
- AllowOverride None
+
+ <Directory />
+ AllowOverride None
</Directory>
- .htaccess
files in all
directories apart from those specifically enabled.Protect Server Files by Default
+ Protect Server Files by Default
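Review bot: the removed `.htaccess` line has no `+` replacement in this hunk, and the following context runs the sentence straight into the next heading (`...specifically enabled.Protect Server Files by Default`), so check that the paragraph/heading boundary survived the edit. The directive itself is right: `AllowOverride None` inside `<Directory />` disables `.htaccess` processing everywhere except in directories that explicitly re-enable it, which is exactly what the surrounding sentence promises.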
@@ -167,52 +169,52 @@
+
- # cd /; ln -s / public_html
+
+ # cd /; ln -s / public_html
Accessing http://localhost/~root/
-
+
- <Directory />
- Order Deny,Allow
- Deny from all
+
+ <Directory />
+ Order Deny,Allow
+ Deny from all
</Directory>
-
This will forbid default access to filesystem locations. Add
- appropriate Directory
blocks to
+ appropriate Directory
blocks to
allow access only in those areas you wish. For example,
+ -
- <Directory /usr/users/*/public_html>
- Order Deny,Allow
- Allow from all
- </Directory>
- <Directory /usr/local/httpd>
- Order Deny,Allow
- Allow from all
+
+ <Directory /usr/users/*/public_html>
+ Order Deny,Allow
+ Allow from all
+ </Directory>
+ <Directory /usr/local/httpd>
+ Order Deny,Allow
+ Allow from all
</Directory> -
Pay particular attention to the interactions of Location
and Directory
directives; for instance, even
+
Pay particular attention to the interactions of Location
and Directory
directives; for instance, even
if <Directory />
denies access, a
<Location />
directive might overturn it
Also be wary of playing games with the UserDir
directive; setting it to
+
Also be wary of playing games with the UserDir
directive; setting it to
something like "./" would have the same effect, for root, as the first
example above. If you are using Apache 1.3 or above, we strongly
recommend that you include the following line in your server
configuration files:
+ -
+
UserDir disabled root -
A couple of examples:
-+
- grep -c "/jsp/source.jsp?/jsp/ /jsp/source.jsp??" access_log
+
+ grep -c "/jsp/source.jsp?/jsp/ /jsp/source.jsp??" access_log
grep "client denied" error_log | tail -n 10 -
The first example will list the number of attacks trying to exploit the Apache Tomcat Source.JSP Malformed Request Information Disclosure Vulnerability, the second example will list the ten last denied clients, for example:
-+
+
[Thu Jul 11 17:18:39 2002] [error] [client foo.bar.com] client denied by server configuration: /usr/local/apache/htdocs/.htpasswd -
As you can see, the log files only report what already has happend, so
if the client had been able to access the .htpasswd
file you
would have seen something similar to:
+
+
foo.bar.com - - [12/Jul/2002:01:59:13 +0200] "GET /.htpasswd HTTP/1.1" -
in your Access Log. This means you probably commented out the following in your server configuration file:
-+ -
- <Files ~ "^\.ht">
- Order allow,deny
- Deny from all
+
+ <Files ~ "^\.ht">
+ Order allow,deny
+ Deny from all
<Files> -
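Review bot: the `<Files ~ "^\.ht">` block at the end of the hunk is closed with `<Files>` rather than `</Files>`; as written the section is never closed and a configuration copied from this example will fail to load, so the closing tag needs the slash. The remainder of the hunk is markup-only (each `-` directive or command line reappears unchanged as a `+` line), and the stray ` -` tokens after `</Directory>`, `UserDir disabled root` and the two log lines do not belong to the directives and should be checked against the source markup.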