Beruflich Dokumente
Kultur Dokumente
Home
Free eBook
Contact
About
Start Here
20 Me gusta 70 Tweet 91
If you are a sysadmin, you should secure your Apache web server by following the 10 tips mentioned in this
article.
userdir Mapping of requests to user-specific directories. i.e ~username in URL will get translated to a
directory in the server
autoindex Displays directory listing when no index.html file is present
status Displays server stats
env Clearing/setting of ENV vars
setenvif Placing ENV vars on headers
cgi CGI scripts
actions Action triggering on requests
negotiation Content negotiation
alias Mapping of requests to different filesystem parts
include Server Side Includes
http://www.thegeekstuff.com/2011/03/apache-hardening/ 1/13
4/11/2014 10 Tips to Secure Your Apache Web Server on UNIX / Linux
Disable all of the above modules as shown below when you do ./configure
./configure \
--enable-ssl \
--enable-so \
--disable-userdir \
--disable-autoindex \
--disable-status \
--disable-env \
--disable-setenvif \
--disable-cgi \
--disable-actions \
--disable-negotiation \
--disable-alias \
--disable-include \
--disable-filter \
--disable-version \
--disable-asis
If you enable ssl, and disable mod_setenv, youll get the following error.
After the installation, when you do httpd -l, youll see all installed modules.
# /usr/local/apache2/bin/httpd -l
Compiled in modules:
core.c
mod_authn_file.c
mod_authn_default.c
mod_authz_host.c
mod_authz_groupfile.c
mod_authz_user.c
mod_authz_default.c
mod_auth_basic.c
mod_log_config.c
mod_ssl.c
prefork.c
http_core.c
mod_mime.c
mod_dir.c
mod_so.c
http://www.thegeekstuff.com/2011/03/apache-hardening/ 2/13
4/11/2014 10 Tips to Secure Your Apache Web Server on UNIX / Linux
Use Google
AdWords
Llegue a potenciales
clientes. Cree su
anuncio en Google hoy.
groupadd apache
useradd -d /usr/local/apache2/htdocs -g apache -s /bin/false apache
# vi httpd.conf
User apache
Group apache
After this, if you restart apache, and do ps -ef, youll see that the apache is running as apache (Except the 1st
httpd process, which will always run as root).
<Directory />
Options None
Order deny,allow
Deny from all
</Directory>
In the above:
Options None Set this to None, which will not enable any optional extra features.
Order deny,allow This is the order in which the Deny and Allow directivites should be processed.
This processes the deny first and allow next.
Deny from all This denies request from everybody to the root directory. There is no Allow directive for
the root directory. So, nobody can access it.
groupadd apacheadmin
Add appropriate members to this group. In this example, both ramesh and john are part of apacheadmin
# vi /etc/group
apacheadmin:x:1121:ramesh,john
If you dont do this, users will be able to see all the files (and directories) under your root (or any sub-
directory).
For example, if they go to http://{your-ip}/images/ and if you dont have an index.html under images, theyll
see all the image files (and the sub-directories) listed in the browser (just like a ls -1 output). From here, they
can click on the individual image file to view it, or click on a sub-directory to see its content.
To disable directory browsing, you can either set the value of Options directive to None or -Indexes. A
in front of the option name will remove it from the current list of options enforced for that directory.
Indexes will display a list of available files and sub-directories inside a directory in the browser (only when no
index.html is present inside that folder). So, Indexes should not be allowed.
<Directory />
Options None
http://www.thegeekstuff.com/2011/03/apache-hardening/ 4/13
4/11/2014 10 Tips to Secure Your Apache Web Server on UNIX / Linux
Order allow,deny
Allow from all
</Directory>
(or)
<Directory />
Options -Indexes
Order allow,deny
Allow from all
</Directory>
You should not allow users to use the .htaccess file and override apache directives. To do this, set
AllowOverride None in the root directory.
<Directory />
Options None
AllowOverride None
Order allow,deny
Allow from all
</Directory>
Options All All options are enabled (except MultiViews). If you dont specify Options directive, this is
the default value.
Options ExecCGI Execute CGI scripts (uses mod_cgi)
Options FollowSymLinks If you have symbolic links in this directory, it will be followed.
Options Includes Allow server side includes (uses mod_include)
Options IncludesNOEXEC Allow server side includes without the ability to execute a command or
cgi.
Options Indexes Disable directory listing
Options MultiViews - Allow content negotiated multiviews (uses mod_negotiation)
Options SymLinksIfOwnerMatch Similar to FollowSymLinks. But, this will follow only when the
owner is same between the link and the original directory to which it is linked.
Never specify Options All. Always specify one (or more) of the options mentioned above. You can combine
multiple options in one line as shown below.
Options Includes FollowSymLinks
The + and in front of an option value is helpful when you have nested direcotires, and would like to overwrite
an option from the parent Directory directive.
In this example, for /site directory, it has both Includes and Indexes:
<Directory /site>
Options Includes Indexes
AllowOverride None
Order allow,deny
http://www.thegeekstuff.com/2011/03/apache-hardening/ 5/13
4/11/2014 10 Tips to Secure Your Apache Web Server on UNIX / Linux
For /site/en directory, if you need Only Indexes from /site (And not the Includes), and if you want to
FollowSymLinks only to this directory, do the following.
<Directory /site/en>
Options -Includes +FollowSymLink
AllowOverride None
Order allow,deny
Allow from all
</Directory>
Please note that the statically compiled apache modules will not be listed as LoadModule directive.
If you want your site to be viewed only by a specific ip-address or network, do the following:
To allow a specific network to access your site, give the network address in the Allow directive.
<Directory /site>
Options None
AllowOverride None
Order deny,allow
Deny from all
Allow from 10.10.0.0/24
</Directory>
To allow a specific ip-address to access your site, give the ip-address in the Allow directive.
<Directory /site>
Options None
AllowOverride None
Order deny,allow
Deny from all
Allow from 10.10.1.21
</Directory>
http://www.thegeekstuff.com/2011/03/apache-hardening/ 6/13
4/11/2014 10 Tips to Secure Your Apache Web Server on UNIX / Linux
To avoid this, set the ServerTokens to Prod in httpd.conf. This will display Server: Apache without any
version information.
# vi httpd.conf
ServerTokens Prod
Apart from all the above 10 tips, make sure to secure your UNIX / Linux operating system. There is no point in
securing your apache, if your OS is not secure. Also, always keep your apache version upto date. The latest
version of the apache contains fixes for all the known security issues. Make sure to review your apache log files
frequently.
Linux provides several powerful administrative tools and utilities which will
help you to manage your systems effectively. If you dont know what these tools are and how to use them, you
could be spending lot of time trying to perform even the basic administrative tasks. The focus of this course is
to help you understand system administration tools, which will help you to become an effective Linux system
administrator.
Get the Linux Sysadmin Course Now!
Im a newbie with Apache. I can just follow a how-to to get working an Apache php mysql in order
to run Joomla!
But, after this, considering all these security advices, will I need to run any of those non-secure modules
that I shouldnt load? Is that configuration suitable to run Joomla!?
If you cannot allow .htaccess then most php based website cms (drupal wordpress), will not work.
thanx
World needs gud brains like u.. God bless u. nice stuff
Thanks, Chris Adam for you answer, its useful for me.
http://www.thegeekstuff.com/2011/03/apache-hardening/ 8/13
4/11/2014 10 Tips to Secure Your Apache Web Server on UNIX / Linux
I just set up a LAMP server with WordPress and I have AllowOverride None which disables .htaccess
file. Everything works.
Wow! excellent Mate. I really enjoyed going through all of the stuff.
whether it is memory handling or GDB or the Apache admin stuff
awesome. keep up the good work. I really a[ppreciate your efforts.
Leave a Comment
Name
Website
http://www.thegeekstuff.com/2011/03/apache-hardening/ 9/13
4/11/2014 10 Tips to Secure Your Apache Web Server on UNIX / Linux
Submit
Previous post: Linux IPTables: Incoming and Outgoing Rule Examples (SSH and HTTP)
Search
COURSE
Linux Sysadmin CentOS 6 Course - Master the Tools, Configure it Right, and be Lazy
EBOOKS
Linux 101 Hacks 2nd Edition eBook - Practical Examples to Build a Strong Foundation in
Linux
Bash 101 Hacks eBook - Take Control of Your Bash Command Line and Shell Scripting
Sed and Awk 101 Hacks eBook - Enhance Your UNIX / Linux Life with Sed and Awk
Vim 101 Hacks eBook - Practical Examples for Becoming Fast and Productive in Vim Editor
Nagios Core 3 eBook - Monitor Everything, Be Proactive, and Sleep Well
http://www.thegeekstuff.com/2011/03/apache-hardening/ 10/13
4/11/2014 10 Tips to Secure Your Apache Web Server on UNIX / Linux
POPULAR POSTS
12 Amazing and Essential Linux Books To Enrich Your Brain and Library
50 UNIX / Linux Sysadmin Tutorials
50 Most Frequently Used UNIX / Linux Commands (With Examples)
How To Be Productive and Get Things Done Using GTD
30 Things To Do When you are Bored and have a Computer
Linux Directory Structure (File System Structure) Explained with Examples
Linux Crontab: 15 Awesome Cron Job Examples
Get a Grip on the Grep! 15 Practical Grep Command Examples
Unix LS Command: 15 Practical Examples
15 Examples To Master Linux Command Line History
Top 10 Open Source Bug Tracking System
Vi and Vim Macro Tutorial: How To Record and Play
Mommy, I found it! -- 15 Practical Linux Find Command Examples
15 Awesome Gmail Tips and Tricks
15 Awesome Google Search Tips and Tricks
RAID 0, RAID 1, RAID 5, RAID 10 Explained with Diagrams
Can You Top This? 15 Practical Linux Top Command Examples
Top 5 Best System Monitoring Tools
Top 5 Best Linux OS Distributions
How To Monitor Remote Linux Host using Nagios 3.0
Awk Introduction Tutorial 7 Awk Print Examples
How to Backup Linux? 15 rsync Command Examples
The Ultimate Wget Download Guide With 15 Awesome Examples
Top 5 Best Linux Text Editors
Packet Analyzer: 15 TCPDUMP Command Examples
The Ultimate Bash Array Tutorial with 15 Examples
3 Steps to Perform SSH Login Without Password Using ssh-keygen & ssh-copy-id
Unix Sed Tutorial: Advanced Sed Substitution Examples
UNIX / Linux: 10 Netstat Command Examples
The Ultimate Guide for Creating Strong Passwords
6 Steps to Secure Your Home Wireless Network
Turbocharge PuTTY with 12 Powerful Add-Ons
CATEGORIES
http://www.thegeekstuff.com/2011/03/apache-hardening/ 11/13
4/11/2014 10 Tips to Secure Your Apache Web Server on UNIX / Linux
Linux Tutorials
Vim Editor
Sed Scripting
Awk Scripting
Bash Shell Scripting
Nagios Monitoring
OpenSSH
IPTables Firewall
Apache Web Server
MySQL Database
Perl Programming
Google Tutorials
Ubuntu Tutorials
PostgreSQL DB
Hello World Examples
C Programming
C++ Programming
DELL Server Tutorials
Oracle Database
VMware Tutorials
Ramesh Natarajan
Seguir
Support Us
http://www.thegeekstuff.com/2011/03/apache-hardening/ 12/13
4/11/2014 10 Tips to Secure Your Apache Web Server on UNIX / Linux
Contact Us
Email Me : Use this Contact Form to get in touch me with your comments, questions or suggestions
about this site. You can also simply drop me a line to say hello!.
Follow us on Google+
Follow us on Twitter
http://www.thegeekstuff.com/2011/03/apache-hardening/ 13/13