Setting Up Security on Apache - PowerPoint PPT Presentation

1 / 12

About This Presentation

Title:

Setting Up Security on Apache

Description:

Number of Views:328

Avg rating:3.0/5.0

Slides: 13

Provided by: CIS4114

Category:

Tags: apache | directories | security | setting

Transcript and Presenter's Notes

Title: Setting Up Security on Apache

1
Setting Up Security on Apache

2
Protecting the Files on Your Web Server

Most files that control web server's operation
are under 'ServerRoot'
Server runs under an identity (nobody) that
shouldn't have the ability to modify its own
control files
Exceptions are error_log and access_log
Most files in server's DocumentRoot should be
read-only to server. Carefully consider
exceptions.
Symbolic links can bypass DocumentRoot control

3
Symbolic Links

Symbolic Links allow making a file appear to
exist in multiple locations
Danger exists when symbolic links inadvertently
provide access to files via unexpected paths
To create sym links ln s resource_to_link
symlink_name
To find sym links find documentroot -type l
-print

4
More on Symbolic Links

In httpd.conf, these directives affect symbolic
links
Options FollowSymLinks allows Apache to follow
links to real file or directory
Options -FollowSymLinks turns off symlinks
Options FollowSymLinksIfOwnerMatch allows
Apache to follow links ONLY if the user ID that
owns the link is the same as the one that owns
the actual file

5
Protecting the URLs on Your Web Site

This involves the Mandatory and Discretionary
access that was discussed in the Server Users and
Documents powerpoint slides which discussed the
use of Authentication and Authorization.

6
Controlling Real-Time Activity - Options

7
More on Options

Good idea to turn off Options in areas where web
admin does not have sole control
Turn off all Options
Options None
Turn off individual options
Options Includes IncludesNoEXEC -ExecCGI

8
Controlling Real-Time Activity - AllowOverride

AllowOverride this directive controls if
directives are allowable in .htaccess files and
what are allowable
All (any directive allowed in .htaccess)
AuthConfig (authentication directives like
AuthType allowed)
FileInfo (file processing directives like AddType
allowed)
Indexes (allows directives for indexing, if
enabled, like DirectoryIndex)
Limit (controls whether mandatory access
controls, order, allow, deny are processed if in
.htaccess)
None (completely disables processing of .htaccess
files)
Options (allows Options directives found in
.htaccess to be published)

9
Permissions on ServerRoot Directories

You want to be sure these directories are
writeable only by root
If non-root users can modify files that root
either executes /writes, system is open to root
compromises (httpd could be replaced, log files
overwritten, etc.)

10
Protect the file system

11
General Security Tips for Apache

CGI scripts run under Apache's user so may
possibly conflict with other scripts
suEXEC program included with Apache to allow
scripts to run as different users
Disallow .htaccess files may override admin's
security controls
AllowOverride None
Server Side Includes require additional
processing by Apache require .shtml
Can also execute (EXEC) any CGI script or program
under permissions of user/group Apache Runs in
Use IncludesNOEXEC directive to prohibit

12
Major Web Site Security Concerns

Protecting your computer from unauthorized users
Authentication the process of allowing users
access to the Web service based on usernames and
passwords or IP addresses or domains
Protecting your computer from programs that run
on the host computer
SSI "includes"
Executable directories
Controls, scripts, applets, etc

Write a Comment

User Comments (0)