Setting Up Security on Apache - PowerPoint PPT Presentation

Provided by: CIS4114
Transcript and Presenter's Notes

1
Setting Up Security on Apache
  • Three main areas to consider
  • Protecting the Files on Your Web Server
  • Protecting the URLs on Your Web Site
  • Controlling Real-Time Activity

2
Protecting the Files on Your Web Server
  • Most files that control the web server's operation
    are under 'ServerRoot'
  • The server runs under an identity (nobody) that
    shouldn't have the ability to modify its own
    control files
  • Exceptions are error_log and access_log
  • Most files in the server's DocumentRoot should be
    read-only to the server. Carefully consider any
    exceptions.
  • Symbolic links can bypass DocumentRoot control

3
Symbolic Links
  • Symbolic links allow making a file appear to
    exist in multiple locations
  • Danger exists when symbolic links inadvertently
    provide access to files via unexpected paths
  • To create a symlink: ln -s resource_to_link symlink_name
  • To find symlinks: find documentroot -type l -print

4
More on Symbolic Links
  • In httpd.conf, these directives affect symbolic
    links
  • Options FollowSymLinks allows Apache to follow
    links to the real file or directory
  • Options -FollowSymLinks turns off following symlinks
  • Options FollowSymLinksIfOwnerMatch allows
    Apache to follow links ONLY if the user ID that
    owns the link is the same as the one that owns
    the actual file

5
Protecting the URLs on Your Web Site
  • This involves the mandatory and discretionary
    access controls discussed in the Server Users and
    Documents slides, which covered the use of
    authentication and authorization.

6
Controlling Real-Time Activity - Options
  • Options: each scope (server, virtual host, directory) has its own options
  • All (all options enabled); None (no options
    enabled)
  • ExecCGI (enables CGI script execution)
  • FollowSymLinks, FollowSymLinksIfOwnerMatch
  • Includes (allows server-side includes)
  • IncludesNOEXEC (server-side includes without
    #exec and without #include of CGI scripts)
  • Indexes (allows default directory indexes to be
    generated when no index file exists)
  • MultiViews (content-negotiated "MultiViews"; not
    included in All)

7
More on Options
  • It is a good idea to turn off Options in areas where
    the web admin does not have sole control
  • Turn off all Options:
  • Options None
  • Turn off individual options (when any option in the
    list uses the relative +/- form, Apache requires
    all of them to):
  • Options -Includes +IncludesNOEXEC -ExecCGI

8
Controlling Real-Time Activity - AllowOverride
  • AllowOverride: this directive controls whether
    directives are allowed in .htaccess files, and
    which ones
  • All (any directive allowed in .htaccess)
  • AuthConfig (authentication directives like
    AuthType allowed)
  • FileInfo (file-processing directives like AddType
    allowed)
  • Indexes (allows directives for indexing, if
    enabled, like DirectoryIndex)
  • Limit (controls whether the host-based access
    controls Order, Allow and Deny are processed if
    found in .htaccess)
  • None (completely disables processing of .htaccess
    files)
  • Options (allows Options directives found in
    .htaccess to be processed)

9
Permissions on ServerRoot Directories
  • You want to be sure these directories are
    writeable only by root
  • If non-root users can modify files that root
    either executes or writes, the system is open to
    root compromises (httpd could be replaced, log
    files overwritten, etc.)

10
Protect the file system
  • Example request to block: http://localhost/root
  • <Directory />
  •     Order Deny,Allow
  •     Deny from all
  • </Directory>
  • UserDir disabled root
  • Run the server in a chroot environment

11
General Security Tips for Apache
  • CGI scripts run under Apache's user, so they may
    conflict with other scripts running as that user
  • The suEXEC program included with Apache allows
    scripts to run as different users
  • Disallow .htaccess files, which may override the
    admin's security controls:
  • AllowOverride None
  • Server Side Includes require additional
    processing by Apache (files use the .shtml extension)
  • SSI can also execute (#exec) any CGI script or
    program under the permissions of the user/group
    Apache runs as
  • Use the IncludesNOEXEC option to prohibit this

12
Major Web Site Security Concerns
  • Protecting your computer from unauthorized users
  • Authentication: the process of allowing users
    access to the Web service based on usernames and
    passwords, or on IP addresses or domains
  • Protecting your computer from programs that run
    on the host computer:
  • SSI "includes"
  • Executable directories
  • Controls, scripts, applets, etc.