Home arrow Apache arrow Secure Installation and Configuration

Secure Installation and Configuration

This chapter provides Apache downloading steps and cautionary tips. Mobily recommends compiling most of the modules dynamically, and leaving the main server stripped to the bones. He covers the free tool Nikto and how to use it. Also see why he says to disable the TRACE method. (From the book Hardening Apache by Tony Mobily, Apress, 2004, ISBN: 1590593782.)

TABLE OF CONTENTS:
  1. Secure Installation and Configuration
  2. Asymmetric Encryption and GnuPG
  3. GnuPG and Apache Signatures
  4. Checking and Installing Apache
  5. Running Apache and Testing it with Nikto
  6. Secure Configuration
  7. File Permissions
  8. Don’t Give Extra Information Away
  9. Apache and SSL
  10. Generate Certificates
  11. Configuration
By: Apress Publishing
Rating: starstarstarstarstar / 31
August 17, 2004

print this article
SEARCH DEV SHED

TOOLS YOU CAN USE

advertisement

mobilyWhen you install a piece of software, you can usually just follow the instructions provided by the README or the INSTALL file. In a way, Apache is no exception. However, Apache is a very complex program, and needs to be compiled and installed with particular care, to make sure that it’s reasonably secure in the short and in the long term.

In this chapter I will show you:


 

  • How to download Apache making sure that you have a “genuine” package; I will also take the opportunity to describe how encryption works.

  • The commands I used to install both Apache 1.3. x and Apache 2. x. I included this section mainly because I will use those installations throughout the book.

  • How to test your installation with an automatic testing tool.

  • How to configure Apache more securely.

  • How to block particular requests and IP addresses.

  • How to configure Apache 1.3. x and 2. x with Secure Sockets Layer (SSL).

Downloading the Right Apache

There are two major “branches” of Apache that are still fully supported: 1.3. x and 2.0. x (the latest ones at the time of writing are 1.3.29 and 2.0.48). Remember that by the time this book goes to print the versions will probably have been updated. You have two options for downloading Apache:

  • Download the Apache source from http://httpd.apache.org. This is the only option available for maximum control.

  • Use a package from your favorite distribution. In this case, you are bound to what your distribution gives you in terms of version and compiling options.

In this book I will only cover downloading and installing the “official” Apache server source distributed by the Apache Software Foundation.

Is It Safe to Download?

The very first step in installing Apache is downloading the Apache package from http://httpd.apache.org/download.cgi.

Downloading Apache is very straightforward. Unfortunately, there are dangerous conditions: the Apache web site (or, more possibly, one of its many mirror sites) might have been hacked, and a maliciously modified version of Apache might have replaced the real distribution file. This fake version could do exactly what it was supposed to do, plus open a back door on the server that was running it (and maybe somehow notify the person who originally wrote the code for the back door).

The Apache Software Foundation is well aware of this problem, so it signs its own packages. It is up to you to check that the signature of the package you downloaded is correct. In this section I will show you how to do that step by step.

Making Sure Your Apache Is Right Using GnuPG

Every official Apache package comes with a digital signature, aimed at ensuring that your package is genuine.

To sign a file, as well as verify the validity of an existing signature, you can use GnuPG (http://www.gnupg.org), a free clone of Pretty Good Privacy (PGP). If you are security-conscious, it’s probably worth your while to study how GnuPG works.

NOTE GnuPG comes with a very well written manual, the GNU Privacy Handbook, The manual is at http://www.gnupg.org/gph/en/manual.html, and is an amazing introduction to cryptography in general.

In the next section, I will introduce the basic concepts behind cryptography, while showing what commands you can use to verify your Apache package. I will refer to these concepts to make sure that you know exactly what each command does. 

This chapter is from Hardening Apache, by Tony Mobily. (Apress, 2004, ISBN: 1590593782). Check it out at your favorite bookstore today. Buy this book now.



 
 
>>> More Apache Articles          >>> More By Apress Publishing
 

blog comments powered by Disqus
escort Bursa Bursa escort Antalya eskort
   

APACHE ARTICLES

- Apache Unveils Cassandra 1.2
- Apache on ARM Chips? Dell and Calxeda Help M...
- The Down Side of Open Source Software
- VMware Unveils Serengeti for Apache Hadoop
- SAP Takes Steps to Improve Hadoop Integration
- Looking to Hone Apache Hadoop Skills?
- How to Install Joomla on WAMPP
- Working with XAMPP and Wordpress
- GUI Available for Apache Camel
- Reduce Server Load for Apache and PHP Websit...
- Creating a VAMP (Vista, Apache, MySQL, PHP) ...
- Putting Apache in Jail
- Containing Intrusions in Apache
- Server Limits for Apache Security
- Setting Permissions in Apache

Developer Shed Affiliates

 


Dev Shed Tutorial Topics: