Make sure that Apache's files and directories are only writable by root. These are the commands suggested by Apache's web site:
# cd /usr/local/apache
Having the wrong permissions set could allow a malicious user to replace the httpd binary, and therefore execute a script as root.
Understand How Options Are Applied
Most directives can be defined in different sections of your httpd.conf file:
Apache merges the directives found in these sections in this particular order. Each section is processed in the order in which it appears in the configuration file, except <Directory>, where the shortest directory paths are processed first. Also, <Directory> refers to actual directories on the file system, <Location> whereas
The configuration files I proposed earlier in the chapter read:
The directive <Directory /> refers to the actual root directory of the server. Immediately after, you can see the following directive, which is processed after the previous one, as it refers to a longer path:
In this case, I set very restrictive permissions for the server's root directory, and then I allowed looser security for the document root (/usr/local/apache2/htdocs). I could have defined different options for a directory inside htdocs:
For the directory insecure, the options FollowSymLinks (which allows the following of symbolic links, and should be turned off) and AllowOverride (which enables the .htaccess file mechanism, and should be disabled if possible) are added (thanks to the + symbol) to the inherited options.
You should be aware of how this mechanism works. The document http://httpd.apache.org/docs-2.0/sections.html explains exactly how Apache reads its configuration sections, and http://httpd.apache.org/docs-2.0/mod/core.html#options explains what options can be set. A complete understanding of both these documents is vital to ensure the security of your Apache installation.
Don't Expose Root's Home Page
If you need to allow users' directories (such as http://www.site.com/~username) with the directive UserDir, remember to have this line in your configuration:
UserDir disabled root
Delete Any Default Files
The CGI scripts printenv and test-cgi are installed by default. They have caused problems in the past, because standard Apache scripts that came with the server were inherently vulnerable, and a source of security breaches and problems. Now, when Apache is installed they are not executable. However, in a production environment they should be deleted:
[root@merc root]# cd /usr/local/apache2/
[root@merc apache2]# ls cgi-bin
[root@merc apache2]# rm cgi-bin/*
rm: remove regular file `cgi-bin/printenv'? y
rm: remove regular file `cgi-bin/test-cgi'? y
The same applies to the default web site, which should be deleted:
[root@merc root]# rm -rf /usr/local/apache2/htdocs/*
You should then place your own web site in the htdocs directory.
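As an added example (it is not from the book or the Apache project), the following POSIX shell script audits an installed tree for the points covered in this chapter: ownership and group/other write bits on the paths Apache's web site tells you to lock down, leftover printenv and test-cgi scripts, and risky Options, AllowOverride and UserDir lines in httpd.conf. It assumes GNU `stat -c` and the /usr/local/apache2 layout used above; the function names are my own.

```shell
#!/bin/sh
# Added example (not from the book or the Apache project): audit an Apache tree
# against this section's points. Assumes GNU `stat -c` (Linux coreutils).

# Paths under prefix $1 that are group/other-writable or not owned by uid $2
# (default 0, i.e. root): the same paths the Apache docs tell you to lock down.
bad_permissions() {
    prefix=$1; want_uid=${2:-0}
    for p in "$prefix" "$prefix/bin" "$prefix/conf" "$prefix/logs" "$prefix/bin/httpd"; do
        [ -e "$p" ] || continue
        uid=$(stat -c %u "$p"); mode=$(stat -c %a "$p")
        g=$(( (mode / 10) % 10 )); o=$(( mode % 10 ))   # group and other octal digits
        if [ "$uid" -ne "$want_uid" ] || [ $((g & 2)) -ne 0 ] || [ $((o & 2)) -ne 0 ]; then
            echo "$p owner=$uid mode=$mode"
        fi
    done
    return 0
}

# Default CGI scripts still present under $1/cgi-bin (should have been deleted).
default_cgi_scripts() {
    for f in "$1/cgi-bin/printenv" "$1/cgi-bin/test-cgi"; do
        [ -e "$f" ] && echo "$f"
    done
    return 0
}

# Risky lines in httpd.conf $1: FollowSymLinks enabled (bare or with +),
# AllowOverride other than None, and UserDir in use without "disabled root".
risky_directives() {
    conf=$1
    grep -nE '^[[:space:]]*Options[[:space:]].*[[:space:]+]FollowSymLinks' "$conf" || true
    grep -nE '^[[:space:]]*AllowOverride[[:space:]]' "$conf" \
        | grep -viE 'AllowOverride[[:space:]]+None([[:space:]]|$)' || true
    if grep -qiE '^[[:space:]]*UserDir[[:space:]]' "$conf" \
        && ! grep -qiE '^[[:space:]]*UserDir[[:space:]]+disabled[[:space:]]+root' "$conf"; then
        echo "UserDir enabled but root not excluded (add: UserDir disabled root)"
    fi
    return 0
}

# Usage: sh audit.sh [prefix] [httpd.conf]; defaults follow the book's layout.
audit() {
    prefix=${1:-/usr/local/apache2}; conf=${2:-$prefix/conf/httpd.conf}
    bad_permissions "$prefix"; default_cgi_scripts "$prefix"
    [ -f "$conf" ] && risky_directives "$conf"
    return 0
}
audit "$@"
```

Each function prints one line per finding and nothing when the tree is clean, so the script can be dropped into a cron job and its output mailed to you.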