Server Limits for Apache Security
By: O'Reilly Media
    2008-01-17


    Table of Contents:
  • Server Limits for Apache Security
  • Preventing Information Leaks
  • Changing Web Server Identity
  • Changing the Server Header Field

    Server Limits for Apache Security - Preventing Information Leaks
    (Page 2 of 4)

    By default, Apache provides several bits of information to anyone interested. Any information obtained by attackers helps them build a better view of the system and makes it easier for them to break into the system.

    For example, the installation process automatically puts the email address of the user compiling Apache (or, rather, the email address it thinks is the correct email address) into the configuration file. This reveals the account to the public, which is undesirable. The following directive replaces the Apache-generated email address with a generic address:

      ServerAdmin webmaster@apachesecurity.net

    By default, the email address defined with this directive appears on server-generated pages. Since this is probably not what you want, you can turn off this feature completely via the following directive:

      ServerSignature Off

    The HTTP protocol defines a response header field Server, whose purpose is to identify the software responding to the request. By default, Apache populates this header with its name, version number, and names and version numbers of all its modules willing to identify themselves. You can see what this looks like by sending a test request to the newly installed server:

      $ telnet localhost 80
      Trying 127.0.0.1...
      Connected to localhost.
      Escape character is '^]'.
      HEAD / HTTP/1.0

      HTTP/1.1 200 OK
      Date: Fri, 19 Mar 2004 22:05:35 GMT
      Server: Apache/1.3.29 (Unix)
      Content-Location: index.html.en
      Vary: negotiate,accept-language,accept-charset
      TCN: choice
      Last-Modified: Fri, 04 May 2001 00:00:38 GMT
      ETag: "4002c7-5b0-3af1f126;405a21d7"
      Accept-Ranges: bytes
      Content-Length: 1456
      Connection: close
      Content-Type: text/html
      Content-Language: en
      Expires: Fri, 19 Mar 2004 22:05:35 GMT

    This header field reveals specific and valuable information to the attacker. You can’t hide it completely (this is not entirely true, as you will find in the next section), but you can tell Apache to disclose only the name of the server (“Apache”).

      ServerTokens ProductOnly
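    The three directives above (ServerAdmin, ServerSignature and ServerTokens) all change what a client sees in responses, so the natural check is to capture a response and look at it. The following script is an added example and not part of the O'Reilly text: it parses a raw HTTP response, classifies the Server header into the ServerTokens level that would produce it (the level names other than ProductOnly come from the Apache manual, not from this page), and looks for the `<address>... Server at ... Port ...</address>` footer that ServerSignature adds to server-generated pages. The sample responses are constructed; the first reuses the header block from the telnet session above.

```python
import re

# Shape of the Server header Apache emits at each ServerTokens level:
#   ProductOnly  Apache
#   Major        Apache/2
#   Minor        Apache/2.4
#   Minimal      Apache/2.4.2
#   OS           Apache/2.4.2 (Unix)
#   Full         Apache/2.4.2 (Unix) mod_example/1.2
SERVER_RE = re.compile(
    r"^Apache"
    r"(?:/(\d+)(?:\.(\d+)(?:\.(\S+))?)?)?"  # major, minor, patch
    r"(?:\s+\(([^)]*)\))?"                  # operating system
    r"(?:\s+(.+))?$"                        # module tokens (Full)
)

# Footer that ServerSignature On/EMail appends to server-generated pages.
SIGNATURE_RE = re.compile(r"<address>.*?Server at .*? Port \d+</address>", re.S)


def split_response(raw):
    """Split a raw HTTP response into (status line, headers dict, body)."""
    parts = re.split(r"\r?\n\r?\n", raw, maxsplit=1)
    lines = parts[0].splitlines()
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), value.strip())  # keep first
    body = parts[1] if len(parts) > 1 else ""
    return lines[0], headers, body


def server_tokens_level(value):
    """Map a Server header value to the ServerTokens level that produces it,
    or None when the value is not in Apache's format (other server, or a
    rewritten header)."""
    m = SERVER_RE.match(value.strip())
    if not m:
        return None
    major, minor, patch, os_name, extra = m.groups()
    if extra:
        return "Full"
    if os_name:
        return "OS"
    if patch:
        return "Minimal"
    if minor:
        return "Minor"
    if major:
        return "Major"
    return "ProductOnly"


def audit_response(raw):
    """Return a list of information-leak findings for one captured response."""
    _status, headers, body = split_response(raw)
    findings = []
    server = headers.get("server")
    if server is not None:
        level = server_tokens_level(server)
        if level is not None and level != "ProductOnly":
            findings.append(f"Server header at ServerTokens {level} level: {server!r}")
    if SIGNATURE_RE.search(body):
        findings.append("ServerSignature footer present in response body")
    return findings


# Constructed sample: the header block from the article's telnet session.
SAMPLE_OK = """HTTP/1.1 200 OK
Date: Fri, 19 Mar 2004 22:05:35 GMT
Server: Apache/1.3.29 (Unix)
Content-Type: text/html
Connection: close

"""

# Constructed sample: a 404 from the same server with ServerSignature left on.
SAMPLE_404 = """HTTP/1.1 404 Not Found
Date: Fri, 19 Mar 2004 22:06:10 GMT
Server: Apache/1.3.29 (Unix)
Content-Type: text/html

<html><body><h1>Not Found</h1>
<p>The requested URL /missing was not found on this server.</p>
<hr>
<address>Apache/1.3.29 Server at localhost Port 80</address>
</body></html>
"""

# Constructed sample: the same 404 after ServerTokens ProductOnly and ServerSignature Off.
SAMPLE_HARDENED = """HTTP/1.1 404 Not Found
Date: Fri, 19 Mar 2004 22:07:00 GMT
Server: Apache
Content-Type: text/html

<html><body><h1>Not Found</h1>
<p>The requested URL /missing was not found on this server.</p>
</body></html>
"""

if __name__ == "__main__":
    for name, raw in (("200 page", SAMPLE_OK), ("404 page", SAMPLE_404),
                      ("hardened 404", SAMPLE_HARDENED)):
        print(name, "->", audit_response(raw) or "no leaks found")
```

    Point it at real traffic by pasting the output of a `HEAD` request and of a request for a non-existent URL (the signature only shows up on server-generated pages, which is why the 200 response alone cannot tell you whether ServerSignature is off).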

    We turned off the directory indexing feature earlier when we set the Options directive to the value None. Having the feature off by default is a good approach. You can enable it later on a per-directory basis:

      <Directory /var/www/htdocs/download>
          Options +Indexes
      </Directory>

    Automatic directory indexes are dangerous because programmers frequently create folders that have no default indexes. When that happens, Apache tries to be helpful and lists the contents of the folder, often showing the names of files that are publicly available (because of an error) but should not be seen by anyone, such as the following:

    1. Files (usually archives) stored on the web server but not properly protected (e.g., with a password) because users thought the files could not be seen and thus were secure
    2. Files that were uploaded “just for a second” but were never deleted
    3. Source code backup files automatically created by text editors and uploaded to the production server by mistake
    4. Backup files created as a result of direct modification of files on the production server

    To fight the problem of unintentional file disclosure, you should turn off automatic indexing (as described in the “AllowOverride directive” section) and instruct Apache to reject all requests for files matching a series of regular expressions given below. Similar configuration code exists in the default httpd.conf file to deny access to .htaccess files (the per-directory configuration files I mentioned earlier). The following extends the regular expression to look for various file extensions that should normally not be present on the web server:

      <FilesMatch "(^\.ht|~$|\.bak$|\.BAK$)">
          Order Allow,Deny
          Deny from all
      </FilesMatch>

    The FilesMatch directive only looks at the last part of the full filename (the basename), and thus, FilesMatch configuration specifications do not apply to directory names. To completely restrict access to a particular directory, for example to deny access to CVS administrative files (frequently found on web sites), use something like:

      <DirectoryMatch /CVS/>
          Order Allow,Deny
          Deny from all
      </DirectoryMatch>
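    Because FilesMatch is applied to the basename and DirectoryMatch to the directory path, it is worth checking, before relying on the two blocks above, which files in a document root they would actually deny and which directories would still get an automatic listing if indexing were enabled. The script below is an added example, not part of the O'Reilly text: it reuses the article's two patterns, matches `(^\.ht|~$|\.bak$|\.BAK$)` against the basename and `/CVS/` against the directory part of each path, and reports directories that contain files but no index page. The set of index names is an assumption (adjust it to your DirectoryIndex setting), and the sample path list is constructed.

```python
import os
import re

# The article's two patterns, unchanged.
FILES_MATCH = re.compile(r"(^\.ht|~$|\.bak$|\.BAK$)")
DIRECTORY_MATCH = re.compile(r"/CVS/")

# Assumption: names a typical DirectoryIndex setting serves. Adjust to yours.
INDEX_NAMES = {"index.html", "index.htm", "index.php"}


def files_match_denies(path):
    """FilesMatch is tested against the basename only, as the article notes."""
    return bool(FILES_MATCH.search(os.path.basename(path)))


def directory_match_denies(path):
    """DirectoryMatch is tested against the directory part of the path. A
    trailing slash is appended so the pattern's final '/' can match the last
    component (the CVS directory itself, not only its subdirectories)."""
    return bool(DIRECTORY_MATCH.search(os.path.dirname(path) + "/"))


def unindexed_directories(paths):
    """Directories that hold files but no index page: with Options +Indexes
    Apache would list their contents, which is the leak the article warns about."""
    by_dir = {}
    for p in paths:
        by_dir.setdefault(os.path.dirname(p), set()).add(os.path.basename(p))
    return sorted(d for d, names in by_dir.items() if not names & INDEX_NAMES)


def audit(paths):
    """Return ({denied path: directive that denies it}, [auto-indexed dirs]).
    Paths are absolute, as Apache sees them under the document root."""
    denied = {}
    for p in paths:
        if files_match_denies(p):
            denied[p] = "FilesMatch"
        elif directory_match_denies(p):
            denied[p] = "DirectoryMatch"
    return denied, unindexed_directories(paths)


def collect_paths(root):
    """Walk a real document root and return its absolute file paths."""
    out = []
    for dirpath, _dirs, files in os.walk(root):
        out.extend(os.path.join(dirpath, f) for f in files)
    return out


# Constructed sample document root containing each kind of leftover the
# article lists (editor backup, .bak copies, CVS metadata, an unprotected archive).
SAMPLE_PATHS = [
    "/var/www/htdocs/index.html",
    "/var/www/htdocs/.htaccess",
    "/var/www/htdocs/index.html~",
    "/var/www/htdocs/config.php.bak",
    "/var/www/htdocs/old/site.tar.gz",
    "/var/www/htdocs/old/config.php.BAK",
    "/var/www/htdocs/CVS/Entries",
    "/var/www/htdocs/download/index.html",
    "/var/www/htdocs/download/report.pdf",
]

if __name__ == "__main__":
    denied, listed = audit(SAMPLE_PATHS)
    for path, directive in sorted(denied.items()):
        print(f"denied by {directive:14} {path}")
    for d in listed:
        print(f"no index page (would be listed if Indexes is on): {d}")
```

    Note what the two directives do not catch: `/var/www/htdocs/old/site.tar.gz` is served normally, and the only thing protecting it from discovery is that its directory is not auto-indexed. That is why the article pairs the deny rules with keeping Options set to None by default. Run it on a real tree with `audit(collect_paths("/var/www/htdocs"))`.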

    © 2003-2009 by Developer Shed. All rights reserved.