Author: Fred F.M. Wang (FW知識瑣記)  Date: 2021/4/13
I compiled several online articles on Apache security settings into this memo for my own reference.
Basic security settings
httpd.conf (xampp on linux: /etc/httpd/conf/httpd.conf)

Setting:
    #LoadModule info_module modules/mod_info.so
Purpose: Hide the Apache version and other sensitive information; disable the server-info directive.

Setting:
    #<Location /server-status>
    #    SetHandler server-status
    #    Order deny,allow
    #    Deny from all
    #    Allow from .your_domain.com
    #</Location>
Purpose: Hide the Apache version and other sensitive information; disable the server-status directive.

Setting:
    ServerSignature Off
Purpose: Hide the Apache version and other sensitive information; disable the ServerSignature directive.

Setting:
    ServerTokens Prod
Purpose: Hide the Apache version and other sensitive information; set the ServerTokens directive to Prod.

Setting:
    User <user name>
    Group <group name>
    e.g.
    User http-web
    Group http-web
Purpose: Set the account Apache runs as. By default Apache runs as the daemon user and group; a non-default account is recommended.

Setting (replace /your/document/root with the site's document root):
    <Directory />
        Order Deny,Allow
        Deny from all
        Options None
        AllowOverride None
    </Directory>
    <Directory /your/document/root>
        Order Allow,Deny
        Allow from all
    </Directory>
Purpose: Allow Apache to serve only the web document root.

Setting:
    <Directory /your/document/root>
        Options -Indexes
    </Directory>
Purpose: Disable directory listing.

Setting:
    <Directory /your/document/root>
        Options -ExecCGI -Includes
    </Directory>
Purpose: Restrict unwanted services.

Setting:
    Enable the mod_log_config module and set the log format:
    LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" detailed
    Specify the log file location:
    CustomLog logs/access.log detailed
Purpose: Enable logging.

Setting:
    Disable unneeded LoadModule lines by prefixing them with #.
Purpose: Enable only the modules you need. For example, the following are usually enabled but usually not needed: mod_imap, mod_include, mod_info, mod_userdir, mod_autoindex.
Security modules
Mod_Security
Description: ModSecurity WAF is an open-source module that works as a web application firewall. It provides filtering, server identity masking and null-byte attack prevention, and can also perform real-time traffic monitoring. It can block SQL Injection and Cross-site Scripting attacks (Note 1).
This module was developed by Ivan Ristic, author of the O'Reilly book "Apache Security".
Installation (RHEL/CentOS/Fedora):
    # yum install mod_security
    # /etc/init.d/httpd restart
Installation (Ubuntu/Debian):
    $ sudo apt-get install libapache2-modsecurity
    $ sudo a2enmod mod-security
    $ sudo /etc/init.d/apache2 force-reload
ModSecurity setting:
    SecChrootDir /chroot/apache
Run Apache in a chroot environment: chroot lets you run a program in its own isolated jail. See the mod_security documentation for details.
Mod_evasive
Description: mod_evasive limits the damage a DDoS attack can do and lets Apache cope with HTTP brute-force, DoS and DDoS attacks. It detects an attack in three ways: when the same page is requested more than a few times per second, when a child process tries to make more than 50 concurrent requests, and when an IP address keeps making new requests while it is temporarily blacklisted.
See "Protect Apache Against Brute Force or DDoS Attacks Using Mod_Security and Mod_evasive Modules" for details.
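Added example (not from the post or from mod_evasive itself): an offline check that applies mod_evasive's first detection rule to an access.log written in the "detailed" LogFormat from the table above, keyed per client address and page as mod_evasive does. The log lines are constructed sample data; the addresses are documentation ranges, not real clients.

```shell
#!/bin/sh
# Constructed sample access.log lines in the memo's "detailed" LogFormat:
# %h %l %u %t "%r" %>s %b "%{Referer}i" "%{User-Agent}i"
SAMPLE_LOG='203.0.113.7 - - [13/Apr/2021:10:00:01 +0800] "GET /login.php HTTP/1.1" 200 512 "-" "curl/7.68.0"
203.0.113.7 - - [13/Apr/2021:10:00:01 +0800] "GET /login.php HTTP/1.1" 200 512 "-" "curl/7.68.0"
203.0.113.7 - - [13/Apr/2021:10:00:01 +0800] "GET /login.php?x=1 HTTP/1.1" 200 512 "-" "curl/7.68.0"
198.51.100.2 - - [13/Apr/2021:10:00:01 +0800] "GET /index.html HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
198.51.100.2 - - [13/Apr/2021:10:00:02 +0800] "GET /style.css HTTP/1.1" 200 300 "http://example.com/" "Mozilla/5.0"
203.0.113.7 - - [13/Apr/2021:10:00:02 +0800] "GET /login.php HTTP/1.1" 200 512 "-" "curl/7.68.0"'

# flag_page_bursts THRESHOLD  (reads an access.log on stdin)
# Prints "client page second count" for every (client, page, second) tuple whose
# request count exceeds THRESHOLD, i.e. mod_evasive's first rule applied to a log.
# Usage on a real server: flag_page_bursts 2 < /var/log/httpd/access.log
flag_page_bursts() {
    awk -v thr="$1" '
    {
        ip = $1
        ts = $4                  # "[13/Apr/2021:10:00:01" from %t
        sub(/^\[/, "", ts)       # keep the second-resolution timestamp
        page = $7                # request path; $6 is the method from "%r"
        sub(/[?].*/, "", page)   # count the page, not each distinct query string
        count[ip " " page " " ts]++
    }
    END {
        for (k in count) if (count[k] > thr) print k, count[k]
    }' | sort
}
```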
Other security items
1. Keep Apache at the latest version
   a. Check the Apache version: httpd -v
   b. Update Apache to the latest version: yum update httpd / apt-get install apache2
2. Install the latest Apache security patches. The Apache Security Vulnerabilities page lists bug fixes and related updates.
3. Allow only the root account to access Apache's configuration and binary directories. Make sure only "root" has read access to Apache's config and binaries; e.g. with the Apache server root at /usr/local/apache:
    chown -R root:root /usr/local/apache
    chmod -R o-rwx /usr/local/apache
   From the Apache website:
    cd /usr/local/apache
    chown 0 . bin conf logs
    chgrp 0 . bin conf logs
    chmod 755 . bin conf logs
4. Securing Apache with SSL certificates. Installation (self-signed certificate for example.com; the file names below are kept consistent across the three steps):
    # openssl genrsa -des3 -out example.com.key 1024
    # openssl req -new -key example.com.key -out example.com.csr
    # openssl x509 -req -days 365 -in example.com.csr -signkey example.com.key -out example.com.crt
   Note that a 1024-bit RSA key is below the 2048-bit minimum that public CAs require today; use at least 2048 bits for anything other than a local test.
   Example httpd.conf settings:
    <VirtualHost 172.16.25.125:443>
        SSLEngine on
        SSLCertificateFile /etc/pki/tls/certs/example.com.crt
        SSLCertificateKeyFile /etc/pki/tls/certs/example.com.key
        SSLCertificateChainFile /etc/pki/tls/certs/sf_bundle.crt
        ServerAdmin ravi.saive@example.com
        ServerName example.com
        DocumentRoot /var/www/html/example/
        ErrorLog /var/log/httpd/example.com-error_log
        CustomLog /var/log/httpd/example.com-access_log common
    </VirtualHost>
Resource limit settings (help mitigate DDoS attacks)

Setting:
    LimitRequestBody 1048576
    LimitXMLRequestBody 10485760
    For other limits see the official Apache configuration documentation: LimitRequestFields, LimitRequestFieldSize, LimitRequestLine.
Purpose: Limit the size of HTTP requests and XML requests; do not exceed 1MB (1048576 bytes).

Setting:
    MaxClients
    Decide these limits according to memory, operating system and CPU. Others include MaxSpareServers, MaxRequestsPerChild, and on Apache2 ThreadsPerChild, ServerLimit and MaxSpareThreads.
Purpose: Limit the maximum number of concurrent requests.

Setting:
    MaxKeepAliveRequests (default 100)
    KeepAliveTimeout (default 15)
Purpose: Tune the KeepAlive settings to improve performance; analyze the logs to decide the values.

Setting (by network range, or by IP address):
    <Directory /your/document/root>
        Order Deny,Allow
        Deny from all
        Allow from 176.16.0.0/16
    </Directory>
    Or by IP:
    <Directory /your/document/root>
        Order Deny,Allow
        Deny from all
        Allow from 127.0.0.1
    </Directory>
Purpose: Restrict access to the site to a specific network range or IP addresses.
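Added example (not from the post or any of its sources): a POSIX shell audit that reads an httpd.conf on stdin and reports which items from the basic-settings and resource-limit tables above are missing or still enabled. The two sample configurations are constructed; WEAK_CONF mirrors leaky defaults and HARDENED_CONF mirrors this memo's settings.

```shell
#!/bin/sh
# Constructed sample configs: WEAK_CONF has the leaky defaults, HARDENED_CONF
# applies this memo's settings (neither comes from a real server).
WEAK_CONF='ServerTokens Full
ServerSignature On
LoadModule info_module modules/mod_info.so
<Location /server-status>
    SetHandler server-status
</Location>
<Directory "/var/www/html">
    Options Indexes FollowSymLinks ExecCGI
</Directory>'
HARDENED_CONF='ServerTokens Prod
ServerSignature Off
#LoadModule info_module modules/mod_info.so
#<Location /server-status>
#    SetHandler server-status
#</Location>
<Directory "/var/www/html">
    Options -Indexes -ExecCGI -Includes
</Directory>
LimitRequestBody 1048576'
# audit_httpd_conf < httpd.conf
# Prints one "FINDING: ..." line per hardening item that is missing or still
# enabled, then the number of findings as the last line (0 means clean).
audit_httpd_conf() {
    conf=$(sed 's/#.*//')            # strip comments so disabled lines do not count
    findings=0
    note() { echo "FINDING: $1"; findings=$((findings + 1)); }
    has() { printf '%s\n' "$conf" | grep -Eiq "$1"; }
    has '^[[:space:]]*ServerTokens[[:space:]]+Prod' \
        || note "ServerTokens is not Prod (version leaks in the Server header)"
    has '^[[:space:]]*ServerSignature[[:space:]]+Off' \
        || note "ServerSignature is not Off (version leaks in error pages)"
    has '^[[:space:]]*LoadModule[[:space:]]+info_module' \
        && note "mod_info is loaded (server-info exposes the configuration)"
    has 'SetHandler[[:space:]]+server-status' \
        && note "server-status handler is active"
    # An Options token is enabled unless it carries a leading '-'
    has '^[[:space:]]*Options([[:space:]]+[^[:space:]]+)*[[:space:]]+[+]?Indexes' \
        && note "directory listing (Options Indexes) is enabled"
    has '^[[:space:]]*Options([[:space:]]+[^[:space:]]+)*[[:space:]]+[+]?(ExecCGI|Includes)' \
        && note "ExecCGI or Includes is enabled"
    has '^[[:space:]]*LimitRequestBody[[:space:]]+[0-9]+' \
        || note "LimitRequestBody is not set (request body size is unbounded)"
    echo "$findings"
}
```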
Note 1: ModSecurity
ModSecurity is an open-source module that works as a web application firewall. Different functionalities include filtering, server identity masking, and null-byte attack prevention. This module also lets you perform real-time traffic monitoring.
We recommend that you follow the ModSecurity manual to install mod_security to improve your web server security and protect against a multitude of attacks including distributed denial of service attacks (DDOS). You can also temporarily use ModSecurity to protect against certain attacks like SQL Injection and Cross-site Scripting until vulnerabilities are fixed by the developer.
mod_security is a super handy Apache module written by Ivan Ristic, the author of Apache Security from O'Reilly press.
Sources:
1. Apache Security – 10 Tips for a Secure Installation
2. 20 ways to Secure your Apache Configuration
3. 13 Apache Web Server Security and Hardening Tips (*** very detailed)
4. Apache website: Security Tips - Apache HTTP Server Version 2.4 (not yet incorporated)
5. Apache Web Server Hardening and Security Guide (not yet incorporated)