4ab980a06412fd86f52a6d054fb7e26de155c530erikabele<!DOCTYPE manualpage SYSTEM "/style/manualpage.dtd">
4ab980a06412fd86f52a6d054fb7e26de155c530erikabele<?xml-stylesheet type="text/xsl" href="/style/manual.en.xsl"?>
5f5d1b4cc970b7f06ff8ef6526128e9a27303d88nd<!-- $LastChangedRevision$ -->
db479b48bd4d75423ed4a45e15b75089d1a8ad72fielding Licensed to the Apache Software Foundation (ASF) under one or more
db479b48bd4d75423ed4a45e15b75089d1a8ad72fielding contributor license agreements. See the NOTICE file distributed with
db479b48bd4d75423ed4a45e15b75089d1a8ad72fielding this work for additional information regarding copyright ownership.
db479b48bd4d75423ed4a45e15b75089d1a8ad72fielding The ASF licenses this file to You under the Apache License, Version 2.0
db479b48bd4d75423ed4a45e15b75089d1a8ad72fielding (the "License"); you may not use this file except in compliance with
db479b48bd4d75423ed4a45e15b75089d1a8ad72fielding the License. You may obtain a copy of the License at
1aa933455fcd538b1ee573f4566e1a78a89fce77nd Unless required by applicable law or agreed to in writing, software
1aa933455fcd538b1ee573f4566e1a78a89fce77nd distributed under the License is distributed on an "AS IS" BASIS,
1aa933455fcd538b1ee573f4566e1a78a89fce77nd WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
1aa933455fcd538b1ee573f4566e1a78a89fce77nd See the License for the specific language governing permissions and
1aa933455fcd538b1ee573f4566e1a78a89fce77nd limitations under the License.
3577f1d38e53397f6b431c02011f875316b2f070nd <parentdocument href="./">Miscellaneous Documentation</parentdocument>
ad93f15b0bef55041347cdbad447d94296eb89f2nilgun <p>Some hints and tips on security issues in setting up a web server.
4ab980a06412fd86f52a6d054fb7e26de155c530erikabele Some of the suggestions will be general, others specific to Apache.</p>
5d7e5de2da57434c8e68c8fa49cbf6d70ee0f817slive <p>The Apache HTTP Server has a good record for security and a
5d7e5de2da57434c8e68c8fa49cbf6d70ee0f817slive developer community highly concerned about security issues. But
5d7e5de2da57434c8e68c8fa49cbf6d70ee0f817slive it is inevitable that some problems -- small or large -- will be
5d7e5de2da57434c8e68c8fa49cbf6d70ee0f817slive discovered in software after it is released. For this reason, it
5d7e5de2da57434c8e68c8fa49cbf6d70ee0f817slive is crucial to keep aware of updates to the software. If you have
5d7e5de2da57434c8e68c8fa49cbf6d70ee0f817slive obtained your version of the HTTP Server directly from Apache, we
5d7e5de2da57434c8e68c8fa49cbf6d70ee0f817slive highly recommend you subscribe to the <a
5d7e5de2da57434c8e68c8fa49cbf6d70ee0f817slive href="http://httpd.apache.org/lists.html#http-announce">Apache
5d7e5de2da57434c8e68c8fa49cbf6d70ee0f817slive HTTP Server Announcements List</a> where you can keep informed of
5d7e5de2da57434c8e68c8fa49cbf6d70ee0f817slive new releases and security updates. Similar services are available
5d7e5de2da57434c8e68c8fa49cbf6d70ee0f817slive from most third-party distributors of Apache software.</p>
5d7e5de2da57434c8e68c8fa49cbf6d70ee0f817slive <p>Of course, most times that a web server is compromised, it is
5d7e5de2da57434c8e68c8fa49cbf6d70ee0f817slive not because of problems in the HTTP Server code. Rather, it comes
5d7e5de2da57434c8e68c8fa49cbf6d70ee0f817slive from problems in add-on code, CGI scripts, or the underlying
5d7e5de2da57434c8e68c8fa49cbf6d70ee0f817slive Operating System. You must therefore stay aware of problems and
5d7e5de2da57434c8e68c8fa49cbf6d70ee0f817slive updates with all the software on your system.</p>
06d77ae37da42a6f8bbea25b7d7f8b6629245629slive <p>All network servers can be subject to denial of service attacks
aa8cf57195dfb7fa3d0baedf81f8be377946cea8slive that attempt to prevent responses to clients by tying up the
aa8cf57195dfb7fa3d0baedf81f8be377946cea8slive resources of the server. It is not possible to prevent such
aa8cf57195dfb7fa3d0baedf81f8be377946cea8slive attacks entirely, but you can do certain things to mitigate the
aa8cf57195dfb7fa3d0baedf81f8be377946cea8slive problems that they create.</p>
c6f41bc69d643835804e7e831776d3d46c6f5962slive <p>Often the most effective anti-DoS tool will be a firewall or
c6f41bc69d643835804e7e831776d3d46c6f5962slive other operating-system configurations. For example, most
c6f41bc69d643835804e7e831776d3d46c6f5962slive firewalls can be configured to restrict the number of simultaneous
c6f41bc69d643835804e7e831776d3d46c6f5962slive connections from any individual IP address or network, thus
d7604f90897d9b08b227c127ff5392393178911crpluem preventing a range of simple attacks. Of course this is no help
d7604f90897d9b08b227c127ff5392393178911crpluem against Distributed Denial of Service attacks (DDoS).</p>
aa8cf57195dfb7fa3d0baedf81f8be377946cea8slive <p>There are also certain Apache HTTP Server configuration
aa8cf57195dfb7fa3d0baedf81f8be377946cea8slive settings that can help mitigate problems:</p>
263168fdb45221efa79580de89bdde883b7561f7sf <li>The <directive module="mod_reqtimeout">RequestReadTimeout</directive>
263168fdb45221efa79580de89bdde883b7561f7sf directive allows to limit the time a client may take to send the
263168fdb45221efa79580de89bdde883b7561f7sf request.</li>
aa8cf57195dfb7fa3d0baedf81f8be377946cea8slive <li>The <directive module="core">TimeOut</directive> directive
aa8cf57195dfb7fa3d0baedf81f8be377946cea8slive should be lowered on sites that are subject to DoS attacks.
d7604f90897d9b08b227c127ff5392393178911crpluem Setting this to as low as a few seconds may be appropriate.
d7604f90897d9b08b227c127ff5392393178911crpluem As <directive module="core">TimeOut</directive> is currently
d7604f90897d9b08b227c127ff5392393178911crpluem used for several different operations, setting it to a low value
d7604f90897d9b08b227c127ff5392393178911crpluem introduces problems with long running CGI scripts.</li>
d7604f90897d9b08b227c127ff5392393178911crpluem <li>The <directive module="core">KeepAliveTimeout</directive>
d7604f90897d9b08b227c127ff5392393178911crpluem directive may be also lowered on sites that are subject to DoS
d7604f90897d9b08b227c127ff5392393178911crpluem attacks. Some sites even turn off the keepalives completely via
d7604f90897d9b08b227c127ff5392393178911crpluem <directive module="core">KeepAlive</directive>, which has of course
d7604f90897d9b08b227c127ff5392393178911crpluem other drawbacks on performance.</li>
d7604f90897d9b08b227c127ff5392393178911crpluem <li>The values of various timeout-related directives provided by
d7604f90897d9b08b227c127ff5392393178911crpluem other modules should be checked.</li>
ad93f15b0bef55041347cdbad447d94296eb89f2nilgun <li>The directives
c6f41bc69d643835804e7e831776d3d46c6f5962slive <directive module="core">LimitRequestBody</directive>,
c6f41bc69d643835804e7e831776d3d46c6f5962slive <directive module="core">LimitRequestFields</directive>,
06d77ae37da42a6f8bbea25b7d7f8b6629245629slive <directive module="core">LimitRequestFieldSize</directive>,
c6f41bc69d643835804e7e831776d3d46c6f5962slive <directive module="core">LimitRequestLine</directive>, and
c6f41bc69d643835804e7e831776d3d46c6f5962slive <directive module="core">LimitXMLRequestBody</directive>
c6f41bc69d643835804e7e831776d3d46c6f5962slive should be carefully configured to limit resource consumption
c6f41bc69d643835804e7e831776d3d46c6f5962slive triggered by client input.</li>
aa8cf57195dfb7fa3d0baedf81f8be377946cea8slive <li>On operating systems that support it, make sure that you use
c6f41bc69d643835804e7e831776d3d46c6f5962slive the <directive module="core">AcceptFilter</directive> directive
aa8cf57195dfb7fa3d0baedf81f8be377946cea8slive to offload part of the request processing to the operating
aa8cf57195dfb7fa3d0baedf81f8be377946cea8slive system. This is active by default in Apache httpd, but may
aa8cf57195dfb7fa3d0baedf81f8be377946cea8slive require reconfiguration of your kernel.</li>
3fa816e4832a1c70600bdfd6fc5ef60e9f1c18bbsf module="mpm_common">MaxRequestWorkers</directive> directive to allow
aa8cf57195dfb7fa3d0baedf81f8be377946cea8slive the server to handle the maximum number of simultaneous
aa8cf57195dfb7fa3d0baedf81f8be377946cea8slive connections without running out of resources. See also the <a
aa8cf57195dfb7fa3d0baedf81f8be377946cea8slive href="perf-tuning.html">performance tuning
aa8cf57195dfb7fa3d0baedf81f8be377946cea8slive <li>The use of a threaded <a href="/mpm.html">mpm</a> may
aa8cf57195dfb7fa3d0baedf81f8be377946cea8slive allow you to handle more simultaneous connections, thereby
7a98571671f92e53441bf24a0222768072172f90coar mitigating DoS attacks. Further, the
aa8cf57195dfb7fa3d0baedf81f8be377946cea8slive uses asynchronous processing to avoid devoting a thread to each
67f57b90aea98fc792b6c6e67bd27ee35f7d026bigalic connection. Due to the nature of the OpenSSL library the
ad93f15b0bef55041347cdbad447d94296eb89f2nilgun <module>event</module> mpm is currently incompatible with
fb8e9fe6c16732646511fb8050845a14e726be19jailletc <module>mod_ssl</module> and other input filters. In these
67f57b90aea98fc792b6c6e67bd27ee35f7d026bigalic cases it falls back to the behaviour of the
aa8cf57195dfb7fa3d0baedf81f8be377946cea8slive <li>There are a number of third-party modules available through
aa8cf57195dfb7fa3d0baedf81f8be377946cea8slive href="http://modules.apache.org/">http://modules.apache.org/</a>
aa8cf57195dfb7fa3d0baedf81f8be377946cea8slive that can restrict certain client behaviors and thereby mitigate
aa8cf57195dfb7fa3d0baedf81f8be377946cea8slive DoS problems.</li>
4ab980a06412fd86f52a6d054fb7e26de155c530erikabele <title>Permissions on ServerRoot Directories</title>
ad93f15b0bef55041347cdbad447d94296eb89f2nilgun <p>In typical operation, Apache is started by the root user, and it
ad93f15b0bef55041347cdbad447d94296eb89f2nilgun switches to the user defined by the <directive
be53b26ab84a854da3111caf7b06585078222280rbowen module="mod_unixd">User</directive> directive to serve hits. As is the
ad93f15b0bef55041347cdbad447d94296eb89f2nilgun case with any command that root executes, you must take care that it is
ad93f15b0bef55041347cdbad447d94296eb89f2nilgun protected from modification by non-root users. Not only must the files
ad93f15b0bef55041347cdbad447d94296eb89f2nilgun themselves be writeable only by root, but so must the directories, and
ad93f15b0bef55041347cdbad447d94296eb89f2nilgun parents of all directories. For example, if you choose to place
ad93f15b0bef55041347cdbad447d94296eb89f2nilgun ServerRoot in <code>/usr/local/apache</code> then it is suggested that
ad93f15b0bef55041347cdbad447d94296eb89f2nilgun you create that directory as root, with commands like these:</p>
4ab980a06412fd86f52a6d054fb7e26de155c530erikabele mkdir bin conf logs <br />
4ab980a06412fd86f52a6d054fb7e26de155c530erikabele chown 0 . bin conf logs <br />
4ab980a06412fd86f52a6d054fb7e26de155c530erikabele chgrp 0 . bin conf logs <br />
4ab980a06412fd86f52a6d054fb7e26de155c530erikabele chmod 755 . bin conf logs
ad93f15b0bef55041347cdbad447d94296eb89f2nilgun <p>It is assumed that <code>/</code>, <code>/usr</code>, and
ad93f15b0bef55041347cdbad447d94296eb89f2nilgun <code>/usr/local</code> are only modifiable by root. When you install the
ad93f15b0bef55041347cdbad447d94296eb89f2nilgun <program>httpd</program> executable, you should ensure that it is
ad93f15b0bef55041347cdbad447d94296eb89f2nilgun similarly protected:</p>
ad93f15b0bef55041347cdbad447d94296eb89f2nilgun <p>You can create an htdocs subdirectory which is modifiable by other
ad93f15b0bef55041347cdbad447d94296eb89f2nilgun users -- since root never executes any files out of there, and shouldn't
4ab980a06412fd86f52a6d054fb7e26de155c530erikabele be creating files in there.</p>
ad93f15b0bef55041347cdbad447d94296eb89f2nilgun <p>If you allow non-root users to modify any files that root either
ad93f15b0bef55041347cdbad447d94296eb89f2nilgun executes or writes on then you open your system to root compromises.
a1ef40892ffa2b44fc249423c5b6c42a74a84c68nd For example, someone could replace the <program>httpd</program> binary so
a1ef40892ffa2b44fc249423c5b6c42a74a84c68nd that the next time you start it, it will execute some arbitrary code. If
a1ef40892ffa2b44fc249423c5b6c42a74a84c68nd the logs directory is writeable (by a non-root user), someone could replace
ad93f15b0bef55041347cdbad447d94296eb89f2nilgun a log file with a symlink to some other system file, and then root
ad93f15b0bef55041347cdbad447d94296eb89f2nilgun might overwrite that file with arbitrary data. If the log files
ad93f15b0bef55041347cdbad447d94296eb89f2nilgun themselves are writeable (by a non-root user), then someone may be
4ab980a06412fd86f52a6d054fb7e26de155c530erikabele able to overwrite the log itself with bogus data.</p>
ad93f15b0bef55041347cdbad447d94296eb89f2nilgun <p>Server Side Includes (SSI) present a server administrator with
4ab980a06412fd86f52a6d054fb7e26de155c530erikabele several potential security risks.</p>
ad93f15b0bef55041347cdbad447d94296eb89f2nilgun <p>The first risk is the increased load on the server. All
ad93f15b0bef55041347cdbad447d94296eb89f2nilgun SSI-enabled files have to be parsed by Apache, whether or not
ad93f15b0bef55041347cdbad447d94296eb89f2nilgun there are any SSI directives included within the files. While this
ad93f15b0bef55041347cdbad447d94296eb89f2nilgun load increase is minor, in a shared server environment it can become
4ab980a06412fd86f52a6d054fb7e26de155c530erikabele significant.</p>
ad93f15b0bef55041347cdbad447d94296eb89f2nilgun <p>SSI files also pose the same risks that are associated with CGI
ad93f15b0bef55041347cdbad447d94296eb89f2nilgun scripts in general. Using the <code>exec cmd</code> element, SSI-enabled
ad93f15b0bef55041347cdbad447d94296eb89f2nilgun files can execute any CGI script or program under the permissions of the
ad93f15b0bef55041347cdbad447d94296eb89f2nilgun user and group Apache runs as, as configured in
ad93f15b0bef55041347cdbad447d94296eb89f2nilgun <p>There are ways to enhance the security of SSI files while still
4ab980a06412fd86f52a6d054fb7e26de155c530erikabele taking advantage of the benefits they provide.</p>
ad93f15b0bef55041347cdbad447d94296eb89f2nilgun <p>To isolate the damage a wayward SSI file can cause, a server
ad93f15b0bef55041347cdbad447d94296eb89f2nilgun administrator can enable <a href="/suexec.html">suexec</a> as
10a304fc5348d394375b98ae10ca9b137fd10cafkess described in the <a href="#cgi">CGI in General</a> section.</p>
ad93f15b0bef55041347cdbad447d94296eb89f2nilgun <p>Enabling SSI for files with <code>.html</code> or <code>.htm</code>
ad93f15b0bef55041347cdbad447d94296eb89f2nilgun extensions can be dangerous. This is especially true in a shared, or high
ad93f15b0bef55041347cdbad447d94296eb89f2nilgun traffic, server environment. SSI-enabled files should have a separate
ad93f15b0bef55041347cdbad447d94296eb89f2nilgun extension, such as the conventional <code>.shtml</code>. This helps keep
ad93f15b0bef55041347cdbad447d94296eb89f2nilgun server load at a minimum and allows for easier management of risk.</p>
ad93f15b0bef55041347cdbad447d94296eb89f2nilgun <p>Another solution is to disable the ability to run scripts and
4ab980a06412fd86f52a6d054fb7e26de155c530erikabele programs from SSI pages. To do this replace <code>Includes</code>
4ab980a06412fd86f52a6d054fb7e26de155c530erikabele with <code>IncludesNOEXEC</code> in the <directive
ad93f15b0bef55041347cdbad447d94296eb89f2nilgun module="core">Options</directive> directive. Note that users may
ad93f15b0bef55041347cdbad447d94296eb89f2nilgun still use <code><--#include virtual="..." --></code> to execute CGI
ad93f15b0bef55041347cdbad447d94296eb89f2nilgun scripts if these scripts are in directories designated by a <directive
4ab980a06412fd86f52a6d054fb7e26de155c530erikabele module="mod_alias">ScriptAlias</directive> directive.</p>
ad93f15b0bef55041347cdbad447d94296eb89f2nilgun <p>First of all, you always have to remember that you must trust the
ad93f15b0bef55041347cdbad447d94296eb89f2nilgun writers of the CGI scripts/programs or your ability to spot potential
ad93f15b0bef55041347cdbad447d94296eb89f2nilgun security holes in CGI, whether they were deliberate or accidental. CGI
ad93f15b0bef55041347cdbad447d94296eb89f2nilgun scripts can run essentially arbitrary commands on your system with the
ad93f15b0bef55041347cdbad447d94296eb89f2nilgun permissions of the web server user and can therefore be extremely
4ab980a06412fd86f52a6d054fb7e26de155c530erikabele dangerous if they are not carefully checked.</p>
ad93f15b0bef55041347cdbad447d94296eb89f2nilgun <p>All the CGI scripts will run as the same user, so they have potential
ad93f15b0bef55041347cdbad447d94296eb89f2nilgun to conflict (accidentally or deliberately) with other scripts e.g. User
ad93f15b0bef55041347cdbad447d94296eb89f2nilgun A hates User B, so he writes a script to trash User B's CGI database. One
4ab980a06412fd86f52a6d054fb7e26de155c530erikabele program which can be used to allow scripts to run as different users is
ad93f15b0bef55041347cdbad447d94296eb89f2nilgun <a href="/suexec.html">suEXEC</a> which is included with Apache as of
ad93f15b0bef55041347cdbad447d94296eb89f2nilgun 1.2 and is called from special hooks in the Apache server code. Another
ad93f15b0bef55041347cdbad447d94296eb89f2nilgun popular way of doing this is with
8ba6e8ba8d8ad4d8228872d5526fa7295ff43149poirier <a href="http://cgiwrap.sourceforge.net/">CGIWrap</a>.</p>
ad93f15b0bef55041347cdbad447d94296eb89f2nilgun <p>Allowing users to execute CGI scripts in any directory should only be
5d7e5de2da57434c8e68c8fa49cbf6d70ee0f817slive considered if:</p>
ad93f15b0bef55041347cdbad447d94296eb89f2nilgun <li>You trust your users not to write scripts which will deliberately
4ab980a06412fd86f52a6d054fb7e26de155c530erikabele or accidentally expose your system to an attack.</li>
ad93f15b0bef55041347cdbad447d94296eb89f2nilgun <li>You consider security at your site to be so feeble in other areas,
4ab980a06412fd86f52a6d054fb7e26de155c530erikabele as to make one more potential hole irrelevant.</li>
4ab980a06412fd86f52a6d054fb7e26de155c530erikabele <li>You have no users, and nobody ever visits your server.</li>
ad93f15b0bef55041347cdbad447d94296eb89f2nilgun <p>Limiting CGI to special directories gives the admin control over what
ad93f15b0bef55041347cdbad447d94296eb89f2nilgun goes into those directories. This is inevitably more secure than non
ad93f15b0bef55041347cdbad447d94296eb89f2nilgun script aliased CGI, but only if users with write access to the
ad93f15b0bef55041347cdbad447d94296eb89f2nilgun directories are trusted or the admin is willing to test each
4ab980a06412fd86f52a6d054fb7e26de155c530erikabele new CGI script/program for potential security holes.</p>
ad93f15b0bef55041347cdbad447d94296eb89f2nilgun <p>Most sites choose this option over the non script aliased CGI
4ab980a06412fd86f52a6d054fb7e26de155c530erikabele approach.</p>
ad93f15b0bef55041347cdbad447d94296eb89f2nilgun <p>Embedded scripting options which run as part of the server itself,
ad93f15b0bef55041347cdbad447d94296eb89f2nilgun such as <code>mod_php</code>, <code>mod_perl</code>, <code>mod_tcl</code>,
ad93f15b0bef55041347cdbad447d94296eb89f2nilgun and <code>mod_python</code>, run under the identity of the server itself
be53b26ab84a854da3111caf7b06585078222280rbowen (see the <directive module="mod_unixd">User</directive> directive), and
ad93f15b0bef55041347cdbad447d94296eb89f2nilgun therefore scripts executed by these engines potentially can access anything
ad93f15b0bef55041347cdbad447d94296eb89f2nilgun the server user can. Some scripting engines may provide restrictions, but
a3388213b2b4d46b356be205e38204e67b4304d8rbowen it is better to be safe and assume not.</p>
df321386f1d9ed17a3e5e6468807996a12890d50gryzor <p>When setting up dynamic content, such as <code>mod_php</code>,
df321386f1d9ed17a3e5e6468807996a12890d50gryzor <code>mod_perl</code> or <code>mod_python</code>, many security considerations
df321386f1d9ed17a3e5e6468807996a12890d50gryzor get out of the scope of <code>httpd</code> itself, and you need to consult
df321386f1d9ed17a3e5e6468807996a12890d50gryzor documentation from those modules. For example, PHP lets you setup <a
df321386f1d9ed17a3e5e6468807996a12890d50gryzor href="http://www.php.net/manual/en/ini.sect.safe-mode.php">Safe Mode</a>,
df321386f1d9ed17a3e5e6468807996a12890d50gryzor which is most usually disabled by default. Another example is <a
df321386f1d9ed17a3e5e6468807996a12890d50gryzor href="http://www.hardened-php.net/suhosin/">Suhosin</a>, a PHP addon for more
df321386f1d9ed17a3e5e6468807996a12890d50gryzor security. For more information about those, consult each project
df321386f1d9ed17a3e5e6468807996a12890d50gryzor documentation.</p>
df321386f1d9ed17a3e5e6468807996a12890d50gryzor <p>At the Apache level, a module named <a href="http://modsecurity.org/">mod_security</a>
df321386f1d9ed17a3e5e6468807996a12890d50gryzor can be seen as a HTTP firewall and, provided you configure it finely enough,
df321386f1d9ed17a3e5e6468807996a12890d50gryzor can help you enhance your dynamic content security.</p>
ad93f15b0bef55041347cdbad447d94296eb89f2nilgun <p>To run a really tight ship, you'll want to stop users from setting
ad93f15b0bef55041347cdbad447d94296eb89f2nilgun up <code>.htaccess</code> files which can override security features
4ab980a06412fd86f52a6d054fb7e26de155c530erikabele you've configured. Here's one way to do it.</p>
1f1b6bf13313fdd14a45e52e553d3ff28689b717coar<Directory "/">
188629185b3dcdb7856d000373166e3f0b131187humbedooh AllowOverride None
188629185b3dcdb7856d000373166e3f0b131187humbedooh</Directory>
b3c1e4e5b0fc67887a85bc388c16949a21e66f51humbedooh </highlight>
ad93f15b0bef55041347cdbad447d94296eb89f2nilgun <p>This prevents the use of <code>.htaccess</code> files in all
4ab980a06412fd86f52a6d054fb7e26de155c530erikabele directories apart from those specifically enabled.</p>
fb8e9fe6c16732646511fb8050845a14e726be19jailletc <p>Note that this setting is the default since Apache 2.3.9.</p>
ad93f15b0bef55041347cdbad447d94296eb89f2nilgun <p>One aspect of Apache which is occasionally misunderstood is the
ad93f15b0bef55041347cdbad447d94296eb89f2nilgun feature of default access. That is, unless you take steps to change it,
ad93f15b0bef55041347cdbad447d94296eb89f2nilgun if the server can find its way to a file through normal URL mapping
4ab980a06412fd86f52a6d054fb7e26de155c530erikabele rules, it can serve it to clients.</p>
4ab980a06412fd86f52a6d054fb7e26de155c530erikabele <p>For instance, consider the following example:</p>
4ab980a06412fd86f52a6d054fb7e26de155c530erikabele # cd /; ln -s / public_html <br />
ad93f15b0bef55041347cdbad447d94296eb89f2nilgun <p>This would allow clients to walk through the entire filesystem. To
ad93f15b0bef55041347cdbad447d94296eb89f2nilgun work around this, add the following block to your server's
4ab980a06412fd86f52a6d054fb7e26de155c530erikabele configuration:</p>
1f1b6bf13313fdd14a45e52e553d3ff28689b717coar<Directory "/">
8c2f1f25121a96f35a3b95912fdd85586513c80ehumbedooh Require all denied
188629185b3dcdb7856d000373166e3f0b131187humbedooh</Directory>
b3c1e4e5b0fc67887a85bc388c16949a21e66f51humbedooh </highlight>
ad93f15b0bef55041347cdbad447d94296eb89f2nilgun <p>This will forbid default access to filesystem locations. Add
ad93f15b0bef55041347cdbad447d94296eb89f2nilgun appropriate <directive module="core">Directory</directive> blocks to
4ab980a06412fd86f52a6d054fb7e26de155c530erikabele allow access only in those areas you wish. For example,</p>
8c2f1f25121a96f35a3b95912fdd85586513c80ehumbedooh Require all granted
188629185b3dcdb7856d000373166e3f0b131187humbedooh</Directory>
8c2f1f25121a96f35a3b95912fdd85586513c80ehumbedooh Require all granted
188629185b3dcdb7856d000373166e3f0b131187humbedooh</Directory>
b3c1e4e5b0fc67887a85bc388c16949a21e66f51humbedooh </highlight>
4ab980a06412fd86f52a6d054fb7e26de155c530erikabele <p>Pay particular attention to the interactions of <directive
ad93f15b0bef55041347cdbad447d94296eb89f2nilgun module="core">Directory</directive> directives; for instance, even
1f1b6bf13313fdd14a45e52e553d3ff28689b717coar if <code><Directory "/"></code> denies access, a <code>
1f1b6bf13313fdd14a45e52e553d3ff28689b717coar <Location "/"></code> directive might overturn it.</p>
4ab980a06412fd86f52a6d054fb7e26de155c530erikabele <p>Also be wary of playing games with the <directive
ad93f15b0bef55041347cdbad447d94296eb89f2nilgun module="mod_userdir">UserDir</directive> directive; setting it to
ad93f15b0bef55041347cdbad447d94296eb89f2nilgun something like <code>./</code> would have the same effect, for root, as
13dd6a45ad3051c84a03bfbc88f0e314a5322ed6rbowen the first example above. We strongly
ad93f15b0bef55041347cdbad447d94296eb89f2nilgun recommend that you include the following line in your server
4ab980a06412fd86f52a6d054fb7e26de155c530erikabele configuration files:</p>
7a98571671f92e53441bf24a0222768072172f90coarUserDir disabled root
7a98571671f92e53441bf24a0222768072172f90coar </highlight>
ad93f15b0bef55041347cdbad447d94296eb89f2nilgun <p>To keep up-to-date with what is actually going on against your server
ad93f15b0bef55041347cdbad447d94296eb89f2nilgun you have to check the <a href="/logs.html">Log Files</a>. Even though
ad93f15b0bef55041347cdbad447d94296eb89f2nilgun the log files only reports what has already happened, they will give you
ad93f15b0bef55041347cdbad447d94296eb89f2nilgun some understanding of what attacks is thrown against the server and
2c44e52ec852d7d8392068fd13a1d8d8a4e830c1kess allow you to check if the necessary level of security is present.</p>
4ab980a06412fd86f52a6d054fb7e26de155c530erikabele grep -c "/jsp/source.jsp?/jsp/ /jsp/source.jsp??" access_log <br />
4ab980a06412fd86f52a6d054fb7e26de155c530erikabele grep "client denied" error_log | tail -n 10
4ab980a06412fd86f52a6d054fb7e26de155c530erikabele <p>The first example will list the number of attacks trying to exploit the
ad93f15b0bef55041347cdbad447d94296eb89f2nilgun <a href="http://online.securityfocus.com/bid/4876/info/">Apache Tomcat
ad93f15b0bef55041347cdbad447d94296eb89f2nilgun Source.JSP Malformed Request Information Disclosure Vulnerability</a>,
4ab980a06412fd86f52a6d054fb7e26de155c530erikabele the second example will list the ten last denied clients, for example:</p>
ad93f15b0bef55041347cdbad447d94296eb89f2nilgun [Thu Jul 11 17:18:39 2002] [error] [client foo.example.com] client denied
4ab980a06412fd86f52a6d054fb7e26de155c530erikabele by server configuration: /usr/local/apache/htdocs/.htpasswd
ad93f15b0bef55041347cdbad447d94296eb89f2nilgun <p>As you can see, the log files only report what already has happened, so
ad93f15b0bef55041347cdbad447d94296eb89f2nilgun if the client had been able to access the <code>.htpasswd</code> file you
4ab980a06412fd86f52a6d054fb7e26de155c530erikabele would have seen something similar to:</p>
e8811b6d38f756b325446ded5d96857d13856511takashi foo.example.com - - [12/Jul/2002:01:59:13 +0200] "GET /.htpasswd HTTP/1.1"
ad93f15b0bef55041347cdbad447d94296eb89f2nilgun <p>in your <a href="/logs.html#accesslog">Access Log</a>. This means
ad93f15b0bef55041347cdbad447d94296eb89f2nilgun you probably commented out the following in your server configuration
188629185b3dcdb7856d000373166e3f0b131187humbedooh<Files ".ht*">
8c2f1f25121a96f35a3b95912fdd85586513c80ehumbedooh Require all denied
188629185b3dcdb7856d000373166e3f0b131187humbedooh</Files>
b3c1e4e5b0fc67887a85bc388c16949a21e66f51humbedooh </highlight>
bd43fc31993cfc191e744a9490481f4294894099covener <p> The merging of configuration sections is complicated and sometimes
bd43fc31993cfc191e744a9490481f4294894099covener directive specific. Always test your changes when creating dependencies
bd43fc31993cfc191e744a9490481f4294894099covener on how directives are merged.</p>
7a98571671f92e53441bf24a0222768072172f90coar <p> For modules that don't implement any merging logic, such as
bd43fc31993cfc191e744a9490481f4294894099covener <directive>mod_access_compat</directive>, the behavior in later sections
bd43fc31993cfc191e744a9490481f4294894099covener depends on whether the later section has any directives
7a98571671f92e53441bf24a0222768072172f90coar from the module. The configuration is inherited until a change is made,
bd43fc31993cfc191e744a9490481f4294894099covener at which point the configuration is <em>replaced</em> and not merged.</p>
4ab980a06412fd86f52a6d054fb7e26de155c530erikabele</manualpage>