security_tips.xml revision 8ba6e8ba8d8ad4d8228872d5526fa7295ff43149
<?xml version="1.0" encoding="UTF-8" ?>
<!DOCTYPE manualpage SYSTEM "/style/manualpage.dtd">
<?xml-stylesheet type="text/xsl" href="/style/manual.en.xsl"?>
<!-- $LastChangedRevision$ -->

<!--
 Licensed to the Apache Software Foundation (ASF) under one or more
 contributor license agreements. See the NOTICE file distributed with
 this work for additional information regarding copyright ownership.
 The ASF licenses this file to You under the Apache License, Version 2.0
 (the "License"); you may not use this file except in compliance with
 the License. You may obtain a copy of the License at

 http://www.apache.org/licenses/LICENSE-2.0

 Unless required by applicable law or agreed to in writing, software
 distributed under the License is distributed on an "AS IS" BASIS,
 WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 See the License for the specific language governing permissions and
 limitations under the License.
-->

<manualpage metafile="security_tips.xml.meta">
 <parentdocument href="./">Miscellaneous Documentation</parentdocument>

 <title>Security Tips</title>

 <summary>
 <p>Some hints and tips on security issues in setting up a web server.
 Some of the suggestions will be general, others specific to Apache.</p>
 </summary>

 <section id="uptodate"><title>Keep up to Date</title>

 <p>The Apache HTTP Server has a good record for security and a
 developer community highly concerned about security issues. But
 it is inevitable that some problems -- small or large -- will be
 discovered in software after it is released. For this reason, it
 is crucial to keep aware of updates to the software. If you have
 obtained your version of the HTTP Server directly from Apache, we
 highly recommend you subscribe to the <a
 href="http://httpd.apache.org/lists.html#http-announce">Apache
 HTTP Server Announcements List</a> where you can keep informed of
 new releases and security updates. Similar services are available
 from most third-party distributors of Apache software.</p>

 <p>Of course, most times that a web server is compromised, it is
 not because of problems in the HTTP Server code. Rather, it comes
 from problems in add-on code, CGI scripts, or the underlying
 Operating System. You must therefore stay aware of problems and
 updates with all the software on your system.</p>

 </section>

 <section id="dos">

 <title>Denial of Service (DoS) attacks</title>

 <p>All network servers can be subject to denial of service attacks
 that attempt to prevent responses to clients by tying up the
 resources of the server. It is not possible to prevent such
 attacks entirely, but you can do certain things to mitigate the
 problems that they create.</p>

 <p>Often the most effective anti-DoS tool will be a firewall or
 other operating-system configurations. For example, most
 firewalls can be configured to restrict the number of simultaneous
 connections from any individual IP address or network, thus
 preventing a range of simple attacks. Of course this is no help
 against Distributed Denial of Service attacks (DDoS).</p>

 <p>There are also certain Apache HTTP Server configuration
 settings that can help mitigate problems:</p>

 <ul>
 <li>The <directive module="core">TimeOut</directive> directive
 should be lowered on sites that are subject to DoS attacks.
 Setting this to as low as a few seconds may be appropriate.
 As <directive module="core">TimeOut</directive> is currently
 used for several different operations, setting it to a low value
 introduces problems with long running CGI scripts.</li>

 <li>The <directive module="core">KeepAliveTimeout</directive>
 directive may also be lowered on sites that are subject to DoS
 attacks. Some sites even turn off the keepalives completely via
 <directive module="core">KeepAlive</directive>, which has of course
 other drawbacks on performance.</li>

 <li>The values of various timeout-related directives provided by
 other modules should be checked.</li>

 <li>The directives
 <directive module="core">LimitRequestBody</directive>,
 <directive module="core">LimitRequestFields</directive>,
 <directive module="core">LimitRequestFieldSize</directive>,
 <directive module="core">LimitRequestLine</directive>, and
 <directive module="core">LimitXMLRequestBody</directive>
 should be carefully configured to limit resource consumption
 triggered by client input.</li>

 <li>On operating systems that support it, make sure that you use
 the <directive module="core">AcceptFilter</directive> directive
 to offload part of the request processing to the operating
 system. This is active by default in Apache httpd, but may
 require reconfiguration of your kernel.</li>

 <li>Tune the <directive
 module="mpm_common">MaxClients</directive> directive to allow
 the server to handle the maximum number of simultaneous
 connections without running out of resources. See also the <a
 href="perf-tuning.html">performance tuning
 documentation</a>.</li>

 <li>The use of a threaded <a href="/mpm.html">mpm</a> may
 allow you to handle more simultaneous connections, thereby
 mitigating DoS attacks. Further, the experimental
 <module>event</module> mpm
 uses asynchronous processing to avoid devoting a thread to each
 connection. At the time of writing this
 is work in progress and not fully implemented. In particular, the
 <module>event</module> mpm is currently incompatible with
 <module>mod_ssl</module> and other input filters.</li>

 <li>There are a number of third-party modules available through
 <a
 href="http://modules.apache.org/">http://modules.apache.org/</a>
 that can restrict certain client behaviors and thereby mitigate
 DoS problems.</li>

 </ul>

 </section>


 <section id="serverroot">

 <title>Permissions on ServerRoot Directories</title>

 <p>In typical operation, Apache is started by the root user, and it
 switches to the user defined by the <directive
 module="mpm_common">User</directive> directive to serve hits. As is the
 case with any command that root executes, you must take care that it is
 protected from modification by non-root users. Not only must the files
 themselves be writeable only by root, but so must the directories, and
 parents of all directories. For example, if you choose to place
 ServerRoot in <code>/usr/local/apache</code> then it is suggested that
 you create that directory as root, with commands like these:</p>

 <example>
 mkdir /usr/local/apache <br />
 cd /usr/local/apache <br />
 mkdir bin conf logs <br />
 chown 0 . bin conf logs <br />
 chgrp 0 . bin conf logs <br />
 chmod 755 . bin conf logs
 </example>

 <p>It is assumed that <code>/</code>, <code>/usr</code>, and
 <code>/usr/local</code> are only modifiable by root. When you install the
 <program>httpd</program> executable, you should ensure that it is
 similarly protected:</p>

 <example>
 cp httpd /usr/local/apache/bin <br />
 chown 0 /usr/local/apache/bin/httpd <br />
 chgrp 0 /usr/local/apache/bin/httpd <br />
 chmod 511 /usr/local/apache/bin/httpd
 </example>

 <p>You can create an htdocs subdirectory which is modifiable by other
 users -- since root never executes any files out of there, and shouldn't
 be creating files in there.</p>

 <p>If you allow non-root users to modify any files that root either
 executes or writes on then you open your system to root compromises.
 For example, someone could replace the <program>httpd</program> binary so
 that the next time you start it, it will execute some arbitrary code. If
 the logs directory is writeable (by a non-root user), someone could replace
 a log file with a symlink to some other system file, and then root
 might overwrite that file with arbitrary data. If the log files
 themselves are writeable (by a non-root user), then someone may be
 able to overwrite the log itself with bogus data.</p>
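 <p>As an added example (not part of the Apache documentation or the httpd
 project), the following POSIX shell function audits the property described
 above: that a path and every directory above it, up to a directory you
 already trust, is owned by the expected uid, is not writable by group or
 others, and is not a symlink. The expected uid and the trusted top
 directory are parameters of this example so the check can be run in a
 scratch tree as a non-root user; for a real ServerRoot audit leave them at
 their defaults of 0 and <code>/</code>.</p>

```shell
#!/bin/sh
# Added example (not from the Apache documentation): audit that a path and
# every ancestor up to a trusted top directory is owned by the expected uid,
# is not writable by group or others, and is not a symlink. These are the
# ServerRoot properties the text describes: root executes and writes under
# ServerRoot, so nothing on the way there may be replaceable by another user.
#
# Usage: audit_root_path PATH [EXPECTED_UID] [TRUSTED_TOP]
#   EXPECTED_UID defaults to 0 (root). TRUSTED_TOP defaults to / and is the
#   highest ancestor that is still checked; the text assumes /, /usr and
#   /usr/local are root-only, so for a real audit keep the default.
# Prints one FAIL line per problem and returns 0 only if everything passed.
audit_root_path() {
    path=$1
    want_uid=${2:-0}
    top=${3:-/}
    status=0
    case $path in
        /*) ;;
        *) path="$(pwd)/$path" ;;   # make relative input absolute
    esac
    while :; do
        if [ -L "$path" ]; then
            # A symlinked component redirects root's reads and writes
            # elsewhere (the replaced-log-file case in the text).
            echo "FAIL $path: is a symlink"
            status=1
        fi
        if [ ! -e "$path" ]; then
            echo "FAIL $path: does not exist"
            status=1
            break
        fi
        # ls -ldn prints: mode links uid gid ... name  (numeric ids, POSIX).
        # The name comes last, so spaces in it cannot shift fields 1 to 3.
        set -- $(ls -ldn "$path")
        mode=$1
        uid=$3
        if [ "$uid" != "$want_uid" ]; then
            echo "FAIL $path: owned by uid $uid, expected $want_uid"
            status=1
        fi
        # In the mode string drwxrwxrwx, column 6 is the group write bit and
        # column 9 the world write bit; either lets a non-owner replace
        # entries in a directory or rewrite a file.
        gw=$(printf '%s' "$mode" | cut -c6)
        ow=$(printf '%s' "$mode" | cut -c9)
        if [ "$gw" = "w" ] || [ "$ow" = "w" ]; then
            echo "FAIL $path: writable by group or others ($mode)"
            status=1
        fi
        if [ "$path" = "$top" ] || [ "$path" = "/" ]; then
            break
        fi
        path=$(dirname "$path")
    done
    return $status
}

# When run with arguments, audit them, e.g.:
#   audit_root_path /usr/local/apache/bin/httpd
if [ $# -gt 0 ]; then
    audit_root_path "$@"
fi
```

 <p>Run it against <code>bin/httpd</code>, <code>conf</code> and
 <code>logs</code> after the commands above; a world-writable
 <code>logs</code> directory or a symlinked log file is reported as a
 failure.</p>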

 </section>

 <section id="ssi">

 <title>Server Side Includes</title>

 <p>Server Side Includes (SSI) present a server administrator with
 several potential security risks.</p>

 <p>The first risk is the increased load on the server. All
 SSI-enabled files have to be parsed by Apache, whether or not
 there are any SSI directives included within the files. While this
 load increase is minor, in a shared server environment it can become
 significant.</p>

 <p>SSI files also pose the same risks that are associated with CGI
 scripts in general. Using the <code>exec cmd</code> element, SSI-enabled
 files can execute any CGI script or program under the permissions of the
 user and group Apache runs as, as configured in
 <code>httpd.conf</code>.</p>

 <p>There are ways to enhance the security of SSI files while still
 taking advantage of the benefits they provide.</p>

 <p>To isolate the damage a wayward SSI file can cause, a server
 administrator can enable <a href="/suexec.html">suexec</a> as
 described in the <a href="#cgi">CGI in General</a> section.</p>

 <p>Enabling SSI for files with <code>.html</code> or <code>.htm</code>
 extensions can be dangerous. This is especially true in a shared, or high
 traffic, server environment. SSI-enabled files should have a separate
 extension, such as the conventional <code>.shtml</code>. This helps keep
 server load at a minimum and allows for easier management of risk.</p>

 <p>Another solution is to disable the ability to run scripts and
 programs from SSI pages. To do this replace <code>Includes</code>
 with <code>IncludesNOEXEC</code> in the <directive
 module="core">Options</directive> directive. Note that users may
 still use <code>&lt;!--#include virtual="..." --&gt;</code> to execute CGI
 scripts if these scripts are in directories designated by a <directive
 module="mod_alias">ScriptAlias</directive> directive.</p>

 </section>

 <section id="cgi">

 <title>CGI in General</title>

 <p>First of all, you always have to remember that you must trust the
 writers of the CGI scripts/programs or your ability to spot potential
 security holes in CGI, whether they were deliberate or accidental. CGI
 scripts can run essentially arbitrary commands on your system with the
 permissions of the web server user and can therefore be extremely
 dangerous if they are not carefully checked.</p>

 <p>All the CGI scripts will run as the same user, so they have potential
 to conflict (accidentally or deliberately) with other scripts, e.g. User
 A hates User B, so he writes a script to trash User B's CGI database. One
 program which can be used to allow scripts to run as different users is
 <a href="/suexec.html">suEXEC</a> which is included with Apache as of
 1.2 and is called from special hooks in the Apache server code. Another
 popular way of doing this is with
 <a href="http://cgiwrap.sourceforge.net/">CGIWrap</a>.</p>

 </section>

 <section id="nsaliasedcgi">

 <title>Non Script Aliased CGI</title>

 <p>Allowing users to execute CGI scripts in any directory should only be
 considered if:</p>

 <ul>
 <li>You trust your users not to write scripts which will deliberately
 or accidentally expose your system to an attack.</li>
 <li>You consider security at your site to be so feeble in other areas,
 as to make one more potential hole irrelevant.</li>
 <li>You have no users, and nobody ever visits your server.</li>
 </ul>

 </section>

 <section id="saliasedcgi">

 <title>Script Aliased CGI</title>

 <p>Limiting CGI to special directories gives the admin control over what
 goes into those directories. This is inevitably more secure than
 non-script-aliased CGI, but only if users with write access to the
 directories are trusted or the admin is willing to test each
 new CGI script/program for potential security holes.</p>

 <p>Most sites choose this option over the non-script-aliased CGI
 approach.</p>

 </section>

 <section id="dynamic">

 <title>Other sources of dynamic content</title>

 <p>Embedded scripting options which run as part of the server itself,
 such as <code>mod_php</code>, <code>mod_perl</code>, <code>mod_tcl</code>,
 and <code>mod_python</code>, run under the identity of the server itself
 (see the <directive module="mpm_common">User</directive> directive), and
 therefore scripts executed by these engines potentially can access anything
 the server user can. Some scripting engines may provide restrictions, but
 it is better to be safe and assume not.</p>

 </section>
 <section id="dynamicsec">

 <title>Dynamic content security</title>

 <p>When setting up dynamic content, such as <code>mod_php</code>,
 <code>mod_perl</code> or <code>mod_python</code>, many security considerations
 get out of the scope of <code>httpd</code> itself, and you need to consult
 documentation from those modules. For example, PHP lets you set up <a
 href="http://www.php.net/manual/en/ini.sect.safe-mode.php">Safe Mode</a>,
 which is usually disabled by default. Another example is <a
 href="http://www.hardened-php.net/suhosin/">Suhosin</a>, a PHP addon for more
 security. For more information about those, consult each project's
 documentation.</p>

 <p>At the Apache level, a module named <a href="http://modsecurity.org/">mod_security</a>
 can be seen as an HTTP firewall and, provided you configure it finely enough,
 can help you enhance your dynamic content security.</p>

 </section>

 <section id="systemsettings">

 <title>Protecting System Settings</title>

 <p>To run a really tight ship, you'll want to stop users from setting
 up <code>.htaccess</code> files which can override security features
 you've configured. Here's one way to do it.</p>

 <p>In the server configuration file, put</p>

 <example>
 &lt;Directory /&gt; <br />
 AllowOverride None <br />
 &lt;/Directory&gt;
 </example>

 <p>This prevents the use of <code>.htaccess</code> files in all
 directories apart from those specifically enabled.</p>

 </section>

 <section id="protectserverfiles">

 <title>Protect Server Files by Default</title>

 <p>One aspect of Apache which is occasionally misunderstood is the
 feature of default access. That is, unless you take steps to change it,
 if the server can find its way to a file through normal URL mapping
 rules, it can serve it to clients.</p>

 <p>For instance, consider the following example:</p>

 <example>
 # cd /; ln -s / public_html <br />
 Accessing <code>http://localhost/~root/</code>
 </example>

 <p>This would allow clients to walk through the entire filesystem. To
 work around this, add the following block to your server's
 configuration:</p>

 <example>
 &lt;Directory /&gt; <br />
 Order Deny,Allow <br />
 Deny from all <br />
 &lt;/Directory&gt;
 </example>

 <p>This will forbid default access to filesystem locations. Add
 appropriate <directive module="core">Directory</directive> blocks to
 allow access only in those areas you wish. For example,</p>
f9fd2b96d1c5ea62664f74da0e34a04b6511a8ffLubos Kosco
f9fd2b96d1c5ea62664f74da0e34a04b6511a8ffLubos Kosco <example>
f9fd2b96d1c5ea62664f74da0e34a04b6511a8ffLubos Kosco &lt;Directory /usr/users/*/public_html&gt; <br />
f9fd2b96d1c5ea62664f74da0e34a04b6511a8ffLubos Kosco Order Deny,Allow <br />
f9fd2b96d1c5ea62664f74da0e34a04b6511a8ffLubos Kosco Allow from all <br />
f9fd2b96d1c5ea62664f74da0e34a04b6511a8ffLubos Kosco &lt;/Directory&gt; <br />
6d7c6f82e644c205bc679ee5b1fa2929ec949963Lubos Kosco &lt;Directory /usr/local/httpd&gt; <br />
64b763950bf11e9357facbd2b5666631a895c085Trond Norbye Order Deny,Allow <br />
9cf297d9a579835e9336d587eaee187ca0954767Knut Anders Hatlen Allow from all <br />
d4ce228a333ba2daa19ad8b0672a704c8e42a2dcTrond Norbye &lt;/Directory&gt;
2c2a50fade805afbf4a5a880a38648613d7e01aeLubos Kosco </example>
c0550b01024b910b8c1468811c0ea663b10b1372Trond Norbye
20a0bde399487a651cdeb66fc8b44b2212036355Trond Norbye <p>Pay particular attention to the interactions of <directive
c0550b01024b910b8c1468811c0ea663b10b1372Trond Norbye module="core">Location</directive> and <directive
523201f786f6b12b7cf54091c6e5be167878cbeeTrond Norbye module="core">Directory</directive> directives; for instance, even
523201f786f6b12b7cf54091c6e5be167878cbeeTrond Norbye if <code>&lt;Directory /&gt;</code> denies access, a <code>
523201f786f6b12b7cf54091c6e5be167878cbeeTrond Norbye &lt;Location /&gt;</code> directive might overturn it.</p>
523201f786f6b12b7cf54091c6e5be167878cbeeTrond Norbye
523201f786f6b12b7cf54091c6e5be167878cbeeTrond Norbye <p>Also be wary of playing games with the <directive
523201f786f6b12b7cf54091c6e5be167878cbeeTrond Norbye module="mod_userdir">UserDir</directive> directive; setting it to
523201f786f6b12b7cf54091c6e5be167878cbeeTrond Norbye something like <code>./</code> would have the same effect, for root, as
523201f786f6b12b7cf54091c6e5be167878cbeeTrond Norbye the first example above. If you are using Apache 1.3 or above, we strongly
c0550b01024b910b8c1468811c0ea663b10b1372Trond Norbye recommend that you include the following line in your server
0a0811923cbbd2976425db6f4c78eed811c2825bKnut Anders Hatlen configuration files:</p>
0a0811923cbbd2976425db6f4c78eed811c2825bKnut Anders Hatlen
d4ce228a333ba2daa19ad8b0672a704c8e42a2dcTrond Norbye <example>
d4ce228a333ba2daa19ad8b0672a704c8e42a2dcTrond Norbye UserDir disabled root
d4ce228a333ba2daa19ad8b0672a704c8e42a2dcTrond Norbye </example>
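 <p>The following script is an added example, not part of the Apache
 documentation: it audits an <code>httpd.conf</code> for the settings
 recommended in this and the previous section (<code>AllowOverride None</code>
 and <code>Deny from all</code> in <code>&lt;Directory /&gt;</code>,
 <code>UserDir disabled root</code>, and the <code>&lt;Files ~ "^\.ht"&gt;</code>
 block discussed under Watching Your Logs), treating commented-out lines as
 absent. The two configurations it runs against are constructed samples, and
 it assumes the pre-2.4 <code>Order</code>/<code>Deny</code> syntax shown on
 this page.</p>

```shell
#!/bin/sh
# Added example, not part of the Apache documentation: audit an httpd.conf for
# the hardening settings discussed on this page. Prints each missing setting and
# returns how many are missing (0 = all present). Lines starting with "#" are
# skipped, so a commented-out block counts as absent. Assumes pre-2.4 syntax
# (AllowOverride, Order/Deny, UserDir); the 2.4 "Require" form is not checked.
audit_httpd_conf() {
    awk '
    /^[ \t]*#/ { next }                                # comments configure nothing
    { line = tolower($0) }                             # directives are case-insensitive
    line ~ /^[ \t]*<directory[ \t]+"?\/"?[ \t]*>/      { in_root = 1; next }
    line ~ /^[ \t]*<files/ && index(line, ".ht")       { in_ht = 1; next }
    line ~ /^[ \t]*<\/(directory|files(match)?)>/      { in_root = in_ht = 0; next }
    in_root && line ~ /allowoverride[ \t]+none/        { root_override = 1 }
    in_root && line ~ /deny[ \t]+from[ \t]+all/        { root_deny = 1 }
    in_ht   && line ~ /deny[ \t]+from[ \t]+all/        { ht_deny = 1 }
    line ~ /^[ \t]*userdir[ \t]+disabled[ \t]+root/    { userdir = 1 }
    END {
        missing = 0
        if (!root_override) { print "MISSING: AllowOverride None in <Directory />"; missing++ }
        if (!root_deny)     { print "MISSING: Deny from all in <Directory />"; missing++ }
        if (!ht_deny)       { print "MISSING: Deny from all in <Files ~ \"^\\.ht\">"; missing++ }
        if (!userdir)       { print "MISSING: UserDir disabled root"; missing++ }
        exit missing
    }' "$1"
}
# Constructed sample configurations: one left at the defaults, one hardened.
WEAK=$(mktemp); HARDENED=$(mktemp)
cat > "$WEAK" <<'EOF'
<Directory />
    AllowOverride All
</Directory>
#<Files ~ "^\.ht">
#    Deny from all
#</Files>
EOF
cat > "$HARDENED" <<'EOF'
<Directory />
    AllowOverride None
    Order Deny,Allow
    Deny from all
</Directory>
<Files ~ "^\.ht">
    Deny from all
</Files>
UserDir disabled root
EOF
audit_httpd_conf "$WEAK" || echo "weak config: $? setting(s) missing"
audit_httpd_conf "$HARDENED" && echo "hardened config: all settings present"
```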

 </section>

 <section id="watchyourlogs">

 <title>Watching Your Logs</title>

 <p>To keep up to date with what is actually going on against your server
 you have to check the <a href="/logs.html">Log Files</a>. Even though
 the log files only report what has already happened, they will give you
 some understanding of what attacks are thrown against the server and
 allow you to check whether the necessary level of security is present.</p>

 <p>A couple of examples:</p>

 <example>
 grep -c "/jsp/source.jsp?/jsp/ /jsp/source.jsp??" access_log <br />
 grep "client denied" error_log | tail -n 10
 </example>

 <p>The first example will list the number of attacks trying to exploit the
 <a href="http://online.securityfocus.com/bid/4876/info/">Apache Tomcat
 Source.JSP Malformed Request Information Disclosure Vulnerability</a>,
 and the second example will list the last ten denied clients, for example:</p>

 <example>
 [Thu Jul 11 17:18:39 2002] [error] [client foo.example.com] client denied
 by server configuration: /usr/local/apache/htdocs/.htpasswd
 </example>

 <p>As you can see, the log files only report what has already happened, so
 if the client had been able to access the <code>.htpasswd</code> file you
 would have seen something similar to:</p>

 <example>
 foo.example.com - - [12/Jul/2002:01:59:13 +0200] "GET /.htpasswd HTTP/1.1"
 </example>

 <p>in your <a href="/logs.html#accesslog">Access Log</a>. This means
 you probably commented out the following in your server configuration
 file:</p>

 <example>
 &lt;Files ~ "^\.ht"&gt; <br />
 Order allow,deny <br />
 Deny from all <br />
 &lt;/Files&gt;
 </example>
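 <p>As an added example that is not part of the Apache documentation, the
 following script runs two of the checks described above over constructed
 sample logs: it flags <code>.ht*</code> requests that the server answered
 with a 2xx status (the situation the access-log line above illustrates) and
 tallies the error log's <code>client denied</code> entries per client. It
 assumes the Common Log Format with a status field and the
 <code>[client host]</code> error-log format shown on this page.</p>

```shell
#!/bin/sh
# Added example, not part of the Apache documentation. Two checks over the logs
# discussed above: requests for .ht* files that were actually served (2xx), which
# means the <Files ~ "^\.ht"> block was missing when they arrived, and "client
# denied" errors grouped by client. The log lines are constructed samples in the
# formats the page shows (Common Log Format; Apache 2.0-style error log, where
# the client field is "[client host]").

# Print "client path status" for every .ht* request answered with 2xx.
# Returns 0 when nothing leaked, 1 otherwise.
served_dotfiles() {
    awk '
    # CLF fields: host ident user [date tz] "METHOD path proto" status bytes
    $6 ~ /^"[A-Z]+$/ && $7 ~ /\/\.ht/ && $9 ~ /^2[0-9][0-9]$/ {
        print $1, $7, $9; leaked++
    }
    END { exit (leaked > 0) }' "$1"
}

# Count "client denied by server configuration" errors per client, busiest first.
denied_by_client() {
    awk '/client denied by server configuration/ {
        if (match($0, /\[client [^]]+\]/)) {
            c = substr($0, RSTART + 8, RLENGTH - 9); n[c]++
        }
    }
    END { for (c in n) print n[c], c }' "$1" | sort -rn
}

# Constructed sample logs.
ACCESS_LOG=$(mktemp); ERROR_LOG=$(mktemp)
trap 'rm -f "$ACCESS_LOG" "$ERROR_LOG"' EXIT
cat > "$ACCESS_LOG" <<'EOF'
foo.example.com - - [12/Jul/2002:01:59:13 +0200] "GET /.htpasswd HTTP/1.1" 200 44
foo.example.com - - [12/Jul/2002:01:59:20 +0200] "GET /index.html HTTP/1.1" 200 1203
bar.example.com - - [12/Jul/2002:02:03:41 +0200] "GET /docs/.htaccess HTTP/1.0" 403 212
EOF
cat > "$ERROR_LOG" <<'EOF'
[Thu Jul 11 17:18:39 2002] [error] [client foo.example.com] client denied by server configuration: /usr/local/apache/htdocs/.htpasswd
[Thu Jul 11 17:19:02 2002] [error] [client bar.example.com] client denied by server configuration: /usr/local/apache/htdocs/.htaccess
[Thu Jul 11 17:19:05 2002] [error] [client foo.example.com] client denied by server configuration: /usr/local/apache/htdocs/.htpasswd
EOF

served_dotfiles "$ACCESS_LOG" || echo "WARNING: .ht* files were served; check the <Files ~ \"^\\.ht\"> block"
denied_by_client "$ERROR_LOG"
```

A 403 for <code>/docs/.htaccess</code> is the expected outcome and is not reported; only the 200 for <code>/.htpasswd</code> is.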

 </section>

</manualpage>
