5.8. Securing Apache

FIXME: Add content: the modules provided by a standard Apache installation (under /usr/lib/apache/X.X/mod_*) and the modules that may be installed from the libapache-mod-XXX packages.

You can limit access to the Apache server if you only want to use it internally (for testing, to reach the doc-central archive, etc.) and do not want outsiders to reach it. To do this, use the Listen or BindAddress directive in /etc/apache/httpd.conf.

Using Listen:

  Listen 127.0.0.1:80

Using BindAddress:

  BindAddress 127.0.0.1

Then restart Apache with /etc/init.d/apache restart and you will see that it listens only on the loopback interface. Note that Apache 2 no longer supports BindAddress: put Listen 127.0.0.1:80 (and Listen [::1]:80 if you also want the IPv6 loopback) in /etc/apache2/ports.conf and restart with /etc/init.d/apache2 restart. Binding to loopback keeps the service off the network, but every local user can still reach it.
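As an added example that is not part of this manual, the following POSIX shell script checks both sides of the change above: that the configuration file binds only loopback addresses, and that the kernel's socket table agrees after the restart. It assumes the output format of iproute2's ss -Hltn (State, Recv-Q, Send-Q, Local:Port, Peer:Port) and uses Debian's /etc/apache2/ports.conf as the default path; the sample lines in the usage note are constructed, not captured from a real host.

```shell
#!/bin/sh
# Added example, not part of the Securing Debian Manual: verify that the web
# server is bound to the loopback interface only, both in the configuration
# and in the kernel's socket table.
#
# Assumptions (not from the page): the socket check reads the output of
# iproute2's `ss -Hltn`; the config check accepts any Apache 1.3/2.x file
# containing Listen or BindAddress directives.

WEB_PORTS="80 443"

# is_loopback ADDR: succeed if ADDR is 127.0.0.0/8 or ::1 (with or without brackets)
is_loopback() {
    case "$1" in
        127.*|'[::1]'|::1) return 0 ;;
        *) return 1 ;;
    esac
}

# Read `ss -Hltn` lines on stdin and print every listening socket on a web
# port whose address is not loopback. Succeeds only when nothing is printed.
non_loopback_web_listeners() {
    found=0
    while read -r state recvq sendq laddr peer rest; do
        [ "$state" = "LISTEN" ] || continue
        port=${laddr##*:}        # text after the last colon
        addr=${laddr%:*}         # text before it: 127.0.0.1, [::1], 0.0.0.0, [::], *
        for p in $WEB_PORTS; do
            if [ "$port" = "$p" ] && ! is_loopback "$addr"; then
                echo "$laddr"
                found=1
            fi
        done
    done
    return $found
}

# check_listen_directives FILE: print every Listen/BindAddress directive in
# FILE that binds a non-loopback address (a bare port, "*", 0.0.0.0, [::] or
# a real interface address). Succeeds only when none is found.
check_listen_directives() {
    rc=0
    while read -r directive arg rest || [ -n "$directive" ]; do
        # Apache directive names are case-insensitive; comments start with '#'
        case "$(printf '%s' "$directive" | tr 'A-Z' 'a-z')" in
            listen|bindaddress) ;;
            *) continue ;;
        esac
        case "$arg" in
            127.*|'[::1]'*|::1*) ;;
            *) echo "$directive $arg"; rc=1 ;;
        esac
    done < "$1"
    return $rc
}

# Run both checks on a live host (needs ss and read access to the config).
audit_host() {
    conf=${1:-/etc/apache2/ports.conf}
    check_listen_directives "$conf" || echo "$conf still binds non-loopback addresses"
    ss -Hltn | non_loopback_web_listeners || echo "web ports are reachable from the network"
}
```

Running audit_host after the restart should print nothing. A constructed line such as "LISTEN 0 511 0.0.0.0:80 0.0.0.0:*" fed to non_loopback_web_listeners is reported, while "LISTEN 0 511 127.0.0.1:80 0.0.0.0:*" and "LISTEN 0 511 [::1]:80 [::]:*" pass; likewise a bare "Listen 443" in the configuration is reported even when another line already says "Listen 127.0.0.1:80".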

In any case, if you do not use all the functionality Apache provides, consider one of the other web servers available in Debian, such as dhttpd.

The Apache security tips page at http://httpd.apache.org/docs/misc/security_tips.html describes security measures to take on an Apache web server (the same information is provided in Debian by the apache-doc package).

Section B.7.3, “Chroot environment for Apache”, provides more information on setting up a chroot jail to restrict Apache further.

5.8.1. Disabling users from publishing web content

The default Apache installation in Debian permits users to publish web content under $HOME/public_html. This content can be retrieved remotely with a URL of the form http://your_apache_server/~user.

If you do not want to permit this, you must edit the /etc/apache/httpd.conf configuration file and comment out (in Apache 1.3) the following module:

  LoadModule userdir_module /usr/lib/apache/1.3/mod_userdir.so

If you are using Apache 2, remove the file /etc/apache2/mods-enabled/userdir.load (on Debian, a2dismod userdir removes that symlink together with userdir.conf) or restrict the default configuration by editing /etc/apache2/mods-enabled/userdir.conf.

However, if the module was linked statically (you can list the compiled-in modules by running apache -l, or apache2 -l for Apache 2), you must add the following to the Apache configuration file:

  UserDir disabled

An attacker might still enumerate user names, since the server may answer 403 Forbidden for an account that exists and 404 Not Found for one that does not. You can avoid this with the Rewrite module, by returning the same status for every /~user URL.
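As an added example that is not part of this manual, the following shell script applies the steps above on a Debian Apache 2 host: it disables mod_userdir when it is loaded dynamically, keeps UserDir disabled as a fallback for a statically linked module, and adds a mod_rewrite rule that answers every /~ URL with 404 so that existing and non-existent accounts look the same. It assumes Debian's apache2 layout (/etc/apache2/conf-available, a2dismod, a2enmod, a2enconf, apache2ctl); the file name no-userdir.conf is an arbitrary choice made here.

```shell
#!/bin/sh
# Added example, not part of the Securing Debian Manual: disable per-user
# web directories on Debian's apache2 and make /~user answer 404 instead of
# 403 so that user names cannot be enumerated.
#
# Assumptions (not from the page): Debian apache2 layout and helper tools
# (a2dismod/a2enmod/a2enconf/apache2ctl). "no-userdir.conf" is a name
# chosen for this example.

CONF_AVAILABLE=${CONF_AVAILABLE:-/etc/apache2/conf-available}

# userdir_is_static MODLIST: succeed if mod_userdir appears in the list of
# compiled-in modules (the output of `apache2ctl -l`).
userdir_is_static() {
    printf '%s\n' "$1" | grep -q 'mod_userdir\.c'
}

# write_userdir_hardening FILE: write the configuration fragment.
# "UserDir disabled" covers a statically linked mod_userdir; the rewrite
# rule drops the request with 404 before any per-user lookup can leak
# whether the account exists. Rules in server context see the full URL path.
write_userdir_hardening() {
    cat > "$1" <<'EOF'
# Disable per-user directories even if mod_userdir is compiled in statically.
<IfModule mod_userdir.c>
    UserDir disabled
</IfModule>
# Answer /~anything with 404 rather than 403, so valid and invalid user
# names are indistinguishable to a remote enumerator.
<IfModule mod_rewrite.c>
    RewriteEngine On
    RewriteRule ^/~ - [R=404,L]
</IfModule>
EOF
}

# apply_userdir_hardening: run on a live host as root (not exercised by the test).
apply_userdir_hardening() {
    if userdir_is_static "$(apache2ctl -l 2>/dev/null)"; then
        echo "mod_userdir is compiled in; relying on 'UserDir disabled'"
    else
        a2dismod -q userdir      # removes mods-enabled/userdir.{load,conf}
    fi
    a2enmod -q rewrite
    write_userdir_hardening "$CONF_AVAILABLE/no-userdir.conf"
    a2enconf -q no-userdir
    apache2ctl configtest && apache2ctl graceful
}
```

After apply_userdir_hardening, both http://your_apache_server/~root and http://your_apache_server/~nosuchuser return 404. If you must keep per-user directories for some accounts, do not install the rewrite rule; restrict mod_userdir with UserDir enabled/disabled lists instead and accept that the status codes differ.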

5.8.2. Log file permissions

Since version 1.3.22-1, Apache log files are owned by user root and group adm with permissions 640, and the logrotate configuration recreates them with the same ownership and mode after rotation. An intruder who got into the system through the web server (which runs as www-data) would not be able, without escalating privileges, to remove old log entries.

5.8.3. Published web files

Apache's files live under /var/www. Just after installation the default page gives some information about the system (mainly that it is a Debian system running Apache). The default web pages are owned by user root and group root, while the Apache process runs as user www-data and group www-data. This makes it harder for an attacker who has compromised the web server process to deface the site, since that process cannot write to files it does not own. You should, of course, replace the default web pages (which might reveal information you do not want to show outsiders) with your own, and keep the same ownership: any content the www-data account can write is content an attacker running as www-data can change.
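As an added example that is not part of this manual, the following shell script audits the two filesystem properties described in sections 5.8.2 and 5.8.3: that every log file is root:adm with mode 640, and that nothing under the document root is writable by the account the server runs as. It assumes GNU stat and find, Debian's /var/log/apache2 and /var/www, and the www-data account; the owner, group and uid/gid parameters default to those values but can be overridden, which is how the checks can be exercised on a scratch directory without root.

```shell
#!/bin/sh
# Added example, not part of the Securing Debian Manual: audit Apache log
# permissions (5.8.2) and document-root ownership (5.8.3).
#
# Assumptions (not from the page): GNU stat/find, Debian paths
# /var/log/apache2 and /var/www, server account www-data.

# check_log_perms DIR [OWNER] [GROUP]
# Print every regular file in DIR whose owner:group or mode is not
# OWNER:GROUP 640 (rotated and compressed logs included). Succeeds only
# when every file conforms.
check_log_perms() {
    dir=$1; owner=${2:-root}; group=${3:-adm}
    rc=0
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        info=$(stat -c '%U:%G %a' "$f")
        if [ "$info" != "$owner:$group 640" ]; then
            echo "$f: $info (expected $owner:$group 640)"
            rc=1
        fi
    done
    return $rc
}

# check_docroot_writable DIR [UID] [GID]
# Print every path under DIR that the server account could modify: owned by
# UID, group-writable with group GID, or world-writable. A compromise of the
# web server process that finds such a file can deface the site or plant
# scripts there. Succeeds only when nothing is printed.
check_docroot_writable() {
    dir=$1
    uid=${2:-$(id -u www-data)}
    gid=${3:-$(id -g www-data)}
    out=$(find "$dir" \( -uid "$uid" -o \( -gid "$gid" -perm -g=w \) -o -perm -o=w \) -print)
    if [ -n "$out" ]; then
        printf '%s\n' "$out"
        return 1
    fi
    return 0
}

# Typical invocation on a Debian host (as root, so that every file is readable):
#   check_log_perms /var/log/apache2 && check_docroot_writable /var/www
```

A log file that logrotate or an administrator left as 644, or a world-writable upload directory under /var/www, is printed with the reason; an empty run with exit status 0 means both sections' expectations hold.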