Other sources of dynamic content
Embedded scripting options which run as part of the server itself, such asmod_php
, mod_perl
, mod_tcl
, and mod_python
, run under the identity of the server itself (see the User directive), and therefore scripts executed by these engines potentially can access anything the server user can. Some scripting engines may provide restrictions, but it is better to be safe and assume not.Dynamic content security
When setting up dynamic content, such asmod_php
, mod_perl
or mod_python
, many security considerations get out of the scope of httpd
itself, and you need to consult documentation from those modules. For example, PHP lets you setup Safe Mode, which is most usually disabled by default. Another example is Suhosin, a PHP addon for more security. For more information about those, consult each project documentation.At the Apache level, a module named mod_security can be seen as a HTTP firewall and, provided you configure it finely enough, can help you enhance your dynamic content security.
Protecting System Settings
To run a really tight ship, you'll want to stop users from setting up.htaccess
files which can override security features you've configured. Here's one way to do it.In the server configuration file, put
<Directory />
AllowOverride None
</Directory>
This prevents the use of .htaccess
files in all directories apart from those specifically enabled.Protect Server Files by Default
One aspect of Apache which is occasionally misunderstood is the feature of default access. That is, unless you take steps to change it, if the server can find its way to a file through normal URL mapping rules, it can serve it to clients.For instance, consider the following example:
# cd /; ln -s / public_html
Accessing http://localhost/~root/
This would allow clients to walk through the entire filesystem. To work around this, add the following block to your server's configuration:
<Directory />
Order Deny,Allow
Deny from all
</Directory>
This will forbid default access to filesystem locations. Add appropriate Directory blocks to allow access only in those areas you wish. For example,<Directory /usr/users/*/public_html>
Order Deny,Allow
Allow from all
</Directory>
<Directory /usr/local/httpd>
Order Deny,Allow
Allow from all
</Directory>
Pay particular attention to the interactions of Location and Directory directives; for instance, even if <Directory />
denies access, a <Location />
directive might overturn it.Also be wary of playing games with the UserDir directive; setting it to something like
./
would have the same effect, for root, as the first example above. We strongly recommend that you include the following line in your server configuration files:UserDir disabled root
Watching Your Logs
To keep up-to-date with what is actually going on against your server you have to check the Log Files. Even though the log files only reports what has already happened, they will give you some understanding of what attacks is thrown against the server and allow you to check if the necessary level of security is present.A couple of examples:
grep -c "/jsp/source.jsp?/jsp/ /jsp/source.jsp??" access_log
grep "client denied" error_log | tail -n 10
The first example will list the number of attacks trying to exploit the Apache Tomcat Source.JSP Malformed Request Information Disclosure Vulnerability, the second example will list the ten last denied clients, for example:
[Thu Jul 11 17:18:39 2002] [error] [client foo.example.com] client denied by server configuration: /usr/local/apache/htdocs/.htpasswd
As you can see, the log files only report what already has happened, so if the client had been able to access the
.htpasswd
file you would have seen something similar to:foo.example.com - - [12/Jul/2002:01:59:13 +0200] "GET /.htpasswd HTTP/1.1"
in your Access Log. This means you probably commented out the following in your server configuration file:
<Files ".ht*">
Order allow,deny
Deny from all
</Files>
Merging of configuration sections
The merging of configuration sections is complicated and sometimes directive specific. Always test your changes when creating dependencies on how directives are merged.For modules that don't implement any merging logic, such as
mod_access_compat
, the behavior in later sections depends on whether the later section has any directives from the module. The configuration is inherited until a change is made, at which point the configuration is replaced and not merged.
No comments:
Post a Comment