Secure Apache 1.3

剑心通明

General Information
Apache is the most popular web server in use today.  But, not everybody that sets up their Apache server takes the necessary steps to secure it properly from intruders.  This guide will show you some good security changes to make to your Apache installation.
Requirements

Local root access on the box or be able to su to root.

A SSH client that supports ANSI colors such as puTTy or SecureCRT (if you aren't on the box).

Your favorite text editor (I prefer nano).

Apache already installed.
Configuration
These are a few changes to make to your Apache configuration file.  Open httpd.conf in your favorite editor.
#
nano -w /usr/local/etc/apache/httpd.confIt's a good idea to hide what version of Apache you are running.  If you change ServerTokens to Prod then only "Apache" will be returned when polled by netcraft.  This limits fingerprinting.
ServerTokens Prod
Another tip to limit fingerprinting is to turn off the server signature on server-generated error pages.
ServerSignature Off
By default, users may have access to the root directory of the server.  We should restrict this access in case of any potential attacks.  Change your to the following:
    Options None
    AllowOverride None
    Order deny,allow
    Deny from all
It is a good idea to disable TRACE and TRACK methods.  These are HTTP methods used to debug web server connections.  An attacker can trick legitimate web users to give him their credentials through cross-site-scripting attacks.
        RewriteEngine on
        RewriteCond %{REQUEST_METHOD} ^(TRACE|TRACK)
        RewriteRule .* - [F]
mod_userdir can be convienent by accessing a user's homepage through http://my.domain.com/~user.  But using mod_userdir can pose a security risk because attackers can find out valid system users.  It is recommended that you disable the userdir module.  There are two methods of disabling mod_userdir.
The first method is to comment out the following lines:
LoadModule userdir_module     libexec/apache/mod_userdir.so
AddModule mod_userdir.c
    UserDir disabled
    UserDir public_html
*Note:  If you must allow some users to have UserDir directories, use the following:
    UserDir disabled
    UserDir enabled user1 user2
    UserDir public_html
Make sure /server-status is disable so people cannot see your current Apache status.  It is disabled by default.
#
#    SetHandler server-status
#    Order deny,allow
#    Deny from all
#    Allow from .example.com
#
Make sure /server-info is disabled so people cannot see your current Apache configuration.  It is disabled by default.
#
#    SetHandler server-info  
#    Order deny,allow
#    Deny from all
#    Allow from .example.com
#
Now your Apache installation is all the more secure.  Happy web serving!


本文来自ChinaUnix博客，如果查看原文请点：http://blog.chinaunix.net/u/4206/showart_523119.html