
Hardening Apache

This how-to covers basic settings for hardening the Apache web server, which is widely used on Linux.
At the end of the configuration Apache will be far less talkative and considerably more restrictive.
For a standard LAMP server installation see here.

/etc/apache2/conf.d/security
ServerSignature Off
ServerTokens Prod

ServerSignature Off tells Apache not to append the signature line (server version and virtual host name) to error pages and other pages it generates itself, such as directory listings.
ServerTokens Prod tells Apache to send only "Apache" in the Server header, which is returned with every response; with the Debian default of ServerTokens OS the header reads e.g. Apache/2.2.22 (Debian), and with Full it also lists the loaded modules and their versions. ServerTokens is a server-wide setting and cannot be set per virtual host; it also limits what ServerSignature may print.
The file above is the Debian/Ubuntu location for Apache 2.2; on Apache 2.4 the same settings live in /etc/apache2/conf-available/security.conf.

Before and after: (images of the response headers not included on this page)

From https://injustfiveminutes.wordpress.com/2013/03/06/securing-apache-tip-1-minimize-banner-information/

Restrict file system access

Deny access to the entire file system first; only the directories that are explicitly allowed further down (the DocumentRoot, Alias targets) are then reachable through the web server. AllowOverride None at this level also prevents .htaccess files from re-opening anything.

<Directory />
    AllowOverride None
    Order Deny,Allow
    Deny from all
</Directory>

Note for Apache 2.4: Order, Deny and Allow are provided by mod_access_compat there; the native 2.4 form of this block is Require all denied, and the directories opened up later use Require all granted instead of Order allow,deny / allow from all.

PHP display_errors

/etc/php5/apache2/php.ini
display_errors = Off
expose_php = Off

display_errors = Off keeps PHP warnings and notices out of the HTTP response; they frequently contain file system paths, function arguments or SQL fragments. Keep error logging (log_errors) switched on so the messages still end up in the error log instead of disappearing. expose_php = Off removes the X-Powered-By: PHP/x.y.z header that PHP otherwise adds to every response.

Restrict file extensions

Under some circumstances specific file types must exist in the DocumentRoot, but they do not have to be accessible through the web server. Common examples are:

.htaccess   per-directory configuration file
.htpasswd   user file for basic authentication
.svn*       Subversion working-copy metadata
.bak        backup files
/CVS/       CVS version-control directories

Include the following directives in your httpd.conf or your virtual host configuration to deny access to these files and directories (on Debian/Ubuntu the .ht* rule is already part of the default security configuration):

<Files ~ "^\.ht">
    Order Allow,Deny
    Deny from all
</Files>
<FilesMatch "(\.bak$|\.BAK$)">
    Order Allow,Deny
    Deny from all
</FilesMatch>
<DirectoryMatch "/CVS/">
    Order Allow,Deny
    Deny from all
</DirectoryMatch>
<DirectoryMatch "\.svn">
    Order Allow,Deny
    Deny from all
</DirectoryMatch>

From https://injustfiveminutes.wordpress.com/2013/03/12/securing-apache-tip3-restrict-file-extensions/

Lower the Timeout value

By default the Timeout directive is set to 300 seconds (Debian/Ubuntu apache2.conf; the compiled-in default of Apache 2.4 is 60). Lowering it helps mitigate the effect of a denial of service attack by slow clients, because a worker that waits for request data is released sooner. Note that Timeout applies to each individual wait for a TCP packet, not to the whole request, so a client that trickles one byte every 40 seconds still holds its slot; bounding the total time to read headers and body is the job of mod_reqtimeout.

/etc/apache2/apache2.conf
Timeout 45 

From http://www.petefreitag.com/item/505.cfm

Directory Options

<Directory /var/www/>
    # Apache rejects an Options line that mixes +/- entries with plain ones
    # ("-Indexes FollowSymLinks" fails the syntax check). Either prefix every
    # entry or list the complete set; listing the set switches off everything
    # not named, i.e. Indexes and ExecCGI.
    Options FollowSymLinks MultiViews
    #AllowOverride None
    Order allow,deny
    allow from all
</Directory>

Indexes determines whether visitors get a directory listing when no index file is present.
ExecCGI allows or forbids the execution of CGI scripts.
AllowOverride None forbids changes to the configuration of the directory via .htaccess files. It is commented out here so that .htaccess files below /var/www keep working; enable it if your sites do not need them, because Apache then skips the .htaccess lookup on every request and nobody can re-enable Indexes or ExecCGI from within the DocumentRoot.
FollowSymLinks lets a symbolic link point anywhere on the file system, including outside the DocumentRoot; SymLinksIfOwnerMatch is the stricter alternative if symlinks are needed at all. MultiViews is only required for content negotiation and can be dropped otherwise.
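To verify the banner settings and the file restrictions from the outside, here is an added audit script (not part of the original page); it runs the same checks an attacker's scanner would: the Server header must be exactly "Apache", no X-Powered-By header may be present, and requests for .htaccess, .htpasswd, a .bak file, /CVS/ and /.svn/ must be answered with 403 or 404. The host name and the file name backup.bak are hypothetical; the .bak check only proves the rule if such a file actually exists in the DocumentRoot, and curl is assumed to be installed.

```shell
#!/bin/sh
# Added example, not part of the original page: audit a host for the settings
# configured above (minimal banner, no X-Powered-By, blocked .ht*/.bak/CVS/.svn).
# Assumptions: curl is installed; "backup.bak" is a hypothetical file name that
# only exercises the .bak rule if such a file exists in the DocumentRoot.

# Read HTTP response headers from stdin. Succeed only if the Server header is
# exactly "Apache" (ServerTokens Prod) and no X-Powered-By header
# (expose_php = Off) is present.
banner_ok() {
    headers=$(cat)
    server=$(printf '%s\n' "$headers" | tr -d '\r' \
        | awk 'tolower($1) == "server:" { sub(/^[^:]*:[ \t]*/, ""); print; exit }')
    [ "$server" = "Apache" ] || return 1
    if printf '%s\n' "$headers" | grep -qi '^X-Powered-By:'; then
        return 1
    fi
    return 0
}

# Read a response from stdin. Succeed if the status line is 403 or 404, i.e.
# the requested path is not served; anything else means the path is reachable
# (or redirected, which is worth a look as well).
path_blocked() {
    status=$(tr -d '\r' | sed -n '1s/^HTTP\/[0-9.]* \([0-9][0-9][0-9]\).*/\1/p')
    case "$status" in
        403|404) return 0 ;;
        *)       return 1 ;;
    esac
}

# Live audit of one base URL, e.g.: audit_site http://www.example.org
audit_site() {
    base=${1%/}
    rc=0
    if curl -sS -m 10 -I "$base/" | banner_ok; then
        echo "ok   Server header is minimal and no X-Powered-By is sent"
    else
        echo "FAIL Server header leaks version/modules or X-Powered-By is present"
        rc=1
    fi
    for path in .htaccess .htpasswd backup.bak CVS/ .svn/; do
        if curl -sS -m 10 -I "$base/$path" | path_blocked; then
            echo "ok   /$path is not served"
        else
            echo "FAIL /$path is reachable (status is not 403/404)"
            rc=1
        fi
    done
    return $rc
}

# Run the audit when a base URL is given on the command line.
if [ "$#" -eq 1 ]; then
    audit_site "$1"
fi
```

The two helpers read a raw response on stdin, so they can also be fed saved responses or output from a different client; audit_site exits non-zero as soon as one check fails, which makes it usable from a cron job or a deployment pipeline after a configuration change.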

linux/security/apache_absichern.txt · Last modified: 2014/06/03 16:32 by Madic