Wednesday, 1 July 2009

Apache Security

As web servers go Apache is one I like allot, its stable and very light foot print is great. After install its ready to run no big mods needed, however on this that does need to be addressed is security of the account, it runs under.

I'm noticed that a number of people do not setup any user account for Apache leaving it to run under services, this can open up services to web hackers that can then read the list of running services and use this to find other exploits of the system.

Create an account with a name such as: apache, which runs the web server software. Since this account will never be used to log into for shell access, we do not need to create the normal user account login files

On Ubuntu this is done like so sudo groupadd apache && useradd apache -g apache -d /dev/null -s /sbin/nologin

before editing the apache2.conf I would recommend you make a but up of the file
cp /etc/apache2/apache2.conf /etc/apache2/apache2.conf.dontmessthisup

Now add the user to the apache2.conf file for Apache to use.
sudo nano /etc/apache2/apache2.conf

add the following lines to the apache2.conf
User apache
Group apache

save and close the file and then you'll need to restart Apache to take affect
sudo /etc/init.d/apache2 restart

Another good security tip for websites that have transactions and other internet sales related activity is to change the logging to use syslog this can be done by editing apache2.conf to change the ErrorLog line from;

ErrorLog /var/log/apache2/error.log

To syslog

ErrorLog syslog:local7

This will log to syslog now as local7
You will need to add a few lines to syslog.conf for it to handle the new logging information.

Again I recommended you create a copy of the syslog.conf before editing it.
cp /etc/syslog.conf /etc/syslog.conf.dontmessthisup

Now to edit the syslog
sudo nano /etc/syslog.conf

At the bottom of the file add the following lines
#Apache Logging
local7.* /var/log/apache2/error.log

you'll need to restart the syslog for the change to take affect
sudo /etc/rc2.d/S10sysklogd restart

you can now test the syslog by creating a message into the log
logger -p local7.debug "this is working"

we can now check the log
cat /var/log/apache2/error.log

You should now see your test line something like this
server root: this is working

Reblog this post [with Zemanta]

No comments: