Here we will see how to secure our Apache web server and how to protect it from some common attacks.
In order to reach the Apache web server through a firewall, TCP ports 80 (HTTP) and 443 (HTTPS) must be opened.
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 80 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 443 -j ACCEPT
By default, the Apache web server is confined by SELinux in targeted mode. In order to allow Apache the extra access it needs under SELinux, the following booleans and file contexts can be configured.
# setsebool -P httpd_enable_cgi 1
Allows CGI scripts to be executed through the web server.
# setsebool -P httpd_enable_home_dirs 1
By default, SELinux does not allow access to users' home directories through the web server. This boolean makes it possible, but first the home directories must be labelled as web server content:
# chcon -R -t httpd_sys_content_t ~user/public_html
In addition, if a system directory is going to be served by the web server, it must first be labelled as SELinux httpd content. For example, if the directory /secwww is going to be used as the web server DocumentRoot:
# chcon -R -u system_u /secwww
# chcon -R -t httpd_sys_content_t /secwww
Host Access Security
In the httpd.conf file, the Allow and Deny directives can regulate access to different areas of the web server based on host names or IP addresses.
<Directory /var/www/html/web>
    ....
    Order deny,allow
    Deny from all
    Allow from .foxutech.com
    Allow from 192.168.0.0/24
    ....
</Directory>
The line 'Order deny,allow' means that first the Deny directives are applied and then the Allow directives, so a matching Allow overrides a matching Deny. In this case access is denied to everyone except hosts in .foxutech.com or in the 192.168.0.0/24 LAN. Note that without the 'Deny from all' line, 'Order deny,allow' allows every client that matches no directive at all.
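The evaluation order described above, as an added example that is not part of the original post: a small model of how Apache 2.2 evaluates Order, Deny and Allow, run against constructed client addresses and hostnames. Apache matches a domain such as .foxutech.com against the client's hostname from a double-reverse DNS lookup; the model simply takes the hostname as a parameter. It also covers 'Order allow,deny', which the post does not show, so the two defaults can be compared.

```python
import ipaddress

# Constructed sample: the <Directory> block from the post above.
SAMPLE_BLOCK = """
<Directory /var/www/html/web>
    Order deny,allow
    Deny from all
    Allow from .foxutech.com
    Allow from 192.168.0.0/24
</Directory>
"""


def parse_access_block(config_text):
    """Pull Order / Deny from / Allow from out of a Directory block.

    Other lines are ignored. Apache's default Order is deny,allow.
    """
    order, deny, allow = "deny,allow", [], []
    for line in config_text.splitlines():
        parts = line.strip().split()
        if not parts:
            continue
        key = parts[0].lower()
        if key == "order" and len(parts) == 2:
            order = parts[1].lower()
        elif key in ("deny", "allow") and len(parts) >= 3 and parts[1].lower() == "from":
            (deny if key == "deny" else allow).extend(parts[2:])
    return order, deny, allow


def _matches(rule, client_ip, client_host):
    """True if one 'from' argument (all, .domain, host, IP or CIDR) matches the client."""
    rule = rule.lower()
    if rule == "all":
        return True
    if rule.startswith("."):  # domain suffix, e.g. ".foxutech.com"
        return client_host is not None and client_host.lower().endswith(rule)
    try:
        net = ipaddress.ip_network(rule, strict=False)  # "192.168.0.0/24" or a single address
        return ipaddress.ip_address(client_ip) in net
    except ValueError:
        # not an address: treat as a full hostname such as "www.foxutech.com"
        return client_host is not None and client_host.lower() == rule


def access_allowed(order, deny_rules, allow_rules, client_ip, client_host=None):
    """Apply Apache 2.2 Order semantics to the parsed rules."""
    denied = any(_matches(r, client_ip, client_host) for r in deny_rules)
    allowed = any(_matches(r, client_ip, client_host) for r in allow_rules)
    if order == "deny,allow":
        # Deny evaluated first, Allow second (Allow overrides); unmatched clients are allowed.
        return allowed or not denied
    if order == "allow,deny":
        # Allow evaluated first, Deny second (Deny overrides); unmatched clients are denied.
        return allowed and not denied
    raise ValueError("unsupported Order: " + order)


def check(config_text, client_ip, client_host=None):
    """Parse a Directory block and decide access for one client."""
    order, deny, allow = parse_access_block(config_text)
    return access_allowed(order, deny, allow, client_ip, client_host)


if __name__ == "__main__":
    for ip, host in [("192.168.0.10", None), ("203.0.113.5", None),
                     ("203.0.113.5", "www.foxutech.com")]:
        print(ip, host, "->", "allowed" if check(SAMPLE_BLOCK, ip, host) else "denied")
```

The last two cases in the main block are the ones worth remembering: an outside address is denied, but the same address is allowed as soon as its reverse lookup lands in .foxutech.com, which is why hostname-based rules are only as trustworthy as the DNS behind them.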
User Access security
Access to different areas of the web server can be regulated through username and password.
<Directory /var/www/html/technos>
    ....
    AuthType Basic
    AuthName "Password Protected Technos"
    AuthUserFile /etc/httpd/technopass
    Require user xxx yyy
    ....
</Directory>
This configuration will allow only the users xxx and yyy to access the technos web area. When a connection is made to the technos web area, the web server asks for a username and password, which are authenticated against the password file /etc/httpd/technopass. The htpasswd command can be used to create the xxx and yyy accounts.
# htpasswd -c /etc/httpd/technopass xxx
Password:
# htpasswd /etc/httpd/technopass yyy
Password:
The -c option of htpasswd must be used only if the authentication file does not exist yet (that is, for the first user we create); using it again would recreate the file and drop the users already in it.
Executable files in Apache
The ScriptAlias directive can be used to map a URL path to a directory of executable CGI files. The following ScriptAlias directive links the default /cgi-bin/ URL to /var/www/cgi-bin.
ScriptAlias /cgi-bin/ "/var/www/cgi-bin"
<Directory /var/www/cgi-bin>
    AllowOverride None
    Options None
    Order allow,deny
    Allow from all
</Directory>
Remember to change the SELinux context of this directory (and the scripts in it) so that SELinux allows Apache to execute them.
# chcon -R -t httpd_sys_script_exec_t /var/www/cgi-bin
Make sure Apache is allowed to execute CGI scripts under SELinux:
# setsebool -P httpd_enable_cgi 1
Limiting Resources and Rejecting DoS attacks
There are some configuration parameters that can be used to limit the system resources that Apache takes from the system, in order to minimize the impact of a DoS attack.
# StartServers: number of server processes to start when httpd is started. More httpd processes are started as required until the 'MaxClients' limit is reached.
# ServerLimit: the maximum value MaxClients can take for the lifetime of the server. It limits the maximum number of simultaneous clients that can connect to the web server.
# MaxClients: maximum number of server processes allowed to start. It limits the maximum number of simultaneous httpd processes on the web server, and therefore the number of simultaneous requests that can be serviced; requests beyond the MaxClients limit are queued.