Apache Security Default Install Permissions

ive recently installed apache2 on my Ubuntu machine and have a few questions about security and user permissions. I know how to listen on other ports, hide indexes with -Indexes and how to create/disable new Virtual Hosts on the same machine, but there is a lot of user options already preset in the standard install config I am unsure about.

can anyone explain exactly what this file is allowing users to do on the system? ive spent alot of time looking up on the Apache help开发者_StackOverflow中文版 guides and docs but its very touch and go, as most of what I really need is to understand what is happening here first. please help.

cat /etc/apache2/sites-available/default

<VirtualHost *:80>
 ServerAdmin webmaster@localhost

 DocumentRoot /var/www
 <Directory />
  Options FollowSymLinks
  AllowOverride None
 </Directory>
 <Directory /var/www/>
  Options Indexes FollowSymLinks MultiViews
  AllowOverride None
  Order allow,deny
  allow from all
 </Directory>

 ScriptAlias /cgi-bin/ /usr/lib/cgi-bin/
 <Directory "/usr/lib/cgi-bin">
  AllowOverride None
  Options +ExecCGI -MultiViews +SymLinksIfOwnerMatch
  Order allow,deny
  Allow from all
 </Directory>

 ErrorLog /var/log/apache2/error.log

 # Possible values include: debug, info, notice, warn, error, crit,
 # alert, emerg.
 LogLevel warn

 CustomLog /var/log/apache2/access.log combined

    Alias /doc/ "/usr/share/doc/"
    <Directory "/usr/share/doc/">
        Options Indexes MultiViews FollowSymLinks
        AllowOverride None
        Order deny,allow
        Deny from all
        Allow from 127.0.0.0/255.0.0.0 ::1/128
    </Directory>

</VirtualHost>

If there was a security problem in Ubuntu default Apache configs Canonical would fix it.

That being said there are ways to harden your install. Most importantly you should think about installing mod_security. What if far more damaging than Apache, is logic that it exposes. PHP is often misconfigured so you should run PHPSecInfo and remove as much red and yellow as possible.

Any web app vulnerability scanner worth while is going to complain about being able to see directory listings so -Indexes. Is necessary on a production system.

Having your log files in a predictable location can be used to gain remote code execution using an Advanced LFI attack.

You should also follow the principal of "least privilege access". If you don't need a /cgi-bin, then remove it.