Apache Security Default Install Permissions
ive recently installed apache2 on my Ubuntu machine and have a few questions about security and user permissions. I know how to listen on other ports, hide indexes with -Indexes and how to create/disable new Virtual Hosts on the same machine, but there is a lot of user options already preset in the standard install config I am unsure about.
can anyone explain exactly what this file is allowing users to do on the system? ive spent alot of time looking up on the Apache help开发者_StackOverflow中文版 guides and docs but its very touch and go, as most of what I really need is to understand what is happening here first. please help.
cat /etc/apache2/sites-available/default
<VirtualHost *:80>
ServerAdmin webmaster@localhost
DocumentRoot /var/www
<Directory />
Options FollowSymLinks
AllowOverride None
</Directory>
<Directory /var/www/>
Options Indexes FollowSymLinks MultiViews
AllowOverride None
Order allow,deny
allow from all
</Directory>
ScriptAlias /cgi-bin/ /usr/lib/cgi-bin/
<Directory "/usr/lib/cgi-bin">
AllowOverride None
Options +ExecCGI -MultiViews +SymLinksIfOwnerMatch
Order allow,deny
Allow from all
</Directory>
ErrorLog /var/log/apache2/error.log
# Possible values include: debug, info, notice, warn, error, crit,
# alert, emerg.
LogLevel warn
CustomLog /var/log/apache2/access.log combined
Alias /doc/ "/usr/share/doc/"
<Directory "/usr/share/doc/">
Options Indexes MultiViews FollowSymLinks
AllowOverride None
Order deny,allow
Deny from all
Allow from 127.0.0.0/255.0.0.0 ::1/128
</Directory>
</VirtualHost>
If there was a security problem in Ubuntu default Apache configs Canonical would fix it.
That being said there are ways to harden your install. Most importantly you should think about installing mod_security. What if far more damaging than Apache, is logic that it exposes. PHP is often misconfigured so you should run PHPSecInfo and remove as much red and yellow as possible.
Any web app vulnerability scanner worth while is going to complain about being able to see directory listings so -Indexes
. Is necessary on a production system.
Having your log files in a predictable location can be used to gain remote code execution using an Advanced LFI attack.
You should also follow the principal of "least privilege access". If you don't need a /cgi-bin, then remove it.
精彩评论