Wednesday, August 4, 2010

Apache Maintenance


In many Web server products, Apache is the most widely used product, but also a very safe design procedures. However, as with other applications, Apache has a security flaw. This paper aimed to discuss the three security vulnerabilities, including: use HTTP protocol for the denial of service attacks (denial of service), 3 buffer overflow attacks as well as being the attacker access to root privileges. Note: The reasonable Apache configuration to protect against a variety of attacks, but at the network level denial of service attacks is not to adjust the configuration of the Apache to prevent. This involved the use of HTTP (application layer) protocol for the denial of service attacks.

Apache's main flaw

鈽?HTTP denial of service

Attacker by some means so that the server refused to HTTP response. This makes Apache on the system resources (CPU time and memory) requirements of the surge, ultimately cause the system slows down or even completely paralyzed.

鈽?Buffer Overflow

Attacker uses a number of programming defects, make the program a departure from normal procedure. Uses static allocation of memory stored request data, an attacker can send a long request to a buffer overflow. For example, some written in Perl gateway script processing user requests. Once the buffer overflow, an attacker can execute malicious commands or the system of their downtime.

鈽?attacker access to root privileges

Root privileges generally run Apache (parent process), through which an attacker access to root privileges, and then control the entire system.

Get the latest Apache

Using the most secure version of the Apache Web server, for strengthening the security is essential.

You can get Apache Apache http://www.apache.org the official website of the latest version.

Protection profile

Apache Web server has three main configuration files, they are generally located in / usr / local / apache / conf directory. These three documents are: httpd.con, srm.conf and access.conf. These files are the Apache's control center, requiring an understanding of the three profiles. httpd.conf file is the main configuration file; srm.conf allows you to fill in additional resource file; access.conf set file access permissions. The configuration of these files can refer to http://httpd.apache.org/docs/mod/core.html

Server access control

access.conf file contains instructions to allow any user access control Apache directory. Should deny from all as the initialization command, then use the allow from directive to open access. You can allow certain domains from, IP address or IP segment access. For example:

order deny, allow

deny from all

allow from sans.org

Password protection

Use. Htaccess file, a directory can be given access to a user. System administrators need to use the httpd.conf file or srm.conf AccessFileName command to open the directory access control. The following is a. Htaccess sample file:

AuthName PrivateFiles

AuthType Basic

AuthUserFile / path / to / httpd / users

require foo <--- a valid user name

Then, use the following command fill add a user:

# Htpasswd-c / path / to / httpd / users foo

Apache log files

System administrators can use the log format commands to control the log file. Use LogFormat "% a% l" command, you can send HTTP requests to the browser's IP address and host name records to a log file. For security reasons, you should at least verify that the failure of WEB users to add files in http.conf LogFormat "% 401u" command can achieve this goal. The directive also a number of other parameters, the user can refer to the Apache documentation.鍙﹀锛孉pache鐨勯敊璇棩蹇楁枃浠跺浜庣郴缁熺鐞嗗憳鏉ヨ涔熸槸闈炲父閲嶈鐨勶紝閿欒鏃ュ織鏂囦欢涓寘鎷湇鍔″櫒鐨勫惎鍔ㄣ?鍋滄浠ュ強CGI鎵ц澶辫触绛変俊鎭?

瀹夊叏鐩稿叧鐨勬寚浠?br />
鍦ˋpache閰嶇疆鏂囦欢涓紝鏈変竴浜涘畨鍏ㄧ浉鍏崇殑鎸囦护鍙互浣跨敤銆傝繖浜涙寚浠ょ殑璇︾粏鐢ㄦ硶鍙互鍙傝?http://httpd.apache.org/docs/mod/directives.html銆?br />
浣跨敤浠ヤ笅鎸囦护鍙互甯姪浣犲噺灏忔嫆缁濇湇鍔$殑濞佽儊锛?br />
LimitRequestbody: 鏁板瓧鍙傛暟锛屾帶鍒禜TTP璇锋眰鐨勫ぇ灏忋?

LimitRequestFields: 鏁板瓧鍙傛暟锛屾帶鍒惰姹傚ご鐨勬暟鐩?

KeepAlive: 璁剧疆杩炴帴鐨勭敓瀛樻湡銆?br />
KeepAliveTimeout: 闄愬埗绛夊緟璇锋眰鐨勬椂闂淬?

浣跨敤浠ヤ笅鎸囦护鍙互甯姪浣犲彨鍤g紦鍐插尯婧㈠嚭鐨勫嵄闄╋細

LimitRequestFieldSize: 闄愬埗姣忎釜璇锋眰澶寸殑澶у皬銆?br />
LimitRequestLine: 闄愬埗姣忎釜璇锋眰琛岀殑澶у皬銆?br />
CGI(ommon Gateway Interface,閫氱敤缃戝叧鎺ュ彛)鐨勫畨鍏ㄥ▉鑳?br />
CGI鐨勫畨鍏ㄦ?闈炲父閲嶈锛屾敾鍑昏?鍙互鍒╃敤CGI鐨勭己闄疯幏寰楃郴缁熶俊鎭?鎵ц绯荤粺鍛戒护銆佸崰鐢ㄧ郴缁熻祫婧愩?濡傛灉涓?釜CGI绋嬪簭浣跨敤闈欐?鍒嗛厤鐨勫唴瀛橈紝灏卞彲鑳戒负缂撳啿鍖烘孩鍑烘敾鍑绘彁渚涙満浼氥?涓轰簡鍑忓皯杩欑椋庨櫓锛岀▼搴忓憳搴旇鍦–GI浠g爜涓娇鐢ㄥ姩鎬佸垎閰嶅唴瀛樸?闄や簡CGI缂栧啓浜哄憳搴旇娉ㄦ剰澶栵紝绯荤粺绠$悊鍛樺彲浠ラ噰鍙栧CGI杩涜灏佽(渚嬪锛歴uEXEC鎴栬?CGI Wrap)鐨勫姙娉曞姞寮篊GI鐨勫畨鍏ㄦ?銆傞?杩囪繖绉嶆柟寮忓彲浠ヤ娇CGI绋嬪簭浠ユ煇涓嫭绔嬬殑鐢ㄦ埛鏉冮檺杩愯锛屽嵆浣垮彂鐢熺紦鍐插尯婧㈠嚭锛屼篃鍙奖鍝嶉偅涓敤鎴风殑鐩綍/鏂囦欢銆?br />
perl鏄竴绉嶅姛鑳介潪甯稿己澶х殑鑴氭湰璇█銆備富瑕佺敤浜庢枃鏈殑澶勭悊锛岀▼搴忓憳杩樺彲浠ラ?杩噋erl鑴氭湰浣跨敤绯荤粺璋冪敤銆傚鏋滅▼搴忕紪鍐欑殑涓嶅ソ锛屽氨浼氫负鏀诲嚮鑰呴棷鍏ユ湇鍔″櫒澶у紑鏂逛究涔嬮棬銆傚洜姝わ紝浣跨敤perl鑴氭湰涓?畾瑕佸皬蹇冿紝浠ュ厤鍑虹幇姝ょ被婕忔礊銆傚湪perl鑴氭湰涓紝澶勭悊璇锋眰鏁版嵁涔嬪墠锛屾渶濂借兘澶熻皟鐢ㄤ笓闂ㄧ殑妫?煡渚嬬▼瀵硅緭鍏ョ殑鍚堟硶鎬ц繘琛屾鏌ャ?闄ゆ涔嬪锛岃繕瑕佺‘淇滱pache涓嶆槸浠oot鐨勬潈闄愯繍琛岀殑锛孭erl鑴氭湰琚檺鍒跺湪鏌愪釜鐗瑰畾鐨勭洰褰曚笅杩愯銆?br />
SSI(Server-Side Includes)鐨勫畨鍏?br />
浣跨敤SSI锛岀▼搴忓憳鍙互寤虹珛涓?簺甯哥敤鐨勪緥绋嬶紝鍦ㄩ渶瑕佹椂鎶婅繖浜涗緥绋嬪寘鍚繘浠栦滑鐨勪唬鐮佷腑銆係SI杩樺厑璁告湁鏉′欢鍦版墽琛屽閮ㄧ▼搴忥紝鏀诲嚮鑰呭彲鑳藉埄鐢ㄨ繖涓潯浠惰鏈嶅姟鍣ㄦ墽琛屼粬浠殑鎭舵剰绋嬪簭銆傚湪access.conf鏂囦欢涓娇鐢↖ncludesNoEXEC鎸囦护锛屽彲浠ュ叧闂墽琛孲SI鏂囦欢鐨勫姛鑳姐?涓嶈繃杩欐潯鎸囦护浼氶?鎴愭湇鍔″櫒涓嶆墽琛孋GI鑴氭湰鎴栬?绋嬪簭銆?br />
鍏跺畠瀹夊叏宸ュ叿

浣跨敤TCP Wrappers鍜孴ripwire鍙互涓轰綘鐨勭郴缁熸彁渚涢澶栫殑淇濇姢銆備綘鍙互浣跨敤TCP Wrappers鏉ユ帶鍒禩elnet鎴栬?FTP鐨勮闂潈闄愩?Tripwire鏄竴涓暟鎹畬鏁存?妫?祴宸ュ叿锛屽彲浠ュ府鍔╃郴缁熺鐞嗗憳鐩戣绯荤粺鏄惁琚敼鍔ㄨ繃锛屼綘鍙互鍦═ripwire鐨勯厤缃枃浠朵腑缂栧埗鐗瑰畾鐨勭瓥鐣ワ紝鐩戣Web鏈嶅姟鍣ㄧ殑閰嶇疆鏂囦欢銆佹暟鎹拰CGI鏂囦欢鏄惁琚慨鏀广?

Summary

Apache鏄竴涓紭绉?殑姝剸鏈嶅姟鍣紝铏界劧Apache鐨勫紑鍙戣?闈炲父娉ㄩ噸鍏跺畨鍏ㄦ?锛屼絾鏄敱浜嶢pache闈炲父搴炲ぇ锛岄毦鍏嶄細瀛樺湪瀹夊叏闅愭偅銆侫pache鐨勫畨瑁呯淮鎶や腑闇?娉ㄦ剰浠ヤ笅闂锛?br />
鈽呮鏌ユ枃浠跺拰鐩綍鐨勬潈闄愭槸鍚︽伆褰撱?

鈽卙ttpd.conf銆乻rm.conf鍜宎ccess.conf鐨勮缃槸鍚﹂?褰?br />
鈽呬娇鏈嶅姟鍣ㄦ棩蹇楁枃浠惰兘澶熻褰曞敖鍙兘璇︾粏鐨勪俊鎭?

鈽呭鏌愪簺闇?鐗瑰埆淇濇姢鐨勭洰褰曚娇鐢ㄥ瘑鐮佷繚鎶?.htaccess)銆?br />
鈽呭CGI鑴氭湰鎴栬?绋嬪簭杩涜灏佽銆?br />
鈽呭鏋淐GI浣跨敤Perl缂栧啓锛岃璇︾粏妫?煡鍏跺畨鍏ㄦ?

鈽呮鏌SI鎸囦护

鈽呬娇鐢═CP Wrappers鍜孴ripwire銆?br />





相关链接:



Ulead SmartSaver Pro 3.0 CHEATS bit through (c)



mxf converter



Magical MATERIAL: Magic tulips



converter flv to mp3



Tissot wave through the "Dakar"



What Dealers need to support?



Brief Desktop



C LANGUAGE library function (G class letters) - 1



SIP protocol is how the AGREEMENT is better than H.323? (2)



Easy E-Mail Clients



China does not Thereby adversely affecting the timing of 3G licenses as early as 4 years will be hug



Guide GAMES Sports



free download wmv to 3gp converter



PMP Exam Questions



free download mp4 to 3gp



New Search Or Lookup Tools



FMCG Distributors And How The Difficulties Faced By Self-improvement



No comments:

Post a Comment