Among the many Web server products, Apache is the most widely used, and its design and development process is also very security-conscious. Even so, like any other application, Apache has security flaws. This article discusses three kinds of security vulnerability: denial of service attacks carried out over the HTTP protocol, buffer overflow attacks, and attackers gaining root privileges. Note: a reasonable Apache configuration protects against a variety of attacks, but a network-level denial of service attack cannot be prevented by adjusting Apache's configuration; what is covered here is denial of service that uses the HTTP (application layer) protocol.
Apache's main flaws
☆ HTTP denial of service
The attacker uses some means to make the server refuse HTTP responses. This causes Apache's demand for system resources (CPU time and memory) to surge, eventually slowing the system down or paralyzing it completely.
☆ Buffer overflow
The attacker uses programming defects to make a program depart from its normal flow. Where a program stores request data in statically allocated memory, an attacker can send an overly long request to overflow the buffer; gateway scripts written in Perl that process user requests are a typical example. Once the buffer overflows, the attacker can execute malicious commands or bring the system down.
☆ Attacker gains root privileges
Apache (the parent process) generally runs with root privileges. An attacker who gains root privileges through it can then control the entire system.
Get the latest Apache
Running the most secure version of the Apache Web server is essential to strengthening security.
You can get the latest version of Apache from the official Apache website, http://www.apache.org.
Protecting the configuration files
The Apache Web server has three main configuration files, usually located in the /usr/local/apache/conf directory: httpd.conf, srm.conf and access.conf. These files are Apache's control center, and you need to understand all three. httpd.conf is the main configuration file; srm.conf is where you fill in additional resource settings; access.conf sets file access permissions. For the configuration of these files, refer to http://httpd.apache.org/docs/mod/core.html
Server access control
The access.conf file contains the directives that control which users may access Apache directories. Start with deny from all as the initial rule, then use the allow from directive to open access. You can allow access from specific domains, IP addresses or IP ranges. For example:
order deny,allow
deny from all
allow from sans.org
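To make the semantics of the three lines above concrete, here is an added example (not code from the article or from the Apache project) that models how Apache's Order, Deny from and Allow from directives combine. It is a simplified re-implementation written for illustration: it assumes the client's reverse-resolved host name is available for domain rules, and it handles the token kinds the directives accept (all, a domain suffix, a full or partial dotted IP, and an IP/CIDR network).

```python
import ipaddress

# Simplified model of Apache host-based access control (mod_access).
# This is an illustrative re-implementation, not Apache's own code.

def _matches(pattern, host, ip):
    """Does one 'from' token match the client?"""
    pattern = pattern.lower()
    if pattern == "all":
        return True
    if "/" in pattern:
        # IP/CIDR network, e.g. 192.0.2.0/24
        return ipaddress.ip_address(ip) in ipaddress.ip_network(pattern, strict=False)
    if pattern.replace(".", "").isdigit():
        # full IP, or partial IP: "10.1" matches 10.1.x.x
        return ip == pattern or ip.startswith(pattern.rstrip(".") + ".")
    # domain suffix: "sans.org" matches sans.org and *.sans.org
    host = (host or "").lower()
    return host == pattern or host.endswith("." + pattern)

def evaluate(order, deny_from, allow_from, host, ip):
    """Return True if the client (host name, IP) is admitted under the given Order."""
    denied = any(_matches(p, host, ip) for p in deny_from)
    allowed = any(_matches(p, host, ip) for p in allow_from)
    order = order.lower().replace(" ", "")
    if order == "deny,allow":
        # Deny rules evaluated first; an Allow match overrides; default is allow
        return allowed or not denied
    if order == "allow,deny":
        # Allow must match and no Deny may match; default is deny
        return allowed and not denied
    raise ValueError("unsupported Order: %r" % order)

# The article's configuration: deny everyone, then open access to sans.org hosts
ARTICLE_DENY = ["all"]
ARTICLE_ALLOW = ["sans.org"]

def article_config_admits(host, ip):
    return evaluate("deny,allow", ARTICLE_DENY, ARTICLE_ALLOW, host, ip)
```

The pitfall this exposes: with the same Deny and Allow lists but Order allow,deny, a client in sans.org is matched by deny from all and is refused, so the directory becomes inaccessible to everyone. Name-based rules also depend on a reverse DNS lookup of the client address; if the name cannot be resolved, only IP-based tokens can match.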
Password protection
Using a .htaccess file, access to a directory can be restricted to named users. The system administrator needs to enable per-directory access control with the AccessFileName directive in httpd.conf or srm.conf. The following is a sample .htaccess file:
AuthName PrivateFiles
AuthType Basic
AuthUserFile /path/to/httpd/users
require user foo <--- foo is a valid user name
Then add the user with the following command:
# htpasswd -c /path/to/httpd/users foo
(The -c option creates the password file; leave it out when adding further users to an existing file.)
Apache log files
System administrators control the log file with the LogFormat directive. With LogFormat "%a %l", the IP address and host name of the browser making the HTTP request are recorded in the log file. For security reasons you should at least log failed web-user authentications; adding LogFormat "%401u" in httpd.conf achieves this (the user name is logged only for requests answered with status 401). The directive takes a number of other parameters; refer to the Apache documentation. In addition, Apache's error log is also very important to the system administrator: it records server start-up and shutdown as well as CGI execution failures and similar information.
Security-related directives
In the Apache configuration files there are a number of security-related directives you can use. Detailed usage of these directives can be found at http://httpd.apache.org/docs/mod/directives.html.
The following directives can help you reduce the threat of denial of service:
LimitRequestBody: numeric argument; controls the size of the HTTP request body.
LimitRequestFields: numeric argument; controls the number of request header fields.
KeepAlive: sets the lifetime of a connection.
KeepAliveTimeout: limits the time the server waits for the next request.
The following directives can help you reduce the risk of buffer overflows:
LimitRequestFieldSize: limits the size of each request header field.
LimitRequestLine: limits the size of the request line.
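The following is an added example, not from the article or the Apache project, of a small audit that checks an httpd.conf excerpt for the limits just listed. It reports directives that are missing, non-numeric, set to 0 (unlimited) for LimitRequestBody, or above a ceiling. The ceilings and the sample configuration are this example's own constructed choices, not values recommended by the article.

```python
# Constructed httpd.conf excerpt for the example (not a real server's file):
# LimitRequestBody is left at 0 (unlimited) and LimitRequestFieldSize is absent.
SAMPLE_CONF = """\
ServerRoot "/usr/local/apache"
# request limits
LimitRequestBody 0
LimitRequestFields 100
LimitRequestLine 8190
KeepAlive On
KeepAliveTimeout 300
"""

# Ceilings this audit enforces; arbitrary example values, not Apache defaults.
CEILINGS = {
    "LimitRequestBody": 1048576,     # at most 1 MiB of request body
    "LimitRequestFields": 100,
    "LimitRequestFieldSize": 8190,
    "LimitRequestLine": 8190,
    "KeepAliveTimeout": 15,          # seconds
}

def parse_directives(conf_text):
    """Return {lower-cased directive name: value} for simple 'Name value' lines.

    Apache directive names are case-insensitive; comments and blank lines are skipped.
    Container sections (<Directory> ...) are not modelled here.
    """
    found = {}
    for line in conf_text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line or line.startswith("<"):
            continue
        parts = line.split(None, 1)
        if len(parts) == 2:
            found[parts[0].lower()] = parts[1].strip().strip('"')
    return found

def audit_limits(conf_text):
    """Return a list of (directive, problem) findings for the request limits."""
    found = parse_directives(conf_text)
    findings = []
    for name, ceiling in CEILINGS.items():
        value = found.get(name.lower())
        if value is None:
            findings.append((name, "not set; the server default applies"))
            continue
        try:
            n = int(value)
        except ValueError:
            findings.append((name, "non-numeric value %r" % value))
            continue
        if name == "LimitRequestBody" and n == 0:
            findings.append((name, "0 means the request body size is unlimited"))
        elif n > ceiling:
            findings.append((name, "%d exceeds ceiling %d" % (n, ceiling)))
    return findings

if __name__ == "__main__":
    for directive, problem in audit_limits(SAMPLE_CONF):
        print("%s: %s" % (directive, problem))
```

Because the parser ignores container sections, a limit set only inside a <Directory> or <VirtualHost> block is reported as missing; treat the output as a prompt to check, not as a verdict.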
CGI (Common Gateway Interface) security threats
CGI security is very important: an attacker can exploit flaws in CGI programs to obtain system information, execute system commands, or consume system resources. If a CGI program uses statically allocated memory, it may give a buffer overflow attack an opening; to reduce this risk, programmers should use dynamically allocated memory in CGI code. Beyond the care CGI authors must take, the system administrator can strengthen CGI security by wrapping CGI programs (for example with suEXEC or CGIWrap). This runs each CGI program under a separate user's privileges, so that even if a buffer overflow occurs, only that user's directories and files are affected.
Perl is a very powerful scripting language. It is used mainly for text processing, but programmers can also make system calls from Perl scripts. A badly written program opens the door wide for attackers to break into the server, so Perl scripts must be written with great care to avoid such vulnerabilities. In a Perl script, before processing request data, it is best to call a dedicated validation routine that checks the legitimacy of the input. In addition, make sure Apache is not running with root privileges and that Perl scripts are restricted to running in a specific directory.
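As an added example (not code from the article), the following shows the "dedicated validation routine" the paragraph recommends, written in Python rather than Perl so the same idea applies to any CGI language. The hypothetical helper program /usr/local/bin/lookup-user and the user parameter are assumptions of the example; nothing is executed, the functions only build the command so that the unsafe and safe forms can be compared.

```python
import re
from urllib.parse import parse_qs

# Allow-list: a user name is 1-32 characters of letters, digits, '.', '_' or '-'.
USERNAME_RE = re.compile(r'^[A-Za-z0-9._-]{1,32}$')

# Hypothetical external program a CGI script might call with the user name.
LOOKUP_TOOL = "/usr/local/bin/lookup-user"

class InvalidInput(ValueError):
    """Raised when request data fails the allow-list check."""

def validate_username(value):
    """Return the value unchanged if it matches the allow-list, else raise."""
    if not isinstance(value, str) or not USERNAME_RE.match(value):
        raise InvalidInput("user name contains characters outside the allow-list")
    return value

def build_command_unsafe(username):
    """'Before' pattern: request data spliced into a shell command string.

    Returned as a string for inspection only; a ';' or '|' in the parameter
    would be interpreted by the shell if this were passed to system().
    """
    return "%s %s" % (LOOKUP_TOOL, username)

def build_command_safe(username):
    """'After' pattern: validate first, then build an argv list.

    An argv list never passes through a shell, so even if validation were
    relaxed, metacharacters would reach the program as plain text.
    """
    return [LOOKUP_TOOL, validate_username(username)]

def handle_request(query_string):
    """Simulated CGI entry point for QUERY_STRING.

    Returns ('ok', argv) for acceptable input or ('error', message) otherwise,
    and never runs anything.
    """
    params = parse_qs(query_string, keep_blank_values=True)
    names = params.get("user", [])
    if len(names) != 1:
        return ("error", "exactly one 'user' parameter is required")
    try:
        return ("ok", build_command_safe(names[0]))
    except InvalidInput as exc:
        return ("error", str(exc))
```

The two defences are independent: the allow-list rejects anything that is not a plausible user name, and the argv list removes the shell from the path entirely. Checking that exactly one value was supplied guards against parameter-duplication tricks where the first value passes validation and a second one is used later.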
SSI (Server-Side Includes) security
With SSI, programmers can build commonly used routines and include them in their pages when needed. SSI also allows external programs to be executed conditionally, and an attacker may use this to make the server execute their malicious program. Using the IncludesNOEXEC directive in the access.conf file turns off the ability of SSI files to execute programs. Note, however, that this directive also stops the server from executing CGI scripts or programs from SSI pages.
Other security tools
TCP Wrappers and Tripwire can give your system additional protection. TCP Wrappers lets you control access to services such as Telnet or FTP. Tripwire is a data integrity checking tool that helps the system administrator detect whether the system has been altered; you can write specific policies in Tripwire's configuration file to monitor whether the Web server's configuration files, data and CGI files have been modified.
Summary
Apache is an excellent Web server. Although its developers pay close attention to security, Apache is very large, and security risks are unavoidable. When installing and maintaining Apache, pay attention to the following:
☆ Check that file and directory permissions are appropriate.
☆ Check that the settings in httpd.conf, srm.conf and access.conf are appropriate.
☆ Make the server log files record as much detail as possible.
☆ Use password protection (.htaccess) for directories that need special protection.
☆ Wrap CGI scripts and programs.
☆ If CGI programs are written in Perl, review their security in detail.
☆ Check SSI directives.
☆ Use TCP Wrappers and Tripwire.