Hi guys, I've recently installed apache2 on my Ubuntu machine and have a few questions about security and user permissions. I know how to listen on other ports, hide indexes with -Indexes and how to create/disable new Virtual Hosts on the same machine, but there are a lot of user options already preset in the standard install config I am unsure about.

Can anyone explain exactly what this file is allowing users to do on the system? I've spent a lot of time looking up on the Apache help guides and docs but it's very touch and go, as most of what I really need is to understand what is happening here first. Please help.

cat /etc/apache2/sites-available/default

<VirtualHost *:80>
 ServerAdmin webmaster@localhost

 DocumentRoot /var/www
 <Directory />
  Options FollowSymLinks
  AllowOverride None
 </Directory>
 <Directory /var/www/>
  Options Indexes FollowSymLinks MultiViews
  AllowOverride None
  Order allow,deny
  allow from all
 </Directory>

 ScriptAlias /cgi-bin/ /usr/lib/cgi-bin/
 <Directory "/usr/lib/cgi-bin">
  AllowOverride None
  Options +ExecCGI -MultiViews +SymLinksIfOwnerMatch
  Order allow,deny
  Allow from all
 </Directory>

 ErrorLog /var/log/apache2/error.log

 # Possible values include: debug, info, notice, warn, error, crit,
 # alert, emerg.
 LogLevel warn

 CustomLog /var/log/apache2/access.log combined

    Alias /doc/ "/usr/share/doc/"
    <Directory "/usr/share/doc/">
        Options Indexes MultiViews FollowSymLinks
        AllowOverride None
        Order deny,allow
        Deny from all
        Allow from 127.0.0.0/255.0.0.0 ::1/128
    </Directory>

</VirtualHost>

A:

If there was a security problem in Ubuntu default Apache configs Canonical would fix it.

That being said, there are ways to harden your install. Most importantly you should think about installing mod_security. What is far more damaging than Apache is the logic that it exposes. PHP is often misconfigured, so you should run PHPSecInfo and remove as much red and yellow as possible.

Any web app vulnerability scanner worthwhile is going to complain about being able to see directory listings, so -Indexes is necessary on a production system.

Having your log files in a predictable location can be used to gain remote code execution using an Advanced LFI attack.

You should also follow the principle of "least privilege access". If you don't need a /cgi-bin, then remove it.

Rook
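A hardened version of the same default vhost, applying the points above (-Indexes everywhere, the /cgi-bin ScriptAlias and the /doc alias removed, .htaccess still disabled) and additionally denying access at the filesystem root as the Apache docs recommend. This is an added example, not the Ubuntu package's file or Rook's own config; it keeps the Apache 2.2 Order/Allow syntax the posted file uses, and the comments say what each directive permits.

```apache
<VirtualHost *:80>
    ServerAdmin webmaster@localhost
    DocumentRoot /var/www

    # Filesystem root: no options, no .htaccess, no access at all.
    # Access is granted again only for /var/www below, so a URL can never
    # reach a path outside the document root via this vhost.
    <Directory />
        Options None
        AllowOverride None
        Order deny,allow
        Deny from all
    </Directory>

    # Document root. -Indexes stops directory listings when no index file
    # exists; -MultiViews stops content negotiation from serving a file the
    # URL did not name; SymLinksIfOwnerMatch follows a symlink only when the
    # link and its target have the same owner (the posted file's plain
    # FollowSymLinks follows any symlink). AllowOverride None means
    # .htaccess files in /var/www cannot re-enable any of this.
    <Directory /var/www/>
        Options -Indexes -MultiViews +SymLinksIfOwnerMatch
        AllowOverride None
        Order allow,deny
        Allow from all
    </Directory>

    # No ScriptAlias /cgi-bin/ and no <Directory "/usr/lib/cgi-bin"> block:
    # with them gone, nothing under this vhost is run as a CGI program.
    # The Alias /doc/ block (which served /usr/share/doc to 127.0.0.0/8 and
    # ::1) is also gone, so no system documentation is exposed.

    ErrorLog /var/log/apache2/error.log
    LogLevel warn
    CustomLog /var/log/apache2/access.log combined
</VirtualHost>
```

Run `apache2ctl configtest` before reloading so a typo in the file does not take the server down.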