Security Hardening of an Apache Virtual Host
There are a number of steps to restrict access to an Apache virtual host. Access restriction is particularly important in a shared web hosting environment where potentially hundreds of different users have shell access.
- You can check individual requests by using a framework like:
- Remove all unnecessary modules from the web server configuration.
Run an IDS module http://www.modsecurity.org/
- Remove all unnecessary functionality from the virtual host configuration
Userdir (Use UserDir disabled
Run the Apache server as a non-priviliged user (for example, apache).
- Only process server side scripts (mod_php, mod_python, etc) if you know what you are doing. See ["Embedded_Apache_modules_vs_external_execution"] for a discussion.
Restrict access at the URL level:
# Deny all URLs by default. <Location /> # Deny all access by default Order Allow,Deny </Location> # Order of sections in configuration file is important!. <Location /goodstuff> # Deny all access by default Order Allow,Deny # Only allow trusted domains Allow from .xxx.anchor.net.au # Restrict to SSL mode SSLRequireSSL # Restrict to specific client certificates or request attributes.. # SSLRequire is very powerful even for non-SSL requests. # SSLRequire ... # Password protect AuthType Digest AuthName "Restricted data" AuthUserFile /home/pron/.htpasswd Require valid-user </Location>
Restrict access at the filename level:
<Files ~ "^\.ht"> Order Allow,Deny </Files>
Restrict access at the directory level:
<Directory /> Order Allow,Deny </Directory> # More specific directory paths take precedence. <Directory /home/pr0n> Order Allow,Deny # Restrict access....(see directives used in location example above) # blah blah </Directory>
- Restrict OS permissions: Use extended posix ACLs if you can. man acl(5).
setfacl -m u:apache:x,g::0,o:0 $HOME setfacl -R --physical -m u:apache:rx,g::0,o:0,d:u:apache:rx,m:rx,d:m:rx,d:o:0 "$HOME/public_html"
- Remove all unnecessary server side executables from the document root