07nov08 updated 19feb09 / 2010-04-30

Save the list of installed packages so it can be restored later:
  dpkg --get-selections > installed-software.txt
  apt-get autoremove
  dpkg --set-selections < installed-software.txt
  dselect   //allows you to unselect packages?

Install Apache:
  apt-get install apache2   (Debian / Ubuntu)
  yum install httpd         (CentOS: the package and the service are both called httpd)

OR IF YOU REALLY SCREW THINGS UP :), you can restore the default settings too!
  mkdir /test
  apt-get download apache2.2-common
  dpkg -x apache2.2-common*.deb /test
  cp -R /test/etc/apache2/* /etc/apache2/

OR YOU CAN REMOVE AND INSTALL APACHE2 AGAIN
  apt-get purge apache2.2-common
  cd /etc/apache2
  rm -R *     //be careful that you really are in /etc/apache2!!!!
  cd ..
  rmdir apache2
  apt-get install apache2.2-common

http://doc.ubuntu.com/ubuntu/serverguide/C/httpd.html
http://httpd.apache.org/docs/trunk/configuring.html

To modify any file from the bash shell prompt or over ssh, use "vi filename" or "nano filename".

STARTING AND STOPPING AND CONFIGURING APACHE

Whenever you modify a configuration file you have to reload or restart Apache before the change takes effect (Ubuntu-specific init script shown first):
  /etc/init.d/apache2 reload
  /etc/init.d/apache2 restart   (combines the stop & start commands)
#NOTE that reload reports FAILED if apache/httpd isn't running yet, so in that case try
  /etc/init.d/httpd start
  /etc/init.d/httpd reload
A slightly "nicer" way is the Apache control command, /usr/sbin/apache2ctl <directive>, e.g.
  sudo apache2ctl graceful
Directives: start / stop / graceful (restarts without aborting active connections) / restart / status

The configuration file is at (Ubuntu) /etc/apache2/apache2.conf
  LogLevel warn   //you can configure how much to log and where to log it
  LogFormat
Log files are at /var/log/apache2/access.log (and error.log)
ports.conf (Ubuntu) contains the configuration of which port(s) to listen on:
  Listen 80
  Listen 8080
  Listen 443

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

ENSURE APACHE IS NOT BEING RUN AS ROOT (if an attacker controls apache, they can modify the whole system)
  ps aux   //shows you all processes from all users: is /usr/sbin/apache2 running as root?
           //(the single parent process that binds port 80 legitimately runs as root; the child processes that serve requests must show the unprivileged user)
  //in CentOS the httpd web server runs as user "apache"
  groupadd www-data
  useradd -g www-data www-data
In /etc/apache2/apache2.conf change the settings to "User www-data" and "Group www-data" (not root!)

AND ENSURE THAT ONLY ROOT CAN ACCESS THE APACHE CONFIGURATION & BINARY/EXECUTABLE FILES
  chown -R root:root /usr/sbin/apache2
  chmod -R o-rwx /usr/sbin/apache2
  chown -R root:root /etc/apache2
  chmod -R o-rwx /etc/apache2

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

REDUCE THE AMOUNT OF INFO YOU GIVE AWAY IN HTTP HEADERS (SERVERTOKENS)
  /etc/apache2/apache2.conf   (Ubuntu)
  nano /etc/httpd/conf/httpd.conf   (CentOS)
Change your "ServerTokens Full" to "ServerTokens Prod":
  #ServerTokens Prod    //most restrictive, response -> Server: Apache
  #ServerTokens Major   //response -> Server: Apache/2
  #ServerTokens Minor   //response -> Server: Apache/2.0
  #ServerTokens Min     //response -> Server: Apache/2.0.55
  #ServerTokens Os      //response -> Server: Apache/2.0.55 (Ubuntu)
  #ServerTokens Full    //response -> Server: Apache/2.0.55 (Ubuntu) PHP/5.1.4-1.dotdeb.2 mymod1/X.Y mymod2/W.Z
ALSO,
  ServerSignature Off
  UseCanonicalName Off
  #Default: On
  #Context: server config, virtual host, directory, .htaccess
  #If UseCanonicalName is On (the default), then the hostname and port used in a self-referential redirect
  #will be those set by ServerName and Port. If it is Off, then the name and port used will be
  #the ones in the original request.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Lower the Timeout value (seconds) to mitigate the effects of Denial Of Service attacks:
  Timeout 45
Limit the size of a request (again mitigating DoS) to whatever you allow file uploads to be:
  LimitRequestBody 1048576   //uploads/requests of at most 1 MB
APACHE2, if you are running mod_dav (used with Subversion):
  LimitXMLRequestBody 10485760   //uploads of at most 10 MB

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Max number of concurrent requests:
  MaxClients = max number of child processes that serve requests (each one uses RAM & VSZ)
  MaxSpareServers, MaxRequestsPerChild, ThreadsPerChild, ServerLimit, MaxSpareThreads

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

PERMISSIONS
This is where most people hate Linux. It's the most stable and most secure BECAUSE you have to work hard to set the permissions right... but it isn't easy.
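Added example (my script, not part of these notes): a POSIX sh audit that reads one Apache config file and reports which of the settings above (User/Group, ServerTokens, ServerSignature, Timeout, LimitRequestBody) still have a weak or missing value. The two sample configs it writes are constructed for the demo; in real use point it at /etc/apache2/apache2.conf or /etc/httpd/conf/httpd.conf.

```shell
#!/bin/sh
# Added example, not part of the original notes: report which hardening directives
# from the notes above still have a weak value in an Apache config file.
# The sample configs written by write_sample_config are constructed for the demo.

# Effective value of DIRECTIVE in CONFIG: the last uncommented occurrence wins (as in
# Apache); printed lower-cased, or empty if the directive is not set at all.
apache_directive() {  # usage: apache_directive CONFIG DIRECTIVE
    grep -i "^[[:space:]]*$2[[:space:]]" "$1" | tail -n 1 | awk '{print tolower($2)}'
}

# Print one FAIL line per weak setting; return 0 only if every check passes.
apache_audit() {  # usage: apache_audit CONFIG
    cfg=$1
    rc=0
    user=$(apache_directive "$cfg" User)
    case "$user" in
        ""|root) echo "FAIL: User is '${user:-unset}' (worker processes must not run as root)"; rc=1 ;;
    esac
    group=$(apache_directive "$cfg" Group)
    case "$group" in
        ""|root) echo "FAIL: Group is '${group:-unset}' (want an unprivileged group)"; rc=1 ;;
    esac
    tokens=$(apache_directive "$cfg" ServerTokens)
    [ "$tokens" = prod ] || { echo "FAIL: ServerTokens is '${tokens:-unset}' (want Prod)"; rc=1; }
    sig=$(apache_directive "$cfg" ServerSignature)
    [ "$sig" = off ] || { echo "FAIL: ServerSignature is '${sig:-unset}' (want Off)"; rc=1; }
    timeout=$(apache_directive "$cfg" Timeout)
    if [ -z "$timeout" ] || [ "$timeout" -gt 45 ]; then
        echo "FAIL: Timeout is '${timeout:-unset}' (want 45 or less)"; rc=1
    fi
    limit=$(apache_directive "$cfg" LimitRequestBody)
    if [ -z "$limit" ] || [ "$limit" -eq 0 ]; then
        echo "FAIL: LimitRequestBody is '${limit:-unset}' (unset or 0 means unlimited request size)"; rc=1
    fi
    return $rc
}

# Write a constructed sample config: "weak" has the leaky defaults, "hardened" the
# values recommended in the notes (plus a commented-out line that must be ignored).
write_sample_config() {  # usage: write_sample_config FILE weak|hardened
    if [ "$2" = weak ]; then
        cat > "$1" <<'EOF'
# constructed sample: runs as root and advertises everything
User root
Group root
ServerTokens Full
ServerSignature On
Timeout 300
EOF
    else
        cat > "$1" <<'EOF'
# constructed sample: the settings recommended in the notes
User www-data
Group www-data
#ServerTokens Full
ServerTokens Prod
ServerSignature Off
Timeout 45
LimitRequestBody 1048576
EOF
    fi
}

# Demo on the two constructed configs (real use: apache_audit /etc/apache2/apache2.conf)
sample=$(mktemp)
write_sample_config "$sample" weak
echo "== constructed weak config"
apache_audit "$sample" || true
write_sample_config "$sample" hardened
echo "== constructed hardened config"
apache_audit "$sample" && echo "OK: all checks pass"
rm -f "$sample"
```

The script reads a single file, so on Ubuntu, where the settings are spread over apache2.conf, ports.conf and the files it Includes (sites-available/default, conf.d/), run it against each file or a concatenation of them; a directive it does not find is reported as unset, never silently passed.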
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

The root html serving directory is usually around /var/www/html
DON'T FORGET, YOUR APACHE/HTTPD USER MUST HAVE PERMISSIONS (execute permission on a directory is what allows opening/traversing it)
  sudo chown -R root:apache /var/www/html
  sudo chmod -R 550 /var/www/html
(This removes the default permission of "everyone" being able to read/execute.)

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

You may need to ensure that DAV is on for apache:
  a2enmod dav_fs   //enables the dav_fs module in apache
  DAV On

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

PREVENT BROWSING ROOT AND FILE FOLDERS
  /etc/apache2/sites-available/default   (ubuntu / apache2)
  /etc/httpd/conf/httpd.conf
Ensure files outside of the web root are not shared. In the Directory section for the filesystem root:
  Order Deny,Allow
  Deny from all
  Options None
  AllowOverride None
and in the Directory section for the web root:
  Order Allow,Deny
  Allow from all
#Directory does not appear to support AuthType the same way as Location

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Turn off the default options:
  Options -Indexes -Includes -ExecCGI -FollowSymLinks -MultiViews
Indexes = directory browsing, Includes = server-side includes (.shtml, .stm, .shtm), ExecCGI = CGI execution, FollowSymLinks = following symbolic links, MultiViews = if the address is /dirname but it doesn't exist, find a matching dirname.htm or .php
(Or, if you don't need anything, "Options None")

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

EXAMPLE
  mkdir /var/www/html/web
  touch /var/www/html/web/file1.html
  touch /var/www/html/web/file2.html
  chown root:apache /var/www/html/web/*
  chmod 440 /var/www/html/web/*
  nano /etc/httpd/conf/httpd.conf   (add it in the Virtual Host area?)
and for the /web directory set:
  Options Indexes FollowSymLinks
  Order Allow,Deny
  Allow from all
Browse to http://domain.com/web (note that if you use http://domain.com/ you will get a FORBIDDEN error, as root browsing is off (-Indexes)).

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

PREVENT UNNEEDED MODULES FROM LOADING
Look in httpd.conf for LoadModule. To disable a module add a # at the beginning of its line (comment it out). To list the modules run:
  grep LoadModule httpd.conf
Some typically enabled but unneeded ones: mod_imap, mod_include, mod_info, mod_userdir, mod_status, mod_cgi, mod_autoindex.
http://httpd.apache.org/docs/2.0/mod/
mod_proxy: a forward proxy provides access to internal clients that are restricted by a firewall, or improves caching. A reverse proxy

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

PER DIRECTORY / LOCATION PERMISSIONS (through the main config file)
http://httpd.apache.org/docs/2.0/sections.html
"When applying directives to objects that reside in the filesystem, use <Directory> or <Files>. <Location> sections operate completely outside the filesystem. An exception is <Location />, which is an easy way to apply a configuration to the entire server." Since several different URLs may map to the same filesystem location, such access controls may be circumvented.
The URL may use wildcards: in a wild-card string, `?' matches any single character, and `*' matches any sequence of characters. Apache 1.2 and above: extended regular expressions can also be used, with the addition of the ~ character. For example:
  <Location ~ "/(extra|special)/data">
would match URLs that contain the substring "/extra/data" or "/special/data". <LocationMatch> is identical to <Location> but takes a regular expression as an argument instead of a simple string...

NOTE: the following example uses regular expressions...
  AuthType Basic
  AuthName "Trac Environment"              //this name appears on the popup box
  AuthUserFile /projects/projects.password //file of authorized users, see htpasswd --help
  Require valid-user                       //requires any user to be authenticated
NOTE YOUR APACHE USER, E.G. WWW-DATA, MUST HAVE READ ACCESS TO THE PASSWORD FILE!!!!!
You can also create a groups file; if it is required in the above "default" or vhosts.conf then a user is only allowed access to the resource if they are in the group AND their user/password combination matches the password file.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

HANDLER
YOU WILL HAVE TO ENSURE THAT YOUR "LOCATION" refers to some content, a "handler": http://httpd.apache.org/docs/2.0/handler.html
Handlers can either be built into the server or included in a module, or they can be added with the Action directive.
  default-handler: Send the file using the default_handler(), which is the handler used by default to handle static content. (core)
  send-as-is: Send file with HTTP headers as is. (mod_asis)
  cgi-script: Treat the file as a CGI script. (mod_cgi)
  imap-file: Parse as an imagemap rule file. (mod_imap)
  server-info: Get the server's configuration information. (mod_info)
  server-status: Get the server's status report. (mod_status)
  type-map: Parse as a type map file for content negotiation. (mod_negotiation)

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

.HTACCESS
The purpose of .htaccess files is to provide a means to configure Apache for users who cannot modify the main configuration file (usually httpd.conf).
.htaccess is a Unix/Linux based file for Apache web servers that allows you to change access permissions on a per-directory basis. When an .htaccess file is in the root directory, it will affect all directories below it. If you place it in a subdirectory it will affect all the files of that directory (and below).
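Added example (my script, not part of these notes): a POSIX sh check for the two file-permission rules above, that nothing under the web root is readable/writable/executable by "everyone" (the chmod 550 / 440 steps) and that the AuthUserFile is readable by the server's group but not by others. The directory tree, file names and modes it builds are constructed for the demo; the real paths are /var/www/html and whatever your AuthUserFile names.

```shell
#!/bin/sh
# Added example, not part of the original notes: verify the web-root and password-file
# permissions described in the notes. The sample tree built by make_sample is constructed.

# Print every entry below ROOT that grants read, write or execute to "other"
# (the "everyone" permission that chmod 550/440 is meant to remove).
world_accessible() {  # usage: world_accessible ROOT
    find "$1" \( -perm -004 -o -perm -002 -o -perm -001 \) -print
}

# Return 0 when ROOT has no world-accessible entries, otherwise list them and return 1.
web_root_audit() {  # usage: web_root_audit ROOT
    hits=$(world_accessible "$1")
    [ -z "$hits" ] && return 0
    printf 'world-accessible: %s\n' "$hits"
    return 1
}

# Apache reads AuthUserFile as its unprivileged user, so the file must be readable by
# the server's group, not writable by that group, and invisible to everyone else:
# the ls -ld mode string must look like -rw-r----- (640) or -r--r----- (440).
passwd_file_audit() {  # usage: passwd_file_audit FILE
    [ -f "$1" ] || { echo "missing: $1"; return 1; }
    mode=$(ls -ld "$1" | cut -c1-10)
    grp=$(printf '%s' "$mode" | cut -c5-7)
    oth=$(printf '%s' "$mode" | cut -c8-10)
    [ "$grp" = "r--" ] || { echo "bad group bits '$grp' on $1 (want r--)"; return 1; }
    [ "$oth" = "---" ] || { echo "bad other bits '$oth' on $1 (want ---)"; return 1; }
    return 0
}

# Build a constructed tree under DIR: 550 directories and 440 files as in the notes,
# plus one deliberately world-readable page and one world-readable password file
# so that both audits have something to report.
make_sample() {  # usage: make_sample DIR
    mkdir -p "$1/html/web" "$1/passwd"
    printf '<html></html>\n' > "$1/html/web/file1.html"
    printf '<html></html>\n' > "$1/html/web/file2.html"
    printf '<html></html>\n' > "$1/html/web/leaky.html"
    printf 'alice:CONSTRUCTED-NOT-A-REAL-HASH\n' > "$1/passwd/passwords"
    cp "$1/passwd/passwords" "$1/passwd/passwords.bad"
    chmod 440 "$1/html/web/file1.html" "$1/html/web/file2.html"
    chmod 644 "$1/html/web/leaky.html"        # the mistake the audit should catch
    chmod 640 "$1/passwd/passwords"           # group-readable only
    chmod 644 "$1/passwd/passwords.bad"       # readable by everyone: wrong
    chmod 550 "$1/html/web" "$1/html"
    chmod 750 "$1/passwd"
}

# The read-only directories need u+w restored before rm can empty them.
cleanup_sample() {  # usage: cleanup_sample DIR
    chmod -R u+w "$1" && rm -rf "$1"
}

# Demo on the constructed tree (real use: web_root_audit /var/www/html)
sample=$(mktemp -d)
make_sample "$sample"
web_root_audit "$sample/html" || echo "fix with: chmod 440 on files, 550 on directories"
passwd_file_audit "$sample/passwd/passwords.bad" || echo "fix with: chgrp www-data FILE; chmod 640 FILE"
cleanup_sample "$sample"
```

Ownership is checked by eye here (ls -l), because chown needs root and the script does not; the point of root:apache with 440/550 is that the web server can read but never write its own content, so a compromised worker cannot plant files in the document root.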
NOTE: any .htaccess file in the root directory will override those in subdirectories.
Allowing .htaccess files will make Apache look for them upon every access to your server. Since parent directories are searched as well, this takes some (small) amount of time and can impact your server's performance. You must place the .htaccess file in the directory where you want it to take effect.
Example: /var/www/html/www.example.com/admin/.htaccess
  AuthType Basic
  AuthName "Authentication Required"
  AuthUserFile /etc/htpasswds/.htpasswd.example.com
  Require valid-user
  Order deny,allow
Most servers have directory listing disabled, however some do not, and this could lead to a security risk: most of the time a directory listing will appear if the directory has no default index file in it.

EXAMPLES
  #to hide everything:
  IndexIgnore *
  #to hide images:
  IndexIgnore *.gif *.jpg *.png *.swf
  IndexIgnore .htaccess */.??* *~ *# */HEADER* */README* */_vti*
  #prevent directory listings:
  Options -Indexes
  #show directory listings:
  Options +Indexes
  #to hide/prevent access to the .htaccess file:
  order allow,deny
  deny from all

  order deny,allow
  deny from all
  allow from all

  order deny,allow
  deny from all

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

HOW CAN I DISABLE .HTACCESS TO IMPROVE PERFORMANCE OF APACHE?
AllowOverride is valid only in <Directory> sections specified without regular expressions, not in <Location>, <DirectoryMatch> or <Files> sections.
  Syntax: AllowOverride All|None|directive-type [directive-type] ...
  Default: AllowOverride All
(Ubuntu / apache2 keeps this file in /etc/apache2/sites-available/default)
In your server config modify the top-level Directory block:
  # ... other directives
  AllowOverride None

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

ACCESS ALLOWED ONLY TO A SPECIFIC SUBNET (or ip address)
  Order Deny,Allow
  Deny from all
  Allow from 176.16.0.0/16

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Note that Parallels (Virtuozzo?) Virtual Servers have their own virtual hosts. After you configure your domains (which gives you ftp access to the www files) in /var/www/vhosts/<domain>/conf/ you will have to create a vhost.conf file; when you run the management script it is pulled in via an include statement (therefore your vhost.conf should NOT contain a VirtualHost clause of its own):
  PRODUCT_ROOT_D/admin/sbin/websrvmng --reconfigure-vhost --vhost-name=<domain>
  /usr/local/psa/admin/sbin/websrvmng -u --vhost-name=<domain>
Restart your server and then type
  more /etc/www/hosts/<domain>/conf/httpd.include
to see the "include vhost.conf" line at the end...

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

  htpasswd /usr/local/apache/passwd/passwords username   (add -c the first time, to create the file)
  AuthType Basic
  AuthName "By Invitation Only"
  AuthUserFile /usr/local/apache/passwd/passwords
  Require user firstuser seconduser
This will prompt them with a box saying "By Invitation Only" and look the response up in the passwords file, only allowing the users firstuser/seconduser.
Create a group file (example of the contents):
  authors: rich daniel allan
and require the group:
  AuthType Basic
  AuthName "Apache Admin Guide Authors"
  AuthUserFile /usr/local/apache/passwd/passwords
  AuthGroupFile /usr/local/apache/passwd/groups
  Require group authors
Note that in addition to specifically listing the users to whom you want to grant access, you can specify that any valid user should be let in. This is done with the valid-user keyword:
  Require valid-user
http://httpd.apache.org/docs/1.3/howto/auth.html#basic
http://www.petefreitag.com/item/505.cfm

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

VIRTUAL HOSTS
Edit httpd.conf, or create your own virtual host section. In the first line, change ip.address.of.host.some_domain.com to your server's IP address. Change the ServerName to a valid DNS name.
  # <VirtualHost ip.address.of.host.some_domain.com>
  #     ServerAdmin webmaster@host.some_domain.com
  #     DocumentRoot /www/docs/host.some_domain.com
  #     ServerName host.some_domain.com
  #     ErrorLog logs/host.some_domain.com-error_log
  #     CustomLog logs/host.some_domain.com-access_log common
  # </VirtualHost>
  #NameVirtualHost 12.34.56.78:80
  #NameVirtualHost 12.34.56.78
  Listen 12331
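Added example (mine, not from these notes or the Apache docs): one Apache 2.2-style config that puts the pieces from the PREVENT BROWSING, PER DIRECTORY / LOCATION, .HTACCESS, SUBNET and VIRTUAL HOSTS sections above together in their proper sections. The paths under /etc/apache2/passwd, the hostnames, the group name "admins" and the log file names are constructed placeholders; the subnet is the one used in the notes.

```apache
# Added example, not part of the original notes: a 2.2-style server config applying
# the rules from the notes. Paths, hostnames, group name and subnet are placeholders.

ServerTokens Prod
ServerSignature Off
UseCanonicalName Off
Timeout 45
LimitRequestBody 1048576

User www-data
Group www-data

# Nothing outside the web root is served and .htaccess files are ignored everywhere,
# so every access rule lives in this file and Apache never walks directories for overrides.
<Directory />
    Options None
    AllowOverride None
    Order Deny,Allow
    Deny from all
</Directory>

# The web root: readable, but no listings, SSI, CGI, symlink following or MultiViews.
<Directory /var/www/html>
    Options -Indexes -Includes -ExecCGI -FollowSymLinks -MultiViews
    AllowOverride None
    Order Allow,Deny
    Allow from all
</Directory>

# Even if AllowOverride is relaxed later, .htaccess/.htpasswd files are never served.
<Files ~ "^\.ht">
    Order Allow,Deny
    Deny from all
</Files>

# Admin area: Basic auth against the htpasswd/group files (created with htpasswd -c,
# readable by group www-data only) AND only from the management subnet.
# "Satisfy All" (the default) means both the network rule and the login must pass.
<Location /admin>
    AuthType Basic
    AuthName "Admin Only"
    AuthUserFile /etc/apache2/passwd/passwords
    AuthGroupFile /etc/apache2/passwd/groups
    Require group admins
    Order Deny,Allow
    Deny from all
    Allow from 176.16.0.0/16
    Satisfy All
</Location>

# Name-based virtual host: one IP, several names, separate logs per host.
NameVirtualHost *:80
<VirtualHost *:80>
    ServerName www.example.com
    ServerAdmin webmaster@example.com
    DocumentRoot /var/www/html
    ErrorLog /var/log/apache2/www.example.com-error.log
    CustomLog /var/log/apache2/www.example.com-access.log combined
</VirtualHost>
```

Because a <Location> matches the URL and not the files, the circumvention caveat quoted above applies: if /admin is also a real directory under the document root that another URL (an Alias, a symlink, a second virtual host) could reach, put the same Auth* and Allow/Deny lines in a <Directory /var/www/html/admin> block as well, and check the result with apache2ctl configtest before a graceful restart.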