Apache Security - Ivan Ristic [17]
# cd /etc/rc3.d
# ln -s /usr/local/apache/bin/apachectl S85httpd
On Windows, Apache is configured to start automatically when you install from a binary distribution, but you can do it from a command line by calling Apache with the -k install command switch.
Testing the installation
To verify that the startup has succeeded, try to access the web server using a browser as a client. If it works, you will see the famous "Seeing this instead of the website you expected?" page, as shown in Figure 2-1. At the time of this writing, there are talks on the Apache developers' list about reducing the welcome message to avoid confusing users (not administrators, but people who stumble on active but unused Apache installations that are publicly reachable on the Internet).
Figure 2-1. Apache post-installation welcome page
As a bonus, toward the end of the page, you will find a link to the Apache reference manual. If you are near a computer while reading this book, you can use this copy of the manual to learn configuration directive specifics.
Using the ps tool, you can find out how many Apache processes there are and which account each one runs under. Only the parent process, which must bind the privileged port, should be running as root; the children that actually talk to clients run as the unprivileged httpd user:
$ ps -Ao user,pid,ppid,cmd | grep httpd
root 31738 1 /usr/local/apache/bin/httpd -k start
httpd 31765 31738 /usr/local/apache/bin/httpd -k start
httpd 31766 31738 /usr/local/apache/bin/httpd -k start
httpd 31767 31738 /usr/local/apache/bin/httpd -k start
httpd 31768 31738 /usr/local/apache/bin/httpd -k start
httpd 31769 31738 /usr/local/apache/bin/httpd -k start
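The following is an added example (mine, not code from the book) that turns the inspection above into a repeatable check: it parses `ps -Ao user,pid,ppid,cmd` output in the layout shown, finds the httpd process tree and reports if there is not exactly one parent, if there are no children, or if any child runs as root. The ps text, the pids and the `httpd` account name are constructed for the illustration.

```python
# Added example: check the httpd process tree for least privilege.
# The ps text below is constructed to match the column layout of
# "ps -Ao user,pid,ppid,cmd"; the pids and the "httpd" account are assumed.
PS_OUTPUT = """\
root  31738     1 /usr/local/apache/bin/httpd -k start
httpd 31765 31738 /usr/local/apache/bin/httpd -k start
httpd 31766 31738 /usr/local/apache/bin/httpd -k start
httpd 31767 31738 /usr/local/apache/bin/httpd -k start
"""

# A misconfigured tree (also constructed): one worker was left running as root.
BAD_PS_OUTPUT = """\
root  31738     1 /usr/local/apache/bin/httpd -k start
httpd 31765 31738 /usr/local/apache/bin/httpd -k start
root  31766 31738 /usr/local/apache/bin/httpd -k start
"""


def parse_ps(text):
    """Split ps output into dicts; skip a header line ("USER PID PPID CMD") or junk."""
    procs = []
    for line in text.splitlines():
        fields = line.split(None, 3)
        if len(fields) < 4 or not fields[1].isdigit():
            continue
        user, pid, ppid, cmd = fields
        procs.append({"user": user, "pid": int(pid), "ppid": int(ppid), "cmd": cmd})
    return procs


def check_httpd_privileges(ps_text, httpd_path="/usr/local/apache/bin/httpd"):
    """Return a list of problems found in the httpd process tree (empty means OK).

    Expected shape: exactly one parent (started by init; it may be root so that
    it can bind port 80) and one or more children that are NOT root, because the
    children are the processes that handle requests from untrusted clients.
    """
    procs = [p for p in parse_ps(ps_text) if p["cmd"].startswith(httpd_path)]
    pids = {p["pid"] for p in procs}
    parents = [p for p in procs if p["ppid"] not in pids]
    children = [p for p in procs if p["ppid"] in pids]

    problems = []
    if len(parents) != 1:
        problems.append(f"expected one parent httpd process, found {len(parents)}")
    if not children:
        problems.append("no child httpd processes are running")
    for child in children:
        if child["user"] == "root":
            problems.append(f"child pid {child['pid']} runs as root")
    return problems


if __name__ == "__main__":
    for label, text in (("good", PS_OUTPUT), ("bad", BAD_PS_OUTPUT)):
        print(label, check_httpd_privileges(text) or "OK")
```

On a live system, feed the function the output of `ps -Ao user,pid,ppid,cmd` and adjust `httpd_path` if your Apache binary lives elsewhere; a child running as root usually means the User directive is missing or Apache was started in a way that skipped privilege dropping.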
Using tail, you can see what gets logged as different requests are processed. Enter a nonexistent filename in the browser location bar and send the request to the web server; then examine the access log (in the layout used in this book, the logs are in the /var/www/logs folder). The example below shows the successful retrieval (indicated by the 200 status code) of a file that exists, followed by an unsuccessful attempt (404 status code) to retrieve a file that does not exist:
192.168.2.3 - - [21/Jul/2004:17:12:22 +0100] "GET /manual/images/feather.gif HTTP/1.1" 200 6471
192.168.2.3 - - [21/Jul/2004:17:20:05 +0100] "GET /manual/not-here HTTP/1.1" 404 311
Here is what the error log contains for this example:
[Wed Jul 21 17:17:04 2004] [notice] Apache/2.0.50 (Unix) configured -- resuming normal operations
[Wed Jul 21 17:20:05 2004] [error] [client 192.168.2.3] File does not exist: /usr/local/apache/manual/not-here
The idea is to become familiar with how Apache works. As you learn what constitutes normal behavior, you will learn how to spot unusual events.
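To make "spotting unusual events" concrete, here is an added example (mine, not code from the book) that parses access log lines in the Common Log Format shown above and flags clients whose traffic is mostly 4xx errors, which is what filename guessing looks like next to the occasional typo from a real visitor. It also reports lines that do not match the format, since those are worth a look on their own. The first two sample lines mirror the book's excerpt; the remaining lines, the addresses, paths, sizes, thresholds and function names are constructed for the illustration.

```python
import re
from collections import defaultdict

# Added example, not from the book: parse Apache access log lines in the
# Common Log Format and flag clients whose requests mostly fail with 4xx.
# host ident user [time] "request" status size
CLF_RE = re.compile(
    r'^(?P<host>\S+) (?P<ident>\S+) (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<request>[^"]*)" (?P<status>\d{3}) (?P<size>\d+|-)$'
)

# Constructed sample log (addresses, paths and sizes are made up): one client
# browsing the manual with a single typo, one client probing for files that
# are not there, and one line that is not in the log format at all.
SAMPLE_LOG = """\
192.168.2.3 - - [21/Jul/2004:17:12:22 +0100] "GET /manual/images/feather.gif HTTP/1.1" 200 6471
192.168.2.3 - - [21/Jul/2004:17:20:05 +0100] "GET /manual/not-here HTTP/1.1" 404 311
192.168.2.3 - - [21/Jul/2004:17:20:09 +0100] "GET /manual/ HTTP/1.1" 200 1532
10.0.0.9 - - [21/Jul/2004:17:22:10 +0100] "GET /admin/ HTTP/1.0" 404 290
10.0.0.9 - - [21/Jul/2004:17:22:11 +0100] "GET /cgi-bin/test-cgi HTTP/1.0" 404 296
10.0.0.9 - - [21/Jul/2004:17:22:11 +0100] "GET /scripts/ HTTP/1.0" 404 292
10.0.0.9 - - [21/Jul/2004:17:22:12 +0100] "GET /_vti_bin/ HTTP/1.0" 404 293
10.0.0.9 - - [21/Jul/2004:17:22:12 +0100] "GET /.htaccess HTTP/1.0" 403 280
this line is not in Common Log Format
"""


def parse_line(line):
    """Return the fields of one CLF line as a dict, or None if it does not match."""
    m = CLF_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["size"] = 0 if rec["size"] == "-" else int(rec["size"])
    parts = rec["request"].split(" ")          # "GET /path HTTP/1.1"
    rec["method"] = parts[0] if parts else ""
    rec["path"] = parts[1] if len(parts) > 1 else ""
    return rec


def summarize(log_text):
    """Per-client request and 4xx counts, plus the lines that failed to parse."""
    stats = defaultdict(lambda: {"requests": 0, "errors": 0, "paths": set()})
    bad_lines = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        if rec is None:
            bad_lines.append(line)
            continue
        entry = stats[rec["host"]]
        entry["requests"] += 1
        entry["paths"].add(rec["path"])
        if 400 <= rec["status"] < 500:
            entry["errors"] += 1
    return stats, bad_lines


def suspicious_clients(log_text, min_requests=4, min_error_ratio=0.75):
    """Clients with at least min_requests requests of which min_error_ratio or
    more were 4xx: guessing filenames rather than following links the site has.
    Returns sorted (host, requests, errors) tuples."""
    stats, _ = summarize(log_text)
    flagged = []
    for host, entry in stats.items():
        ratio = entry["errors"] / entry["requests"]
        if entry["requests"] >= min_requests and ratio >= min_error_ratio:
            flagged.append((host, entry["requests"], entry["errors"]))
    return sorted(flagged)


if __name__ == "__main__":
    stats, bad = summarize(SAMPLE_LOG)
    for host, entry in sorted(stats.items()):
        print(f"{host}: {entry['requests']} requests, {entry['errors']} 4xx")
    print("unparseable lines:", len(bad))
    print("suspicious:", suspicious_clients(SAMPLE_LOG))
```

Run it against a real file with `summarize(open("/var/www/logs/access_log").read())`; the thresholds are deliberately simple, and on a busy site you would tune them and also look at the paths a flagged client asked for, which is where the difference between a broken link and a scanner becomes obvious.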
Selecting modules to install
The theory behind module selection says that the smaller the number of modules running, the smaller the chances of a vulnerability being present in the server. Still, I do not think you will achieve much by being too strict with default Apache modules. The likelihood of a vulnerability being present in the code rises with the complexity of the module. Chances are that the really complex modules, such as mod_ssl (and the OpenSSL libraries behind it), are the dangerous ones.
Your strategy should be to identify the modules you need to have as part of an installation and not to include anything extra. Spend some time researching the modules distributed with Apache so you can correctly identify which modules are needed and which can be safely turned off. The complete module reference is available at http://httpd.apache.org/docs-2.0/mod/.
The following modules are more dangerous than the others, so you should consider whether your installation needs them:
mod_userdir
Allows each user to have her own web site area under the ~username alias. This module can be used to discover valid account usernames on the server because Apache responds differently when the attempted username does not exist (returning status 404) and when the account exists but its web area is missing or not accessible to the server (returning 403). If you need the module, use the UserDir directive to disable the feature globally (UserDir disabled) and enable it only for the accounts that should have web areas (UserDir enabled username ...), and treat runs of /~name requests in the access log as a sign of probing.
mod_info
Exposes web server configuration as a web page.
mod_status
Provides real-time information about Apache, also as a web page.
mod_include
Provides simple scripting