Securing Apache
Cross Site Scripting
A global rewrite rule to block the TRACE and TRACK methods, which are abused in common cross-site scripting (cross-site tracing) attacks:
RewriteCond %{REQUEST_METHOD} ^(TRACE|TRACK)
RewriteRule .* - [F,NS]
Block Bad Requests
RewriteCond %{THE_REQUEST} "^((GET|POST|HEAD) [^/]|CONNECT)" [NC]
RewriteRule .* - [F,NS]
The RewriteRule catches requests such as "GET x", which are used to probe a server for information (in order to exploit its vulnerabilities). All GET, POST and HEAD requests should begin with a / in the URL; if they do not, they are most likely an attempted exploit. The rule also rejects CONNECT requests, which attempt to use the server as a proxy.
PHP
Hopefully, we will never need register_globals or transparent session IDs. register_globals is a huge and long-standing PHP security risk, and transparent session IDs make it easy to hijack someone's session (because the session ID is carried in the URL and is passed on, via the Referer header, to the next website they click to). Allowing URLs in fopen is a big vulnerability to cross-site scripting attacks.
/etc/php4/apache/php.ini:
session.use_trans_sid = off
register_globals = off
allow_url_fopen = off
Alternately, in the Apache configuration:
php_admin_flag register_globals 0
php_admin_flag session.use_trans_sid 0
php_admin_flag allow_url_fopen 0
To really lock down PHP, you can disable the functions which most often cause problems. This only works in the global php.ini file; you cannot enable and disable functions on a per-site basis.
/etc/php4/apache/php.ini:
disable_functions = escapeshellarg, escapeshellcmd, exec, passthru, proc_open, proc_close, proc_get_status, proc_nice, proc_terminate, shell_exec, system, apache_child_terminate, apache_get_modules, apache_get_version, apache_getenv, apache_lookup_uri, apache_note, apache_request_headers, apache_reset_timeout, apache_response_headers, apache_setenv, getallheaders, virtual, popen, pclose
Other Ideas
- Prevent access to any file whose name ends in ~. Some text editors create such files as backups, but if you edit a config file containing a password, the backup copy is served as plain text and anyone can view it.
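The following is an added example, not part of the original notes and not Apache's own code: a small Python model of the three request checks described above (the TRACE/TRACK rule, the "Block Bad Requests" rule and the "file ends in ~" idea), run over constructed request lines of the kind Apache exposes as %{THE_REQUEST}. It is useful for seeing exactly what the regular expressions in the rewrite rules match before deploying them, and for reviewing the request field of an access log. The sample request lines, the function names and the hostname example.net are assumptions made for the illustration.

```python
import re

# Constructed sample request lines, in the form Apache exposes as %{THE_REQUEST}.
SAMPLE_REQUESTS = [
    "GET / HTTP/1.1",
    "GET /index.php?id=1 HTTP/1.1",
    "HEAD /robots.txt HTTP/1.1",
    "TRACE / HTTP/1.1",
    "TRACK / HTTP/1.1",
    "GET x HTTP/1.0",
    "get x HTTP/1.0",
    "CONNECT mail.example.net:25 HTTP/1.1",
    "GET http://example.net/ HTTP/1.1",
    "GET /admin/config.php~ HTTP/1.1",
]

# Mirrors: RewriteCond %{REQUEST_METHOD} ^(TRACE|TRACK)   (no [NC], so case-sensitive)
TRACE_METHOD = re.compile(r"^(TRACE|TRACK)")
# Mirrors: RewriteCond %{THE_REQUEST} "^((GET|POST|HEAD) [^/]|CONNECT)" [NC]
BAD_REQUEST = re.compile(r"^((GET|POST|HEAD) [^/]|CONNECT)", re.IGNORECASE)
# The "file ends in ~" idea, applied to the path component only (query string stripped).
BACKUP_FILE = re.compile(r"~$")


def block_reason(request_line):
    """Return why the request line would be refused, or None if it passes all three rules."""
    fields = request_line.split(" ")
    method = fields[0]
    target = fields[1] if len(fields) > 1 else ""
    if TRACE_METHOD.match(method):
        return "TRACE/TRACK method"
    if BAD_REQUEST.match(request_line):
        return "target does not start with / or CONNECT"
    path = target.split("?", 1)[0]
    if BACKUP_FILE.search(path):
        return "editor backup file (~)"
    return None


def audit(request_lines):
    """Map each request line to its block reason (None = allowed); handy over an access log."""
    return {line: block_reason(line) for line in request_lines}


if __name__ == "__main__":
    for line, reason in audit(SAMPLE_REQUESTS).items():
        print(f"{'BLOCK' if reason else 'allow':5}  {line}  {reason or ''}")
```

Note the caveat the sample shows: because the second rule requires the target to begin with /, it also rejects absolute-form requests such as "GET http://example.net/ HTTP/1.1", which HTTP/1.1 permits. For an origin server that is acceptable, but the rule should not be used in front of a forward proxy.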