A recent study conducted by the market research firm IDC estimates that one-third of the server market will consist of Linux systems by the year 2008. With the growing trend toward Linux deployments, we're seeing a corresponding increase in the number of Web sites running on the Linux-based Apache Web server. If you're running Apache in your environment or are considering its implementation, you'll benefit from these five Apache security tips:
- Verify your distribution. Don't assume that a Google search will turn up an appropriate Apache distribution. When you need to download the latest release, be sure to obtain it through an
- authorized mirror site. Even that's not enough, however. In fact, an attacker once managed to compromise the apache.org site itself. Therefore, it's critical that you use a tool like PGP to verify the digital signature of the release.
- Keep Apache patched. Once you've installed Apache, it's critical that you keep up with security patches. Failure to do so could leave you vulnerable to high-profile exploits that storm the Internet. Fortunately, there are several easy ways to keep updated. Read our tip on keeping Apache patched to learn more about the Apache Server Announcements list, Linux package management systems and the RedHat up2date service.
- Avoid using .htaccess files. Many Apache installations are managed by multiple administrators and content managers. A solution commonly implemented for shared management is the use of .htaccess files to provide flexible delegation of access control authority to users other than the administrator. However, these files also place quite a bit of security control outside of a centralized security function -- by their very nature they allow users other than security professionals to alter access control permissions. Those users might not be familiar with the importance of granular access controls and might inadvertently take actions that undermine the security of your system. Therefore, it's a good idea to avoid using this type of access control system unless absolutely necessary. For more on this topic, read our tip Banish .htaccess from your Apache Server .
- Monitor your logs. Apache provides a comprehensive logging facility that offers administrators a comprehensive hindsight look at server activity. Apache provides several different logs, but the most significant to security professionals is the Access Log. This flexible facility allows for quite a bit of customization, making it easy for you to log as much or as little information as you're able to effectively analyze. At a minimum, you should log unsuccessful authentication attempts and system-generated errors. The analysis task may be facilitated through the use of free tools like AWStats. It's important to note that log monitoring is an after-the-fact analysis. You'll be able to look back and determine attacks (and attack attempts) on your server but it's unlikely you'll be able to interpret the log quickly enough to react to an emerging situation. In cases where proactivity is required, you should consider the use of an intrusion prevention system such as Lucid Security's ipAngel, winner of Information Security magazine's 2003 Best Emerging Technology award.
- Manage file system permissions. We've already discussed the importance of managing access to files through the use (or non-use) of .htaccess files. It's equally important that you protect the Apache server from unauthorized modification through file system permissions. In particular, you should ensure that only the root user can modify files stored within the /usr/local/apache (or whatever directory you choose as the root directory for Apache). It's also important to ensure that your log files may only be modified by root to prevent users from covering their tracks.
With these basic principles in mind, you'll be well on your way to maintaining a secure Apache installation!
About the author
Mike Chapple, CISSP, currently serves as Chief Information Officer of the Brand Institute, a Miami-based marketing consultancy. He previously worked as an information security researcher for the U.S. National Security Agency. His publishing credits include the TICSA Training Guide from Que Publishing, the CISSP Study Guide from Sybex and the upcoming SANS GSEC Prep Guide from John Wiley. He's also the author of the About.com Guide to Databases.
This was first published in December 2004