Apache Security Configuration and Hardening

Overview

Securing the Apache server is a critical part of protecting web applications from attack. This article walks through Apache's hardening measures: hiding server information, access control, security-module configuration, firewall integration and related techniques.

1. Server Information Hiding

1.1 Hiding Apache Version Information

# Hide the server version (the Server header is reduced to "Apache")
ServerTokens Prod

# Turn off the server signature on error pages and directory listings
ServerSignature Off

# Replace the server banner entirely
# (requires mod_security; SecServerSignature only takes effect when
# ServerTokens is Full, because it overwrites the full banner in place,
# so use either ServerTokens Prod or this directive, not both)
SecServerSignature "Microsoft-IIS/10.0"

1.2 Removing Unnecessary Modules

# List the loaded modules
apache2ctl -M

# Disable modules that are not needed
# (autoindex generates directory listings, status and info publish server
# internals, negotiation provides content negotiation and MultiViews)
sudo a2dismod autoindex
sudo a2dismod status
sudo a2dismod info
sudo a2dismod negotiation

2. Access Control and Permission Management

2.1 Directory Access Control

# Basic access control
<Directory "/var/www/html">
    Options -Indexes +FollowSymLinks
    AllowOverride None
    Require all granted
</Directory>

# Restrict a specific directory by source address
# (several Require lines are OR-ed: any one match grants access)
<Directory "/var/www/html/admin">
    Require ip 192.168.1.0/24
    Require ip 10.0.0.5
</Directory>

# Deny access to sensitive directories
<Directory "/var/www/html/.git">
    Require all denied
</Directory>

# Access control based on user authentication
<Directory "/var/www/html/secure">
    AuthType Basic
    AuthName "Restricted Area"
    AuthUserFile /etc/apache2/.htpasswd
    Require valid-user
</Directory>

2.2 File Access Control

# Deny access to configuration files
<Files "*.conf">
    Require all denied
</Files>

# Deny access to backup and editor temporary files
<FilesMatch "\.(bak|backup|old|orig|save|swp|tmp)$">
    Require all denied
</FilesMatch>

# Deny access to hidden (dot) files such as version-control metadata and .htaccess
<FilesMatch "^\.">
    Require all denied
</FilesMatch>

# Protect files that hold application secrets
<Files "wp-config.php">
    Require all denied
</Files>

3. Request Limits and Protection

3.1 Limiting Request Size

# Limit the length of the HTTP request line (bytes)
LimitRequestLine 8190

# Limit the number of HTTP request header fields
LimitRequestFields 100

# Limit the size of each HTTP request header field (bytes)
LimitRequestFieldSize 8190

# Limit the HTTP request body size (100 MB)
LimitRequestBody 104857600

3.2 Limiting HTTP Methods

# Deny every method except GET, POST and HEAD
<LimitExcept GET POST HEAD>
    Require all denied
</LimitExcept>

# Or explicitly allow a specific set of methods
# (use one of the two approaches, not both; restricting GET in <Limit> also
# restricts HEAD, and TRACE cannot be limited this way at all: it is
# controlled by the TraceEnable directive)
<Limit GET POST PUT DELETE>
    Require all granted
</Limit>

<LimitExcept GET POST PUT DELETE>
    Require all denied
</LimitExcept>

4. Mod_Security Configuration

4.1 Basic Mod_Security Configuration

# Enable Mod_Security
LoadModule security2_module modules/mod_security2.so

# Basic configuration
# (on a new deployment start with "SecRuleEngine DetectionOnly", review the
# audit log for false positives, then switch to On)
SecRuleEngine On
SecRequestBodyAccess On
SecResponseBodyAccess On
SecRequestBodyLimit 13107200
SecRequestBodyNoFilesLimit 131072
SecRequestBodyInMemoryLimit 131072
SecResponseBodyLimit 524288
SecRequestBodyLimitAction Reject
# Parse XML request bodies with the XML body processor
SecRule REQUEST_HEADERS:Content-Type "text/xml" \
    "id:1001,phase:1,t:none,t:lowercase,pass,nolog,ctl:requestBodyProcessor=XML"

4.2 OWASP Core Rule Set

# Load the OWASP CRS rules
IncludeOptional /usr/share/modsecurity-crs/owasp-crs.load

# CRS base configuration
# (paranoia level 1 is the default; crs-setup.conf ships this same SecAction
# commented out, so define it in one place only)
SecAction \
    "id:900000,\
    phase:1,\
    nolog,\
    pass,\
    t:none,\
    setvar:tx.paranoia_level=1"

# Enable a specific rule
# (the CRS loaded above already defines id 942100; a second rule with the
# same id makes Apache refuse to start with "Found another rule with the
# same id", so give a locally maintained copy an id from the 1-99999 range
# reserved for local rules)
SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* \
    "@rx (?i)(?:\b(?:s(?:e(?:lect\b(?:.{1,100}?\b(?:(?:length|count|top)\b.{1,100}?\bfrom|from\b.{1,100}?\bwhere)|.*?\b(?:d(?:ump\b.*?\bfrom|ata_type)|(?:to_(?:numbe|cha)|inst)r))|.*?\b(?:c(?:har|oncat|ollat|rrent)_|distinct\b|load_file|or\b.{1,100}?\b.{1,100}?\blike|group\b.{1,100}?\bby\b.{1,100}?\bhaving|union\b.{1,100}?\bselect|order\b.{1,100}?\bby\b.{1,100}?\b\w{2}\())|u(?:nion\b.{1,100}?\bselect|full\b.{1,100}?\bouter\b.{1,100}?\bjoin|cast\b.{1,100}?\b\w{2}\())|i(?:n(?:to\b.{1,100}?\b(?:dump|out)file|sert\b.{1,100}?\binto|stanceof\b.{1,100}?\b\w{2}\())|a(?:nd\b.{1,100}?\b(?:like\b|between\b|regexp\b)|ll\b.{1,100}?\bfrom\b|s(?:cii\b|sert\b))|e(?:x(?:ec\b|ecute\b)|xists\b)|\bcoalesce\b|\bgroup\b.{1,100}?\bby\b.{1,100}?\b\w{2}\())" \
    "id:942100,\
    phase:2,\
    block,\
    capture,\
    t:none,t:urlDecodeUni,\
    msg:'SQL Injection Attack Detected',\
    logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
    tag:'application-multi',\
    tag:'language-multi',\
    tag:'platform-multi',\
    tag:'attack-sqli',\
    tag:'OWASP_CRS',\
    tag:'capec/1000/152/248/66',\
    tag:'PCI/6.5.2',\
    ver:'OWASP_CRS/3.3.0',\
    severity:'CRITICAL',\
    setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
    setvar:'tx.anomaly_score=+%{tx.critical_anomaly_score}'"
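Once these rules are live, the first operational need is a quick view of which clients trip which rules and whether they were actually blocked. The bash function below is an added example, not part of the original article: it summarises ModSecurity 2.x entries from the Apache 2.4 error log per client IP. The log lines in SAMPLE_MODSEC_LOG are constructed samples with some bracketed fields left out; on a real host pipe /var/log/apache2/error.log into it.

```shell
#!/bin/bash
# Constructed Apache error-log lines as ModSecurity 2.x writes them when a CRS
# rule fires (sample data, not from a real server; some bracketed fields omitted).
SAMPLE_MODSEC_LOG=$(cat <<'EOF'
[Tue Aug 26 10:20:01.100000 2025] [:error] [pid 1234:tid 5678] [client 203.0.113.7:51300] [client 203.0.113.7] ModSecurity: Warning. Pattern match "..." at ARGS:id. [id "942100"] [msg "SQL Injection Attack Detected via libinjection"] [severity "CRITICAL"] [uri "/index.php"]
[Tue Aug 26 10:20:01.200000 2025] [:error] [pid 1234:tid 5678] [client 203.0.113.7:51300] [client 203.0.113.7] ModSecurity: Access denied with code 403 (phase 2). Operator GE matched 5 at TX:anomaly_score. [id "949110"] [msg "Inbound Anomaly Score Exceeded (Total Score: 5)"] [severity "CRITICAL"] [uri "/index.php"]
[Tue Aug 26 10:21:15.300000 2025] [:error] [pid 1234:tid 5679] [client 198.51.100.9:40010] [client 198.51.100.9] ModSecurity: Warning. Pattern match "..." at REQUEST_HEADERS:User-Agent. [id "913100"] [msg "Found User-Agent associated with security scanner"] [severity "CRITICAL"] [uri "/"]
[Tue Aug 26 10:22:00.400000 2025] [core:error] [pid 1234:tid 5680] [client 192.0.2.4:33333] AH00135: Invalid method in request FOO / HTTP/1.1
EOF
)

# Read error-log lines on stdin and print, per client IP, how many ModSecurity
# alerts it raised, how many of those were real blocks ("Access denied", i.e.
# the anomaly threshold was reached) and the distinct rule ids in order of
# first appearance. Lines that do not come from ModSecurity are ignored.
modsec_summary() {
    awk '
        /ModSecurity: / {
            # client IP: text after the last "[client " up to the first non-IP char
            ip = $0; sub(/.*\[client /, "", ip); sub(/[^0-9.].*/, "", ip)
            # rule id: text between [id " and the closing quote
            id = $0; sub(/.*\[id "/, "", id); sub(/".*/, "", id)
            alerts[ip]++
            if ($0 ~ /Access denied/) blocked[ip]++
            if (index("," rules[ip] ",", "," id ",") == 0)
                rules[ip] = (rules[ip] == "" ? id : rules[ip] "," id)
        }
        END {
            for (ip in alerts)
                printf "%s alerts=%d blocked=%d rules=%s\n", ip, alerts[ip], blocked[ip] + 0, rules[ip]
        }' | sort
}

printf '%s\n' "$SAMPLE_MODSEC_LOG" | modsec_summary
```

A client with many alerts but zero blocks is the signal that the anomaly threshold or paranoia level is too lenient for that traffic.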

5. Firewall Integration

5.1 Fail2Ban Configuration

# /etc/fail2ban/jail.local (bantime is in seconds)
[apache-auth]
enabled = true
port = http,https
filter = apache-auth
logpath = /var/log/apache2/error.log
maxretry = 3
bantime = 3600

[apache-badbots]
enabled = true
port = http,https
filter = apache-badbots
logpath = /var/log/apache2/access.log
maxretry = 1
bantime = 86400

[apache-overflows]
enabled = true
port = http,https
filter = apache-overflows
logpath = /var/log/apache2/error.log
maxretry = 2
bantime = 3600

[apache-nohome]
enabled = true
port = http,https
filter = apache-nohome
logpath = /var/log/apache2/access.log
maxretry = 2
bantime = 3600

5.2 Fail2Ban Filters

# /etc/fail2ban/filter.d/apache-auth.conf
# (fail2ban requires the literal <HOST> placeholder in every failregex; the
# Apache 2.4 error-log client field looks like "[client 203.0.113.7:51234]",
# and the patterns are case-sensitive, so they use Apache's exact wording)
[Definition]
failregex = ^.*\[.*\] \[.*\] \[.*\] \[client <HOST>(:\d+)?\] .* (denied|failed) .*$
            ^.*\[.*\] \[.*\] \[.*\] \[client <HOST>(:\d+)?\] .* user .* (not found|Password Mismatch|authentication failure).*$
ignoreregex =
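A filter should be checked against real log lines before the jail is enabled. As an added illustration that is not part of the original article, the function below applies the same two patterns (with <HOST> expanded to an IPv4 group so plain grep and sed can use them) to constructed Apache 2.4 error-log samples and lists the clients that reach the jail's maxretry threshold.

```shell
#!/bin/bash
# Constructed Apache 2.4 error-log lines (sample data, not from a real server).
SAMPLE_LOG=$(cat <<'EOF'
[Tue Aug 26 10:15:01.123456 2025] [auth_basic:error] [pid 1234:tid 5678] [client 203.0.113.7:51234] AH01617: user alice: authentication failure for "/secure/": Password Mismatch
[Tue Aug 26 10:15:03.223456 2025] [auth_basic:error] [pid 1234:tid 5678] [client 203.0.113.7:51236] AH01618: user bob not found: /secure/
[Tue Aug 26 10:15:05.323456 2025] [authz_core:error] [pid 1234:tid 5678] [client 198.51.100.9:40001] AH01630: client denied by server configuration: /var/www/html/.git/config
[Tue Aug 26 10:15:06.423456 2025] [mpm_event:notice] [pid 1234:tid 5678] AH00489: Apache/2.4.58 (Ubuntu) configured -- resuming normal operations
[Tue Aug 26 10:15:09.523456 2025] [auth_basic:error] [pid 1234:tid 5678] [client 203.0.113.7:51240] AH01617: user alice: authentication failure for "/secure/": Password Mismatch
EOF
)

# The two apache-auth patterns from the filter above, joined into one extended
# regex; fail2ban's <HOST> placeholder is expanded to an IPv4 capture group so
# that plain grep and sed can apply it.
HOST='([0-9]{1,3}(\.[0-9]{1,3}){3})'
FAILREGEX="\[client ${HOST}(:[0-9]+)?\] .*( (denied|failed) |user .* (not found|Password Mismatch|authentication failure))"

# Print "count ip" for every client with at least $1 matching lines
# (default 3, mirroring maxretry = 3 in jail.local), most frequent first.
offenders() {
    local maxretry="${1:-3}"
    printf '%s\n' "$SAMPLE_LOG" \
      | grep -E "$FAILREGEX" \
      | sed -E "s/.*\[client ${HOST}(:[0-9]+)?\].*/\1/" \
      | sort | uniq -c | sort -rn \
      | awk -v max="$maxretry" '$1 >= max { print $1, $2 }'
}

offenders 3    # with the sample above prints: 3 203.0.113.7
```

On a live system the equivalent check is `fail2ban-regex /var/log/apache2/error.log /etc/fail2ban/filter.d/apache-auth.conf`, which reports how many lines each failregex matched.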

6. Security Headers Configuration

6.1 HTTP Security Headers

# Security header configuration (the Header directive requires mod_headers: a2enmod headers)
Header always set X-Frame-Options "SAMEORIGIN"
Header always set X-Content-Type-Options "nosniff"
# X-XSS-Protection is a legacy header that current browsers ignore; it is
# kept for older clients and is no substitute for a real CSP
Header always set X-XSS-Protection "1; mode=block"
Header always set Referrer-Policy "strict-origin-when-cross-origin"
# 'unsafe-inline' and 'unsafe-eval' remove most of the XSS protection a CSP
# provides; tighten them as soon as the application's scripts allow it
Header always set Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval'; style-src 'self' 'unsafe-inline';"
# HSTS: send only over HTTPS, and add "preload" only once every subdomain is
# served over TLS, because preload-list entries are hard to revert
Header always set Strict-Transport-Security "max-age=63072000; includeSubDomains; preload"
Header always set Permissions-Policy "geolocation=(), microphone=(), camera=()"

6.2 Hiding Sensitive Headers

# Remove headers that reveal software
# (mod_headers cannot remove the Server header, because Apache's core adds it
# after the output filters have run; control it with ServerTokens Prod from
# section 1.1 or with mod_security's SecServerSignature instead)
Header unset Server
Header unset X-Powered-By
Header unset X-AspNet-Version
Header unset X-AspNetMvc-Version
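The bash function below is an added example, not code from the original article: it audits a captured response-header block against the headers of sections 6.1 and 6.2, flagging missing headers, a CSP that still allows unsafe-inline/unsafe-eval, an HSTS max-age under a year, and headers that leak software versions. The headers in SAMPLE_HEADERS are constructed; on a live server feed it the output of `curl -sI https://your-host/`.

```shell
#!/bin/bash
# Constructed response headers, as 'curl -sI https://www.example.test/' would
# print them (sample data; the CSP keeps the 'unsafe-inline' of section 6.1).
SAMPLE_HEADERS=$(cat <<'EOF'
HTTP/1.1 200 OK
Date: Tue, 26 Aug 2025 10:15:01 GMT
Server: Apache
X-Frame-Options: SAMEORIGIN
X-Content-Type-Options: nosniff
Content-Security-Policy: default-src 'self'; script-src 'self' 'unsafe-inline'
Strict-Transport-Security: max-age=63072000; includeSubDomains; preload
X-Powered-By: PHP/8.2
Content-Type: text/html; charset=UTF-8
EOF
)

# Read a raw header block on stdin and print one finding per line:
#   MISSING: <header>   a header from section 6.1 is absent
#   WEAK: ...           a header is present but its value undoes its purpose
#   LEAK: <header>      a header from section 6.2 still reveals software
# Prints nothing for a clean response and always returns 0, so it is safe
# under 'set -e'; count the output lines to get the number of findings.
audit_headers() {
    local hdrs h age
    hdrs=$(tr -d '\r')      # a real curl capture ends lines with CRLF
    for h in X-Frame-Options X-Content-Type-Options Referrer-Policy \
             Content-Security-Policy Strict-Transport-Security Permissions-Policy; do
        printf '%s\n' "$hdrs" | grep -qi "^$h:" || echo "MISSING: $h"
    done
    if printf '%s\n' "$hdrs" | grep -i '^Content-Security-Policy:' | grep -qE 'unsafe-(inline|eval)'; then
        echo "WEAK: Content-Security-Policy allows unsafe-inline/unsafe-eval"
    fi
    age=$(printf '%s\n' "$hdrs" | grep -i '^Strict-Transport-Security:' | sed -nE 's/.*max-age=([0-9]+).*/\1/p')
    if [ -n "$age" ] && [ "$age" -lt 31536000 ]; then
        echo "WEAK: Strict-Transport-Security max-age=$age is below one year"
    fi
    # Server is only a finding while it still carries a version number;
    # ServerTokens Prod reduces it to the bare product name.
    if printf '%s\n' "$hdrs" | grep -qiE '^Server:.*[0-9]'; then
        echo "LEAK: Server header reveals a version"
    fi
    for h in X-Powered-By X-AspNet-Version X-AspNetMvc-Version; do
        if printf '%s\n' "$hdrs" | grep -qi "^$h:"; then echo "LEAK: $h"; fi
    done
    return 0
}

printf '%s\n' "$SAMPLE_HEADERS" | audit_headers
```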

7. File System Security

7.1 Directory Permission Settings

# Set ownership and permissions on the web root
# (giving www-data ownership lets a compromised web process modify site
# files; where possible keep the code owned by root or a deploy user and
# grant www-data write access only to upload directories. Files should be
# 644 rather than 755; the hardening script in section 9 separates the two)
sudo chown -R www-data:www-data /var/www/html
sudo chmod -R 755 /var/www/html

# Set permissions on the configuration files
sudo chown root:root /etc/apache2
sudo chmod 755 /etc/apache2
sudo chown root:root /etc/apache2/*.conf
sudo chmod 644 /etc/apache2/*.conf

# Set permissions on the log files
sudo chown www-data:adm /var/log/apache2/*.log
sudo chmod 640 /var/log/apache2/*.log

# Restrict symbolic links: follow a link only when the link and its target
# have the same owner (this replaces the +FollowSymLinks from section 2.1)
<Directory "/var/www/html">
    Options -FollowSymLinks +SymLinksIfOwnerMatch
</Directory>

8. Security Monitoring Scripts

8.1 Security Check Script

#!/bin/bash
# security-check.sh

check_security() {
    local dirs files events
    echo "=== Apache Security Check ==="

    # Check the ServerTokens setting
    echo "1. Server Tokens:"
    grep -i "ServerTokens" /etc/apache2/apache2.conf /etc/apache2/conf-enabled/security.conf 2>/dev/null || echo "Not configured"

    # Check the ServerSignature setting
    echo
    echo "2. Server Signature:"
    grep -i "ServerSignature" /etc/apache2/apache2.conf /etc/apache2/conf-enabled/security.conf 2>/dev/null || echo "Not configured"

    # Check for loaded modules that expose server internals
    echo
    echo "3. Loaded Modules (potential security risks):"
    apache2ctl -M 2>/dev/null | grep -E "(autoindex|info|status)" || echo "No risky modules found"

    # Check directory permissions
    # (-perm -0002 matches any world-writable mode, not only exactly 777; the
    # result is captured first because 'head' always exits 0, so the form
    # '... | head || echo' would never print the fallback message)
    echo
    echo "4. Directory Permissions:"
    dirs=$(find /var/www -type d -perm -0002 2>/dev/null | head -5)
    [ -n "$dirs" ] && echo "$dirs" || echo "No world-writable directories found"

    # Check for sensitive files in the web root
    # (the -name tests are grouped so that -type f applies to all of them)
    echo
    echo "5. File Permissions:"
    files=$(find /var/www -type f \( -name "*.conf" -o -name "*.sql" -o -name "*.bak" \) 2>/dev/null | head -5)
    [ -n "$files" ] && echo "$files" || echo "No sensitive files found in web root"

    # Check the error log for recent security events
    echo
    echo "6. Recent Security Events in Error Log:"
    events=$(grep -i -E "(denied|forbidden|unauthorized|attack|injection)" /var/log/apache2/error.log 2>/dev/null | tail -5)
    [ -n "$events" ] && echo "$events" || echo "No recent security events found"
}

check_security

8.2 Vulnerability Scan Script

#!/bin/bash
# vulnerability-scan.sh

scan_vulnerabilities() {
    local target=${1:-localhost}
    local response file methods
    local sensitive_files=(".git/" ".svn/" "config.php" "wp-config.php" ".htaccess" "backup.sql")

    echo "=== Apache Vulnerability Scan ==="
    echo "Target: $target"
    echo

    # Check for server version disclosure
    echo "1. Server Version Information:"
    curl -I -s "http://$target/" | grep -i "^server:" || echo "Server header not exposed"

    # Check whether directory listing is enabled
    echo
    echo "2. Directory Listing Check:"
    if curl -s "http://$target/" | grep -qi "index of"; then
        echo "WARNING: Directory listing enabled!"
    else
        echo "Directory listing disabled"
    fi

    # Check common sensitive files
    echo
    echo "3. Sensitive Files Check:"
    for file in "${sensitive_files[@]}"; do
        response=$(curl -s -o /dev/null -w "%{http_code}" "http://$target/$file")
        if [ "$response" = "200" ]; then
            echo "WARNING: Accessible sensitive file - $file"
        fi
    done

    # Check the advertised HTTP methods (the Allow header ends with CR LF)
    echo
    echo "4. HTTP Methods Check:"
    methods=$(curl -s -I -X OPTIONS "http://$target/" | grep -i "^allow:" | cut -d' ' -f2- | tr -d '\r')
    if echo "$methods" | grep -E "(PUT|DELETE|TRACE)" > /dev/null; then
        echo "WARNING: Potentially dangerous methods enabled: $methods"
    else
        echo "Safe methods only: ${methods:-none advertised}"
    fi

    echo
    echo "Scan completed!"
}

scan_vulnerabilities "$1"

9. Security Hardening Script

9.1 Automatic Security Hardening Script

#!/bin/bash
# security-harden.sh

harden_apache() {
    local module security_headers_conf
    local modules_to_disable=("autoindex" "status" "info" "negotiation")
    echo "=== Apache Security Hardening ==="

    # 1. Hide server information
    echo "1. Hiding server information..."
    if ! grep -q "ServerTokens Prod" /etc/apache2/conf-enabled/security.conf 2>/dev/null; then
        echo "ServerTokens Prod" | sudo tee -a /etc/apache2/conf-enabled/security.conf
    fi

    if ! grep -q "ServerSignature Off" /etc/apache2/conf-enabled/security.conf 2>/dev/null; then
        echo "ServerSignature Off" | sudo tee -a /etc/apache2/conf-enabled/security.conf
    fi

    # 2. Disable unnecessary modules
    echo "2. Disabling unnecessary modules..."
    for module in "${modules_to_disable[@]}"; do
        if [ -f "/etc/apache2/mods-enabled/${module}.load" ]; then
            sudo a2dismod "$module"
            echo "Disabled module: $module"
        fi
    done

    # 3. Set security headers (the Header directive needs mod_headers)
    echo "3. Setting security headers..."
    security_headers_conf="/etc/apache2/conf-available/security-headers.conf"
    sudo a2enmod headers

    # conf-available is owned by root, so the file is written through sudo tee
    sudo tee "$security_headers_conf" > /dev/null << 'EOF'
# Security Headers
Header always set X-Frame-Options "SAMEORIGIN"
Header always set X-Content-Type-Options "nosniff"
Header always set X-XSS-Protection "1; mode=block"
Header always set Referrer-Policy "strict-origin-when-cross-origin"
# "Header unset Server" has no effect; ServerTokens Prod (step 1) handles it
Header unset X-Powered-By
EOF

    sudo a2enconf security-headers

    # 4. Set file permissions
    echo "4. Setting file permissions..."
    sudo chown -R www-data:www-data /var/www
    sudo find /var/www -type d -exec chmod 755 {} \;
    sudo find /var/www -type f -exec chmod 644 {} \;

    # 5. Validate the configuration, then restart Apache to apply the changes
    echo "5. Restarting Apache..."
    if sudo apache2ctl configtest; then
        sudo systemctl restart apache2
    else
        echo "Configuration test failed; Apache was not restarted." >&2
        return 1
    fi

    echo
    echo "Apache security hardening completed!"
    echo "Please verify the changes and test your applications."
}

harden_apache

Summary

After working through this article you should have a grasp of:

  1. Hiding Apache server information
  2. Configuring access control and permission management
  3. Request limits and protective measures
  4. Configuring and using the Mod_Security module
  5. Integrating Fail2Ban with Apache
  6. Configuring HTTP security headers
  7. File system security settings
  8. Security monitoring and vulnerability scanning scripts
  9. Automated security hardening

Apache security configuration is an ongoing process that has to be updated continually against the latest threats and best practices. The next article covers Apache's SSL/TLS configuration in detail.

Powered by GitBook © 2025 编外计划 | Last modified: 2025-08-29 15:40:15
