How to secure Apache ?

bonefry · #1 12th January 2006, 06:51 PM

Hi guys,

I am in charge of administering a RHEL version 3 server that hosts a couple of websites.
Unfortunately I am just a programmer that had nothing to do with Linux administration before.

While looking at the HTTPD logs, I discovered the following errors:

Code:

[Sun Jan 08 13:53:03 2006] [error] [client 85.75.58.103] File does not exist: /var/www/html/phpmyadmin
[Sun Jan 08 13:53:04 2006] [error] [client 85.75.58.103] File does not exist: /var/www/html/PMA
[Sun Jan 08 13:53:04 2006] [error] [client 85.75.58.103] File does not exist: /var/www/html/mysql
[Sun Jan 08 13:53:04 2006] [error] [client 85.75.58.103] File does not exist: /var/www/html/admin
[Sun Jan 08 13:53:04 2006] [error] [client 85.75.58.103] File does not exist: /var/www/html/db
[Sun Jan 08 13:53:04 2006] [error] [client 85.75.58.103] File does not exist: /var/www/html/dbadmin
[Sun Jan 08 13:53:04 2006] [error] [client 85.75.58.103] File does not exist: /var/www/html/web
[Sun Jan 08 13:53:05 2006] [error] [client 85.75.58.103] File does not exist: /var/www/html/admin
[Sun Jan 08 13:53:05 2006] [error] [client 85.75.58.103] File does not exist: /var/www/html/admin
[Sun Jan 08 13:53:05 2006] [error] [client 85.75.58.103] File does not exist: /var/www/html/admin
[Sun Jan 08 13:53:05 2006] [error] [client 85.75.58.103] File does not exist: /var/www/html/phpmyadmin2
[Sun Jan 08 13:53:05 2006] [error] [client 85.75.58.103] File does not exist: /var/www/html/mysqladmin
[Sun Jan 08 13:53:06 2006] [error] [client 85.75.58.103] File does not exist: /var/www/html/mysql-admin
......
......

It is clear that these are hacking attempts. Fortunately I never thought it was a good ideea to have phpmyadmin on my server, so I felt a relief seing the above attempts, but it got me wondering ...

What can I do to secure my Apache webserver better ?

The database is on a different server and only accepts connections from the webserver's IP and from my workstation.
I connect to both servers remotely using SSH, and the firewall is only accepting connections from a couple of IPs.
I also made sure the PHP scripts cannot be compromised with mysql injections.

But other than that, I have no ideea, and I started worrying after seeing those logs.
Maybe you guys can give me some points were I can improove.

GMalenko1 · #2 12th January 2006, 07:09 PM

I think there is a way in the httpd.conf file to ban different ips. I have to look it up.

kden604 · #3 16th January 2006, 04:03 AM

Quote:

Originally Posted by GMalenko1

I think there is a way in the httpd.conf file to ban different ips. I have to look it up.

There is a few different ways to ban people, but I prefer using the ModSecurity module for apache. It's available at http://modsecurity.org - you can also download rules for know bad boxes, general pre-setup blocks etc from http://gotroot.com and finally, i have my own home-brew auto-rules update script available at http://kendennis-rss.homeip.net/

ModSecurity is one of the more effect application firewalls for apache... when used in conjunction with general good security practices it "helps" to keep your box safer.

rayyes · #4 16th January 2006, 05:17 AM

-TURN OFF Autoindexing in httpd.conf !!! (this will deter 90% of script kiddies)
-Separate your files in 2 camps: those anyone can see, and the rest. For the rest put them in folders accessible only by YOU (or chown/chmod them so only you access them).
-Change all default passwords and do not use default usernames