Apache server security configuration

Posted by tzul at 2020-02-27

I accidentally downloaded a PPT from the 360 emergency response center at this year's ISC conference. At the end of it there was a directory of topics for the registration exam for experts in the field of attack and defense. A large part of it is the security of middleware, including Apache, IIS, Tomcat, Weblogic, etc. Later, I will explain the security configuration of these middleware and the above examination requirements. (I have seldom touched this before, so this can only count as a learning record.)

Apache assessment content:

1. Apache server permission configuration

2. Apache server file parsing vulnerability

3. Apache server log file audit method

4. Configuration of web directory permission of Apache server

Next, I will walk through each of the above requirements with an example!

Question 1: Apache server permission configuration

The permission configuration here means controlling which IPs are denied and which IPs are allowed to access the Apache server.

The configuration is in the httpd.conf file in the Apache\conf directory:

DocumentRoot "C:\phpmystudy\WWW"

<Directory />
    Options +Indexes +FollowSymLinks +ExecCGI
    AllowOverride All
    Order allow,deny
    Allow from all
    Require all granted
</Directory>

This is the initial state. The key part is the pair of directives starting with Order allow,deny. The rule here is Allow from all, so anyone can access our web server. We change it so that only IP addresses beginning with 10.10 are allowed, as follows:

Order allow,deny

Allow from 10.10

When we access the server now, access is forbidden, so the permission configuration is in effect.

    Order allow,deny

    Allow from 192.168

To restrict access to the intranet, only IP addresses in the intranet segment are allowed here.

However, the web host's own network segment is not included here, so the web host itself cannot reach the web service.

Here is a demonstration in which only the web host itself can access the service and no other host can:

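    # deny,allow: Deny is evaluated first, then Allow overrides it for matching hosts.
    # With "Order allow,deny", "Deny from all" would also reject 127.0.x.x.
    Order deny,allow
    Deny from all
    Allow from 127.0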

Here, only the web host itself can access the service; other hosts cannot. That concludes the Apache server permission configuration.
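An added example (not from the original post): a small Python model of how mod_access_compat resolves Order, Allow and Deny for the rule sets used in this section, including a client that matches both Allow and Deny. The function names and client addresses are constructed for illustration, and only `all` and partial IPv4 prefixes are modelled.

```python
# Added example: a model of Order/Allow/Deny evaluation, not Apache's own code.

def matches(rule, client_ip):
    """True if an 'Allow from' / 'Deny from' argument matches the client."""
    if rule.lower() == "all":
        return True
    # A partial address such as "10.10" matches on whole octets only.
    want = rule.rstrip(".").split(".")
    have = client_ip.split(".")
    return have[:len(want)] == want

def evaluate(order, allow, deny, client_ip):
    """Return True if the request is allowed under the given rules."""
    allowed = any(matches(r, client_ip) for r in allow)
    denied = any(matches(r, client_ip) for r in deny)
    if order.replace(" ", "").lower() == "allow,deny":
        # Allow runs first, Deny second: a Deny match wins, default is deny.
        return allowed and not denied
    # deny,allow: Deny runs first, Allow second: an Allow match wins,
    # default is allow.
    return allowed or not denied

CASES = [  # (label, order, allow, deny) using the rules shown in this section
    ("open", "allow,deny", ["all"], []),
    ("10.10 only", "allow,deny", ["10.10"], []),
    ("local, allow,deny", "allow,deny", ["127.0"], ["all"]),
    ("local, deny,allow", "deny,allow", ["127.0"], ["all"]),
]
# Constructed client addresses; ::1 is the IPv6 loopback seen in access.log.
CLIENTS = ["127.0.0.1", "10.10.3.7", "10.100.3.7", "192.168.1.5", "::1"]

def decision_table():
    """Map each rule set to the allow/deny decision for every client."""
    return {label: {ip: evaluate(o, a, d, ip) for ip in CLIENTS}
            for label, o, a, d in CASES}

if __name__ == "__main__":
    for label, row in decision_table().items():
        cells = " ".join(f"{ip}={'ok' if v else '403'}" for ip, v in row.items())
        print(f"{label:20} {cells}")
```

A browser on the web host that connects over IPv6 loopback (::1) is not matched by a 127.0 prefix, so it is rejected by both local-only rule sets.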

Question 2: Apache server file parsing vulnerability

This one is quite old: a parsing vulnerability.

Apache parses file names from the back to the front until it meets a file type it knows. Therefore, if the web directory contains a file named like webshell.php.test, Apache does not recognise the .test type and moves on to the extension before it. When it reaches .php, which it does recognise, it parses the file as a PHP file.

In fact, I did not manage to exploit it when I tried to reproduce it. The reason is very simple. At present, this parsing vulnerability only applies to Apache that parses PHP in module mode; Apache that parses PHP in FastCGI mode is not affected. And the phpmy system I tested used the FastCGI method.

Defense methods:

In the Apache configuration file, forbid the execution of files named like .php. by adding the following to the configuration file:

<Files ~ "\.(php.|php3.)">
    Order Allow,Deny
    Deny from all
</Files>

Question 3: Apache server log file audit method

There are two log files here: access.log and error.log. This is in the Windows environment. In fact, at the beginning, access.log was not enabled because of the configuration. The configuration is also in the httpd.conf file under the Apache\conf directory:

##CustomLog "logs/access.log" common


#CustomLog "logs/access.log" combined

Just remove the leading comment marker~

Then access.log will be generated. The first line below is in the common format and the second is in the combined format:

::1 - - [07/Nov/2017:15:23:55 +0800] "GET / HTTP/1.1" 200 369

::1 - - [07/Nov/2017:15:23:55 +0800] "GET / HTTP/1.1" 200 369 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:56.0) Gecko/20100101 Firefox/56.0"

Here is a screenshot of Apache log of my website server

Generally, we either write a custom script to audit the log file or use mature log audit software available on the market. If this is a Linux server and the string /etc/passwd appears in the log file, it indicates to some extent that someone has accessed your key file, and it also suggests that your website may have been compromised; the same applies when a large number of SQL injection statements appear. Traces of such attacks in the log help you audit the security of a website.

error.log records the server's runtime errors:
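An added example, not part of the original post: a minimal Python audit script of the kind described above, flagging access.log requests that reference /etc/passwd or contain common SQL injection fragments. The patterns, function names and sample log lines are constructed for illustration and are not exhaustive.

```python
import re
from urllib.parse import unquote_plus

# Common/combined log format: host ident user [time] "request" status bytes ...
LINE_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<request>[^"]*)" (?P<status>\d{3}) (?P<size>\S+)')

# Indicators named in the text: /etc/passwd and SQL injection statements.
RULES = {
    "sensitive-file": re.compile(r"/etc/passwd", re.I),
    "sql-injection": re.compile(
        r"union\s+(all\s+)?select|information_schema|"
        r"'\s*or\s+'?\d+'?\s*=\s*'?\d+|sleep\s*\(", re.I),
}

def audit(lines):
    """Return (line_no, host, status, rule) for every suspicious request."""
    findings = []
    for no, line in enumerate(lines, 1):
        m = LINE_RE.match(line)
        if not m:
            continue  # not an access-log entry
        # Decode twice so single and double URL encoding are both seen.
        target = unquote_plus(unquote_plus(m["request"]))
        for name, rule in RULES.items():
            if rule.search(target):
                findings.append((no, m["host"], int(m["status"]), name))
    return findings

SAMPLE = [  # constructed log lines, not taken from a real server
    '::1 - - [07/Nov/2017:15:23:55 +0800] "GET / HTTP/1.1" 200 369',
    '203.0.113.9 - - [07/Nov/2017:15:30:01 +0800] "GET /view.php?f=..%2f..%2fetc%2fpasswd HTTP/1.1" 200 1204',
    '203.0.113.9 - - [07/Nov/2017:15:30:07 +0800] "GET /item.php?id=1%20UNION%20SELECT%201,2,3 HTTP/1.1" 500 0',
    '198.51.100.4 - - [07/Nov/2017:15:31:12 +0800] "GET /item.php?id=1%2527+or+1%253D1 HTTP/1.1" 200 88 "-" "curl/7.58"',
]

if __name__ == "__main__":
    for no, host, status, rule in audit(SAMPLE):
        print(f"line {no}: {host} status={status} rule={rule}")
```

The status code is kept in each finding because a 200 response to a flagged request deserves a closer look than a 403 or 404.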

[Tue Nov 07 15:23:33.541825 2017] [mpm_winnt:notice] [pid 3232:tid 636] AH00455: Apache/2.4.23 (Win32) OpenSSL/1.0.2j PHP/5.4.45 configured -- resuming normal operations

[Tue Nov 07 15:23:33.542826 2017] [mpm_winnt:notice] [pid 3232:tid 636] AH00456: Server built: Jul  1 2016 16:42:20

[Tue Nov 07 15:23:33.542826 2017] [core:notice] [pid 3232:tid 636] AH00094: Command line: 'D:\\Server\\phpstudy\\Apache\\bin\\httpd.exe -d D:/Server/phpstudy/Apache'

[Tue Nov 07 15:23:33.548828 2017] [mpm_winnt:notice] [pid 3232:tid 636] AH00418: Parent: Created child process 8984

[Tue Nov 07 15:23:35.457435 2017] [mpm_winnt:notice] [pid 8984:tid 676] AH00354: Child: Starting 150 worker threads.

Question 4: Configuration of web directory permission of Apache server

When hunting for vulnerabilities, issues such as directory disclosure come up often. In fact, such vulnerabilities are caused by configuration problems of middleware.

The ability to traverse directories does cause many security problems, so how should the permissions of web directories be configured?

In fact, this is similar to the first question. The first question covered the permission configuration of the whole server; here the access restriction is configured for a single directory. Again, add the permission configuration for the directory to the httpd.conf file under the Apache\conf directory:

<Directory "C:\phpmystudy\WWW\test">
    Order allow,deny
    Deny from all
</Directory>

Here, the test directory is set so that no one is allowed to access it.

In this way, the problem of directory disclosure is avoided.

A further thought

Finally, a question suddenly occurred to me: how to prohibit a directory from running PHP script files, which should still be very useful now. If there is a file upload vulnerability, this method prevents the uploaded script files from running, so as to protect the server.

There are many methods, such as forbidding access to the current directory. Here is a direct way to forbid the execution of PHP scripts.

Here we simulate a file upload: we upload our PHP script through the arbitrary file upload vulnerability and find that it can be executed, after which one could connect to it with Chopper and upload a full-featured webshell to continue.

The defense here is to add the following to vhosts.conf under the Apache\conf directory:

<Directory "C:\phpmystudy\WWW\upload">
    # php_flag is a mod_php directive, so it applies when PHP runs as an Apache module
    php_flag engine off
</Directory>

This means that the PHP script execution function is turned off in the current directory

Visiting the script again now returns a blank page!

If anything above is incorrect, please point it out~