
5.8. Securing Apache

FIXME: Add content: modules provided with the normal Apache installation (under /usr/lib/apache/X.X/mod_*) and modules that can be installed separately in libapache-mod-XXX packages.
You can limit access to the Apache server if you only want to use it internally (for testing purposes, to access the doc-central archive, etc.) and do not want outsiders to reach it. To do this, use the Listen or BindAddress directives in /etc/apache/http.conf.
Using Listen:
Listen 127.0.0.1:80
Using BindAddress:
BindAddress 127.0.0.1
Then restart Apache with /etc/init.d/apache restart and you will see that it is only listening on the loopback interface.
In any case, if you are not using all the functionality provided by Apache, you might want to take a look at other web servers provided in Debian, such as dhttpd.
The page at http://httpd.apache.org/docs/misc/security_tips.html provides information on the security measures that should be taken on the Apache web server (the same information is provided in Debian by the apache-doc package).
More information on further restricting Apache by setting up a chroot jail is provided in Section B.7.3, “Chroot environment for Apache”.

5.8.1. Disabling users from publishing web contents

The default Apache installation in Debian permits users to publish content under $HOME/public_html. This content can be retrieved remotely using a URL such as http://your_apache_server/~user.
If you do not want to permit this, you must change the /etc/apache/http.conf configuration file, commenting out (in Apache 1.3) the following module:
LoadModule userdir_module /usr/lib/apache/1.3/mod_userdir.so
If you are using Apache 2.0 you must remove the file /etc/apache2/mods-enabled/userdir.load or restrict the default configuration by modifying /etc/apache2/mods-enabled/userdir.conf.
However, if the module was linked statically (you can list the compiled-in modules by running apache -l), you must add the following to the Apache configuration file:
UserDir disabled
An attacker might still be able to enumerate users, since the web server will answer with a 403 (Forbidden) rather than a 404 (Not Found). You can avoid this by using the Rewrite module.
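The loopback-only Listen from the start of this section and the UserDir and Rewrite measures above, combined in one Apache 2 configuration as an added example that is not part of the manual; the ServerName, DocumentRoot and the exact RewriteRule used to hide /~user paths are assumptions:

```apache
# Added example (not from the Securing Debian Manual). Assumes Apache 2 with
# mod_rewrite enabled; paths and names below are illustrative.

# Bind only to the loopback interface, as described above.
Listen 127.0.0.1:80

# Switch off per-user directories even when mod_userdir is loaded or
# compiled in statically. IfModule keeps the config valid if it is not.
<IfModule mod_userdir.c>
    UserDir disabled
</IfModule>

<VirtualHost 127.0.0.1:80>
    ServerName localhost
    DocumentRoot /var/www

    # Answer every /~user path with 404, so the response is the same for
    # existing and non-existing accounts and cannot be used for enumeration.
    # A non-3xx R= code drops the substitution and stops rewriting.
    RewriteEngine On
    RewriteRule ^/~ - [R=404,L]
</VirtualHost>
```

After reloading, a request for http://127.0.0.1/~anyname should return 404 regardless of whether the account exists, and netstat or ss should show Apache bound only to 127.0.0.1:80.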

5.8.2. Logfile permissions

Apache log files, since 1.3.22-1, are owned by user 'root' and group 'adm' with permissions 640. These permissions are changed after rotation. An intruder who accessed the system through the web server would not be able (without privilege escalation) to remove old log file entries.

5.8.3. Published web files

Apache files are located under /var/www. Just after installation, the default file provides some information on the system (mainly that it is a Debian system running Apache). The default web pages are owned by user root and group root, while the Apache process runs as user www-data and group www-data. This should make it harder for attackers who compromise the system through the web server to deface the site. You should, of course, replace the default web pages (which might provide information you do not want to show to outsiders) with your own.