FIXME: Add content about the modules provided by a standard Apache installation (under /usr/lib/apache/X.X/mod_*) and the modules that may be installed from the libapache-mod-XXX packages.
You can limit access to the Apache server if you only want to use it internally (for testing purposes, to access the doc-central archive, etc.) and do not want outsiders to access it. To do this use the Listen or BindAddress directives in /etc/apache/http.conf.
Using Listen:
Listen 127.0.0.1:80
Using BindAddress:
BindAddress 127.0.0.1
Then restart Apache with /etc/init.d/apache restart and you will find that it only listens on the loopback interface.
In any case, if you do not use all of the functionality Apache provides, you might want to consider one of the other web servers available in Debian, such as dhttpd.
The default Apache installation in Debian permits users to publish web content under the $HOME/public_html directory. This content can be retrieved remotely with a URL such as http://your_apache_server/~user.
If you do not want to permit this you must change the /etc/apache/http.conf configuration file, commenting out (in Apache 1.3) the following module:
LoadModule userdir_module /usr/lib/apache/1.3/mod_userdir.so
If you are using Apache 2.0 you must remove the file /etc/apache2/mods-enabled/userdir.load or restrict the default configuration by modifying /etc/apache2/mods-enabled/userdir.conf.
However, if the module was linked statically (you can list the modules that are compiled in by running apache -l) you must add the following to the Apache configuration file:
Userdir disabled
An attacker might still enumerate users, since the web server's answer will be a 403 Permission Denied rather than a 404 Not available. You can avoid this if you use the Rewrite module.
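Putting the points above together, here is an added configuration example (it is not from this manual or the Debian Apache packages). It assumes Apache 2.2 or later in the main server configuration, with mod_rewrite loaded; the R=404 flag on a non-redirect status is what makes the last rule answer with 404 instead of rewriting.

```apache
# Added example, not part of the manual. Assumes Apache 2.2 or later,
# placed in the main server configuration (not in a .htaccess file),
# with mod_rewrite loaded.

# Only accept connections on the loopback interface (internal/test use).
Listen 127.0.0.1:80

# Disable per-user web directories even if mod_userdir is compiled in
# statically and cannot be removed from mods-enabled.
UserDir disabled

# A 403 for /~existinguser next to a 404 for /~nosuchuser lets an
# outsider tell real accounts from non-existing ones. Answer every
# /~... request with 404 before mod_userdir is consulted, so the
# response no longer depends on whether the account exists.
RewriteEngine On
RewriteRule ^/~ - [R=404,L]
```

After changing the configuration, restart Apache and confirm with a local request that http://127.0.0.1/~anyname returns 404 regardless of the name.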
Apache logfiles, since 1.3.22-1, are owned by user 'root' and group 'adm' with permissions 640. These permissions are changed after rotation. An intruder who accessed the system through the web server would not be able (without privilege escalation) to remove old log file entries.
Apache files are located under /var/www. Just after installation the default file provides some information on the system (mainly that it's a Debian system running Apache). The default webpages are owned by user root and group root by default, while the Apache process runs as user www-data and group www-data. This should make it harder for attackers who compromise the system through the web server to deface the site. You should, of course, substitute the default web pages (which might provide information you do not want to show to outsiders) with your own.