Changes to the general Apache configuration following the security analysis of a site 
 
 Points to consider: 
 
 1 - Delete info.php 
 2 - Disable directory listing 
 3 - Block the HTTP TRACE method 
 4 - Disable server-status and server-info 
 
 
 =============== 1 =============== 
 
 Delete the file so it does not reveal how PHP was installed and compiled. 
 
 =============== 2 =============== 
 
 For example, these directories: 
 
 Alias /icons/ "/var/www/icons/"
 
 <Directory "/var/www/icons">
     # Options Indexes MultiViews
     Options -Indexes MultiViews
     AllowOverride None
     Order allow,deny
     Allow from all
 </Directory>
 
 <Directory /var/www/html/turismocarretera/css/>
     Options -Indexes
 </Directory>
 
 <Directory /var/www/html/turismocarretera/images/>
     Options -Indexes
 </Directory>
 
 As you can see, we put a "-" (minus sign or hyphen) in front of Indexes, which turns the directory listing off. 
 
 
 =============== 3 =============== Apache version 2.0.52 
 
 This works per virtual host, website or domain: add these lines to each virtual host. 
 NOTE: if there are several virtual hosts on the same server, change the name of the rewrite log file in each one. 
 
 # Directive to block the TRACE method
 <IfModule mod_rewrite.c>
     RewriteEngine On
     RewriteCond %{REQUEST_METHOD} ^TRACE
     RewriteRule .* - [F]
     RewriteLog "/var/log/httpd/rewrite_granturismo.v8.log"
     # level 9 is the most verbose setting; lower it once the rule is verified
     RewriteLogLevel 9
 </IfModule>
 
 In newer Apache versions (httpd-2.2.3-43) there is no need to put this in each virtual host; it goes in the global Apache settings, section 2: 
 
 # To block the HTTP TRACE method
 TraceEnable off 
 
 Result: 
 This is how we verify that the TRACE method is disabled: 
 
 alexa@alienaLX:~$ telnet static.granturismo.com.ar 80
 Trying 200.4.1.14...
 Connected to static.granturismo.com.ar.
 Escape character is '^]'.
 
 We type the method: 
 
 TRACE / HTTP/1.1 
 
 and then the name of the virtual host or host: 
 
 Host: static.granturismo.com.ar 
 
 then press Enter several times until the HTTP response appears. 
 
 If the response is HTTP/1.1 200 OK or HTTP/1.1 400, it did not work; you should see HTTP/1.1 403 (FORBIDDEN) or HTTP/1.1 405 Method Not Allowed. 
 
 =============== 4 =============== 
 
 To deny access to the server-status script, deny it with Deny from all: 
 
 <Location /server-status>
     SetHandler server-status
     Order deny,allow
     Deny from all
     # Allow from .example.com
 </Location>
 
 ExtendedStatus Off should also be set in the Apache configuration so it does not show information, version, etc.: 
 
 # ExtendedStatus controls whether Apache will generate "full" status
 # information (ExtendedStatus On) or just basic information (ExtendedStatus
 # Off) when the "server-status" handler is called. The default is Off.
 #
 ExtendedStatus Off 
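To check points 2 to 4 above without reading every configuration file by hand, the following added script (not part of the original post) audits an httpd.conf fragment for directory listing, a missing TraceEnable off, an unprotected server-status Location and ExtendedStatus On. The sample configuration inside it is constructed for the example; the regexes assume one directive per line in the usual Apache layout.

```python
import re

# Constructed httpd.conf fragment (not from the page) with all four weaknesses present.
SAMPLE_CONF = """
Alias /icons/ "/var/www/icons/"
<Directory "/var/www/icons">
    Options Indexes MultiViews
</Directory>
<Location /server-status>
    SetHandler server-status
    Order deny,allow
    Allow from all
</Location>
ExtendedStatus On
"""
OPEN_RE = re.compile(r'<(Directory|Location)\s+"?([^">]+?)"?\s*>$', re.I)
CLOSE_RE = re.compile(r'</(Directory|Location)>$', re.I)

def audit(conf):
    # One list per hardening point; an empty list means that point is clean.
    findings = {"indexes": [], "trace": [], "status": [], "extended": []}
    section, status_denied, trace_off = None, False, False
    for raw in conf.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        m = OPEN_RE.match(line)
        if m:
            section, status_denied = (m.group(1).lower(), m.group(2)), False
            continue
        if CLOSE_RE.match(line):
            if section == ("location", "/server-status") and not status_denied:
                findings["status"].append(section[1])
            section = None
            continue
        words = line.split()
        key, args = words[0].lower(), [w.lower() for w in words[1:]]
        if key == "options" and section:
            # Listing is enabled when Indexes or All appears without a "-".
            if any(a in ("indexes", "+indexes", "all", "+all") for a in args):
                findings["indexes"].append(section[1])
        elif key == "traceenable" and args == ["off"]:
            trace_off = True
        elif key == "extendedstatus" and args == ["on"]:
            findings["extended"].append(line)
        elif key in ("deny", "require") and args in (["from", "all"], ["all", "denied"]):
            status_denied = True
    if not trace_off:  # TraceEnable defaults to on, so absence is a finding
        findings["trace"].append("TraceEnable off not set")
    return findings
```

Run it on the real file with audit(open("/etc/httpd/conf/httpd.conf").read()); only the findings the post describes are checked, so a clean result is not a full security review.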
 
 ------------------------------------------- 
 ---------------- On JBoss: jmx-console 
 To secure it, set a password and a login screen. 
 