Securing Apache

RVR777 · 03-04-2007, 07:38 PM

Hi,

I have a server where some people upload old or bad coded scripts, that allow an external attacker to run arbitrary commands as the apache user (www-data), that use all the cpu, memory and network.

What can I do to prevent this to happen?

Thanks

trickykid · 03-04-2007, 07:52 PM

Well, you need to do one of two things.. either educate the users you allow on your server to not upload horrible scripts and or kick their connection if they continue to use such scripts. If it's your server, it's your rules, not theirs.

RVR777 · 03-05-2007, 10:39 AM

But there is nothing I can do to prevent this to happen? If it was a big hosting, there is no way to trace every user script...

Maybe something could be modified or configured, to prevent this things?

trickykid · 03-05-2007, 10:44 PM

Quote:

Originally Posted by RVR777

Maybe something could be modified or configured, to prevent this things?

Their script.. like I said, you can't just secure the apache server itself if it's the scripts they are using. You can disallow cgi scripts from within apache, that'd be one way to secure your machine but it will break everyone's scripts, which sounds to me like a good idea if their scripts are allowing remote execution or arbitrary commands as the apache user.. either educate, disable accounts or deal with users uploading and using crap code.. it's your choice, you're the sysadmin.

Rainer Hubovsky · 03-06-2007, 02:57 AM

In a shared hosting environment I would recommend the use of suexec:

"The suEXEC feature provides Apache users the ability to run CGI and SSI programs under user IDs different from the user ID of the calling web-server"
-> http://httpd.apache.org/docs/2.0/suexec.html

If you offer PHP, have a look at suphp:
"suPHP is a tool for executing PHP scripts with the permissions of their owners. It consists of an Apache module (mod_suphp) and a setuid root binary (suphp) that is called by the Apache module to change the uid of the process executing the PHP interpreter."
-> http://www.suphp.org/Home.html

Further, you can 'jail' your apache-server and put it under a chroot-jail.
a) "The objective of makejail is to help an administrator creating and updating a chroot jail with short configuration files."
-> http://www.floc.net/makejail

b) "mod_chroot makes running Apache in a secure chroot environment easy. You don't need to create a special directory hierarchy containing /dev, /lib, /etc."
-> http://core.segfault.pl/~hobbit/mod_chroot/

lg.
Rainer