
5.8. Securing Apache

FIXME: Add content: modules provided with the normal Apache installation (under /usr/lib/apache/X.X/mod_*) and modules that can be installed separately in libapache-mod-XXX packages.
If you only want to use Apache internally and do not want outsiders to access it (for testing, or to reach the doc-central archive, for example), you can restrict access to the server. To do this, use the Listen or BindAddress directive in /etc/apache/httpd.conf.
Using Listen:
Listen 127.0.0.1:80
Using BindAddress (Apache 1.3 only; the directive was removed in Apache 2.0, which uses Listen alone):
BindAddress 127.0.0.1
Then restart Apache with /etc/init.d/apache restart. You can confirm that it now only answers on the loopback interface (for example with netstat -ltn, which should show port 80 bound to 127.0.0.1 only).
Either way, if you are not using all the functionality Apache provides, you may want to look at other web servers packaged in Debian, such as dhttpd.
http://httpd.apache.org/docs/misc/security_tips.html provides information on the security measures that should be taken for the Apache web server (in Debian the same information is shipped in the apache-doc package).
More information on further restricting Apache by setting up a chroot jail is provided in Section B.7.3, "Chroot environment for Apache".

5.8.1. Disabling users from publishing web contents

The default Apache installation in Debian permits users to publish content under $HOME/public_html. This content can be retrieved remotely using a URL such as http://your_apache_server/~user.
If you do not want to permit this, you must edit the /etc/apache/httpd.conf configuration file and (in Apache 1.3) comment out the line that loads the following module:
LoadModule userdir_module /usr/lib/apache/1.3/mod_userdir.so
If you are using Apache 2.0, remove the file /etc/apache2/mods-enabled/userdir.load (a2dismod userdir does this for you) or restrict the default configuration by modifying /etc/apache2/mods-enabled/userdir.conf.
However, if the module was linked statically (you can list the compiled-in modules by running apache -l) you must instead add the following directive to the Apache configuration file:
UserDir disabled
An attacker might still be able to enumerate users, since the web server answers with 403 Forbidden rather than 404 Not Found, which reveals whether the account exists. You can avoid this by using the Rewrite module to return the same response for every /~user request.
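The following configuration fragment is an added example, not part of the Securing Debian Manual or of Debian's shipped Apache configuration. It combines the loopback restriction from the start of this section with the userdir hardening above for Apache 2.x, and assumes mod_rewrite is enabled (a2enmod rewrite) and that the fragment is placed in server or virtual host context (for instance in /etc/apache2/apache2.conf or a file under conf-available), not in a .htaccess file.

```apache
# Added example (not from the Securing Debian Manual): Apache 2.x fragment
# for server/vhost context. Assumes mod_rewrite is loaded.

# 1. Only answer on the loopback interface. On Debian's apache2 this
#    directive normally lives in /etc/apache2/ports.conf; replace the
#    default "Listen 80" there rather than adding a second Listen.
Listen 127.0.0.1:80

# 2. Disable per-user directories. This is needed even when mod_userdir
#    is compiled in statically and therefore cannot be unloaded.
UserDir disabled

# 3. Answer every /~anything request with 404 before mod_userdir (or the
#    filesystem lookup under DocumentRoot) gets to see it. Because the rule
#    does not depend on whether the account exists, a probe for /~root and
#    a probe for /~nosuchuser get the identical response and status code.
#    R=404 stops processing with a 404 status; [F] would give 403 instead,
#    which is exactly the differing response we want to avoid.
RewriteEngine On
RewriteRule ^/~ - [R=404,L]
```

If mod_rewrite is not wanted, mod_alias offers the same effect with a single line, RedirectMatch 404 ^/~, which is also evaluated during URL translation and needs no RewriteEngine directive. After changing the configuration run apache2ctl configtest, restart Apache, and verify with a request for /~root and one for a non-existent user that both return 404.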

5.8.2. ログファイルのパーミッション

Apache log files, since 1.3.22-1, are owned by user 'root' and group 'adm' with permissions 640, and log rotation recreates them with the same ownership and permissions. An intruder who gained access to the system through the web server (and thus runs as www-data) would not be able, without privilege escalation, to remove or alter old log file entries.

5.8.3. Published web files

Apache's published files are located under /var/www. Just after installation the default page provides some information about the system (mainly that it is a Debian system running Apache). The default web pages are owned by user root and group root, while the Apache process runs as user www-data and group www-data, so an attacker who compromises the system through the web server cannot simply overwrite them to deface the site. You should, of course, replace the default web pages (which may give away information you do not want to show to outsiders) with your own, and keep the same root-owned, world-readable but not www-data-writable ownership on the replacements.