13 Apache Web Server Security and Hardening Tips


We are all familiar with the Apache web server, a very popular web server for hosting your web files or your website on the web. Here are some links which may help you set up the Apache web server on your Linux box.

  1. Install Apache Web Server
  2. Setup Your Website in Your Linux Box

Here in this tutorial, I'll cover some main tips to secure your web server. Before you apply these changes to your web server, you should have some basic information about the Apache server.

  1. Document root directory: /var/www/html or /var/www
  2. Main configuration file: /etc/httpd/conf/httpd.conf (RHEL/CentOS/Fedora) and /etc/apache2/apache2.conf (Debian/Ubuntu)
  3. Default HTTP port: 80 TCP
  4. Default HTTPS port: 443 TCP
  5. Test your configuration file settings and syntax: httpd -t
  6. Access log files of the web server: /var/log/httpd/access_log
  7. Error log files of the web server: /var/log/httpd/error_log

1. How to hide the Apache Version and OS Identity from Errors

When you install Apache from source or with a package installer such as yum, it displays the version of the Apache web server installed on your server, together with the server's operating system name, in error pages. It also shows information about the Apache modules installed on your server.

In the screenshot above, you can see that Apache is showing its version along with the OS installed on your server. This can be a major security threat to your web server as well as your Linux box. To prevent Apache from displaying this information to the world, we need to make some changes in the Apache main configuration file.

Open the configuration file with the vim editor and search for ServerSignature; by default it is On. We need to turn this server signature Off, and the second line, ServerTokens Prod, tells Apache to return only "Apache" as the product in the Server response header on every page request; it suppresses the OS name and the major and minor version information.

# vim /etc/httpd/conf/httpd.conf (RHEL/CentOS/Fedora)
# vim /etc/apache2/apache2.conf (Debian/Ubuntu)
ServerSignature Off
ServerTokens Prod
# service httpd restart (RHEL/CentOS/Fedora)
# service apache2 restart (Debian/Ubuntu)

2. Disable Directory Listing

By default Apache lists all the content of the document root directory when no index file is present. Please see the image below.

We can turn off directory listing with the Options directive in the configuration file for a specific directory. For that we need to make an entry in the httpd.conf or apache2.conf file.

<Directory /var/www/html>
    Options -Indexes
</Directory>

3. Keep updating Apache Regularly

The Apache developer community continuously works on security issues and releases updated versions with new security options. So it is always recommended to use the latest version of Apache as your web server.

To check the Apache version: you can check your current version with the httpd -v command.

# httpd -v
Server version: Apache/2.2.15 (Unix)
Server built:   Aug 13 2013 17:29:28

You can update your version with the following commands.

# yum update httpd
# apt-get install apache2

It is also recommended to keep your kernel and OS updated to the latest stable releases, unless you run a specific application that works only on a specific OS or kernel.

4. Disable Unnecessary Modules

It is always good to minimise the chances of becoming a victim of any web attack, so it is recommended to disable all modules that are not currently in use. You can list all the compiled-in modules of the web server with the following command.

# grep LoadModule /etc/httpd/conf/httpd.conf

# have to place corresponding `LoadModule' lines at this location so the
# LoadModule foo_module modules/mod_foo.so
LoadModule auth_basic_module modules/mod_auth_basic.so
LoadModule auth_digest_module modules/mod_auth_digest.so
LoadModule authn_file_module modules/mod_authn_file.so
LoadModule authn_alias_module modules/mod_authn_alias.so
LoadModule authn_anon_module modules/mod_authn_anon.so
LoadModule authn_dbm_module modules/mod_authn_dbm.so
LoadModule authn_default_module modules/mod_authn_default.so
LoadModule authz_host_module modules/mod_authz_host.so
LoadModule authz_user_module modules/mod_authz_user.so
LoadModule authz_owner_module modules/mod_authz_owner.so
LoadModule authz_groupfile_module modules/mod_authz_groupfile.so
LoadModule authz_dbm_module modules/mod_authz_dbm.so
LoadModule authz_default_module modules/mod_authz_default.so
LoadModule ldap_module modules/mod_ldap.so
LoadModule authnz_ldap_module modules/mod_authnz_ldap.so
LoadModule include_module modules/mod_include.so
LoadModule log_config_module modules/mod_log_config.so
LoadModule logio_module modules/mod_logio.so
LoadModule env_module modules/mod_env.so
LoadModule ext_filter_module modules/mod_ext_filter.so
....

Above is the list of modules that are enabled by default but often not needed: mod_imap, mod_include, mod_info, mod_userdir, mod_autoindex. To disable a particular module, insert a # at the beginning of its LoadModule line and restart the service.

5. Run Apache as a Separate User and Group

With a default installation Apache runs its process as the user nobody or daemon. For security reasons it is recommended to run Apache under its own non-privileged account. For example: http-web.

# groupadd http-web
# useradd -d /var/www/ -g http-web -s /bin/nologin http-web

Now you need to tell Apache to run as this new user; to do so, we need to make an entry in /etc/httpd/conf/httpd.conf and restart the service.

Open /etc/httpd/conf/httpd.conf with the vim editor and search for the keywords User and Group; there you will need to specify the user name and group name to use.

User http-web
Group http-web

6. Use Allow and Deny to Restrict access to Directories

We can restrict access to directories with the Allow and Deny options in the httpd.conf file. Here in this example, we will secure the root directory by setting the following in the httpd.conf file.

<Directory />
   Options None
   Order deny,allow
   Deny from all
</Directory>

  1. Options None - This option will not allow users to enable any optional features.
  2. Order deny,allow - This is the order in which the Deny and Allow directives will be processed. Here it will "deny" first and "allow" next.
  3. Deny from all - This will deny requests from everybody to the root directory; nobody will be able to access the root directory.

7. Use mod_security and mod_evasive Modules to Secure Apache

These two modules, "mod_security" and "mod_evasive", are very popular Apache modules in terms of security.

mod_security works as a firewall for our web applications and allows us to monitor traffic in real time. It also helps us protect our websites or web server from brute force attacks. You can simply install mod_security on your server with the help of the default package installers.

$ sudo apt-get install libapache2-modsecurity
$ sudo a2enmod mod-security
$ sudo /etc/init.d/apache2 force-reload
# yum install mod_security
# /etc/init.d/httpd restart

mod_evasive works very efficiently: it takes one request at a time and processes it very well. It prevents DDoS attacks from doing as much damage. This feature of mod_evasive enables it to handle HTTP brute force and DoS or DDoS attacks. This module detects attacks with three methods.

  1. If many requests arrive for the same page several times per second.
  2. If any child process tries to make more than 50 concurrent requests.
  3. If any IP still tries to make new requests while it is temporarily blacklisted.

mod_evasive can be installed directly from source. Here we have an installation and setup guide for these modules which will help you set up these Apache modules on your Linux box.

  1. Protect Apache using Mod_Security and Mod_evasive

8. Turn off Apache's following of Symbolic Links

By default Apache follows symbolic links; we can turn this feature off with FollowSymLinks in the Options directive. To do so, we need to make the following entry in the main configuration file.

Options -FollowSymLinks

And if any particular user or website needs FollowSymLinks enabled, we can simply write a rule in the .htaccess file of that website.

# Enable symbolic links
Options +FollowSymLinks

Note: To enable rewrite rules inside the .htaccess file, AllowOverride All should be present in the main configuration globally.

9. Turn off Server Side Includes and CGI Execution

We can turn off server side includes (mod_include) and CGI execution if they are not needed; to do so, we need to modify the main configuration file.

Options -Includes
Options -ExecCGI

We can do this for a particular directory too with the Directory tag. Here in this example, we are turning off Includes and CGI file execution for the /var/www/html/web1 directory.

<Directory "/var/www/html/web1">
Options -Includes -ExecCGI
</Directory>

Here are some other values which can be turned on or off with the Options directive.

  1. Options All - Enables all options at once. This is the default value if you don't specify any value explicitly in the Apache conf file or .htaccess.
  2. Options IncludesNOEXEC - This option allows server side includes without the permission to execute a command or CGI files.
  3. Options MultiViews - Allows content-negotiated multiviews with the mod_negotiation module.
  4. Options SymLinksIfOwnerMatch - Similar to FollowSymLinks, but this will follow a link only when the owner is the same for the link and the original directory it points to.
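The relative forms used in tips 2, 8 and 9 (-Indexes, -FollowSymLinks, -Includes -ExecCGI) merge with the parent directory's options, while a bare value such as Options Indexes replaces the parent's whole set, which is how a listing or symlink setting you thought was off comes back on. The following script is an added example, not part of the original article: it models Apache's Options merge rules so the effective set for a child directory can be predicted before deployment.

```shell
#!/bin/sh
# Added example, not from the article: model how Apache merges the Options
# directive between a parent and a child <Directory>, so the effective set can
# be predicted before relying on tips 2, 8 and 9. The rules follow the Options
# documentation: relative (+/-) values merge with the parent, absolute values
# replace it, and mixing the two is a syntax error.
ALL_OPTIONS="ExecCGI FollowSymLinks Includes Indexes"   # "All" = every option except MultiViews

# merge_options "PARENT" "CHILD": print the effective options sorted, "None", or an ERROR line.
merge_options() {
  result=$(printf '%s\n%s\n' "$1" "$2" | awk -v all="$ALL_OPTIONS" '
    # apply one Options value list to the set eff: "+x" adds, "-x" removes, bare names add
    function apply(list,   n, i, w, p, a, k) {
      n = split(list, p, " ")
      for (i = 1; i <= n; i++) {
        w = p[i]
        if (w == "None") continue
        if (w == "All") { split(all, a, " "); for (k in a) eff[a[k]] = 1 }
        else if (w ~ /^\+/) eff[substr(w, 2)] = 1
        else if (w ~ /^-/)  delete eff[substr(w, 2)]
        else                eff[w] = 1
      }
    }
    NR == 1 { parent = $0 }
    NR == 2 { child = $0 }
    END {
      n = split(child, c, " ")
      for (i = 1; i <= n; i++) if (c[i] ~ /^[+-]/) rel++; else abs++
      if (rel && abs) { print "ERROR: mixing absolute and relative Options is a syntax error"; exit }
      if (!abs) apply(parent)         # all-relative child: start from the parent set
      apply(child)                    # absolute child: the parent set is discarded
      for (o in eff) { print o; cnt++ }
      if (!cnt) print "None"
    }' | sort | tr '\n' ' ')
  printf '%s\n' "${result% }"
}

merge_options "All"              "-Indexes"            # ExecCGI FollowSymLinks Includes
merge_options "All"              "Indexes"             # Indexes (the parent set is replaced)
merge_options "Indexes Includes" "-Includes -ExecCGI"  # Indexes
merge_options "All"              "Indexes -ExecCGI"    # ERROR: mixing absolute and relative ...
```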

10. Limit Request Size

By default Apache has no limit on the total size of an HTTP request, i.e. it is unlimited, and when you allow large requests on a web server it is possible that you could become a victim of a denial of service attack. We can limit the request size with the Apache directive LimitRequestBody inside a Directory tag.

You can set the value in bytes from 0 (unlimited) to 2147483647 (2GB) that are allowed in a request body. You can set this limit according to your site's needs; suppose you have a site where you allow uploads and you want to limit the upload size for a particular directory.

Here in this example, user_uploads is a directory which contains files uploaded by users. We are putting a limit of 500K on it.

<Directory "/var/www/myweb1/user_uploads">
   LimitRequestBody 512000
</Directory>

11. Protect against DDoS attacks and Hardening

Well, it is true that you cannot completely protect your website from DDoS attacks. Here are some directives which can help you keep some control over it.

  1. TimeOut : This directive sets the amount of time the server will wait for certain events to complete before it fails. Its default value is 300 seconds. It is good to keep this value low on sites which are subject to DDoS attacks. The right value depends entirely on the kind of requests you get on your website. Note: It could pose problems with CGI scripts.
  2. MaxClients : This directive sets the limit on connections that will be served simultaneously. Every new connection will be queued once this limit is reached. It is available with both the Prefork and Worker MPM. Its default value is 256.
  3. KeepAliveTimeout : The amount of time the server will wait for a subsequent request before closing the connection. Its default value is 5 seconds.
  4. LimitRequestFields : Sets a limit on the number of HTTP request header fields that will be accepted from clients. Its default value is 100. It is recommended to lower this value if DDoS attacks are occurring as a result of a large number of HTTP request headers.
  5. LimitRequestFieldSize : Sets a size limit on an HTTP request header field.

12. Enable Apache Logging

Apache allows you to log independently of your OS logging. It is wise to enable Apache logging, because it provides more information, such as the commands entered by users that have interacted with your web server.

To do so you need to include the mod_log_config module. There are three main logging-related directives available with Apache.

  1. TransferLog : Creating a log file.
  2. LogFormat : Specifying a custom format.
  3. CustomLog : Creating and formatting a log file.

You can also use them for a particular website you are virtual hosting; for that you need to specify them in the virtual host section. For example, here is my website's virtual host configuration with logging enabled.

<VirtualHost *:80>
DocumentRoot /var/www/html/example.com/
ServerName www.example.com
DirectoryIndex index.htm index.html index.php
ServerAlias example.com
ErrorDocument 404 /story.php
ErrorLog /var/log/httpd/example.com_error_log
CustomLog /var/log/httpd/example.com_access_log combined
</VirtualHost>
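The combined access log enabled above is also the raw material for spotting the first pattern mod_evasive looks for in tip 7: many hits on one page from one client within a second. The following script is an added example, not part of the original article: it counts requests per client IP, page and second over constructed combined-format log lines and reports any group that reaches a threshold.

```shell
#!/bin/sh
# Added example, not from the article: replay mod_evasive's first rule (too many
# hits on one page from one IP within one second) over a combined-format access
# log. The log lines below are constructed for the demo.
sample_log() {
  cat <<'EOF'
198.51.100.7 - - [13/Aug/2013:17:29:28 +0000] "GET /login.php HTTP/1.1" 200 1043 "-" "curl/7.19"
198.51.100.7 - - [13/Aug/2013:17:29:28 +0000] "GET /login.php HTTP/1.1" 200 1043 "-" "curl/7.19"
198.51.100.7 - - [13/Aug/2013:17:29:28 +0000] "GET /login.php HTTP/1.1" 200 1043 "-" "curl/7.19"
198.51.100.7 - - [13/Aug/2013:17:29:28 +0000] "GET /login.php HTTP/1.1" 200 1043 "-" "curl/7.19"
198.51.100.7 - - [13/Aug/2013:17:29:29 +0000] "GET /login.php HTTP/1.1" 200 1043 "-" "curl/7.19"
203.0.113.9 - - [13/Aug/2013:17:29:28 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.9 - - [13/Aug/2013:17:29:28 +0000] "GET /style.css HTTP/1.1" 200 88 "-" "Mozilla/5.0"
203.0.113.9 - - [13/Aug/2013:17:29:30 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"
EOF
}

# flag_bursts THRESHOLD < log: print "ip uri second count" for every (client, page,
# second) that reaches THRESHOLD hits, the same idea as mod_evasive's DOSPageCount.
flag_bursts() {
  awk -v limit="$1" '
    # combined format: $1 client IP, $4 "[dd/Mon/yyyy:HH:MM:SS", $7 request URI
    {
      ts = substr($4, 2)                  # drop the leading "["
      hits[$1 SUBSEP $7 SUBSEP ts]++
    }
    END {
      for (k in hits) if (hits[k] >= limit) {
        split(k, p, SUBSEP)
        print p[1], p[2], p[3], hits[k]
      }
    }' | sort
}

sample_log | flag_bursts 3    # 198.51.100.7 /login.php 13/Aug/2013:17:29:28 4
```

On a live server the same function reads the CustomLog file directly, e.g. flag_bursts 10 < /var/log/httpd/example.com_access_log.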

13. Securing Apache with SSL Certificates

Last, but not least, SSL certificates: you can secure all your communication over the Internet in encrypted form with an SSL certificate. Suppose you have a website where people log in by proving their login credentials, or you have an e-commerce website where people provide their bank details or debit and credit card details to purchase products. By default your web server sends these details in plain-text form, but when you use an SSL certificate on your websites, Apache sends all this information as encrypted text.

You can purchase an SSL certificate from various SSL providers such as namecheap.com. If you are running a very small web business and don't want to purchase an SSL certificate, you can still assign a self-signed certificate to your website. Apache uses the mod_ssl module to support SSL certificates.

# openssl genrsa -des3 -out example.com.key 1024
# openssl req -new -key example.com.key -out example.com.csr
# openssl x509 -req -days 365 -in example.com.csr -signkey example.com.key -out example.com.crt

Once your certificate has been created and signed, you need to add it to the Apache configuration. Open the main configuration file with the vim editor, add the following lines and restart the service.

<VirtualHost 172.16.25.125:443>
        SSLEngine on
        SSLCertificateFile /etc/pki/tls/certs/example.com.crt
        SSLCertificateKeyFile /etc/pki/tls/certs/example.com.key
        SSLCertificateChainFile /etc/pki/tls/certs/sf_bundle.crt
        ServerAdmin webmaster@example.com
        ServerName example.com
        DocumentRoot /var/www/html/example/
        ErrorLog /var/log/httpd/example.com-error_log
        CustomLog /var/log/httpd/example.com-access_log common
</VirtualHost>

Open your browser, type https://example.com, and you will be able to see the new self-signed certificate.

These are a few security tips which you can use to secure your Apache web server installation. For more useful security tips and ideas, see the official online documentation of the Apache HTTP Server.