Recent Edits
Apache is the world's most popular [[httpd|HTTP server]]. Its enormous popularity has also led to the eponymous foundation that now serves as host to a raft of open source projects, all licensed under the [[License:ASF2.0|Apache License]].
See the [[Apache.org|Apache Organization]] project for details on other Apache Projects.
[[SourceLabs]] includes Apache httpd in its "Self Support for Linux and Open Source Java":http://www.sourcelabs.com offering.
Apache requires an operating system - and it runs on most of the ones you might have.
htaccess, caching, optimization, security, programming, hacks, tips, tricks
(gb2312) The most practical WWW server
Apache is the world's most popular HTTP server,
being quite possibly the best around in terms of
functionality, efficiency, security and speed.
Cool presentation by [[Yahoo]] on how they have hacked [[Apache|Apache HTTPd]]
Getting started with Apache
Overview and Project Information about the Apache Foundation Apache HTTPD Web Server
<h3>Basic Security</h3>
Unauthorized users can gain access in several ways: through insiders who once had authorized access (employees, for example), bad passwords, operating system holes, or tools used in conjunction with Apache (MySQL or PHP, for example) that may have flawed security.
Statistically speaking, 70% of intrusions come from insiders. To prevent these situations, when a user is removed, remove the account as well. Keeping track of the activity performed by that user is also useful.
<h3>Users and System Security</h3>
It’s advisable not to give people inside access to the Web host. The machine should provide web services and nothing else. Access is then granted only to areas that house premium Web services for paying customers, and these are always protected by passwords. A problem with these passwords is that they aren’t always very strong, even when a strong encryption system is used.
<h3>Denial of Service</h3>
A Denial of Service attack is an action specifically directed at incapacitating the hardware, software or both on a given web server, rendering the system unreachable and therefore unable to serve legitimate users. DoS attacks are a persistent and important problem. Many attacks are quick, easy and generate immediate, noticeable results.
A web administrator should expect frequent DoS attacks; they are the most common type. A serious vulnerability in Apache was discovered in April 2001. An attacker could send a custom URL from a web browser that made Apache hang, driving the target’s processor to 100% utilization. Attackers could do this in one of these ways: a GET request consisting of 8,184 characters, a HEAD request consisting of 8,182 A characters, or an ACCEPT of 8,182 / characters. This problem was patched in version 1.3.20.
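An added detection example, not part of the original page: it scans access-log lines for request targets that are very long and made almost entirely of one repeated character, the shape of the GET and HEAD requests described above. The Common Log Format, the thresholds and the sample lines are assumptions; request headers such as Accept do not appear in this log format, so only the request line is checked.

```python
import re
from collections import Counter

# Common Log Format: host ident user [time] "METHOD target PROTO" status size
CLF = re.compile(r'^(\S+) \S+ \S+ \[[^\]]*\] "(\S+) (\S+)[^"]*" (\d{3}) \S+')


def suspicious_requests(lines, min_len=2048, min_ratio=0.9):
    """Return (host, method, target_length, dominant_char) for padded targets.

    min_len and min_ratio are assumed thresholds, not values from the page.
    """
    hits = []
    for line in lines:
        m = CLF.match(line)
        if m is None:
            continue  # not an access-log line this parser understands
        host, method, target, _status = m.groups()
        if len(target) < min_len:
            continue
        # A padded target is dominated by a single character.
        char, count = Counter(target).most_common(1)[0]
        if count / len(target) >= min_ratio:
            hits.append((host, method, len(target), char))
    return hits


# Constructed sample lines (documentation IP ranges, made-up timestamps
# and status codes).
SAMPLE_LOG = [
    '192.0.2.10 - - [12/Apr/2001:10:15:32 +0000] "GET /index.html HTTP/1.0" 200 2326',
    '198.51.100.7 - - [12/Apr/2001:10:15:40 +0000] "GET ' + "/" * 8184 + ' HTTP/1.0" 403 -',
    '198.51.100.7 - - [12/Apr/2001:10:15:41 +0000] "HEAD ' + "A" * 8182 + ' HTTP/1.0" 400 -',
    # Long but varied query string: legitimate traffic that must not be flagged.
    '192.0.2.44 - - [12/Apr/2001:10:16:02 +0000] "GET /search?q='
    + "".join(chr(97 + i % 26) for i in range(3000)) + ' HTTP/1.0" 200 512',
]

if __name__ == "__main__":
    for host, method, length, char in suspicious_requests(SAMPLE_LOG):
        print(f"{host} {method} target of {length} chars, mostly {char!r}")
```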
<h3>Total System Seizure</h3>
The security settings should not allow attackers to seize control of the web host. Yet it happens very often, all over the world. The two main reasons are inadequate planning of the initial web host configuration and failure to keep the system patched and up to date.
<h3>Hints and tips on security issues in setting up a web server</h3>
<ul>
<li>
<h4>Permissions on Server Root Directories</h4>
Typically Apache is started by the root user and switches to the user defined by the User directive to serve hits. The administrator must take care that the server root directories are protected from modification by non-root users (this applies to the directories and their parents as well).
</li>
<li>
<h4>Server Side Includes (SSI)</h4>
SSI presents several risks: increased load on the server, and risks similar to those associated with CGI scripts in general (an SSI-enabled file can execute a script or program under the permissions of the user and group Apache runs as).
</li>
<li>
<h4>CGI</h4>
CGI scripts can run essentially arbitrary commands on the system with the permissions of the web server. All the scripts run as the same user, so they have the potential to conflict.
</li>
<li><h4>Protecting System Settings</h4>
To stop users from setting up .htaccess files that override security features already configured, put this in the server configuration file:
<pre>&lt;Directory /&gt;
AllowOverride None
&lt;/Directory&gt;</pre>
</li>
<li>
<h4>Misc</h4>
Other security measures include forbidding default access to file-system locations, watching the logs regularly and, most important, keeping the software up to date with the latest versions and patches.
</li>
</ul>
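An added example, not part of the original page: a small audit of an httpd configuration for the AllowOverride setting discussed under "Protecting System Settings". It reports whether the root directory section sets AllowOverride None and lists every Directory section that turns .htaccess overrides back on. The sample configurations and their paths are constructed for illustration.

```python
import re

# AllowOverride is only read inside plain <Directory> sections.
OPEN = re.compile(r'^<Directory\s+(.+?)\s*>$', re.I)
CLOSE = re.compile(r'^</Directory\s*>$', re.I)
OVERRIDE = re.compile(r'^AllowOverride\s+(.+)$', re.I)


def audit_allowoverride(conf_text):
    """Report where .htaccess overrides are enabled in an httpd config.

    Returns {"root_locked": bool, "enabled": [(path, line_no, value), ...]}.
    """
    root_locked = False
    enabled = []
    current = None  # path of the <Directory> section being read, if any
    for line_no, raw in enumerate(conf_text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = OPEN.match(line)
        if m:
            current = m.group(1).strip("\"'")
            continue
        if CLOSE.match(line):
            current = None
            continue
        m = OVERRIDE.match(line)
        if m and current is not None:
            value = m.group(1).strip()
            is_none = value.lower() == "none"
            if current == "/":
                root_locked = is_none  # the last setting seen for / is kept
            if not is_none:
                enabled.append((current, line_no, value))
    return {"root_locked": root_locked, "enabled": enabled}


# Constructed sample: the root is locked, but one section re-enables overrides.
WEAK_CONF = """\
<Directory />
    AllowOverride None
</Directory>

# Customer area (hypothetical path) that lets .htaccess change auth settings.
<Directory "/var/www/customers">
    AllowOverride AuthConfig FileInfo
</Directory>
"""

# The same configuration with the override removed.
HARDENED_CONF = WEAK_CONF.replace("AuthConfig FileInfo", "None")

if __name__ == "__main__":
    for name, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(name, audit_allowoverride(conf))
```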
This is a web page for security reports, and includes a link to the security mailing list.
This has a bunch of Apache projects listed; for the web server, go to the "httpd" folder.
