Hardening an Apache server on CentOS is a multi-step process that combines package hygiene, configuration changes and host-level controls. On CentOS the Apache HTTP Server is packaged as httpd, so the paths below are /etc/httpd/... rather than the /etc/apache2/... used on Debian-based systems. The key steps and recommendations are:

1. Keep the system patched

sudo yum update -y

Updates only help while the release still receives them: CentOS 7 reached end of life on 30 June 2024, so a server on it needs a migration plan, not just yum update.

2. Disable modules you do not need

The main configuration file is /etc/httpd/conf/httpd.conf, but on CentOS the LoadModule directives live in /etc/httpd/conf.modules.d/*.conf. Every loaded module is attack surface, so comment out the LoadModule line of any module the site does not use. Note that an <IfModule> block does not disable anything (it only makes the enclosed directives conditional), and RewriteEngine Off only switches off rewrite rules in that scope without unloading mod_rewrite. Do not remove mod_ssl: it is needed for HTTPS in the next step.

# /etc/httpd/conf.modules.d/00-base.conf: comment out unused modules, for example
# directory listings and per-user public_html directories
#LoadModule autoindex_module modules/mod_autoindex.so
#LoadModule userdir_module modules/mod_userdir.so

List what is actually loaded with sudo httpd -M, and run apachectl configtest before restarting httpd.

3. Enable HTTPS

sudo yum install mod_ssl -y
sudo openssl req -x509 -newkey rsa:2048 -days 365 -nodes -keyout /etc/pki/tls/private/apache-selfsigned.key -out /etc/pki/tls/certs/apache-selfsigned.crt
sudo chmod 600 /etc/pki/tls/private/apache-selfsigned.key

-nodes leaves the private key unencrypted so httpd can start unattended; without -days the certificate expires after 30 days. A self-signed certificate is only suitable for testing, because clients cannot verify it; use a certificate from a public CA in production.

The mod_ssl package already installs /etc/httpd/conf.d/ssl.conf with Listen 443 https and a default virtual host, and loads the module from /etc/httpd/conf.modules.d/00-ssl.conf, so do not add a second LoadModule line. Edit the existing virtual host instead:

sudo vi /etc/httpd/conf.d/ssl.conf
# Add or modify the following in the configuration file
<VirtualHost *:443>
    ServerName yourdomain.com
    SSLEngine on
    SSLCertificateFile /etc/pki/tls/certs/apache-selfsigned.crt
    SSLCertificateKeyFile /etc/pki/tls/private/apache-selfsigned.key
</VirtualHost>

While in ssl.conf, make sure SSLProtocol disables everything below TLS 1.2 (for example SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1); the shipped default still allows TLS 1.0 and 1.1.

4. Restrict the firewall to the services you serve

Use firewalld to allow HTTP and HTTPS:

sudo firewall-cmd --permanent --add-service=http
sudo firewall-cmd --permanent --add-service=https
sudo firewall-cmd --reload

These commands add services; they do not remove anything that is already open in the zone. Check with sudo firewall-cmd --list-all and remove services you do not need, keeping ssh if you administer the server remotely.

5. Lock unused accounts

Lock system accounts that nobody should log in as, such as adm, lp and sync. Use usermod -L (or passwd -l), not passwd -d: -d deletes the password, which with the nullok PAM setting can allow login with an empty password instead of preventing it. On CentOS these accounts ship locked already, so the command mostly serves as a check:

sudo usermod -L <username>
sudo passwd -S <username>

Lock the root password only after an administrator account with sudo rights exists, and set PermitRootLogin no in /etc/ssh/sshd_config as well, since an SSH key bypasses the password lock:

sudo passwd -l root

6. Stop advertising the server version

In /etc/httpd/conf/httpd.conf:

ServerTokens Prod
ServerSignature Off

ServerTokens Prod reduces the Server response header to "Apache", and ServerSignature Off removes the version line from server-generated error pages and listings. TraceEnable Off is worth setting at the same time. This is obscurity only: the version remains fingerprintable, and patching (step 1) is what removes the vulnerabilities.
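To verify that the configuration changes from steps 2 to 6 actually took effect (ServerTokens, ServerSignature, TraceEnable, the SSLProtocol setting in ssl.conf, and directory listings via Options Indexes), here is a small audit script. It is an added example, not part of the original page or of the httpd project; the function names (httpd_hardening_report and friends) are my own, it reads whatever configuration files you pass it in the order httpd reads them (httpd.conf, then conf.d/*.conf alphabetically) so httpd itself does not need to be installed, and the sample files created by its demo are constructed for illustration, not real server configuration.

```shell
#!/bin/sh
# Added example (not from the original page): audit httpd configuration files for
# the hardening directives discussed above. Needs only sh, grep, awk and tr.
# Pass files in the order httpd reads them, for example:
#   httpd_hardening_report /etc/httpd/conf/httpd.conf /etc/httpd/conf.d/*.conf

# Print the value of the last uncommented occurrence of DIRECTIVE in FILE...
# (later files override earlier ones, as in httpd); print nothing if unset.
# Usage: httpd_directive_value DIRECTIVE FILE...
httpd_directive_value() {
    local directive="$1"; shift
    cat "$@" 2>/dev/null \
        | grep -iE "^[[:space:]]*${directive}[[:space:]]+" \
        | tail -n 1 \
        | awk '{ $1 = ""; sub(/^[[:space:]]+/, ""); print }'
}

# Check one directive against an expected (lower-case) value. Prints an OK/FAIL
# line; returns 0 on pass, 1 on fail. OK_IF_UNSET is "yes" when httpd's own
# default is already the safe value (ServerSignature defaults to Off).
# Usage: httpd_check_directive DIRECTIVE EXPECTED OK_IF_UNSET FILE...
httpd_check_directive() {
    local directive="$1" expected="$2" ok_if_unset="$3" value lc
    shift 3
    value=$(httpd_directive_value "$directive" "$@")
    lc=$(printf '%s' "$value" | tr '[:upper:]' '[:lower:]')
    if [ "$lc" = "$expected" ] || { [ -z "$value" ] && [ "$ok_if_unset" = "yes" ]; }; then
        echo "OK   $directive ${value:-(unset, default is safe)}"
        return 0
    fi
    echo "FAIL $directive is '${value:-unset}', expected $expected"
    return 1
}

# SSLProtocol must not leave anything older than TLS 1.2 enabled.
# Usage: httpd_check_sslprotocol FILE...
httpd_check_sslprotocol() {
    local value lc t enables_all=0 no_sslv3=0 no_tls10=0 no_tls11=0 legacy=0
    value=$(httpd_directive_value SSLProtocol "$@")
    if [ -z "$value" ]; then
        echo "FAIL SSLProtocol is unset (the default still allows TLS 1.0 and 1.1)"
        return 1
    fi
    lc=$(printf '%s' "$value" | tr '[:upper:]' '[:lower:]')
    for t in $lc; do
        case "$t" in
            all|+all)  enables_all=1 ;;
            -sslv3)    no_sslv3=1 ;;
            -tlsv1)    no_tls10=1 ;;
            -tlsv1.1)  no_tls11=1 ;;
            sslv2|+sslv2|sslv3|+sslv3|tlsv1|+tlsv1|tlsv1.1|+tlsv1.1) legacy=1 ;;
        esac
    done
    if [ "$legacy" -eq 1 ] || { [ "$enables_all" -eq 1 ] && [ "$no_sslv3$no_tls10$no_tls11" != "111" ]; }; then
        echo "FAIL SSLProtocol '$value' still enables a protocol older than TLS 1.2"
        return 1
    fi
    echo "OK   SSLProtocol $value"
    return 0
}

# Directory listings: fail on any uncommented Options line that enables Indexes.
# Usage: httpd_check_indexes FILE...
httpd_check_indexes() {
    if cat "$@" 2>/dev/null | grep -iE '^[[:space:]]*Options[[:space:]]' \
            | grep -qiE '(^|[[:space:]+])Indexes([[:space:]]|$)'; then
        echo "FAIL an Options line enables Indexes (directory listings)"
        return 1
    fi
    echo "OK   no Options line enables Indexes"
    return 0
}

# Run all checks; prints the report and returns the number of failed checks.
# Usage: httpd_hardening_report FILE...
httpd_hardening_report() {
    local failures=0
    httpd_check_directive ServerTokens    prod no  "$@" || failures=$((failures + 1))
    httpd_check_directive ServerSignature off  yes "$@" || failures=$((failures + 1))
    httpd_check_directive TraceEnable     off  no  "$@" || failures=$((failures + 1))
    httpd_check_sslprotocol "$@"                        || failures=$((failures + 1))
    httpd_check_indexes "$@"                            || failures=$((failures + 1))
    return "$failures"
}

# Number of failed checks, printed as a string (handy in scripts).
httpd_hardening_failures() {
    httpd_hardening_report "$@" | grep -c '^FAIL' || true
}

# Stand-alone demo on constructed sample files (not real server configuration).
httpd_hardening_demo() {
    local d
    d=$(mktemp -d)
    printf '%s\n' 'ServerTokens OS' 'ServerSignature On' \
        '<Directory "/var/www/html">' '    Options Indexes FollowSymLinks' '</Directory>' > "$d/weak.conf"
    printf '%s\n' 'ServerTokens Prod' 'ServerSignature Off' 'TraceEnable Off' '# ServerTokens Full' \
        '<Directory "/var/www/html">' '    Options -Indexes +FollowSymLinks' '</Directory>' > "$d/hard.conf"
    printf '%s\n' 'SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1' > "$d/ssl.conf"
    echo "== constructed weak config =="
    httpd_hardening_report "$d/weak.conf" || echo "-> $? check(s) failed"
    echo "== constructed hardened config + ssl.conf =="
    httpd_hardening_report "$d/hard.conf" "$d/ssl.conf" || echo "-> $? check(s) failed"
    rm -rf "$d"
}
httpd_hardening_demo
```

The script deliberately ignores commented-out lines and takes the last occurrence of each directive, which is how httpd resolves a directive that appears in both httpd.conf and a conf.d file; a non-zero exit status from httpd_hardening_report makes it usable as a gate in a deployment pipeline.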
7. Add a web application firewall

mod_security (a WAF engine) and mod_evasive (request-rate limiting against DoS and brute-force attempts) are available as packages. mod_security and the OWASP Core Rule Set package (mod_security_crs) come from the base repository; mod_evasive is in EPEL, so enable it first (sudo yum install epel-release -y):

sudo yum install mod_security mod_security_crs mod_evasive -y

On CentOS the packaged configuration file is /etc/httpd/conf.d/mod_security.conf (security2.conf is the Debian layout):

sudo vi /etc/httpd/conf.d/mod_security.conf
# Engine settings
SecRuleEngine On
SecRequestBodyAccess On
SecResponseBodyAccess On
SecAuditLog /var/log/httpd/security_audit.log

The engine blocks nothing by itself; rules do, which is why the CRS package matters. Start with SecRuleEngine DetectionOnly, watch the audit log for false positives on legitimate traffic, and only then switch to On. SecResponseBodyAccess On lets rules inspect responses (for data-leakage checks) at a memory and CPU cost; leave it Off unless you use such rules.

8. Watch the logs

tail -f /var/log/httpd/access_log
tail -f /var/log/httpd/error_log

Also watch the ModSecurity audit log configured above, and use journalctl -u httpd for start-up errors that never reach error_log.
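Tailing the logs only helps if you know what to look for. As an added example (not from the original page), the script below triages an access_log for two patterns that precede most web compromises: one client collecting many 4xx responses (path or credential guessing) and requests for paths that scanners probe regardless of status. It assumes the "combined" LogFormat that the stock CentOS httpd.conf uses for access_log; the function names are mine, and the sample log it writes is constructed traffic with documentation addresses, not real data.

```shell
#!/bin/sh
# Added example (not from the original page): triage httpd access_log for scanner
# activity. Assumes the "combined" LogFormat of the stock CentOS httpd.conf:
#   %h %l %u %t "%r" %>s %b "%{Referer}i" "%{User-Agent}i"
# write_sample_access_log produces constructed lines, not real traffic.

# Print "COUNT IP" for each client with at least THRESHOLD (default 10) responses
# in the 400-499 range, busiest first. Many 4xx from one address usually means a
# crawler guessing paths or credentials.
# Usage: access_log_error_spikes FILE [THRESHOLD]
access_log_error_spikes() {
    awk -v threshold="${2:-10}" '
        {
            # The request line is quoted, so splitting on " leaves the status
            # and size in field 3; adding 0 converts " 404 196 " to 404.
            n = split($0, part, "\"")
            if (n < 3) next            # malformed line: skip rather than miscount
            status = part[3] + 0
            if (status >= 400 && status <= 499) errors[$1]++
        }
        END {
            for (ip in errors)
                if (errors[ip] >= threshold) printf "%d %s\n", errors[ip], ip
        }' "$1" | sort -rn
}

# Print "IP METHOD PATH" for requests to paths that scanners probe for (dotfiles,
# WordPress endpoints, phpMyAdmin, traversal), whatever the response status.
# Usage: access_log_probe_paths FILE
access_log_probe_paths() {
    awk -F'"' '
        {
            split($1, pre, " ")        # pre[1] is the client IP
            split($2, req, " ")        # req[1] method, req[2] path
            if (tolower(req[2]) ~ /\/\.env|\/\.git\/|wp-login\.php|xmlrpc\.php|phpmyadmin|\/etc\/passwd|\.\.\//)
                print pre[1] " " req[1] " " req[2]
        }' "$1"
}

# Write a constructed sample log: a normal client plus one address that hammers
# non-existent paths (10 x 404, one /.env, one 403 login attempt, one 500).
# Usage: write_sample_access_log FILE
write_sample_access_log() {
    local file="$1" i
    : > "$file"
    for i in 1 2 3; do
        printf '203.0.113.5 - - [10/Oct/2023:13:55:%02d +0000] "GET /index.html HTTP/1.1" 200 1043 "-" "Mozilla/5.0"\n' "$i" >> "$file"
    done
    for i in 1 2 3 4 5 6 7 8 9 10; do
        printf '198.51.100.7 - - [10/Oct/2023:13:56:%02d +0000] "GET /backup%d.zip HTTP/1.1" 404 196 "-" "python-requests/2.31"\n' "$i" "$i" >> "$file"
    done
    printf '198.51.100.7 - - [10/Oct/2023:13:57:01 +0000] "GET /.env HTTP/1.1" 404 196 "-" "python-requests/2.31"\n' >> "$file"
    printf '198.51.100.7 - - [10/Oct/2023:13:57:02 +0000] "POST /wp-login.php HTTP/1.1" 403 199 "-" "python-requests/2.31"\n' >> "$file"
    printf '198.51.100.7 - - [10/Oct/2023:13:57:03 +0000] "GET /cgi-bin/test HTTP/1.1" 500 0 "-" "python-requests/2.31"\n' >> "$file"
}

# Stand-alone demo; on a real server run the two functions on /var/log/httpd/access_log.
access_log_demo() {
    local f
    f=$(mktemp)
    write_sample_access_log "$f"
    echo "== clients with >= 10 responses in the 4xx range =="
    access_log_error_spikes "$f" 10
    echo "== probes for well-known paths =="
    access_log_probe_paths "$f"
    rm -f "$f"
}
access_log_demo
```

The 4xx count is per source address, so a site behind a reverse proxy must log the real client (for example through mod_remoteip) or every hit will appear to come from the proxy; the probe list is a starting point and should be extended with paths that matter for your application.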
9. Keep SELinux enforcing

SELinux confines httpd to the files and network operations its policy allows, so keep it in enforcing mode (check with getenforce). The two booleans below loosen that policy rather than tighten it: httpd_can_network_connect lets httpd open outbound connections to any host (needed for reverse proxies and remote database or API back ends), and httpd_can_sendmail lets it send mail. Leave them off unless the application needs them, and where a narrower boolean exists (for example httpd_can_network_connect_db) prefer it:

# Only if the application really needs these; each widens what a compromised httpd can do
sudo setsebool -P httpd_can_network_connect 1
sudo setsebool -P httpd_can_sendmail 1

Check the current values with getsebool -a | grep httpd, and look at denials (ausearch -m avc -c httpd) before deciding which boolean, if any, is actually required.

Taken together, these measures considerably improve the security of an Apache httpd server on CentOS and protect it against unauthorised access and attacks, but they are a baseline: keep patching, review the logs, and re-check the configuration after every change.