I was given the task to setup, configure, and manage an external facing apache web server.

So I turned to my trusty Ubuntu Server 9.10 x86 CD, installed it and then ran the updates. Yes, I put LAMP on there.

After all was said and done, I grabbed my trusty internal-only php uploader script. Unfortunately it’s not fully secure – I actually had someone attack my “honeypot” site successfully by exploiting this script and a lax apache install. What makes this script so bad for use on the outside is it’s need for chmod 777 privileges. Yuck.

A good way to stop people from finding bad things to run is to hide indexing from the site (directory listing). Another is to stop executables from running in that directory.

Open up the sites-enabled configuration of apache
nano /etc/apache2/sites-enabled/000-default

Under the first virtualhost area, edit for your directory:

<VirtualHost *:80>
ServerAdmin webmaster@localhost

DocumentRoot /var/www
<Directory />
Options FollowSymLinks
AllowOverride None
</Directory>
<Directory /var/www/>
Options FollowSymLinks MultiViews
AllowOverride None
Order allow,deny
allow from all
</Directory>

ScriptAlias /cgi-bin/ /usr/lib/cgi-bin/
<Directory “/usr/lib/cgi-bin”>
AllowOverride None
Options +ExecCGI -MultiViews +SymLinksIfOwnerMatch
Order allow,deny
Allow from all
</Directory>

<Directory /var/www/upload_files/>
AllowOverride None
Options IncludesNOEXEC
Options -Indexes
Options -ExecCGI
AddHandler cgi-script .php .php3 .php4 .phtml .pl .py .jsp .asp .htm .shtml .sh .cgi .gif .pdf .jpg .png .tif .tiff .wmv .mpg .mp3 .mp4 .avi .txt .html .exe .xml .*
</Directory>

Then restart apache
apache2ctl restart