Running Apache as a User

From Zanecorpwiki

It's always a good idea to run Apache as a user so on the off chance that Apache is compromised, the cracker does not gain root access. Apache is very reliable and I've never actually seen it cracked, but running as a user is so easy there's no reason not to do it.

The only 'trick' is that only root can bind to ports at or below 1024, so Apache has to be set to listen on a high port. In an effort to be as offensive as possible using only numbers, our default high port is 42069 (and 42070 for SSL). For most sites, just configure clients to connect directly to the high port. On production machines, use the firewall to redirect the low port(s) 80 (and 443 for SSL) to the high port(s).

For iptables, the commands are:

#to route from 80 to a high port on the same machine
iptables -I INPUT -p tcp --dport 80 -j ACCEPT #open port 80
iptables -t nat -I PREROUTING -p tcp -d 192.168.100.100 --dport 80 -j DNAT --to 42069 #yes, juvenile, but free
iptables -I INPUT -p tcp --dport 42069 -j ACCEPT #don't forget to open the high port too

Without the last command, one couldn't connect to 42069 directly. In most cases the IP address (192.168.100.100 in the example) would be public. To enable SSL, run the same commands with port 443 for 80 and 42070 (or whatever) for 42069.
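As an added example (not part of the original wiki page), a small POSIX shell helper that checks an httpd.conf for the two things this setup depends on, a non-root User directive and Listen ports above 1023, and emits the three iptables commands above for any low-port/high-port pair. The config path and the public IP are assumptions you pass in; the rules are printed rather than applied so they can be reviewed first.

```shell
#!/bin/sh
# Added example: audit an Apache config for "runs as a user on a high port"
# and generate the matching iptables redirect rules.
# Assumptions: $1 to check_conf is a path to an httpd.conf-style file;
# the IP passed to redirect_rules is the address the DNAT rule should match.

# Print the three rules used on the wiki page for one low/high port pair.
redirect_rules() {
    ip=$1; low=$2; high=$3
    echo "iptables -I INPUT -p tcp --dport $low -j ACCEPT"
    echo "iptables -t nat -I PREROUTING -p tcp -d $ip --dport $low -j DNAT --to $high"
    echo "iptables -I INPUT -p tcp --dport $high -j ACCEPT"
}

# Return 0 if the config runs Apache as a non-root user and only listens on
# unprivileged ports (>1023); otherwise describe each problem and return 1.
check_conf() {
    conf=$1; rc=0
    user=$(awk '$1=="User"{print $2}' "$conf")
    if [ -z "$user" ] || [ "$user" = "root" ]; then
        echo "User directive missing or set to root in $conf"; rc=1
    fi
    # "Listen 42069", "Listen 0.0.0.0:42070 https" and "Listen [::]:42069"
    # all reduce to the bare port number after stripping up to the last ':'.
    for port in $(awk '$1=="Listen"{sub(/.*:/,"",$2); print $2}' "$conf"); do
        if [ "$port" -le 1023 ]; then
            echo "Listen $port needs root; use a high port plus DNAT instead"; rc=1
        fi
    done
    return $rc
}
```

Run `check_conf /path/to/httpd.conf` first; only when it passes, review the output of `redirect_rules <public-ip> 80 42069` (and `443 42070`) and run those commands as root.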

Also remember that all your web files must be readable by the apache user, and any upload directories or anything else Apache writes to must be writable by that user.