7.2. Modules

Modules are an important component for configuring an Apache service. They are loaded according to the instructions in the /etc/httpd/conf/httpd.conf file. These look similar to the following:

 <IfDefine HAVE_PERL> LoadModule perl_module  modules/libperl.so </IfDefine>

In the first entry, a check is made for whether the HAVE_PERL parameter is set. If it is, the LoadModule command loads the modules/libperl.so module, which is necessary for interpreting Perl scripts.

The next instruction block adds modules:

 <IfDefine HAVE_PERL> AddModule mod_perl.c </IfDefine>

By default, all installed modules or the modules included in the distribution are loaded. But this is not an efficient arrangement, because the distribution's developer cannot possibly know what modules a particular user may need. The following main script-support modules can be loaded:

perl_module Perl
php_module PHP
php3_module PHP version 3
php4_module PHP version 4
python_module Python

These modules present the biggest danger for Web servers, because they allow execution of scripts, which can be used to carry out a break-in. For example, a hacker can exploit a bug in a PHP script to execute commands on the server. Well-designed sites use only one Web programming language, and you should load only the module necessary to support the corresponding language.

I recommend using PHP for programming Web pages; this language is flexible in its configuration and can provide great security. My experience has led me to believe that hackers prefer using Perl for creating rootkits. (A rootkit is a collection of utilities that allows execution of commands and covers the hacker's tracks in the compromised machine.) But this is only my opinion. A competent Perl programmer can easily write a program that is both secure and difficult to compromise. A well-protected program can be written in any language, even the most security deficient . On the other hand, a program full of security holes can be written in the most security-efficient language. This depends only on the programmer and his or her level of knowledge and skills.

Modules that are not used should be disabled; this will greatly limit opportunities for break-ins. Remember, a running program is an administrator's enemy and a potential door a hacker can use to enter the system.

Review the modules that are loaded, and delete or comment out those that are not necessary. This will increase the security of the Web server by more than 50%. Why is this so? Although Python is seldom used by hackers, Perl and PHP are popular among them. As mentioned earlier, any program is a potential entry point into the system. Disabling one of the two programs (PHP or Perl) cuts the number of the potential doorways in half.