Securing a web server?
Results 1 to 10 of 10

Thread: Securing a web server?

  1. #1
    Junior Member
    Join Date
    Mar 2002
    Posts
    6

    Question Securing a web server?

    I'm setting up a web server using Apache for the first time. The more I read on how to set it up I also read about how to break in. This leaves me apprehensive about the whole thing. Does anyone have any general "rules of thumb" or good website for securing my machine? I run Redhat v7.2.

  2. #2
    The Iceman Cometh
    Join Date
    Aug 2001
    Posts
    1,209
    You might want to scan through the AO archives, because, if my memory serves me correctly, this has already been discussed a few times. Some people here don't take kindly to questions being asked if they've already been discussed. My suggestion would be to always check the archives before you post.

    AJ

  3. #3
    Junior Member
    Join Date
    Mar 2002
    Posts
    6
    I don't take kindly to people who don't take kindly 'round har.

  4. #4
    Senior Member
    Join Date
    Apr 2002
    Posts
    712
    Very basically... run the thing with least priviledges possible (run as a nonsense user such as "nobody" - I believe linux runs it as the user "httpd" or something similiar which, strangely enough, also has ownership of a few files, etc), in a chroot'd/sandboxed area, etc. Also, if the box has to be RedSplat, make sure it's behind a good firewall (probably a good idea in any case). Always good to start with hardening the O/S first, though.
    \"Windows has detected that a gnat has farted in the general vicinity. You must reboot for changes to take affect. Reboot now?\"

  5. #5
    Senior Member
    Join Date
    Aug 2001
    Posts
    410
    Run only the processes that you need running.

    After reading draziw's post, I remembered Bastille Linux, and SE Linux.

    Bastille Linux :
    The Bastille Hardening System attempts to "harden" or "tighten" the Linux operating system. It currently supports Red Hat and Mandrake systems, with support on the way for Debian, SuSE, TurboLinux and HP-UX. We attempt to provide the most secure, yet usable, system possible.

    Security-Enhanced Linux
    The Security-enhanced Linux kernel enforces mandatory access control policies that confine user programs and system servers to the minimum amount of privilege they require to do their jobs. When confined in this way, the ability of these user programs and system daemons to cause harm when compromised (via buffer overflows or misconfigurations, for example) is reduced or eliminated. This confinement mechanism operates independently of the traditional Linux access control mechanisms. It has no concept of a "root" super-user, and does not share the well-known shortcomings of the traditional Linux security mechanisms (such as a dependence on setuid/setgid binaries).
    savIRC :: The Multi-Platform IRC Client v. 1.8 [Released 9.04.02]

  6. #6
    Senior Member
    Join Date
    Oct 2001
    Posts
    689
    My suggestion is also to update your pHp module due to the recent major exploit found in it. Remove any modules that you will not use, for example, I dont use perl so i have no use for it.
    Wine maketh merry: but money answereth all things.
    --Ecclesiastes 10:19

  7. #7
    Senior Member
    Join Date
    Apr 2002
    Posts
    712
    Yeah, as ThePreacher says... keeping patches/applications up-to-date is always a good thing (and can be a fulltime job all on its own).
    \"Windows has detected that a gnat has farted in the general vicinity. You must reboot for changes to take affect. Reboot now?\"

  8. #8
    Junior Member
    Join Date
    Mar 2002
    Posts
    6
    Thanks for the advice!

  9. #9
    AntiOnline Senior Member souleman's Avatar
    Join Date
    Oct 2001
    Location
    Flint, MI
    Posts
    2,884
    Can I just point out something kinda irrelevant to the subject for anyone that looks at this. The Mic did an excellent job of asking his question. He said what program (Apache) and what OS (Redhat 7.2) he was running. He also asked a specific question. Please remember this when you make a post. Apache can run on NT, and there are other webservers for Linux. Only telling one of those two, the question could not correctly be answered.

    Anyway, make sure you check the apache website also. I belive that they have information on how to properly set it up.
    \"Ignorance is bliss....
    but only for your enemy\"
    -- souleman

  10. #10
    Senior Member
    Join Date
    Oct 2001
    Posts
    638
    Here's a few tips off the top of my head.

    1) Set the user to something like apache or httpd not nobody.

    2) Use the <Directory> tag to set the permissions of all your directories.

    3) Change the default error pages (they display the version of apache you're running to everyone).

    4) Learn how to use SSL virtual hosts.

    5) Turn off Server Side Includes if you don't need them (or at least the #exec command)

    6) Don't put your html/docs in with your CGI scripts

    7) Secure your CGI scripts (one of the most vulnerable points of Apache)

    Anyway, make sure you check the apache website also. I belive that they have information on how to properly set it up.
    ditto.
    OpenBSD - The proactively secure operating system.

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •