Securing a web server?

[The Mic]

I'm setting up a web server using Apache for the first time. The more I read on how to set it up I also read about how to break in. This leaves me apprehensive about the whole thing. Does anyone have any general "rules of thumb" or good website for securing my machine? I run Redhat v7.2.

[avdven]

You might want to scan through the AO archives, because, if my memory serves me correctly, this has already been discussed a few times. Some people here don't take kindly to questions being asked if they've already been discussed. My suggestion would be to always check the archives before you post.

AJ

[The Mic]

I don't take kindly to people who don't take kindly 'round har.

[draziw]

Very basically... run the thing with least priviledges possible (run as a nonsense user such as "nobody" - I believe linux runs it as the user "httpd" or something similiar which, strangely enough, also has ownership of a few files, etc), in a chroot'd/sandboxed area, etc. Also, if the box has to be RedSplat, make sure it's behind a good firewall (probably a good idea in any case). Always good to start with hardening the O/S first, though.

[gstudios]

Run only the processes that you need running.

After reading draziw's post, I remembered Bastille Linux, and SE Linux.

Bastille Linux :
The Bastille Hardening System attempts to "harden" or "tighten" the Linux operating system. It currently supports Red Hat and Mandrake systems, with support on the way for Debian, SuSE, TurboLinux and HP-UX. We attempt to provide the most secure, yet usable, system possible.

Security-Enhanced Linux
The Security-enhanced Linux kernel enforces mandatory access control policies that confine user programs and system servers to the minimum amount of privilege they require to do their jobs. When confined in this way, the ability of these user programs and system daemons to cause harm when compromised (via buffer overflows or misconfigurations, for example) is reduced or eliminated. This confinement mechanism operates independently of the traditional Linux access control mechanisms. It has no concept of a "root" super-user, and does not share the well-known shortcomings of the traditional Linux security mechanisms (such as a dependence on setuid/setgid binaries).

[ThePreacher]

My suggestion is also to update your pHp module due to the recent major exploit found in it. Remove any modules that you will not use, for example, I dont use perl so i have no use for it.

[draziw]

Yeah, as ThePreacher says... keeping patches/applications up-to-date is always a good thing (and can be a fulltime job all on its own).

[The Mic]

Thanks for the advice!

[souleman]

Can I just point out something kinda irrelevant to the subject for anyone that looks at this. The Mic did an excellent job of asking his question. He said what program (Apache) and what OS (Redhat 7.2) he was running. He also asked a specific question. Please remember this when you make a post. Apache can run on NT, and there are other webservers for Linux. Only telling one of those two, the question could not correctly be answered.

Anyway, make sure you check the apache website also. I belive that they have information on how to properly set it up.

[smirc]

Here's a few tips off the top of my head.

1) Set the user to something like apache or httpd not nobody.

2) Use the <Directory> tag to set the permissions of all your directories.

3) Change the default error pages (they display the version of apache you're running to everyone).

4) Learn how to use SSL virtual hosts.

5) Turn off Server Side Includes if you don't need them (or at least the #exec command)

6) Don't put your html/docs in with your CGI scripts

7) Secure your CGI scripts (one of the most vulnerable points of Apache)

Anyway, make sure you check the apache website also. I belive that they have information on how to properly set it up.

ditto.