Securing Apache
Can someone provide me with pointers on how I can be sure my Apache
installation is as secure as possible? I've been running Linux for
several years now and an Apache web server for the last few. I follow
guidelines on how to set it up and secure it, but I'd really be
interested in ways that I can audit my installation for potential
failings. Is there some application I can run that will tell me how
well it's set up?
Thanks


"There are 10 types of people in this world: those who understand
binary, those who don't"
--Unknown
Re: Securing Apache
Apart from doing a lot of tweaks on the config side, you might want to
consider using a security scanner like Nessus. http://www.nessus.org/
. Of course the scanner is no good if you do not keep the plugins
updated.
Also try a google search. The very first hit I got (securing apache)
is http://www.securityfocus.com/infocus/1694 . A bit outdated but I'm
sure much of it still applies.

On 6/8/05, Lorenzo Thurman <lorenzo@thethurmans.com> wrote:
> Can someone provide me with pointers on how I can be sure my Apache
> installation is as secure as possible? I've been running Linux for several
> years now and an Apache web server for the last few. I follow guidelines on
> how to set it up and secure it, but I'd really be interested in ways that I
> can audit my installation for potential failings. Is there some application
> I can run that will tell me how well it's set up?
> Thanks
>
> "There are 10 types of people in this world: those who understand binary,
> those who don't"
>
> --Unknown
>


--
"Knowledge is the only wealth that grows as you spend it, and
diminishes as you save it."
-- ancient Sanskrit saying

--
gentoo-security@gentoo.org mailing list
Re: Securing Apache
> On 6/8/05, Lorenzo Thurman <lorenzo@thethurmans.com> wrote:
> Can someone provide me with pointers on how I can be sure my Apache installation is as secure as possible? I've been running Linux for several years now and an Apache web server for the last few. I follow guidelines on how to set it up and secure it, but I'd really be interested in ways that I can audit my installation for potential failings. Is there some application I can run that will tell me how well it's set up?


If you are running an up-to-date version of Apache, and you haven't made any huge errors in the config, you're probably good.
emerge sync && glsa-check -l | grep '\[N\]' is your friend.
The problems come when you want to serve more than just static files like html, jpg, etc.

If you allow PHP/Perl/Python, make sure all the input is checked - many hacks take place because a badly written PHP page allows a user to run commands on the webserver.
He can then download other exploits to go from apache or nobody.

mod_security can help secure against SQL based attacks too.

Calum

--
http://calum.org/
Re: Securing Apache
On Wednesday 08 June 2005 15:57, Lorenzo Thurman wrote:
> Can someone provide me with pointers on how I can be sure my Apache
> installation is as secure as possible? I've been running Linux for
> several years now and an Apache web server for the last few. I follow
> guidelines on how to set it up and secure it, but I'd really be
> interested in ways that I can audit my installation for potential
> failings. Is there some application I can run that will tell me how
> well it's set up?

obvious bit: do not run apache as root.

not so obvious bit: chrooting your apache[+mysql] installation and using some
role-based access controls (like selinux's or grsecurity's) would be a great
deal of help to contain potential damage done by break-ins.

regards,
pedro venda.

--

Pedro João Lopes Venda
email: pjvenda < at > arrakis.dhis.org
http://arrakis.dhis.org
Re: Securing Apache

Lorenzo Thurman wrote:
> Can someone provide me with pointers on how I can be sure my Apache
> installation is as secure as possible? I've been running Linux for
> several years now and an Apache web server for the last few. I follow
> guidelines on how to set it up and secure it, but I'd really be
> interested in ways that I can audit my installation for potential
> failings. Is there some application I can run that will tell me how well
> it's set up?
> Thanks
>
> "There are 10 types of people in this world: those who understand
> binary, those who don't"
>
> --Unknown
>

Something I always do on my servers is put GCC and compiler tools such
as /usr/bin/(gcc|g++) etc. in a "programming" group. Then set the
executable chmod 750. This way unless I add a user to the programming
group, they can't compile things. This stops a LOT of worms/apache hacks
as they upload code and then compile it.

I also set my tmp dir to noexec so anything that got dumped in there
can't be run. Depending on how you run your site, that could be done on
your htdocs dir too. To set noexec, add it to your fstab. For example,

/dev/ida/disc0/part3 /tmp reiserfs noatime,noexec 0 0

Remove any unused modules, especially proxy. If you're not using SSL,
disable that too, as it could be exploited if an OpenSSL hole is found.

Maybe change "ServerSignature" to Email in commonapache2.conf. This
will hide the version of apache and OS. Just another thing to slow
someone down.

And as suggested, run Nessus against it.

Hope this helps,
--
Greg Watson
Security and Technology Manager
Department of Military & Veterans Affairs
GPG: 0C5B3510 Keyservers: ldap://certserver.pgp.com, pgp.dtype.org
Fingerprint: 6DC2 9DE6 98E6 A401 33EC 3F70 C95C 794A 0C5B 3510
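As an added example (not code from any of the replies above), the following POSIX shell turns the hardening points raised in this thread into scripted audit checks: noexec on /tmp, ServerSignature not On, Apache not running as root, and compiler binaries closed to "other". The fstab line and config fragment are constructed samples, and the ServerTokens check is an addition beyond what Greg mentions.

```shell
#!/bin/sh
# Added example, not code from the thread. Each check takes file contents as
# text so it can be exercised offline on the constructed samples below; on a
# live box feed it the real files (see the "Live:" comments).

# Constructed sample fstab line (device path taken from Greg's example).
SAMPLE_FSTAB='/dev/ida/disc0/part3 /tmp reiserfs noatime,noexec 0 0'

# Constructed sample Apache config fragment. ServerTokens is an added check:
# it is the directive that trims the Server: response header, which
# ServerSignature Email alone does not do.
SAMPLE_CONF='ServerSignature Email
ServerTokens Prod
User apache
Group apache'

# Pass (0) if the fstab text mounts $2 with noexec; comment lines are skipped.
# Live: check_noexec "$(cat /etc/fstab)" /tmp
check_noexec() {
    printf '%s\n' "$1" | awk -v mp="$2" '$1 !~ /^#/ && $2 == mp { print $4 }' \
        | grep -Eq '(^|,)noexec(,|$)'
}

# Pass unless the config turns ServerSignature On (Off/Email hide the banner).
check_server_signature() {
    ! printf '%s\n' "$1" | grep -Eiq '^[[:space:]]*ServerSignature[[:space:]]+On'
}

# Pass if ServerTokens is Prod (only "Apache" is sent in the Server header).
check_server_tokens() {
    printf '%s\n' "$1" | grep -Eiq '^[[:space:]]*ServerTokens[[:space:]]+Prod'
}

# Pass unless the User directive names root ("do not run apache as root").
check_apache_user() {
    ! printf '%s\n' "$1" | grep -Eiq '^[[:space:]]*User[[:space:]]+root([[:space:]]|$)'
}

# Pass if an octal mode (live: "$(stat -c %a /usr/bin/gcc)") grants nothing to
# "other", as chmod 750 on a compiler owned by the programming group does.
check_compiler_locked() {
    case "$1" in
        *[!0-7]*|'') return 1 ;;   # not an octal mode string
        *0)          return 0 ;;   # other = ---
        *)           return 1 ;;
    esac
}

# Report one PASS/FAIL line per check, run here against the samples.
report() { if "$@"; then echo "PASS: $1"; else echo "FAIL: $1"; fi; }
report check_noexec "$SAMPLE_FSTAB" /tmp
report check_server_signature "$SAMPLE_CONF"
report check_server_tokens "$SAMPLE_CONF"
report check_apache_user "$SAMPLE_CONF"
report check_compiler_locked 750
```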