Differences between version 10 and previous revision of ApacheNotes.
Newer page: version 10, last edited on Monday, June 7, 2004 5:26:13 am by AndyHoener
Older page: version 1, last edited on Monday, July 28, 2003 11:31:00 am by PerryLorier
@@ -1,4 +1,33 @@
-Apache was originally the [NCSA] httpd. However this server languished, and people had patches around to extend httpd to do what they needed or to fix bugs. Eventually a group of people got together and collated all the patches into one server which was "a patchy server" or the
"Apache server
".
+[
Apache]
was originally the [NCSA] httpd. However this server languished, and people had patches around to extend httpd to do what they needed or to fix bugs. Eventually a group of people got together and collated all the patches into one server which was "a patchy server", hence
"Apache".
-Apache is one of the critical components of [LAMP] (Linux/Apache/Mysql
/Php
).
+Apache is one of the critical components of [LAMP] ([
Linux]
/[
Apache]
/[MySQL]
/[PHP]
).
+
+----
+
+!!Security in Apache
+
+Apache recently featured in a list of security problems ([http://isc.sans.org/top20.html]). Apache is no more inherently insecure than any other web-based application, however in can been installed and configured to be insecure. Points to note when installing, configuring and mantaining Apache include:
+
+!!![CGI] scripts
+
+[CGI] scripts are probably the biggest problem. Upload and CGI directories need to be distinct (so people can't upload ''improved'' CGI scripts and as small as possible.
+
+Apache2 makes it easier to run different scripts as different users, rather than as the user that apache is running as.
+
+!!!Chroot prisons
+Chroot prisons limit the damage than can be done should an application be compromised. See [chroot(2)] for details. Apache2 has better support for this.
+
+See also: [HowToSecureProgramsHOWTO], [HowToSecurityQuickstartHOWTO], [HowToSecurityHOWTO] and [http://httpd.apache.org/docs/misc/security_tips.html]
+
+!!!Installation
+If you're going to compile and install apache from source, use [http://www.apachetoolbox.com/]
+
+!!!Firewalling apache.
+You probably should firewall the apache user from connecting out to the InterNet unless you know that they actually have to. Doing this prevents a lot of exploits that people will attempt against your website. The same idea can be applied to other services.
+ iptables --insert OUTPUT --match owner --uid-owner www-data --protocol tcp --syn --jump LOG
+ iptables --insert OUTPUT --match owner --uid-owner www-data --protocol tcp --syn --jump REJECT
+
+----
+UserSubmittedNotes
+if you want to log before rejecting, doesn't the order matter? with --insert in the above example, this would seem to reject before it logs and therefore not log at all?
.
----
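Review bot: the two iptables commands under "Firewalling apache" are in the wrong order for the stated goal of logging before rejecting, so the user-submitted note at the end of the hunk is right. `--insert` with no rule number places each rule at position 1 of the OUTPUT chain, so the REJECT rule, inserted second, lands above the LOG rule; an outbound SYN from www-data is rejected on the first match and the LOG rule is never reached. Either swap the two lines (insert REJECT first, then LOG, so LOG ends up on top), or keep the written order and use `--append` instead:
 iptables --append OUTPUT --match owner --uid-owner www-data --protocol tcp --syn --jump LOG
 iptables --append OUTPUT --match owner --uid-owner www-data --protocol tcp --syn --jump REJECT
Adding `--log-prefix "www-data outbound: "` to the LOG rule makes these entries easy to find in the kernel log. Two smaller points on the same region: `--protocol tcp --syn` only matches new outbound TCP connections, so the text's "unless you know that they actually have to" caveat should become explicit ACCEPT rules for any backend the web server legitimately talks to (a MySQL host, for example), placed ahead of the REJECT; and the `!!!Firewalling apache.` heading carries a trailing period the other `!!!` headings in the hunk do not.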