View Source:
ApacheNotes
You are viewing an old revision of this page.
[Apache] was originally the [NCSA] httpd. However, this server languished, and people circulated patches to extend httpd to do what they needed or to fix bugs. Eventually a group of people got together and collated all the patches into one server which was "a patchy server", hence "Apache".

Apache is one of the critical components of [LAMP] ([Linux]/[Apache]/[MySQL]/[PHP]).

----

!!Security in Apache

Apache recently featured in a list of security problems ([http://isc.sans.org/top20.html]). Apache is no more inherently insecure than any other web-based application; however, it can be installed and configured to be insecure. Points to note when installing, configuring and maintaining Apache include:

!!![CGI] scripts

[CGI] scripts are probably the biggest problem. Upload and CGI directories need to be distinct (so people can't upload ''improved'' CGI scripts) and as small as possible. Apache2 makes it easier to run different scripts as different users, rather than as the user that Apache is running as.

!!!Chroot prisons

Chroot prisons limit the damage that can be done should an application be compromised. See [chroot(2)] for details. Apache2 has better support for this.

See also: [HowToSecureProgramsHOWTO], [HowToSecurityQuickstartHOWTO], [HowToSecurityHOWTO] and [http://httpd.apache.org/docs/misc/security_tips.html]

!!!Installation

If you're going to compile and install Apache from source, use [http://www.apachetoolbox.com/]

!!!Firewalling Apache

You should probably firewall the Apache user from connecting out to the InterNet unless you know that it actually has to. Doing this prevents a lot of exploits that people will attempt against your website. The same idea can be applied to other services.

 iptables --insert OUTPUT --match owner --uid-owner www-data --protocol tcp --syn --jump REJECT
 iptables --insert OUTPUT --match owner --uid-owner www-data --protocol tcp --syn --jump LOG

Because --insert places each rule at the top of the chain, the LOG rule (added second) ends up ahead of the REJECT rule, so each outbound connection attempt is logged and then rejected.
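
The LOG rule above is only useful if its output gets read. As an added example (not part of the original wiki page), this script tallies which destinations the www-data user tried to reach. It assumes the LOG rule was also given `--log-prefix "APACHE-OUT: "` (the prefix text is a made-up label), and the log lines are constructed samples using documentation addresses.

```shell
#!/bin/sh
# Added example: summarise outbound connection attempts recorded by the LOG rule.
# Assumption: the LOG rule carries --log-prefix "APACHE-OUT: " so its lines can
# be told apart from other kernel messages and other LOG rules.

# Constructed sample kernel log lines (documentation addresses, not real traffic).
sample_log() {
cat <<'EOF'
Jan 10 03:12:01 web1 kernel: APACHE-OUT: IN= OUT=eth0 SRC=192.0.2.10 DST=198.51.100.7 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=4821 DF PROTO=TCP SPT=40112 DPT=6667 WINDOW=29200 RES=0x00 SYN URGP=0
Jan 10 03:12:04 web1 kernel: APACHE-OUT: IN= OUT=eth0 SRC=192.0.2.10 DST=198.51.100.7 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=4822 DF PROTO=TCP SPT=40112 DPT=6667 WINDOW=29200 RES=0x00 SYN URGP=0
Jan 10 03:15:40 web1 kernel: APACHE-OUT: IN= OUT=eth0 SRC=192.0.2.10 DST=203.0.113.25 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=911 DF PROTO=TCP SPT=51820 DPT=80 WINDOW=29200 RES=0x00 SYN URGP=0
Jan 10 03:16:02 web1 kernel: INPUT-DROP: IN=eth0 OUT= SRC=203.0.113.99 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=77 DF PROTO=TCP SPT=50001 DPT=22 WINDOW=1024 RES=0x00 SYN URGP=0
Jan 10 03:17:00 web1 cron[1203]: (root) CMD (run-parts /etc/cron.hourly)
EOF
}

# Read syslog lines on stdin; print "count dst:port", busiest destination first.
summarise_blocked() {
    awk '
    # Only lines written by our LOG rule; it matches --syn, so SYN is present.
    /APACHE-OUT: / && / SYN / {
        dst = ""; dpt = ""
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^DST=/) dst = substr($i, 5)
            if ($i ~ /^DPT=/) dpt = substr($i, 5)
        }
        # Skip truncated lines that lost either field.
        if (dst != "" && dpt != "") seen[dst ":" dpt]++
    }
    END { for (k in seen) print seen[k], k }
    ' | sort -k1,1nr -k2,2
}

# Stand-alone run over the constructed sample.
sample_log | summarise_blocked
```

On a live host, feed it the kernel log instead of `sample_log`; any destination that shows up here is something the web server user tried to contact and was refused.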