httpd-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Mark Watts <>
Subject Re: A fundamentally secure Apache server, any interest?
Date Mon, 16 Nov 2009 14:18:50 GMT
On Mon, 2009-11-16 at 08:42 -0500, Sweere, Kevin E CTR USAF AFRL/RYT
> Greetings,
> I work for the US Air Force.  We have a prototype that dramatically,
> fundamentally increases a web server's security.  
> We run an Apache server within a minimized, user-level-only, Linux variant
> only within RAM and from only a DVD (no harddrive).  With no shells, hackers
> have nowhere to go.  With no persistent memory, malware has no place to
> reside.  A simple reboot restores the website to a pristine state within
> minutes.  
> Because a LiveDVD holds the OS, apps and content, its best for static,
> non-interactive, low-volume, high-value, highly-targeted websites.  Any
> change means burning a new DVD, but this also makes testing easier and less
> noisy.  Logs are tricky to extract. 
> While it has worked well, some of us believe its usability drawbacks (e.g.
> limited ability to receive input from users, every change needs a new DVD)
> outweigh its great security benefits making it unmarketable (in govt or
> industry) and thus just another prototype to leave on the shelf.
> I'm curious what your group thinks.  Thanks in advance -- I don't quite know
> with whom to discuss this idea.
> Kevin Sweere

Hi Kevin,

The idea of a CD/DVD-ROM based webserver isn't new, I know we did some
internal research into it many years ago and came to the same
conclusions you have - the level of security offered seriously impedes
your ability to use/manage the server.

You also run into problems if your servers don't actually have an
optical drive (eg: Blades).

If I was looking for that level of assurance that my data hasn't been
tampered with, I'd be looking at using a mechanism of snapshoting your
webserver in some way such that a rollback is trivial. Linux LVM,
Solaris ZFS or even VMWare all offer this kind of snapshot and rollback.
I'd also be using TripWire or something similar to verify my content

Apache configured with minimum modules to simply serve static ASCII and
image files is about as secure at it gets for that type of content.
SELinux stops a rogue CGI from reading /etc/shadow, and mod_security
helps to block a lot of crud from ever generating a response from the

Read-Only web servers are certainly secure but by their nature, very
time-consuming to manage.


Mark Watts BSc RHCE MBCS
Senior Systems Engineer, Managed Services Manpower
QinetiQ - Delivering customer-focused solutions
GPG Key:

View raw message