httpd-users mailing list archives

From "Boyle Owen" <Owen.Bo...@swx.com>
Subject RE: [users@httpd] Hackers hacking my Apache HTTP Server?
Date Tue, 02 Sep 2003 07:33:36 GMT
Post in plain text please...

First, congratulations on getting apache running - hours of fun await
you.

Second, it's good you are concerned about security; however, I detect a
little confusion in your post. Read on...

Hackers try to break into computers - i.e. the physical box. They are
trying to get access to the data in order to steal it, vandalise it or
do whatever they want with it. The way they break in is by exploiting a
weakness in an *application* which the computer is running. Apache is an
application which serves webpages (it's a webserver!). Other
applications are mail agents (e.g. sendmail, exim, etc.), domain name
servers, FTP servers and so on. All these applications are vulnerable
because they connect your computer to the internet. They have to listen
to requests coming in from the web and respond accordingly. In the case
of apache, the requests are for web-pages and apache responds by sending
the file asked for.

Regarding the firewall, that won't help secure your webserver, as Jeff
pointed out. The reason is that all the applications listen on different
"ports" - apache uses port 80, mail on port 25, FTP on port 21 etc. A FW
acts by blocking access to ports, that is it works at the TCP/IP layer.
In order for your webserver to work you have to have port 80 open on the
FW. The FW can't tell the difference between legitimate requests and
hack-attacks (they are all just requests to port 80). Luckily, apache
can :-) 

A well-crafted application will analyse very carefully all requests that
it receives and will be protected against any trickery in those requests
- apache is a very well-crafted application. For example, a common trick
is the "buffer overflow". Some applications define a fixed size for the
amount of data that can come in on a request. If the hacker knows this,
he can prepare a request which consists of a bunch of random data which
exactly fills this fixed size, followed by a little program which he
writes. When the request is received, the random junk fills the buffer
and then the hacker program overflows into main memory where it can be
executed. Typically, it will set up an account for him so he can log in!
Apache is very well-protected against buffer overflows (and other
exploits). 

If you look back over the changes log for apache (look in the download
directory of your local mirror) you will see that apache has undergone
many refinements to block potential security holes before they are ever
exploited (pro-active security). Note also, that many of the security
advisories relate to third-party modules and not specifically to the
apache core code.

Personally, I have been running a commercial, enterprise-scale apache
webserver for 5 years and have never had a break-in. I upgrade the
server whenever a new version is published and thus we are always one
step ahead of any hacker.

Remember, however, that as soon as you connect your computer to the
internet, anyone can send messages to it (TCP/IP packets, to be exact).
There is always the possibility that some bright spark, in the future,
will come up with an unforeseen exploit. This is true of every single
application that you run on your computer, but I would have more
confidence in apache than in any other application you care to mention.

Rgds,
Owen Boyle
Disclaimer: Any disclaimer attached to this message may be ignored. 






-----Original Message-----
From: David [mailto:amdawong@starhub.net.sg]
Sent: Monday, 1 September 2003 06:35
To: HTTP Server Users
Subject: [users@httpd] Hackers hacking my Apache HTTP Server?


Hi guys,
 
I am a complete newbie to HTTP server. 
 
After some reading from online tutorials and docs from the Apache site,
I managed to get the server up and running.
I now can host my own website and I am happy with it.
 
However, I have read a lot about hackers hacking into people's
webservers. I do not know what webserver they are able to hack into.
I do not know how they do it and that is why I am a little concerned here.
How secure is the Apache HTTP Server?
If the HTTP server is not secure, will installing a firewall (i.e. free
ones like ZoneAlarm) help?
 
Warmest Regards
David
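
Added example, not part of either message above and not Apache's code: the fixed-size request buffer from the reply's buffer-overflow paragraph, with the unchecked copy beside a copy that rejects anything that does not fit. The function names and the 64-byte size are hypothetical, and the inputs are constructed.

```c
#include <stdio.h>
#include <string.h>

#define REQ_BUF_SIZE 64   /* constructed fixed buffer size for this example */

/* The pattern the reply describes: the copy trusts the sender to stay
 * within the fixed size. Shown for contrast only and never called here;
 * any data_len of REQ_BUF_SIZE or more writes past the end of buf. */
void store_request_unchecked(char *buf, const char *data, size_t data_len)
{
    memcpy(buf, data, data_len);
    buf[data_len] = '\0';
}

/* Hardened form: compare the received length with the buffer size before
 * copying. Returns 0 on success, -1 if the request does not fit (buf is
 * left empty so no partial request is processed). */
int store_request_checked(char *buf, size_t buf_size,
                          const char *data, size_t data_len)
{
    if (buf_size == 0)
        return -1;
    if (data_len >= buf_size) {   /* one byte is reserved for the NUL */
        buf[0] = '\0';
        return -1;                /* caller answers with an error instead */
    }
    memcpy(buf, data, data_len);
    buf[data_len] = '\0';
    return 0;
}

int main(void)
{
    char buf[REQ_BUF_SIZE];
    char filler[REQ_BUF_SIZE * 4];
    const char *ok = "GET /index.html HTTP/1.0";

    memset(filler, 'A', sizeof filler);   /* constructed oversized input */

    printf("normal request:    %d\n",
           store_request_checked(buf, sizeof buf, ok, strlen(ok)));
    printf("fits exactly:      %d\n",
           store_request_checked(buf, sizeof buf, filler, REQ_BUF_SIZE - 1));
    printf("one byte too long: %d\n",
           store_request_checked(buf, sizeof buf, filler, REQ_BUF_SIZE));
    return 0;
}
```

The length passed in is the byte count actually received from the socket, since data off the wire is not NUL-terminated.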