httpd-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Jay O'Brien <jayobr...@att.net>
Subject Re: [users@httpd] Security
Date Thu, 17 Mar 2005 07:53:47 GMT
Scott Gifford wrote:

> "Jay O'Brien" <jayobrien@att.net> writes:
> 
> 
>>I have apache 1.3.33 running on a FreeBSD machine, behind a Linksys 
>>BEFSR41 firewall that has port 80, and only port 80, opened to the 
>>FreeBsd box. The Win XP Pro machines on the same LAN can access the 
>>FreeBSD machine via ftp but as only port 80 is open to the internet, 
>>no one else can get to the FreeBSD machine except via Port 80.
>>
>>What should I do to handle security issues? Am I open to hacking in 
>>any way? 
> 
> 
> Keep your Apache and FreeBSD up-to-date, installing any security
> updates from your vendor.
> 
> More importantly, be very careful what Web applications you install;
> make sure they have an excellent security record, and audit them
> carefully for a secure coding style.  If you write your own, make sure
> you write them very carefully, and have another person review the code
> for security flaws.  Think hard about how people could cause your
> applications to misbehave, and make it impossible.  Code defensively,
> and use language features to help you (like perl's taint mode).  Make
> sure your code isn't vulnerable to cross-site scripting attacks.
> Learn about attacks on other applications, and make sure your script
> isn't vulnerable to them.
> 
> If you don't have anybody available who is a security expert, take
> some time to learn about secure coding practices, or hire an expert to
> audit your code.
> 
> Tools like mod_chroot and BSD jails can also help limit the damage
> that a breakin can cause.
> 
> ----ScottG.
> 

Scott, 

Thanks for the response. As it is, the only "web app" I'm running is 
count.cgi; Everthing is very simple html built in Mozilla Composer. I 
don't even know how to spell poil, much less do I know the language. 

There's only one user, me, and no one else can connect using ssh, ftp, 
or any other protocol as only port 80 is open through the external NAT 
in the router. 

It seems to me that I'm pretty well protected, just with the hardware 
router. I was hoping to get some specific comments that cover what I'm 
doing.

Jay





---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org


Mime
View raw message