httpd-users mailing list archives

From Scott Gifford <sgiff...@suspectclass.com>
Subject Re: [users@httpd] Security
Date Wed, 16 Mar 2005 03:26:33 GMT
"Jay O'Brien" <jayobrien@att.net> writes:

> I have apache 1.3.33 running on a FreeBSD machine, behind a Linksys 
> BEFSR41 firewall that has port 80, and only port 80, opened to the 
> FreeBSD box. The Win XP Pro machines on the same LAN can access the 
> FreeBSD machine via ftp but as only port 80 is open to the internet, 
> no one else can get to the FreeBSD machine except via Port 80.
>
> What should I do to handle security issues? Am I open to hacking in 
> any way? 

Keep your Apache and FreeBSD up-to-date, installing any security
updates from your vendor.

More importantly, be very careful what Web applications you install;
make sure they have an excellent security record, and audit them
carefully for a secure coding style.  If you write your own, make sure
you write them very carefully, and have another person review the code
for security flaws.  Think hard about how people could cause your
applications to misbehave, and make it impossible.  Code defensively,
and use language features to help you (like perl's taint mode).  Make
sure your code isn't vulnerable to cross-site scripting attacks.
Learn about attacks on other applications, and make sure your script
isn't vulnerable to them.

If you don't have anybody available who is a security expert, take
some time to learn about secure coding practices, or hire an expert to
audit your code.

Tools like mod_chroot and BSD jails can also help limit the damage
that a break-in can cause.

----ScottG.
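The taint-mode and cross-site-scripting advice above, as an added example that is not part of the original message: a Perl CGI script run under -T that untaints one request parameter with a strict regex and HTML-escapes anything it sends back. The parameter name `user` and the directory /var/www/profiles are assumptions.

```perl
#!/usr/bin/perl -T
# Taint mode (-T): every value that came from the request is "tainted"
# and perl refuses to use it in a file open, system() etc. until it has
# been passed through a regex capture. Run as: perl -T profile.cgi
use strict;
use warnings;
use CGI qw(:standard escapeHTML);

# Taint mode also insists on a trusted environment for child processes.
$ENV{PATH} = '/bin:/usr/bin';
delete @ENV{qw(IFS CDPATH ENV BASH_ENV)};

my $q = CGI->new;

# 1. Validate: accept only 1-16 ASCII word characters. The captured group
#    is the untainted copy; anything that does not match is rejected.
my $raw = $q->param('user') // '';
my ($user) = $raw =~ /\A([A-Za-z0-9_]{1,16})\z/
    or do { print header(-status => 400), "Bad username\n"; exit 0 };

# 2. $user can no longer contain "../", NUL or shell metacharacters,
#    so it is safe to use inside a fixed directory (assumed path).
my $file = "/var/www/profiles/$user.txt";

# 3. Escape on output: even validated data is HTML-escaped before it is
#    echoed, so nothing in the file or the parameter can inject markup.
print header(), start_html('Profile');
if (open my $fh, '<', $file) {
    my $content = do { local $/; <$fh> };
    close $fh;
    print '<pre>', escapeHTML($content // ''), '</pre>';
} else {
    print '<p>No profile for ', escapeHTML($user), '</p>';
}
print end_html();
```

Submitting `user=../../etc/passwd` or `user=<script>` fails the regex and gets a 400 instead of reaching the filesystem or the page.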

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.