httpd-users mailing list archives

From "Ivan Barrera A." <Br...@Ivn.cl>
Subject Re: [users@httpd] recommendations for checking website security holes?
Date Mon, 04 Apr 2005 13:24:23 GMT

Aman Raheja wrote:
> 2.0.53 is indeed the latest version, with fixes to known vulnerabilities.
> The security depends on what you are using. So you might want to check,
> per module that is enabled, what security threats you might face. For
> ex, if you have cgi enabled, it depends a lot on the programmers to
> ensure security, since the programs might be prone to buffer overflows.
> You might want to check for cross site scripting and other known web
> security issues. I would start looking in Google with keywords like web
> security, apache security, and the like to find more info.
> Apache docs also have security info: 
> http://httpd.apache.org/docs-2.0/misc/security_tips.html
> HTH
> - Aman Raheja
> 
> Pete Eakle wrote:
> 
>> Sorry, I forgot to mention this.  We will be running on Fedora Linux,
>> Core 2, and Apache 2.0.53.  I believe we installed the latest Apache,
>> so I don't know if the 'updates in place' issue will apply to us yet.
>>

You might want to check (as a base) for some stuff like:

- Apache/php to latest version
- (optional) php running with safe_mode on
- php running with register_globals off
- (optional) have SELinux enabled and enforcing
- /tmp, /var/tmp, /dev/shm and other temp dirs, with noexec priv.
- A firewall permitting only new and established packets, and having
syncookies enabled.
- Sometimes it is nice to "hide" versions of your programs. This won't make
your box unhackable, but it will bore some script kiddies as they don't
know what they are messing with.
- Try to use chrooted and suexec'd services... but that's kinda complex
sometimes..
and so on.
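The checklist above, turned into a few stdin-driven audit helpers as an added example (not from the original mail or the Apache project). It assumes Linux-style `mount` output, a php.ini with `register_globals`/`safe_mode` directives, and the `tcp_syncookies` sysctl; the sample inputs at the bottom are constructed.

```shell
#!/bin/sh
# Baseline audit helpers for the checklist in the mail (added example, not
# from the original post). Each function reads text on stdin, so it runs on
# the constructed samples below or on live output, e.g.:
#   mount | tmp_dirs_missing_noexec
#   cat /proc/sys/net/ipv4/tcp_syncookies | syncookies_enabled

# Print each temp dir (/tmp, /var/tmp, /dev/shm) mounted without noexec.
# Input format: `mount` lines, "<dev> on <dir> type <fs> (<opt>,<opt>,...)".
tmp_dirs_missing_noexec() {
    awk '($3 == "/tmp" || $3 == "/var/tmp" || $3 == "/dev/shm") &&
         $0 !~ /[(,]noexec[,)]/ { print $3 }'
}

# Print php.ini directives that contradict the checklist: register_globals
# must be Off; safe_mode is reported when Off (the mail marks it optional).
php_ini_findings() {
    awk -F'=' '
        /^[ \t]*;/ { next }                        # skip ini comments
        { key = $1; val = tolower($2)
          gsub(/[ \t]/, "", key); gsub(/[ \t]/, "", val) }
        key == "register_globals" && val != "off" && val != "0" {
            print "register_globals=" val }
        key == "safe_mode" && (val == "off" || val == "0") {
            print "safe_mode=" val " (optional)" }'
}

# Succeed (exit 0) only when the sysctl value on stdin is 1.
syncookies_enabled() {
    read -r v
    [ "$v" = "1" ]
}

# Constructed sample input (not captured from a real host).
SAMPLE_MOUNT='/dev/sda1 on / type ext3 (rw)
tmpfs on /dev/shm type tmpfs (rw,noexec,nosuid)
/dev/sda3 on /tmp type ext3 (rw,nosuid)
/dev/sda4 on /var/tmp type ext3 (rw,noexec,nosuid,nodev)'
SAMPLE_PHP_INI='; constructed php.ini fragment
register_globals = On
safe_mode = Off
display_errors = On'

echo "temp dirs without noexec:"
printf '%s\n' "$SAMPLE_MOUNT" | tmp_dirs_missing_noexec
echo "php.ini findings:"
printf '%s\n' "$SAMPLE_PHP_INI" | php_ini_findings
if printf '0\n' | syncookies_enabled; then echo "syncookies: on"
else echo "syncookies: off"; fi
```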
