httpd-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Joshua Slive" <jos...@slive.ca>
Subject Re: [users@httpd] Center for Internet Security's Apache Benchmark Project Update
Date Tue, 06 Nov 2007 21:29:28 GMT
On Nov 6, 2007 4:06 PM, Ryan Barnett <Ryan.Barnett@breach.com> wrote:
> > -----Original Message-----
> > From: Dragon [mailto:dragon@crimson-dragon.com]
> > Sent: Tuesday, November 06, 2007 3:52 PM
> > To: users@httpd.apache.org
> > Subject: Re: [users@httpd] Center for Internet Security's Apache
> Benchmark
> > Project Update
> >
> [Ryan Barnett] There are now PDF and html versions -
> http://apachebenchmark.sourceforge.net/CIS_Apache_Benchmark_v2.1.pdf
> http://apachebenchmark.sourceforge.net/CIS_Apache_Benchmark_v2.1.mht
>
> For this first round of feedback, we are looking for the following main
> areas -

I'm not going to do a detailed review, but a few things that pop up in
a quick scan:

- 2.2 has a much smaller default config file than the other versions.
Your suggestion to start from a blank config file is good for someone
wanting to learn apache, but not that great from a security
perspective. Some of the apache configuration directives have default
values that are LESS secure than the value used in the 2.2 default
config.

- You should use "Options None" rather than "Options -this -that
-theotherthing".

- Section 1.9 is confusing and not secure. You should make clear that
ScriptAlias should be used ONLY IF your are mapping content that would
not normally be accessible from the web (because it is outside the
DocumentRoot for example). It is the most secure solution in that
case, since it is impossible to disable script execution without also
disabling access ot the content. SetHandler/AddHandler should be used
for content that lives in a normal-web-accessible directory.

-1.10 could mention the TraceEnable directive. The <LimitExcept ...>
thing is also a little dangerous because it might override other
access controls. It should be used with care.

-1.13 the recommended KeepAliveTimeout is probably too high. You
should also mention firewall controls that could be used. (Restricting
the number of connections per IP is often helpful.) Also, AcceptFilter
can help against DoS attacks on supported systems and MaxClients can
limit their effects.

-1.17 Your logrotation script should use USR1 rather than HUP.

Joshua.

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org


Mime
View raw message