Very Computer

Hi..

Is Apache 1.3.x immune to viruses like Nimda and others like that by
default??

If not what shoul I do to make sure it is??

Thanks

Yes.  (Assuming a sufficiently restrictive interpretation of "others
like that".)

--
Joshua Slive

Apache HTTP Server Users Mailing List: http://httpd.apache.org/userslist.html

Which viruses is Apache susceptible to??

http://httpd.apache.org/userslist.html

The "I wrote a stupid CGI program that gives remote access" virus.

I would answer these questions more seriously if they showed some sign
of being researched before hand.

--
Joshua Slive

Apache HTTP Server Users Mailing List: http://httpd.apache.org/userslist.html

The amount of research has been scary...I have read so much *over the
last while that I don't know if I am even on the right track anymore..

There are so many different opinions on what constitutes a secure setup and
it all written by complete "propeller heads" and mostly totally out of date
so the normal IT person has got no chance of getting anywhere..

Then I turn to newsgroups for help but if you write the questions in a way
that makes it sound like you have ANY clue then no-one answers you because
the figure that you probably know more than they do..so I figure put in a
simple one line question hoping that someone will offer up some form of
useful information..

Alas this is not the case...

Thanks anyway..

http://www.veryComputer.com/

Well, I think that tells you one fact for sure: running a secure site
is not easy.

Quote:> Then I turn to newsgroups for help but if you write the questions in a way
> that makes it sound like you have ANY clue then no-one answers you because
> the figure that you probably know more than they do..so I figure put in a
> simple one line question hoping that someone will offer up some form of
> useful information..
> Alas this is not the case...

The answer to your question is that "no apache is not vulnerable to
any of the worms that have been circulating lately".  But, of course,
nobody who knows what they are doing is going to tell you that apache
is not vulnerable to any worms/viruses.  There is just no way to know
what may be discovered tommorow.

--
Joshua Slive

Apache HTTP Server Users Mailing List: http://www.veryComputer.com/

Thanks..

It least its somthing I don't have to worry about for now..

http://www.veryComputer.com/

Not to defend the "propeller heads" too much (being fairly certain I am
amongst their number), but security only comes in two flavors:
  1. weak/non-existant
  2. complex, on-going process of track, patch, reconfigure, etc.

This is one of the reasons that Microsoft has such an abysmal record in
this area: "security" and "convenience" are opposite ends of a single
spectrum.  M$ wants to make things "convenient" (read: easy) for their
customers.  As a result, they ship easy-to-use, almost totally insecure
products.

If you want to make security "easier" (although not quite "simple"), here
are some time proven rules to keep in mind:

1. "That which is not explicitly permitted is prohibited".  In other
   words, start by turning off every feature, bell, whistle, etc. that
   comes with a piece of software (*any* software -- even Apache).
   This is especially true for any recently installed OS distros!  Start
   by editing /etc/inetd.conf and commenting out every damn service
   that you can't *prove* you need.  If you aren't running a particular
   server, you needn't worry about staying on top of the security updates.

2. Enable only those features that you know you will need *and* that
   you understand well enough to appreciate any security exposure.

3. Make sure you are on the updates mailing list for any server that you
   are running: today's secure server is tomorrow's open gateway for
   crackers.

4. With HTTP servers in particular, understand that any server-side
   programming (i.e. any servable page that wasn't purely static) is
   a potential security hole.  Read and understand how permissions
   flow from the server to a user written piece of code.  Learn to ask
   * what-if type questions.  It has been shown over (and over and over)
   that this is exactly what crackers do: they ask "what if I stick a
   funny number/character in here, and then I pull this lever and
   then I stuff a bomb in here?  Can I blow the server up?"  Sooner or
   later the answer is *always* "Yes".  If you are on the mailing list(s),
   you will learn sooner, rather than later, about patches to close the
   latest holes.

  Cheers!

  Peter Rowell
  Datahedron Software
  peter <who is at> datahedron <dot> com

If this project were to be any more open, bits would fall out.
    -- bert hubert

Quote:> Not to defend the "propeller heads" too much (being fairly certain I am
> amongst their number), but security only comes in two flavors:
>   1. weak/non-existant
>   2. complex, on-going process of track, patch, reconfigure, etc.

You missed the most important one:
   3. By good design and engineering practice.

Quote:> This is one of the reasons that Microsoft has such an abysmal record in
> this area: "security" and "convenience" are opposite ends of a single
> spectrum.

They can be.  But that doesn't excuse getting the worst of both worlds.

Quote:> 1. "That which is not explicitly permitted is prohibited".

Any *X permits far, far more than Windoze.  So why isn't it correspondingly
more vulnerable?

Quote:> (sound advice snipped)

--
Nick Kew

Available for contract work - Programming, Unix, Networking, Markup, etc.

[...]

: If you want to make security "easier" (although not quite "simple"), here
: are some time proven rules to keep in mind:

: 1. "That which is not explicitly permitted is prohibited".  In other
:   words, start by turning off every feature, bell, whistle, etc. that
:   comes with a piece of software (*any* software -- even Apache).
:   This is especially true for any recently installed OS distros!  Start
:   by editing /etc/inetd.conf and commenting out every damn service
:   that you can't *prove* you need.  If you aren't running a particular
:   server, you needn't worry about staying on top of the security updates.

While this is good advice, I do not believe you are going far enough.
It isn't enough to simply disable certain services, you shouldn't even
install them in the first place if you aren't going to be using them.
Services can't very well be exploited or accidentally started up if
they don't even exist.

[...]

Another very important concept that you left out is that security is
*always* relative and is acheivable only in depth. *Never* rely on
only one layer.

fpsm
--
| Fredrich P. Maney              my_last_name AT my_last_name DOT org |
|   Do NOT send me HTML formatted E-mail or copies of netnews posts!  |
|  Address in header is a spamtrap. Use one in signature for replies. |
|  Please review http://www.maney.org/fred/site/uce/ before emailing. |

See your point 3.

--
Rich Teer

President,
Rite Online Inc.

Voice: +1 (250) 979-1638
URL: http://www.rite-online.net