Default Apache security??

Post by Wipe_ou » Mon, 25 Mar 2002 04:32:08



Hi..

How secure is a default apache installation on redhat 7.2??

Is there anything I should be aware of before I connect my web server to the
internet??

Thanks..

 
 
 

Default Apache security??

Post by D. Stimit » Mon, 25 Mar 2002 05:59:17



> Hi..

> How secure is a default apache installation on redhat 7.2??

> Is there anything I should be aware of before I connect my web server to the
> internet??

> Thanks..

I believe there is a PHP update to stop PHP attacks, see
ftp://updates.redhat.com. Apache itself I think has a good reputation;
the only real flaws are things attached to it. For example, CGI modules
might be a hole, whereas Apache itself probably is not. In any case, you
will have to have an updated PHP if you use PHP.



 
 
 

1. Apache Security Tips: Protect server files by default/Symlinks

Hi!

The Apache Documentation mentions a problem that if someone creates a
link to the root directory clients are allowed to walk through the
entire filesystem:

  1. # cd /; ln -s / public_html
  2. Accessing http://localhost/~root/

It's suggested to use

 <Directory />
     Order deny,allow
     Deny from all
 </Directory>

This will forbid default access to filesystem locations. Add appropriate
<Directory> blocks to allow access only in those areas you wish. For
example,

 <Directory /usr/users/*/public_html>
     Order deny,allow
     Allow from all
 </Directory>
 <Directory /usr/local/httpd>
     Order deny,allow
     Allow from all
 </Directory>

in order to overcome this problem.

<Directory />
Options None
AllowOverride None
Order deny,allow
Deny from all
</Directory>

<Directory /9gig/home/WWW>
Options Indexes FollowSymLinks
AllowOverride Limit
order allow,deny
allow from all
</Directory>

The FollowSymLinks option reintroduces the problem! If some user
accidentally or on purpose creates a link to the root directory,
everybody can walk the entire filesystem...
I guess the problem is the following:

FollowSymLinks
     The server will follow symbolic links in this directory. Note: even
     though the server follows the symlink it does not change the pathname
     used to match against <Directory> sections.

So what can I do to allow SymLinks inside my DocumentRoot but still
protect the rest of the filesystem?

  Thanks for answering this newbie question!
  Kai
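
An audit for the situation described in the post above, as an added example that is not part of the original post or of Apache: it walks a DocumentRoot and reports every symlink whose resolved target lies outside the tree, which is what FollowSymLinks would serve despite the "Deny from all" on <Directory />. The function names and the sample tree are constructed for illustration; the owner comparison mirrors what Apache's SymLinksIfOwnerMatch option checks.

```python
import os
import tempfile


def find_escaping_symlinks(docroot):
    """Return sorted (link, resolved_target, same_owner) tuples for every
    symlink under docroot whose resolved target lies outside docroot."""
    root = os.path.realpath(docroot)
    findings = []
    # followlinks=False: list links but never descend through them, so a
    # link to / cannot drag the audit across the whole filesystem.
    for dirpath, dirnames, filenames in os.walk(root, followlinks=False):
        for name in dirnames + filenames:
            link = os.path.join(dirpath, name)
            if not os.path.islink(link):
                continue
            target = os.path.realpath(link)
            if os.path.commonpath([root, target]) == root:
                continue  # resolves inside the tree: nothing new is exposed
            try:
                # The comparison Options SymLinksIfOwnerMatch makes.
                same_owner = os.lstat(link).st_uid == os.stat(target).st_uid
            except OSError:
                same_owner = False  # dangling link, target cannot be checked
            findings.append((link, target, same_owner))
    return sorted(findings)


def build_sample_tree():
    """Constructed sample: a docroot with one internal and two escaping links."""
    base = os.path.realpath(tempfile.mkdtemp())
    docroot = os.path.join(base, "WWW")
    private = os.path.join(base, "private")
    os.makedirs(os.path.join(docroot, "sub"))
    os.makedirs(private)
    open(os.path.join(docroot, "index.html"), "w").close()
    os.symlink(os.path.join(docroot, "index.html"), os.path.join(docroot, "home.html"))
    os.symlink(private, os.path.join(docroot, "sub", "leak"))
    os.symlink("/", os.path.join(docroot, "public_html"))  # the link from the post
    return docroot, private


if __name__ == "__main__":
    docroot, _ = build_sample_tree()
    for link, target, same_owner in find_escaping_symlinks(docroot):
        print(f"{link} -> {target} (same owner: {same_owner})")
```

The result is a point-in-time snapshot: any user who can write inside the tree can add a new link after the audit has run.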
