Apache Security

    I am looking at setting up an Apache server.  I was looking
around on the net for some articles on securing Apache.  I came
across several, but this one seemed to be the best of the bunch:

Is what this author is suggesting technically sufficient as far as
securing Apache is concerned?  Anything wrong with with he is

Does anybody have a good read about recommended security config for
apache 1.3/2.0?


Re: Apache Security

Basically what he says is: do not use CGIs or other "active" pages
on the server side. That is (more or less) correct, but it just cuts down
90% of what you can do.

Your call.


In 1968 it took the computing power of 2 C-64's to fly a rocket to the moon.
Now, in 1998 it takes the Power of a Pentium 200 to run Microsoft Windows 95.
Something must have gone wrong.

Re: Apache Security

Davide Bianchi wrote:

Also the performance conf is set up for a low-volume system running on
{something which isn't Linux}.

Given this and the lack of CGI, assuming he means what he says, there's not
much reason to use apache - monkeyd or thttpd would seem much more


Re: Apache Security

peeko wrote:

If you do what he suggests then your system is limited in many ways,
but surely more secure. I prefer to check the CGIs and PHP scripts with
Nessus and Nikto. And I check the bugtraqs, so if a problem like the
one with phpBB appears I update as soon as I can.



Jose Maria Lopez Hernandez
Director Tecnico de bgSEC
bgSEC Seguridad y Consultoria de Sistemas

The only people for me are the mad ones -- the ones who are mad to live,
mad to talk, mad to be saved, desirous of everything at the same time,
the ones who never yawn or say a commonplace thing, but burn, burn, burn
like fabulous yellow Roman candles.
                -- Jack Kerouac, "On the Road"

Re: Apache Security

  The recommendations that page gives such as using a chroot() and
 avoiding unnecessary modules are good.

  But in a lot of cases CGI scripts, PHP, etc, are often required
 for particular users - if you can avoid them great, but if you need
 them then you need them.

  You might be interested in using mod_security to help protect your
 server from obviously malicious attacks.  There are a good few
 introductions to it.

  Mine:   http://www.debian-administration.org/?article=65


  And the website itself:  http://www.modsecurity.org/

  It does require some knowledge to set up, but once in place it can be
 adjusted to add new rules (much like SNORT, or any other rule-based
 IDS system) to cope with new threats.

  Highly recommended for Apache users with potentially untrusted
 local users and their CGI scripts / PHP scripts.
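
An added example, not part of any post in this thread: a minimal rule set of the kind the last post describes, with one baseline rule and one rule added later for a single user's script. It assumes ModSecurity 2.x syntax (loaded as `security2_module`); the rule ids, the log path, the script path `/cgi-bin/example.cgi` and its `id` parameter are constructed placeholders.

```apache
# Added example. Assumes ModSecurity 2.x; all ids, paths and parameter
# names below are constructed placeholders, not values from the thread.
<IfModule security2_module>
    # Enforce rules (use "DetectionOnly" first to find false positives)
    SecRuleEngine On
    # Inspect POST bodies too, since CGI/PHP forms usually submit via POST
    SecRequestBodyAccess On

    # Write an audit record only for transactions that matched a rule
    # or ended in a 5xx/4xx status other than 404
    SecAuditEngine RelevantOnly
    SecAuditLogRelevantStatus "^(?:5|4(?!04))"
    SecAuditLog /var/log/apache2/modsec_audit.log

    # Baseline rule: reject directory traversal sequences in any
    # request parameter, after one extra round of URL decoding
    SecRule ARGS "@contains ../" \
        "id:100001,phase:2,t:none,t:urlDecodeUni,deny,status:403,log,\
        msg:'Directory traversal sequence in request parameter'"

    # Rule added later, when a bug is reported in one user's script and
    # the script cannot be fixed immediately: allow only a short numeric
    # value in the parameter the script uses unsafely.
    <Location /cgi-bin/example.cgi>
        SecRule ARGS:id "!@rx ^[0-9]{1,10}$" \
            "id:100002,phase:2,t:none,deny,status:403,log,\
            msg:'Unexpected characters in id parameter'"
    </Location>
</IfModule>
```

The second rule is a stopgap scoped to one script; it limits exposure until the script itself is updated, which is still the actual fix.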

