On Thu, 2002-08-01 at 03:40, Todd Lyons wrote:
> Oden Eriksson wrote on Wed, Jul 31, 2002 at 11:08:30PM +0200 :
> > 
> > > What I'd like to see for Mandrake is it as quick and
> > > easy as possible for anybody to get it to do what they
> > > want it to do (obviously while being very sensitive to
> > > security issues).
> > Yes..., it's a very sensible tightrope to walk, either usable and less 
> > secure, or not, I don't know how to accomplish both, maybe someone else does?
> 
> That's pretty easy.  The world's most secure preconfigured apache
> server:
> 
> [root@fiji /var/www]# vdir -a www
> total 12
> drwxr-xr-x    2 root     root         4096 Jul 31 19:36 .
> drwx------   23 root     root         4096 Jul 31 19:36 ..
> -rw-r--r--    1 root     root           63 Jul 31 19:36 index.html
> [root@fiji /var/www]# cat www/index.html
> > <META HTTP-EQUIV="Refresh" CONTENT="0; URL=http://google.com">
> [root@fiji /var/www]# vdir cgi-bin
> total 0
> 
> Useful?  No.  Secure?  Yes.

That's not secure. It relies on a browser obeying a redirect and it
doesn't stop someone requesting /cgi-bin/something or
/somethingelse.html. A much more secure default would be to bind Apache
to only listen to requests from the localhost (which is one of the steps
that Bastille does).

You'd then need to specifically open it up to listen to requests from
the internet. Whether that is what people installing Apache would want
is a different matter altogether. Though it would encourage them to
actually look at httpd.conf before putting it on the internet.
 
ian.
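The loopback-only default argued for above, turned into a check as an added example (not part of the thread): it classifies an httpd.conf by its Listen directives as localhost-only or exposed. The temp paths and sample configs are constructed here.

```shell
#!/bin/sh
# Added example, not from the thread: classify an Apache httpd.conf by its
# Listen directives as "localhost-only", "exposed" (reachable from other hosts)
# or "none" (no Listen directive). Handles "Listen 80", "Listen 1.2.3.4:80",
# "Listen [::1]:8080" and commented-out lines.

listen_exposure() {
    awk '
        { sub(/#.*/, "") }                  # drop comments, incl. commented-out Listen lines
        tolower($1) == "listen" {
            seen = 1
            addr = $2
            if (addr ~ /^[0-9]+$/) {
                host = "*"                  # bare port: httpd binds every interface
            } else if (addr ~ /^\[/) {
                host = addr                 # bracketed IPv6, e.g. [::1]:8080
                sub(/].*$/, "", host); sub(/^\[/, "", host)
            } else if (addr ~ /:/) {
                host = addr                 # IPv4 address or hostname with a port
                sub(/:[^:]*$/, "", host)
            } else {
                host = addr                 # address given without a port
            }
            if (host !~ /^127\./ && host != "::1" && host != "localhost") exposed = 1
        }
        END {
            if (!seen)        print "none"  # Apache 1.3 then falls back to BindAddress/Port
            else if (exposed) print "exposed"
            else              print "localhost-only"
        }' "$1"
}

# Constructed sample configs: the stock all-interfaces default, and the
# loopback-only default that must be opened up deliberately.
tmpdir=${TMPDIR:-/tmp}/listen-check.$$
mkdir -p "$tmpdir"
printf 'ServerName www.example.com\nListen 80\n' > "$tmpdir/default.conf"
printf '# Listen 80\nListen 127.0.0.1:80\nListen [::1]:80\n' > "$tmpdir/loopback.conf"

for f in default loopback; do
    printf '%s: %s\n' "$f" "$(listen_exposure "$tmpdir/$f.conf")"
done
# default: exposed
# loopback: localhost-only
rm -rf "$tmpdir"
```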

