> On 6/8/05, Lorenzo Thurman <[EMAIL PROTECTED]> wrote:
> Can someone provide me with pointers on how I can be sure my Apache
> installation is as secure as possible? I've been running Linux for several
> years now and an Apache web server for the last few. I follow guidelines on
> how to set it up and secure it, but I'd really be interested in ways that I
> can audit my installation for potential failings. Is there some application I
> can run that will tell me how well it's set up?

If you are running an up-to-date version of Apache, and you haven't made any huge errors in the config, you're probably good. emerge sync && glsa-check -l | grep '\[N\]' is your friend.

The problems come when you want to serve more than just static files like html, jpg, etc. If you allow PHP/Perl/Python, make sure all the input is checked - many hacks take place because a badly written PHP page allows a user to run commands on the webserver. He can then download other exploits to go from apache or nobody.

mod_security can help secure against SQL-based attacks too.

Calum
--
http://calum.org/
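
The input checking advised in the reply above, shown as an added example that is not part of the original message or of any project named in it. It assumes a hypothetical PHP page that runs a `host` lookup on a request parameter; the function names and sample inputs are constructed for illustration.

```php
<?php
// Added example: all names and inputs below are constructed.

// Unsafe pattern: request data is concatenated straight into a shell
// command line, so the shell interprets any metacharacters it contains.
// The string is only built here, never executed.
function lookup_unsafe(string $host): string
{
    return 'host ' . $host;   // the page would hand this to shell_exec()
}

// Checked version, step 1: allow-list validation of the hostname.
function validate_hostname(string $host): ?string
{
    if (strlen($host) > 253) {
        return null;
    }
    // Each label: letters, digits, inner hyphens, 1-63 characters.
    // A label cannot start with "-", so the value cannot pose as an option.
    $label = '[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?';
    // \A and \z anchor the whole string; "$" would accept a trailing newline.
    if (!preg_match('/\A' . $label . '(?:\.' . $label . ')*\z/', $host)) {
        return null;
    }
    return $host;
}

// Checked version, step 2: quote the validated value for the shell.
function lookup_command(string $input): ?string
{
    $host = validate_hostname($input);
    if ($host === null) {
        return null;          // reject outright instead of "cleaning" input
    }
    return 'host ' . escapeshellarg($host);
}

// Constructed sample inputs: one valid name, three that must be rejected.
$samples = ['example.org', 'example.org; echo injected', '-v', "a\nb"];
foreach ($samples as $in) {
    $cmd = lookup_command($in);
    printf("%-32s unsafe: %-34s checked: %s\n",
        json_encode($in), json_encode(lookup_unsafe($in)), $cmd ?? 'REJECTED');
}
```

Validation and escaping do different jobs here: the allow-list decides whether the request is served at all, and `escapeshellarg()` ensures that whatever passes is treated as a single argument.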
