> Hello,
>
> I'm a newbie and just got Fedora 3 core installed. Does anyone know of
> an online tutorial for configuring a secure webserver using Fedora? I'm
> planning on using it to demo and test some database projects I'm
> working on for school. I'm using a separate firewall to do port
> forwarding to the webserver box and I have mysql & php installed.

Depends on what you mean by "secure." Putting the server behind a firewall is good for shielding the OS from a variety of attacks, but by its very nature a web server must deal with HTTP traffic. Incorrect HTTP is a common method of attacking a web server; good ones will side-step such attacks most of the time, but even Apache has its occasional vulnerability.

The really big issue is the code you will write or install to drive your database application. It too has to hold up under the stress of a bad HTTP attack. It also must avoid giving someone opportunities to exploit. I highly recommend "CGI Programming with Perl" from O'Reilly. Even if you don't code in Perl you need to understand the security concepts presented, such as not piping user input through the shell. Perl offers many useful add-on modules for writing CGI code, stuff that has been around for years and scrubbed clean.

A completely different take on "secure" would be a web server capable of encrypted sessions. This is the SSL protocol. There are special versions of Apache you can install that provide this capability. It relies on OpenSSL, and to be useful you must register your server certificate at a well-known certificate authority, such as Verisign.

If you decide to use PHP or something like it, be aware that it poses additional security risks. Whatever you use, to have a secure system you must monitor security issues constantly and install patches as soon as they become available. It has to be an obsession.

Good luck, and have fun!

Gary Dunn
Honolulu
[EMAIL PROTECTED]
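
Added example (not part of the message above or of the book it recommends): one way to follow the "not piping user input through the shell" advice in Perl CGI code, by validating the parameter against an allowlist and then running the external program with the list form of open(). The handler name, the allowlist pattern, the use of printf as the external program and the sample inputs are assumptions constructed for illustration.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Allowlist check: only characters a user name can legitimately contain.
sub valid_name {
    my ($name) = @_;
    return defined($name) && $name =~ /\A[A-Za-z0-9_.-]{1,32}\z/;
}

# List form of open(): the program is executed directly with @argv as its
# argument vector, so no shell parses the values and ; | $ ` stay literal.
sub run_no_shell {
    my @argv = @_;
    open(my $out, '-|', @argv) or die "cannot run $argv[0]: $!";
    local $/;                      # read all output at once
    my $text = <$out>;
    close($out) or warn "$argv[0] failed, status $?\n";
    return $text;
}

# Hypothetical request handler: validate first, then run without a shell.
sub handle_request {
    my ($name) = @_;
    return "400 bad name\n" unless valid_name($name);
    # The pattern to avoid is a single interpolated string such as
    #   `printf '%s\n' $name`   which hands $name to /bin/sh for parsing.
    return "200 " . run_no_shell('printf', '%s\n', $name);
}

# Constructed inputs, as they might arrive in a CGI parameter.
for my $input ('alice', 'alice; echo INJECTED', '$(echo INJECTED)') {
    print "input [$input] -> ", handle_request($input);
    # Second layer: even if validation were skipped, the list form would
    # pass the metacharacters through as plain text.
    print "  no-shell output: ", run_no_shell('printf', '%s\n', $input);
}
```

Only the first input is accepted by the handler; for the other two, the no-shell call prints the input back unchanged, metacharacters included, because nothing interpreted them.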
