Dave DeGear <[EMAIL PROTECTED]> said:
> I've got my telnet and ftp servers working ok and would like to try playing
> with Apache. If I install the latest Apache rpm files should I worry
> immediately about any security problems with this? I'd like to have it running
> while I'm learning but not if I introduce too many security leaks. :-( Has
> anyone gone through this recently? I've never run a web server before.
>
> ...Dave
>
I've played a little bit with Apache. If you download the latest
version, it should be reasonably secure. Just remember that your
telnet or ftp may have security holes as well. That would open up
your web server to an attack via ftp or telnet. Also, if you are
planning on running any cgi programs, you may open yourself up that
way. You can also misconfigure Apache and open it up.

There is a book that I read called "Maximum Linux Security". It has a
rather large section devoted to securing Apache; I read through the
chapter as I was playing with the configuration files. It is a good
resource.

Oh, one more thing...

I would recommend you ditch telnet and install OpenSSL and OpenSSH.
SSH (secure shell) works similarly to telnet; however, it employs
encryption so people cannot use a traffic sniffer to get your
passwords. It can also use public key encryption for authentication,
which prevents spoofing attacks that telnet is vulnerable to. If you
plan on logging into your server remotely, SSH is a much better
alternative to telnet. SSH also allows you to forward ports from a
local computer to a remote computer. This allows you to make
encrypted "tunnels" that you can run other protocols through,
and the data will be encrypted by SSH. As far as ftp
goes, just remember that the passwords are sent in plain text. For a
web server you should probably disable anonymous ftp access.

Dan