RE: Security for webserver behind router?
-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Thanos Tsouanas
Sent: Wednesday, January 19, 2005 11:46 PM
To: freebsd-questions@freebsd.org
Subject: Re: Security for webserver behind router?

> Just how much secure do you want to be? You can run apache chrooted in
> its directory. That basically means, that if apache is installed at
> /var/www/ , you can set it so that it isn't aware of anything that's
> not under /var/www/ So, even if a security hole is found on apache,
> and someone does manage to break in, they won't be able to do much to
> the system, nor gain information about it, but will only be able to
> deal with /var/www/* ...

Not true. Naturally this is more of an academic discussion since the vast majority of cracks are perpetuated against Windows.

If they get access to the CGI directory they can launch attacks against the loopback address 127.0.0.1 and thus have access to all services on the server, including the ones that are behind the firewall. They can also attack other hosts on the same subnet and compromise those then head back to the apache box.

They can fill the disk up and if /var/tmp is on there then things might stop working.

And of course, if the server isn't configured all that well they might find a script that some cronjob is executing, that is located down in the chrooted directory and install their stuff there.

> If security is all that matters, you might want to have a look at
> OpenBSD's approach, which runs a modified apache version, chrooted by
> default.

OpenBSD's approach to security is designed to allow Theo de Raadt to run around and lecture everyone else about how crappy their security is. Out of the box an OpenBSD server is pretty useless. Secure but useless. To get it to do anything you have to start turning on things, (like the webserver, etc.) and it's those things that get broken into.

It's like when Microsoft ran around claiming that Windows NT 3.51 was C4 security compliant (Air Force manual 33-270) everyone was really impressed but what Microsoft didn't tell you is that NT only met C4 security when it didn't have a network adapter installed!!!

> P.S. Running apache chrooted is a great idea, and that's how my httpd
> is running, but it can be a PITA if you try to install it without
> understanding how it works.

I'm sure you feel more secure running it like that, if it makes you happy, go for it. Me, I'm not going to be shutting down my DMZ any time soon.

Ted

_______________________________________________
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to "[EMAIL PROTECTED]"
Re: Security for webserver behind router?
On Thu, Jan 20, 2005 at 12:27:01AM -0800, Ted Mittelstaedt wrote:
> > Just how much secure do you want to be? You can run apache chrooted
> > in its directory. That basically means, that if apache is installed
> > at /var/www/ , you can set it so that it isn't aware of anything
> > that's not under /var/www/ So, even if a security hole is found on
> > apache, and someone does manage to break in, they won't be able to
> > do much to the system, nor gain information about it, but will only
> > be able to deal with /var/www/* ...
>
> Not true. Naturally this is more of an academic discussion since the
> vast majority of cracks are perpetuated against Windows.
>
> If they get access to the CGI directory they can launch attacks
> against the loopback address 127.0.0.1 and thus have access to all
> services on the server, including the ones that are behind the
> firewall. They can also attack other hosts on the same subnet and
> compromise those then head back to the apache box.

Have you actually done such a thing with obsd? Please let me know how you did it, and let it not include a httpd -u flag on the apache, nor things like chmod -R 777 / ;)

> They can fill the disk up and if /var/tmp is on there then things
> might stop working.

Of course /var/tmp is not in /var/www...

> And of course, if the server isn't configured all that well they might
> find a script that some cronjob is executing, that is located down in
> the chrooted directory and install their stuff there.

Ok, so you put scripts under /var/www/ for use with cronjob.. is this stupid or what?

> > If security is all that matters, you might want to have a look at
> > OpenBSD's approach, which runs a modified apache version, chrooted
> > by default.
>
> OpenBSD's approach to security is designed to allow Theo de Raadt to
> run around and lecture everyone else about how crappy their security
> is. Out of the box an OpenBSD server is pretty useless. Secure but
> useless. To get it to do anything you have to start turning on things,
> (like the webserver, etc.) and it's those things that get broken into.

You obviously never used it. But the point is not to talk about obsd on a fbsd list, is it? The guy needs suggestions, and I gave him the best I could think of. See the strength points of each os, don't just act childish defending your fave. We would have the same discussion a year ago if I had suggested to a guy asking for firewalls to use pf. Of course, now pf is in freebsd so you would accept it as good.

> It's like when Microsoft ran around claiming that Windows NT 3.51 was
> C4 security compliant (Air Force manual 33-270) everyone was really
> impressed but what Microsoft didn't tell you is that NT only met C4
> security when it didn't have a network adapter installed!!!

Yes you are right. It's like that. You are funny.

> > P.S. Running apache chrooted is a great idea, and that's how my
> > httpd is running, but it can be a PITA if you try to install it
> > without understanding how it works.
>
> I'm sure you feel more secure running it like that, if it makes you
> happy, go for it. Me, I'm not going to be shutting down my DMZ any
> time soon.

Sure, if it makes you happy don't use it. Who cares.

P.S. No point of this being in the list, so if you want a reply on this thread mail me personally.

-- 
Thanos Tsouanas [EMAIL PROTECTED]
.: Sians http://thanos.sians.org/
.: http://www.sians.org/
Re: Security for webserver behind router?
From the keyboard of Ted Mittelstaedt, written on Wed, Jan 19, 2005 at 11:25:00PM -0800:
> > I am running Apache 1.3.33, as you suggest I should. You say as long
> > as Apache is secure; what should I do to be sure that Apache is
> > secure?
>
> Nothing, you nor nobody can do this. All you can do is subscribe to
> the Apache mailing list and if someone discovers a hole in Apache at
> some point in the future, then you can immediately patch your
> installation with the inevitable patch that will shortly follow.

Don't forget that Apache's nature is offering content. What about unsafe PHP/CGI-scripts? You can secure Apache, but that doesn't help when your webapplication is a big hole to your system.

Just my 0.2$c

Grtz,
-- 
Eilko.
Re: Security for webserver behind router?
--- Eilko Bos [EMAIL PROTECTED] wrote:
> From the keyboard of Ted Mittelstaedt, written on Wed, Jan 19, 2005 at
> 11:25:00PM -0800:
> > > I am running Apache 1.3.33, as you suggest I should. You say as
> > > long as Apache is secure; what should I do to be sure that Apache
> > > is secure?
> >
> > Nothing, you nor nobody can do this. All you can do is subscribe to
> > the Apache mailing list and if someone discovers a hole in Apache at
> > some point in the future, then you can immediately patch your
> > installation with the inevitable patch that will shortly follow.
>
> Don't forget that Apache's nature is offering content. What about
> unsafe PHP/CGI-scripts? You can secure Apache, but that doesn't help
> when your webapplication is a big hole to your system.
>
> Just my 0.2$c
>
> Grtz,

You can also use /usr/ports/www/mod_security to help secure Apache.
Re: Security for webserver behind router?
On Wednesday 19 January 2005 07:21, Jay O'Brien wrote:
> I've brought up a 5.3 Release machine as a learning tool, with apache
> 1.3. It is on a LAN with Windows machines, and port 80 (and only port
> 80) is open and directed by the Linksys router to the FreeBSD machine.
> It is working fine so far, but my learning curve is slower than I
> would like. I know that there's lots to learn and do later about
> security, when I bypass the Router and use the FreeBSD box as the NAT
> device, but for now I would like to confine my learning to Apache,
> with only port 80 open. I do have ftp and ssh enabled on the LAN for
> access by the Windows boxes.
>
> As I haven't done anything for security on the FreeBSD machine, am I
> exposed to anything by having port 80 open? Is there anything I should
> do now?

It's in the nature of any webserver software that it provides rich picking for hackers. If it's a learning tool, don't expose apache to the internet, you can test it perfectly well from your local network. If you want to access it from a remote location, then setup your FreeBSD firewall to allow access from a limited range of ip addresses.
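The firewall approach RW recommends, written out as an added example (this ruleset is not from the thread and not from any poster): a pf ruleset for a FreeBSD 5.3 host with a single NIC behind the Linksys router, which admits port 80 only from one remote address range, keeps ssh/ftp reachable from the LAN, and also addresses the objection Ted raises elsewhere in the thread, that a compromised CGI directory can reach services on 127.0.0.1. The interface name fxp0, the address ranges and the assumption that Apache runs as user www are constructed for illustration.

```pf
# Constructed /etc/pf.conf example (not from the thread).
# Assumptions: fxp0 is the host's only interface and faces the Linksys
# router, 192.168.1.0/24 is the LAN, 203.0.113.0/24 is a placeholder for
# the remote range allowed to reach the web server, Apache runs as "www".
lan_if    = "fxp0"
lan_net   = "192.168.1.0/24"
admin_net = "203.0.113.0/24"

# Answer blocked connection attempts with RST/unreachable instead of
# dropping them silently, so local failures show up immediately.
set block-policy return

# NOTE: do not "set skip on lo0" here; the user-based rule below relies
# on pf seeing loopback traffic.

# Default deny, logged. Every permitted flow is listed explicitly.
block log all

# Sockets owned by the www user (Apache and anything it runs from the
# CGI directory) may not originate connections on any interface,
# loopback included. Replies to already accepted requests are not
# affected: they match the state created by the "pass in" rules below
# before the ruleset is consulted. If a web application legitimately
# needs a local database or DNS, add a narrow "pass out ... user www"
# rule above this line.
block return out log quick proto { tcp, udp } all user www

# The host itself may talk out (fetching patches, DNS, ...).
pass out quick on $lan_if proto { tcp, udp } from ($lan_if) to any keep state
pass out quick on $lan_if inet proto icmp from ($lan_if) to any keep state

# Port 80: only from the named remote range, new connections only.
pass in quick on $lan_if proto tcp from $admin_net to ($lan_if) \
    port 80 flags S/SA keep state

# ssh and ftp control channel from the LAN only. The FTP data channel
# needs extra handling (an ftp proxy); that part is not shown here.
pass in quick on $lan_if proto tcp from $lan_net to ($lan_if) \
    port { 21, 22 } flags S/SA keep state

# Everything else on loopback is fine (local resolver, sshd, ...).
pass quick on lo0
```

Syntax-check the file with `pfctl -nf /etc/pf.conf` before loading it, and enable pf with `pf_enable="YES"` in /etc/rc.conf. The user-based block only constrains connections made from sockets owned by the www user; it limits what a broken CGI script can reach, it does not replace keeping Apache patched, which is the point Anthony and Ted make later in the thread.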
Re: Security for webserver behind router?
RW wrote:
> On Wednesday 19 January 2005 07:21, Jay O'Brien wrote:
> > I've brought up a 5.3 Release machine as a learning tool, with
> > apache 1.3. It is on a LAN with Windows machines, and port 80 (and
> > only port 80) is open and directed by the Linksys router to the
> > FreeBSD machine. It is working fine so far, but my learning curve is
> > slower than I would like. I know that there's lots to learn and do
> > later about security, when I bypass the Router and use the FreeBSD
> > box as the NAT device, but for now I would like to confine my
> > learning to Apache, with only port 80 open. I do have ftp and ssh
> > enabled on the LAN for access by the Windows boxes.
> >
> > As I haven't done anything for security on the FreeBSD machine, am I
> > exposed to anything by having port 80 open? Is there anything I
> > should do now?
>
> It's in the nature of any webserver software that it provides rich
> picking for hackers. If it's a learning tool, don't expose apache to
> the internet, you can test it perfectly well from your local network.
> If you want to access it from a remote location, then setup your
> FreeBSD firewall to allow access from a limited range of ip addresses.

Thanks, but what I want to know is what risk I have with port 80, and only port 80 open.

Jay
Re: Security for webserver behind router?
Jay O'Brien writes:

JOB> Thanks, but what I want to know is what risk I have with port 80,
JOB> and only port 80 open.

The risk depends on Apache, since that's the daemon answering the phone when someone calls in on port 80. Just make sure you're using the latest version of Apache (1.3.33, if you want the 1.x version, or 2.0.52, if you want the 2.x version). Some earlier versions are vulnerable. As long as Apache is secure, port 80 can be open.

-- 
Anthony
Re: Security for webserver behind router?
Anthony Atkielski wrote:
> Jay O'Brien writes:
>
> JOB> Thanks, but what I want to know is what risk I have with port 80,
> JOB> and only port 80 open.
>
> The risk depends on Apache, since that's the daemon answering the
> phone when someone calls in on port 80. Just make sure you're using
> the latest version of Apache (1.3.33, if you want the 1.x version, or
> 2.0.52, if you want the 2.x version). Some earlier versions are
> vulnerable. As long as Apache is secure, port 80 can be open.

I am running Apache 1.3.33, as you suggest I should. You say as long as Apache is secure; what should I do to be sure that Apache is secure?

If there isn't a security risk with the FreeBSD system I've described, maybe this question belongs on the Apache mailing list, not here?

Jay
Re: Security for webserver behind router?
On Wed, 19 Jan 2005 22:05:40 -0800, Jay O'Brien [EMAIL PROTECTED] wrote:
> Anthony Atkielski wrote:
> > Jay O'Brien writes:
> >
> > JOB> Thanks, but what I want to know is what risk I have with port
> > JOB> 80, and only port 80 open.
> >
> > The risk depends on Apache, since that's the daemon answering the
> > phone when someone calls in on port 80. Just make sure you're using
> > the latest version of Apache (1.3.33, if you want the 1.x version,
> > or 2.0.52, if you want the 2.x version). Some earlier versions are
> > vulnerable. As long as Apache is secure, port 80 can be open.
>
> I am running Apache 1.3.33, as you suggest I should. You say as long
> as Apache is secure; what should I do to be sure that Apache is
> secure?
>
> If there isn't a security risk with the FreeBSD system I've described,
> maybe this question belongs on the Apache mailing list, not here?

If you are interested in learning about how FreeBSD works, and are concerned about security (which frankly are two good things to be concerned with) then your best bet is to check the man pages as well as the handbook:

http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/index.html
http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/firewalls.html
http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/securing-freebsd.html

(all good things to read)

strictly speaking, by opening a port and exposing a service, an attack vector is created which someone could use against you. the best way to deal with this is to know what applications you are running to monitor them. as of now though there does not seem to be an open security hole with that version of apache...altho who knows what will happen tomorrow.

HTH
-pete

-- 
~~o0OO0o~~
Pete Wright
www.nycbug.org
NYC's *BSD User Group
RE: Security for webserver behind router?
-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Jay O'Brien
Sent: Wednesday, January 19, 2005 10:06 PM
To: FreeBSD - questions
Subject: Re: Security for webserver behind router?

> Anthony Atkielski wrote:
> > Jay O'Brien writes:
> >
> > JOB> Thanks, but what I want to know is what risk I have with port
> > JOB> 80, and only port 80 open.
> >
> > The risk depends on Apache, since that's the daemon answering the
> > phone when someone calls in on port 80. Just make sure you're using
> > the latest version of Apache (1.3.33, if you want the 1.x version,
> > or 2.0.52, if you want the 2.x version). Some earlier versions are
> > vulnerable. As long as Apache is secure, port 80 can be open.
>
> I am running Apache 1.3.33, as you suggest I should. You say as long
> as Apache is secure; what should I do to be sure that Apache is
> secure?

Nothing, you nor nobody can do this. All you can do is subscribe to the Apache mailing list and if someone discovers a hole in Apache at some point in the future, then you can immediately patch your installation with the inevitable patch that will shortly follow.

> If there isn't a security risk with the FreeBSD system I've described,
> maybe this question belongs on the Apache mailing list, not here?

It is more accurate to say that a properly setup system contains no security holes KNOWN to the general public at the time that it was setup. There is no way to guarantee security. People are always working on code looking for holes. Considering the hundred thousand or so lines of code in the source of a FreeBSD system running Apache, it is unrealistic to assume that every single bit of it is completely secure.

Even the Motion Picture Association created a hole when they came up with the CSS encryption standard that is used on every DVD sold, and the MPAA has more money than God to throw into coding (well, at least more money than anyone else in the business) in short there is absolutely no guarantee no matter how much money you shit out your arsehole over a project and no matter how much money it's worth to you, that it can be guaranteed to be secure.

Ted
Re: Security for webserver behind router?
On Thu, Jan 20, 2005 at 04:23:07AM +0100, Anthony Atkielski wrote:
> Jay O'Brien writes:
>
> JOB> Thanks, but what I want to know is what risk I have with port 80,
> JOB> and only port 80 open.
>
> The risk depends on Apache, since that's the daemon answering the
> phone when someone calls in on port 80. Just make sure you're using
> the latest version of Apache (1.3.33, if you want the 1.x version, or
> 2.0.52, if you want the 2.x version). Some earlier versions are
> vulnerable. As long as Apache is secure, port 80 can be open.

Just how much secure do you want to be? You can run apache chrooted in its directory. That basically means, that if apache is installed at /var/www/ , you can set it so that it isn't aware of anything that's not under /var/www/ So, even if a security hole is found on apache, and someone does manage to break in, they won't be able to do much to the system, nor gain information about it, but will only be able to deal with /var/www/* ...

If security is all that matters, you might want to have a look at OpenBSD's approach, which runs a modified apache version, chrooted by default.

P.S. Running apache chrooted is a great idea, and that's how my httpd is running, but it can be a PITA if you try to install it without understanding how it works.

good luck

-- 
Thanos Tsouanas [EMAIL PROTECTED]
.: Sians http://thanos.sians.org/
.: http://www.sians.org/