The best place to begin is with a security firm or consulting firm that provides security audits and has professionals who are already experienced with Tomcat and Apache httpd (along with your OS, DB and network architecture). It's never a good idea to skimp where security is concerned, and there is simply too much to learn in a short period of time to be sure of conducting a reliable audit if you haven't already worked a great deal with the software and hardware in question.
There is a great deal more involved in a security audit than ensuring that there are no configuration errors in the server software. You must first understand how the servers are operating on the network and ensure that the OS file systems are secured and the DB connectivity is knotted tight. Pay to have it done, watch and learn. A good company will provide you with complete details of the audit along with recommendations for changes, the cost of making the recommended changes and the technical reasons behind those recommendations.

If you are unable to pay for consulting services, then be prepared to study until your eyes bleed - there is a lot of material, often covering very technical topics. Hit the library or (even better) spend some time with a Starbucks at your local Barnes & Noble. Find books on Apache and Tomcat and read the security chapters. Look for books specifically targeting web server security, firewalls and network security. Be sure to target those that mention your OS specifically (especially because security configurations often vary widely by OS) and to read up on securing your OS specifically for a server environment. Learn everything you can about logging and the automated processing of logs.

Follow the book reading by scanning every mailing list and forum you can find for keywords including security, apache, tomcat and your OS (and the various combinations between them). You will raise many specific questions of your own on many security-related topics during your hunt, so don't forget to always have a notebook handy so that you can get your questions out on the mailing lists if Google won't give you the answers.

-marc

--- Luis Correia <[EMAIL PROTECTED]> wrote:

> Hi,
>
> I don't have much experience with Apache/Tomcat servers. I have to perform
> some kind of security audit on these servers...
> What and where to begin?
> What should I look for?
> For the Apache server I suppose I should look in the httpd.conf and .htaccess
> files?
> What to look for?
>
> Thanks in advance!
>
> Best Regards
>
> --
> Regards,
>
> Luís Correia