web server security

Legacy 2009. 3. 24. 17:26
ref. http://www.cgisecurity.com/apache-security.html

Apache Security

Apache documentation
Apache Security tips (1.3) (2.0) (2.2)
suEXEC Support
httpd.apache.org/docs/

Download Apache:
Main mirror download page

How to Chroot apache:
Apache chroot mini HOWTO (Note: not in English, but it provides commands that can be used) (HTML)
Chrooting Apache2 howto, October 14th, 2003 (HTML)

Misc:
Securing Apache: Step By Step, SANS GIAC - GCUX Practical Assignment (HTML) (ZIP)
Apache security advisories
Apache Security from A-Z, Lincoln Stein
Apache Security Configuration Document
Basic Apache Security Considerations, John Grotevant (PDF)
Security and Apache: An Essential Primer, Maxwell's Demon and Hat Colour
Apache Security Secrets: Revealed (PDF)
WU-FTPD and Apache Security Basics (PDF)
How to 'chroot' an Apache tree with Linux and Solaris
Using Apache with suexec on Linux
Installing and Securing the Apache Webserver with SSL
How to Use NDS eDirectory to Secure Apache Web Server for Netware, (PDF)
Securing Apache: Understanding and securing your Apache web server configuration (PDF)

Security holes... Who cares? (PDF)
A detailed write up of the slapper worm.

Securing Apache: Step-by-Step, May 14, 2003
This is a very good article that I highly suggest.

mod_security
This is an Apache module that adds an extra layer of security. If you are looking for a good free solution, this is it.

News Groups:

alt.apache.configuration
comp.infosystems.www.servers.misc
comp.infosystems.www.servers.unix


1. Don't run unnecessary servers or interpreters. If you don't need the FTP (File Transfer Protocol) server that's bundled with your Web server, don't give hackers another target: disable it, or don't install it at all. Similarly, disable scripting languages and sample scripts that you don't absolutely require.

2. Subscribe to your server vendor's security alert list. Or at least monitor its Web site regularly for patches and apply them immediately. The Computer Emergency Response Team advisory list at www.cert.org/advisories/ can be a useful resource. Don't forget to watch out for alerts and patches for your OS as well as for the Web server itself.

3. Practice good password habits. Avoid simple, easy-to-guess passwords, particularly for privileged administrator accounts. On the other hand, don't make your password rules so draconian that users resort to writing them down. Always change default passwords and eliminate unnecessary accounts (such as guest). Make sure passwords are actually enabled for sensitive areas and administration functions.

4. Know what's happening on your network. Many Web servers are free and easy to install, so watch out for well-meaning but ill-informed users who may inadvertently create security holes.

5. Use your operating system's permission mechanism. Usually the Web server runs with the permissions of a particular user account. Make sure that account has appropriately limited access.

6. Monitor your logs. Your Web server keeps track of every request; review your logs regularly for signs of out-of-the-ordinary behavior.

7. Segregate public and private data. Don't store sensitive data on the same machines as public Web servers if you don't have to. For an extranet, you might consider a "sacrificial lamb" configuration, where a Web server sits outside the firewall so that it doesn't jeopardize corporate data behind the firewall.

8. Be careful with your server configuration. Limit executable files to specific directories, and make sure their source code can't be downloaded. Turn off features such as automatic directory indexing and WebDAV publishing support if you don't need them. Run any security tools your OS or Web-server vendor provides, such as Microsoft's IIS Lockdown Tool, to identify potential weak spots.

9. Check programs for security holes. CGI scripts on Web servers are particularly prone to security breaches, especially if they don't validate user-supplied data before accessing files or operating-system services.
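Tip 9 above is about CGI scripts that use user-supplied data to reach files without validating it first. The following is an added example, not code from the original page or from the cgisecurity.com site: a minimal file-serving handler written the vulnerable way next to a hardened version that whitelists the file name and confirms the resolved path stays inside the document root. The document root, the sample files and the "secret" outside the root are constructed in a temporary directory just for the demonstration.

```python
import os
import re
import tempfile

# Constructed layout for the demo (assumption, not a real deployment):
#   <outer>/htdocs/welcome.txt   -> public content under the document root
#   <outer>/secret.txt           -> a file that must never be served
OUTER = tempfile.mkdtemp(prefix="cgi_demo_")
DOC_ROOT = os.path.join(OUTER, "htdocs")
os.mkdir(DOC_ROOT)
with open(os.path.join(DOC_ROOT, "welcome.txt"), "w") as fh:
    fh.write("hello from the document root\n")
with open(os.path.join(OUTER, "secret.txt"), "w") as fh:
    fh.write("top secret\n")

# Only plain file names are acceptable: no slashes, no NUL, no empty string.
SAFE_NAME = re.compile(r"^[A-Za-z0-9_.-]+$")


class Rejected(Exception):
    """Raised by the hardened handler when a request fails validation."""


def serve_unsafe(requested):
    """The defect tip 9 describes: the query value goes straight into the path."""
    path = os.path.join(DOC_ROOT, requested)
    with open(path) as fh:
        return fh.read()


def serve_hardened(requested):
    """Validate first, then confirm the real path is still under DOC_ROOT."""
    if not SAFE_NAME.match(requested) or requested in (".", ".."):
        raise Rejected("file name contains disallowed characters")
    root = os.path.realpath(DOC_ROOT)
    path = os.path.realpath(os.path.join(root, requested))
    # realpath() resolves symlinks and "..", so a containment check is meaningful
    if os.path.commonpath([root, path]) != root:
        raise Rejected("resolved path leaves the document root")
    with open(path) as fh:
        return fh.read()


def demo():
    """Run both handlers on a benign and a traversal request; return what happened."""
    results = {"benign": serve_hardened("welcome.txt").strip()}
    results["unsafe_leaks"] = serve_unsafe("../secret.txt").strip()
    try:
        serve_hardened("../secret.txt")
        results["hardened_blocks"] = False
    except Rejected:
        results["hardened_blocks"] = True
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The two checks are deliberately redundant: the whitelist rejects anything that is not a simple file name, and the realpath containment check catches what a whitelist alone would miss, such as a symlink inside the document root that points elsewhere.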
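Tip 6 above says to review the server logs regularly for out-of-the-ordinary behaviour. As an added example (not from the original page), here is a small reviewer for Apache's "combined" access-log format that parses each line, tallies requests and client errors per source address, and raises three kinds of alerts: server errors, requests whose decoded path contains "../", and clients whose client-error count crosses a threshold. The log lines are constructed for the example; the addresses and host names are documentation ranges, not real systems.

```python
import re
from collections import defaultdict
from urllib.parse import unquote

# Constructed sample in Apache "combined" log format (not from any real server).
SAMPLE_LOG = """\
203.0.113.5 - - [24/Mar/2009:17:26:01 +0900] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.5 - - [24/Mar/2009:17:26:02 +0900] "GET /images/logo.png HTTP/1.1" 200 2048 "http://www.example.test/index.html" "Mozilla/5.0"
198.51.100.7 - - [24/Mar/2009:17:26:03 +0900] "GET /cgi-bin/test-cgi HTTP/1.0" 404 209 "-" "-"
198.51.100.7 - - [24/Mar/2009:17:26:03 +0900] "GET /cgi-bin/printenv HTTP/1.0" 404 209 "-" "-"
198.51.100.7 - - [24/Mar/2009:17:26:04 +0900] "GET /cgi-bin/upload.cgi HTTP/1.0" 404 209 "-" "-"
198.51.100.7 - - [24/Mar/2009:17:26:04 +0900] "GET /%2e%2e/%2e%2e/etc/passwd HTTP/1.0" 400 226 "-" "-"
192.0.2.9 - - [24/Mar/2009:17:27:10 +0900] "POST /cgi-bin/feedback.cgi HTTP/1.1" 500 611 "http://www.example.test/contact.html" "Mozilla/5.0"
"""

# host ident user [time] "method path proto" status size "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) (?P<proto>HTTP/[\d.]+)" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)'
    r'(?: "(?P<referer>[^"]*)" "(?P<agent>[^"]*)")?\s*$'
)


def parse_line(line):
    """Return the fields of one combined-log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    return rec


def review_log(log_text, probe_threshold=3):
    """Summarize requests per client and collect alerts worth a human look."""
    clients = defaultdict(lambda: {"requests": 0, "client_errors": 0})
    alerts = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            # A line the format does not explain is itself worth a look.
            alerts.append(("unparsable_line", "-", line))
            continue
        stats = clients[rec["ip"]]
        stats["requests"] += 1
        if 400 <= rec["status"] < 500:
            stats["client_errors"] += 1
        if rec["status"] >= 500:
            alerts.append(("server_error", rec["ip"], rec["path"]))
        # Decode percent-encoding first so "%2e%2e/" is seen as "../"
        if "../" in unquote(rec["path"]):
            alerts.append(("traversal_probe", rec["ip"], rec["path"]))
    for ip, stats in clients.items():
        if stats["client_errors"] >= probe_threshold:
            alerts.append(("probing_client", ip, stats["client_errors"]))
    return dict(clients), alerts


if __name__ == "__main__":
    clients, alerts = review_log(SAMPLE_LOG)
    for ip, stats in clients.items():
        print(ip, stats)
    for alert in alerts:
        print("ALERT", alert)
```

Run against the sample, the burst of 404s for CGI names that do not exist on the server shows up as a probing client, the encoded traversal path is flagged even though Apache already answered it with 400, and the 500 on a real CGI is surfaced because server errors are where a script that mishandles input tends to show itself first.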
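Tips 5 and 8 above name specific configuration settings: the account the server runs as, CGI execution confined to particular directories, and directory indexing and WebDAV turned off when unused. As an added example that is not from the original page and not an Apache tool, the script below embeds two constructed httpd.conf fragments, one with the weak settings and one with the corrected directives, and audits them with a small line-based reader that tracks the enclosing <Directory> block. The audit only knows the handful of directives discussed here; a real configuration review would cover more.

```python
# Constructed weak configuration (for illustration only).
WEAK_CONF = """\
User root
Group root
DocumentRoot "/var/www/html"
<Directory "/var/www/html">
    Options Indexes FollowSymLinks ExecCGI
    AddHandler cgi-script .cgi .pl
    Dav On
</Directory>
"""

# Constructed corrected configuration: unprivileged account, no indexing,
# CGI confined to the ScriptAlias directory, no WebDAV.
HARDENED_CONF = """\
User apache
Group apache
DocumentRoot "/var/www/html"
<Directory "/var/www/html">
    Options -Indexes +FollowSymLinks
    AllowOverride None
</Directory>
ScriptAlias /cgi-bin/ "/var/www/cgi-bin/"
<Directory "/var/www/cgi-bin">
    Options None
    AllowOverride None
</Directory>
"""


def audit_conf(conf_text):
    """Return (directive, context, message) tuples for the risky settings found."""
    findings = []
    context = ["(global)"]  # stack of enclosing block arguments
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("</"):
            if len(context) > 1:
                context.pop()
            continue
        if line.startswith("<"):
            # e.g. <Directory "/var/www/html"> -> remember the path as context
            inner = line[1:-1].split(None, 1)
            context.append(inner[1].strip('"') if len(inner) > 1 else inner[0])
            continue
        parts = line.split()
        name, args = parts[0].lower(), [a.lower() for a in parts[1:]]
        where = context[-1]
        if name == "user" and args[:1] == ["root"]:
            findings.append((name, where,
                             "httpd would run as root (tip 5); use a dedicated unprivileged account"))
        elif name == "options":
            for opt in args:
                if opt in ("indexes", "+indexes", "all", "+all"):
                    findings.append((name, where,
                                     "automatic directory indexing enabled; use -Indexes"))
                if opt in ("execcgi", "+execcgi", "all", "+all"):
                    findings.append((name, where,
                                     "CGI execution allowed here; confine scripts to a ScriptAlias directory"))
        elif name == "addhandler" and "cgi-script" in args:
            findings.append((name, where,
                             "cgi-script handler bound to extensions; any such file in this tree becomes executable"))
        elif name == "dav" and args[:1] == ["on"]:
            findings.append((name, where,
                             "WebDAV publishing enabled; turn it off unless it is needed"))
    return findings


if __name__ == "__main__":
    for label, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(f"== {label}: {len(audit_conf(conf))} finding(s)")
        for directive, where, msg in audit_conf(conf):
            print(f"  {directive} in {where}: {msg}")
```

The corrected fragment keeps CGI out of the document root entirely: with ScriptAlias, scripts live in a directory that is not served as content, so their source cannot be downloaded, and the document root no longer needs ExecCGI or a cgi-script handler at all.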
