How secure is apache?


jimothy

Original Poster:

5,151 posts

238 months

Wednesday 5th October 2005
I'm starting to get my new network built. Until I can afford another PC to run in a DMZ I'm thinking of running a web server on a box in my normal network and using my router to forward requests on port 80 to Apache (and 8080 I guess for Tomcat).

If this is set up and running on a Linux box with all the default stuff set in Apache (I've never used Apache so won't be capable of doing anything special) how secure is this? I've got stuff on the network I want to keep secure (business stuff, not dodgy p0rn!) so don't want any old script kiddie cracking their way in.

Thanks

JamieBeeston

9,294 posts

266 months

Wednesday 5th October 2005
So long as you're running the latest version, it's pretty secure.

There are things you can do to firm it up (disable version display, compile in different version numbers) but these are just for the 'high security' types out there.

There have been reported root-giving bugs in older versions, but none at present.

Scripts are a different issue altogether, though; any number of scripts can lead to intrusions.

But that's not what you asked.

J
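The "disable version display" hardening mentioned above, shown as an added configuration example (not from the original post): the two httpd.conf directives that control what Apache reveals about itself, with the default setting beside the tightened one. The surrounding file layout and comments are assumptions; only the directive names and values are Apache's own.

```apache
# Default: "Server: Apache/2.x.y (Unix) mod_ssl/..." in every response, and
# error pages carry a footer naming the version and host.
ServerTokens Full
ServerSignature On

# Hardened: the header shrinks to just "Server: Apache" and error pages lose
# the footer. This hides the version from casual scanners; it does not fix
# anything, so it is no substitute for staying on a patched release.
ServerTokens Prod
ServerSignature Off
```

Restart httpd after the change and confirm with `curl -sI http://localhost/ | grep -i '^Server:'`, which should now print only `Server: Apache`.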

Plotloss

67,280 posts

271 months

Wednesday 5th October 2005
Industry strength.

A lot of the web is powered by Apache.

jimothy

Original Poster:

5,151 posts

238 months

Wednesday 5th October 2005
JamieBeeston said:
Scripts are a different issue altogether, though; any number of scripts can lead to intrusions.

But that's not what you asked.

J

Guess what my next question is then...
What are these script intrusions all about?

zumbruk

7,848 posts

261 months

Wednesday 5th October 2005
jimothy said:

JamieBeeston said:
Scripts are a different issue altogether, though; any number of scripts can lead to intrusions.

But that's not what you asked.

J

Guess what my next question is then...
What are these script intrusions all about?

If you run an insecure CGI script, then an attacker can compromise your system, even though Apache, etc., are perfectly secure.

A dumb example: you allow the user to type a filename into a text box and have the server do a directory listing for them by running an "ls" command with the provided filename, by constructing a command line and passing it to the shell. If the text I provide as a filename is actually "fred; more /etc/passwd", the command line you construct is "ls fred; more /etc/passwd", and when you pass that to a shell, I get a printout of your password file...

And there's plenty more where that came from. Have a look at the OWASP web site for help:

www.owasp.org/index.jsp

H.

jimothy

Original Poster:

5,151 posts

238 months

Wednesday 5th October 2005
zumbruk said:

If you run an insecure CGI script, then an attacker can compromise your system, even though Apache, etc., are perfectly secure.

A dumb example: you allow the user to type a filename into a text box and have the server do a directory listing for them by running an "ls" command with the provided filename, by constructing a command line and passing it to the shell. If the text I provide as a filename is actually "fred; more /etc/passwd", the command line you construct is "ls fred; more /etc/passwd", and when you pass that to a shell, I get a printout of your password file...

And there's plenty more where that came from. Have a look at the OWASP web site for help:

www.owasp.org/index.jsp

H.

Both a genius and a man with fine taste in cars!
That's my bedtime reading for tonight.