From: pete wright
To: Jay O'Brien
cc: FreeBSD - questions
Date: Wed, 19 Jan 2005 23:20:34 -0800
Subject: Re: Security for webserver behind router?

On Wed, 19 Jan 2005 22:05:40 -0800, Jay O'Brien wrote:
> Anthony Atkielski wrote:
>
> > Jay O'Brien writes:
> >
> > JOB> Thanks, but what I want to know is what risk I have with port 80,
> > JOB> and only port 80 open.
> >
> > The risk depends on Apache, since that's the daemon answering the phone
> > when someone calls in on port 80.
> >
> > Just make sure you're using the latest version of Apache (1.3.33, if you
> > want the 1.x version, or 2.0.52, if you want the 2.x version). Some
> > earlier versions are vulnerable. As long as Apache is secure, port 80
> > can be open.
> >
>
> I am running Apache 1.3.33, as you suggest I should. You say "as long as
> Apache is secure"; what should I do to be sure that Apache is secure?
>
> If there isn't a security risk with the FreeBSD system I've described,
> maybe this question belongs on the Apache mailing list, not here?
>

If you are interested in learning about how FreeBSD works, and are
concerned about security (which frankly are two good things to be
concerned with) then your best bet is to check the man pages as well as
the handbook:

http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/index.html
http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/firewalls.html
http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/securing-freebsd.html

(all good things to read)

Strictly speaking, by opening a port and exposing a service, an attack
vector is created which someone could use against you. The best way to
deal with this is to know what applications you are running and to
monitor them. As of now though there does not seem to be an open security
hole with that version of Apache...although who knows what will happen
tomorrow.

HTH
-pete

-- 
~~o0OO0o~~
Pete Wright
www.nycbug.org
NYC's *BSD User Group