From: "Ted Mittelstaedt"
To: "Jay O'Brien", "FreeBSD - questions"
Date: Wed, 19 Jan 2005 23:25:00 -0800
In-Reply-To: <41EF4A34.4020808@att.net>
Subject: RE: Security for webserver behind router?

> -----Original Message-----
> From: owner-freebsd-questions@freebsd.org
> [mailto:owner-freebsd-questions@freebsd.org]On Behalf Of Jay O'Brien
> Sent: Wednesday, January 19, 2005 10:06 PM
> To: FreeBSD - questions
> Subject: Re: Security for webserver behind router?
>
>
> Anthony Atkielski wrote:
>
> > Jay O'Brien writes:
> >
> > JOB> Thanks, but what I want to know is what risk I have with port 80,
> > JOB> and only port 80 open.
> >
> > The risk depends on Apache, since that's the daemon answering the phone
> > when someone calls in on port 80.
> >
> > Just make sure you're using the latest version of Apache (1.3.33, if you
> > want the 1.x version, or 2.0.52, if you want the 2.x version). Some
> > earlier versions are vulnerable. As long as Apache is secure, port 80
> > can be open.
> >
>
> I am running Apache 1.3.33, as you suggest I should. You say "as long as
> Apache is secure"; what should I do to be sure that Apache is secure?
>

Nothing, you nor nobody can do this. All you can do is subscribe to the
Apache mailing list and if someone discovers a hole in Apache at some
point in the future, then you can immediately patch your installation
with the inevitable patch that will shortly follow.

> If there isn't a security risk with the FreeBSD system I've described,
> maybe this question belongs on the Apache mailing list, not here?
>

It is more accurate to say that a properly set up system contains "no
security holes KNOWN to the general public at the time that it was
set up."

There is no way to guarantee security. People are always working on code
looking for holes. Considering the hundred thousand or so lines of code
in the source of a FreeBSD system running Apache, it is unrealistic to
assume that every single bit of it is completely secure.

Even the Motion Picture Association created a hole when they came up
with the CSS encryption standard that is used on every DVD sold, and the
MPAA has more money than God to throw into coding (well, at least more
money than anyone else in the business). In short, there is absolutely no
guarantee, no matter how much money you shit out your arsehole over a
project and no matter how much money it's worth to you, that it can be
guaranteed to be secure.

Ted