From: Thanos Tsouanas <thanos@sians.org>
To: freebsd-questions@freebsd.org
Date: Thu, 20 Jan 2005 09:46:24 +0200
Subject: Re: Security for webserver behind router?
Message-ID: <20050120074624.GA3246@kender.sians.org>
In-Reply-To: <1493773909.20050120042307@wanadoo.fr>
User-Agent: Mutt/1.4.2i

On Thu, Jan 20, 2005 at 04:23:07AM +0100, Anthony Atkielski wrote:
> Jay O'Brien writes:
>
> JOB> Thanks, but what I want to know is what risk I have with port 80,
> JOB> and only port 80 open.
>
> The risk depends on Apache, since that's the daemon answering the phone
> when someone calls in on port 80.
>
> Just make sure you're using the latest version of Apache (1.3.33, if you
> want the 1.x version, or 2.0.52, if you want the 2.x version). Some
> earlier versions are vulnerable. As long as Apache is secure, port 80
> can be open.

Just how secure do you want to be?

You can run apache chrooted in its directory. That basically means that
if apache is installed at /var/www/, you can set it so that it isn't
aware of anything that's not under /var/www/. So, even if a security
hole is found in apache, and someone does manage to break in, they won't
be able to do much to the system, nor gain information about it, but
will only be able to deal with /var/www/* ...

If security is all that matters, you might want to have a look at
OpenBSD's approach, which runs a modified apache version, chrooted by
default.

P.S. Running apache chrooted is a great idea, and that's how my httpd is
running, but it can be a PITA if you try to install it without
understanding how it works.

good luck

-- 
Thanos Tsouanas            .: Sians
http://thanos.sians.org/   .: http://www.sians.org/
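The "PITA" part of the post above is that a chrooted daemon only sees what you copied into the jail, so the binary, its shared libraries, /etc/passwd for the unprivileged account and a few device nodes all have to be staged by hand, and the staged tree itself must not hand an intruder anything useful (a setuid binary inside the jail is a route to uid 0, and uid 0 can leave a chroot). The script below is an added example, not code from the original post or from the FreeBSD or Apache projects: it stages a program and the libraries ldd(1) reports into a jail directory, lays out the skeleton, and audits the result. The directory layout, the "www" account with uid/gid 80 and the nologin path are assumptions for the example; the device-node step needs root and is only printed.

```shell
#!/bin/sh
# Added example, not code from the original post. Stages a dynamically
# linked program plus its shared libraries into a chroot directory, lays
# out the skeleton a daemon expects, and audits the tree. The paths, the
# "www" account and its uid/gid 80 are assumptions made for the example.

# stage_binary BIN JAIL: copy BIN (absolute path) and every shared object
# ldd(1) reports into JAIL at the same absolute paths, so the dynamic
# linker finds them once the root is switched.
stage_binary() {
    bin=$1; jail=${2%/}
    umask 022   # nothing created in the jail is group- or world-writable
    case $bin in /*) ;; *) echo "stage_binary: need an absolute path: $bin" >&2; return 1 ;; esac
    [ -x "$bin" ] || { echo "stage_binary: not executable: $bin" >&2; return 1; }
    mkdir -p "$jail$(dirname "$bin")"
    # plain cp, not cp -p: the copy is owned by the caller and any
    # setuid/setgid bit on the source is dropped on the way in
    cp "$bin" "$jail$bin" || return 1
    command -v ldd >/dev/null 2>&1 || return 0
    # ldd prints "libfoo.so => /path/libfoo.so (0x...)" and bare
    # "/lib/ld-*.so (0x...)" lines on both FreeBSD and Linux; keep every
    # field that is an absolute path and copy that file into the jail
    ldd "$bin" 2>/dev/null |
    awk '{ for (i = 1; i <= NF; i++) if ($i ~ /^\//) print $i }' |
    while read -r lib; do
        [ -f "$lib" ] || continue
        mkdir -p "$jail$(dirname "$lib")"
        cp "$lib" "$jail$lib"
    done
}

# make_skeleton JAIL: directories a daemon such as httpd expects, a sticky
# tmp, and a minimal passwd/group so lookups of the unprivileged account
# work inside the jail. Device nodes need root, so they are described only.
make_skeleton() {
    jail=${1%/}
    umask 022
    for d in bin etc dev tmp var/log var/run; do
        mkdir -p "$jail/$d"
    done
    chmod 1777 "$jail/tmp"
    # assumed account for the example; match it to the User/Group httpd runs as
    printf 'www:*:80:80:Web server:/nonexistent:/usr/sbin/nologin\n' > "$jail/etc/passwd"
    printf 'www:*:80:\n' > "$jail/etc/group"
    echo "make_skeleton: as root, populate $jail/dev (FreeBSD: mount devfs there with a restrictive ruleset; Linux: mknod $jail/dev/null c 1 3)" >&2
}

# audit_jail JAIL: chroot only narrows the view of the filesystem, so the
# tree itself must not give an intruder anything extra. Report setuid/setgid
# files, files with more than one link (a hard link can alias a file that
# lives outside the jail) and world-writable directories other than /tmp.
# Returns 1 when anything is found, 0 when the tree is clean.
audit_jail() {
    jail=${1%/}
    findings=$(
        find "$jail" -type f \( -perm -4000 -o -perm -2000 \) -print | sed 's|^|setuid/setgid: |'
        find "$jail" -type f -links +1 -print | sed 's|^|hard-linked: |'
        find "$jail" -type d -perm -0002 ! -path "$jail/tmp" -print | sed 's|^|world-writable: |'
    )
    [ -z "$findings" ] && return 0
    printf '%s\n' "$findings"
    return 1
}

# Usage: sh stage_jail.sh JAIL BIN...   then, as root: chroot JAIL BIN
if [ $# -ge 2 ]; then
    jail=$1; shift
    make_skeleton "$jail"
    for b in "$@"; do stage_binary "$b" "$jail"; done
    audit_jail "$jail"
fi
```

Once the tree passes the audit, `chroot /var/www /bin/sh -c 'ls /'` run as root is the quickest check that the jail contains only what you staged; anything httpd needs at runtime (its modules, the DocumentRoot, a log directory it can write) has to be inside that view, which is exactly what the audit keeps honest. With the Apache versions discussed in the thread the chroot has to be done from outside the daemon; later httpd releases (2.2.10 and newer) carry a ChrootDir directive, which is a fact about current httpd rather than anything the post says.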