Date: Thu, 20 Jan 2005 09:46:24 +0200
From: Thanos Tsouanas <thanos@sians.org>
To: freebsd-questions@freebsd.org
Subject: Re: Security for webserver behind router?
Message-ID: <20050120074624.GA3246@kender.sians.org>
In-Reply-To: <1493773909.20050120042307@wanadoo.fr>
References: <41EE0A7B.0@att.net> <200501200009.01258.list-freebsd-2004@morbius.sent.com> <41EF1C10.2090106@att.net> <1493773909.20050120042307@wanadoo.fr>
On Thu, Jan 20, 2005 at 04:23:07AM +0100, Anthony Atkielski wrote:
> Jay O'Brien writes:
>
> JOB> Thanks, but what I want to know is what risk I have with port 80,
> JOB> and only port 80 open.
>
> The risk depends on Apache, since that's the daemon answering the phone
> when someone calls in on port 80.
>
> Just make sure you're using the latest version of Apache (1.3.33, if you
> want the 1.x version, or 2.0.52, if you want the 2.x version). Some
> earlier versions are vulnerable. As long as Apache is secure, port 80
> can be open.

Just how secure do you want to be?

You can run apache chrooted in its directory. That basically means that
if apache is installed at /var/www/, you can set it so that it isn't
aware of anything that's not under /var/www/.

So, even if a security hole is found in apache, and someone does manage
to break in, they won't be able to do much to the system, nor gain
information about it, but will only be able to deal with /var/www/* ...

If security is all that matters, you might want to have a look at
OpenBSD's approach, which runs a modified apache version, chrooted by
default.

P.S. Running apache chrooted is a great idea, and that's how my httpd is
running, but it can be a PITA if you try to install it without
understanding how it works.

Good luck.

-- 
Thanos Tsouanas <thanos@sians.org> .: Sians
http://thanos.sians.org/ .: http://www.sians.org/
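The confinement the message describes, as an added example that is not part of the original e-mail and is not Apache's or OpenBSD's code: a forked child calls chroot() on a directory, changes into it, gives up root, and then checks that a host file is no longer reachable. The function names, the result codes, the temporary directory standing in for /var/www and the unprivileged id 65534 are assumptions made for the illustration.

```c
#define _DEFAULT_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <grp.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

enum { JAIL_CONFINED = 0, JAIL_NEED_ROOT = 1, JAIL_SETUP_FAILED = 2, JAIL_HOST_VISIBLE = 3 };

/* Child side: confine to `root`, drop to uid/gid, then probe a host-only path. */
static int enter_and_probe(const char *root, uid_t uid, gid_t gid, const char *host_path)
{
    if (chroot(root) != 0)
        return errno == EPERM ? JAIL_NEED_ROOT : JAIL_SETUP_FAILED;
    if (chdir("/") != 0)            /* without this the cwd still refers to a directory outside the jail */
        return JAIL_SETUP_FAILED;
    /* A process that stays root is not contained by chroot: drop groups, then gid, then uid. */
    if (setgroups(0, NULL) != 0 || setgid(gid) != 0 || setuid(uid) != 0)
        return JAIL_SETUP_FAILED;
    if (setuid(0) == 0)             /* regaining root must be impossible */
        return JAIL_SETUP_FAILED;
    int fd = open(host_path, O_RDONLY);   /* resolved relative to the new root */
    if (fd >= 0) { close(fd); return JAIL_HOST_VISIBLE; }
    return JAIL_CONFINED;
}

/* Run the probe in a forked child so the calling process is never jailed itself. */
int probe_jail(const char *root, uid_t uid, gid_t gid, const char *host_path)
{
    pid_t pid = fork();
    if (pid < 0) return JAIL_SETUP_FAILED;
    if (pid == 0) _exit(enter_and_probe(root, uid, gid, host_path));
    int status;
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status)) return JAIL_SETUP_FAILED;
    return WEXITSTATUS(status);
}

int main(void)
{
    char dir[] = "/tmp/jailXXXXXX";   /* constructed empty directory standing in for /var/www */
    if (!mkdtemp(dir)) return 1;
    int r = probe_jail(dir, 65534, 65534, "/etc/passwd");   /* 65534: assumed unprivileged id */
    printf("result=%d (0 confined, 1 need root, 2 setup failed, 3 host file visible)\n", r);
    rmdir(dir);
    return 0;
}
```

chroot() needs root, so an unprivileged run reports "need root". The empty jail is also why a chrooted httpd needs every file it opens at run time copied under the new root.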