
Re: [suse-security] Web Server Security



Hi!

There are several methods for securing your webserver:

- file rights
- chroot-ing
- compartment (set "kernel attributes" for file execution)
- (n)ids
- logserver for all servers within your network (no local logging)
- install only needed stuff - no more, no less
- secure php.ini
- disable suexec within apache config
- minimal php/other modules setup
- run mysql without network support (access only over localhost/127.0.0.1)
- restrict usage of directories to only inside special folders
(php.ini: open_basedir) - this will only allow this directory as root
for webpages; no traversal out of this directory will be allowed!
- disable cgi ...
- customize your logs (log what's needed and extra data which might be
interesting, but not too much)
- with ssl, enable high encryption
[...]

By setting rights on programs that may be used by another app (e.g. at
apache startup) you may alter your configuration.
Better give apache a restricted bash!
Try chrooting your apache instead to make it way more secure.

Make a chroot jail by copying all needed libraries and stuff to
/var/chroot/apache (/bin, /etc, and so on) and start apache as an
unprivileged user from the chroot. This will give a script kiddie no
rights except within the chroot jail.
Maybe you want ACLs (not comparable to file rights!) within the chroot.

Note: The more effort you put into security, the more time you will
consume doing so! The more secure a daemon is, the more difficult it
will be to "get it running".

Regards

Philippe

--

This message is digitally signed and contains neither seal nor
signature!

Unsolicited sending of advertising e-mail to private individuals violates
§1 UWG and 823 I BGB (decision of the LG Berlin of 2 Aug 1998, case no.:
16 O 201/98). Any commercial use of the transmitted personal data, as
well as passing it on to third parties, is expressly prohibited!
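As an added example (not code from Philippe's post), a POSIX shell helper for the "copy all needed libraries" step of the chroot jail he describes: copy_with_libs places a binary into the jail at its original path and pulls in every shared object and the dynamic loader that ldd reports for it. The jail path /var/chroot/apache is the one from the post; the Apache binary path /usr/sbin/httpd2-prefork is an assumed SUSE location, and the function names are my own.

```shell
#!/bin/sh
# Populate a chroot jail with a binary and the shared libraries it needs.
# JAIL defaults to /var/chroot/apache (the path from the post);
# APACHE_BIN is an assumed SUSE location, adjust for your install.
set -eu

JAIL="${JAIL:-/var/chroot/apache}"
APACHE_BIN="${APACHE_BIN:-/usr/sbin/httpd2-prefork}"

# copy_with_libs <binary> <jail>
# Copies <binary> to <jail><binary>, then every shared object and the
# dynamic loader that ldd lists for it. Returns 1 if <binary> is not
# an executable file, 0 otherwise.
copy_with_libs() {
    bin=$1
    jail=$2
    [ -f "$bin" ] && [ -x "$bin" ] || { echo "not executable: $bin" >&2; return 1; }
    mkdir -p "$jail$(dirname "$bin")"
    cp -p "$bin" "$jail$bin"
    # ldd lines look like "libc.so.6 => /lib/libc.so.6 (0x...)" for
    # libraries and "/lib64/ld-linux-x86-64.so.2 (0x...)" for the loader;
    # static binaries or a missing ldd simply yield no paths to copy.
    if command -v ldd >/dev/null 2>&1; then
        ldd "$bin" 2>/dev/null \
            | awk '/=> \//{print $3} /^[[:space:]]*\//{print $1}' \
            | while read -r lib; do
                [ -f "$lib" ] || continue
                mkdir -p "$jail$(dirname "$lib")"
                cp -p "$lib" "$jail$lib"
              done
    fi
    return 0
}

# Count regular files placed under the jail (quick sanity check).
jail_file_count() {
    find "$1" -type f | wc -l | tr -d ' '
}

# Build the jail only when invoked with "build", so the functions above
# can also be sourced on their own.
if [ "${1:-}" = build ]; then
    for b in "$APACHE_BIN" /bin/sh; do
        copy_with_libs "$b" "$JAIL"
    done
    echo "$(jail_file_count "$JAIL") files in $JAIL"
    # Next: run Apache inside the jail as an unprivileged user (chroot "$JAIL"
    # plus the User/Group directives), and copy the /etc files it still needs.
fi
```

Run it as `sh jail.sh build` as root once; repeat it after every library or Apache update, since the copies inside the jail do not follow the system's package upgrades.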

