Introduction to the Apache Web Server - ApacheCon
Section 19
Security
http://httpd.apache.org/docs/misc/security-tips.html
19.1 Overview
Apache has a significantly lower incidence of security problems, and a significantly higher speed of resolving
those problems, than that other web server. However, the last several releases have been security bug fix
releases. And, although we try to ship Apache "secure by default", there are a number of things that you
can do to improve the situation, as well as a lot of things that you can do to make it worse.
Here’s the simplistic list of what you should do.
• Keep file permissions as restrictive as possible
• Disable unused ports
• Remove unnecessary user accounts
• Don’t use telnet
• Limit modules (Don’t have modules installed that you are not using)
• Avoid FrontPage like the plague
• Avoid SSI where not necessary
• Don’t use the system password file for authentication
• Don’t put your password file in a document directory
• Develop on a staging server
• Keep up with OS and Apache security patches.
• Restrict CGI
• Use suexec for CGI
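As an added illustration (not part of the original course notes), the following Python script checks a configuration file against four of the items above: SSI, CGI, the system password file, and password files in a document directory. The sample configuration and its paths are constructed, and the check reads only the DocumentRoot, AuthUserFile and Options directives of a single file.

```python
import posixpath

# Constructed sample configuration that violates several checklist items.
SAMPLE_CONF = """\
DocumentRoot "/var/www/html"
<Directory "/var/www/html">
    Options Indexes Includes ExecCGI
    AuthUserFile /var/www/html/private/.htpasswd
</Directory>
<Directory "/var/www/html/intranet">
    AuthUserFile /etc/passwd
</Directory>
"""

SYSTEM_PW_FILES = {"/etc/passwd", "/etc/shadow"}


def audit(conf_text):
    """Return sorted (line_number, finding) pairs for checklist violations."""
    findings, docroots, pwfiles = [], [], []
    for n, raw in enumerate(conf_text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        name = parts[0].lower()
        arg = parts[1].strip() if len(parts) > 1 else ""
        if name == "documentroot":
            docroots.append(posixpath.normpath(arg.strip('"')))
        elif name == "authuserfile":
            pwfiles.append((n, posixpath.normpath(arg.strip('"'))))
        elif name == "options":
            # Options prefixed with "-" are being switched off, so skip them.
            on = {o.lstrip("+").lower() for o in arg.split() if not o.startswith("-")}
            if "all" in on or any(o.startswith("includes") for o in on):
                findings.append((n, "SSI enabled: confirm it is necessary"))
            if on & {"all", "execcgi"}:
                findings.append((n, "CGI enabled: restrict it, consider suexec"))
    # Path checks run last so every DocumentRoot in the file is known.
    for n, path in pwfiles:
        if path in SYSTEM_PW_FILES:
            findings.append((n, "system password file used for authentication"))
        if any(path == d or path.startswith(d.rstrip("/") + "/") for d in docroots):
            findings.append((n, "password file inside a document directory"))
    return sorted(findings)


if __name__ == "__main__":
    for lineno, finding in audit(SAMPLE_CONF):
        print(f"line {lineno}: {finding}")
```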
Ok, now, in more detail ...