On Tuesday 04 December 2001 13:25, you wrote:
> Anyone point me to a good resource on Securing Apache?
>
> Any views, points you would like to share??

There are some useful articles available from Apache's own site. If you have
in-house developed CGIs or use commercial tools, I'd expect that to be the
main risk area; most developers are more aware of deadlines than best
security programming practice.

There were also articles on securityfocus or securityportal sites, though at
least one became defunct after a takeover. Kurt Seifried hangs out on the
SuSE security list; a good ploy might be to ask if anyone has Kurt's articles
on Apache, to that list ;)

As for anything security-wise, really it's up to you to define the
cost/benefits and apply common sense. It depends a lot on what you're
protecting, but I like to have a protected master server, and keep public web
servers as sacrificial hosts. rsync with ssh works well for updates, and ftp
is one of the nasties that has been used for infiltration in the past.

You might like tools like Portsentry to try and detect hostile scanning and
roll down the security blanket.

Rob
--------------------------------------------------------------------
http://www.lug.org.uk http://www.linuxportal.co.uk
http://www.linuxjob.co.uk http://www.linuxshop.co.uk
--------------------------------------------------------------------