[plug] Securing your webserver
Leon Brooks
leon at cyberknights.com.au
Sat Aug 20 21:23:03 WST 2005
On Saturday 20 August 2005 11:19, Quintin Lette wrote:
> f. Take any advice/articles with a grain of salt (including mine)
g. If you can run your webserver (or any other service) as a non-root
user (or better still, chrooted (or better again, both)), do so.
h. If it doesn't need to write to the web tree, don't let it. Methods of
stopping this include but are not limited to:
* let something else own the files, give Apache read access only
through membership of a group devoted to the purpose;
* chattr -R +i /path/to/DocumentRoot;
* SELinux kernel and appropriate transition limitations;
* mount the entire partition readonly.
i. simplify each service as much as possible; if it's only serving "flat
files" (no scripting), rip out mod_perl, mod_php, mod_python etc. If
you're not uploading files through the webserver, rip out mod_dav.
Never, ever use mod_frontpage.
j. security by obscurity can help, just don't *depend* on it. Put ports
for services like SSH and RSYNC at odd addresses, for example.
k. Use a non-x86 architecture. Even AMD64 or the like is still obscure
enough to help. An old Alpha will totally bamboozle the nasties.
Cheers; Leon
--
http://cyberknights.com.au/ Modern tools; traditional dedication
http://plug.linux.org.au/ Member, Perth Linux User Group
http://slpwa.asn.au/ Member, Linux Professionals WA
http://osia.net.au/ Member, Open Source Industry Australia
http://linux.org.au/ Member, Linux Australia
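A worked check for point (h) above, added here as an example rather than anything from the original post or its author. It uses only ordinary permission bits (owner, group, other), so it does not see ACLs, SELinux labels or chattr +i; the web server user name and the DocumentRoot path are assumed to be passed in by the caller.

```sh
#!/bin/sh
# Added example, not part of the original mailing-list post.
# Audit a DocumentRoot for anything the web server user could write to,
# then optionally tighten the tree so it is read-only for everyone but root.
# Assumptions: the server runs as the named user (e.g. www-data); group
# membership comes from `id -Gn`; group names contain no whitespace.

# List every file or directory under $1 that user $2 can write to, judging
# by mode bits only (ACLs, SELinux and chattr +i are not consulted).
list_writable_by() {
  root="$1"
  web_user="$2"
  id "$web_user" >/dev/null 2>&1 || { echo "no such user: $web_user" >&2; return 2; }

  # Build one "( -group G -perm -g+w )" clause per group the user belongs to.
  group_tests=""
  for g in $(id -Gn "$web_user"); do
    group_tests="$group_tests -o ( -group $g -perm -g+w )"
  done

  # $group_tests is deliberately unquoted so find sees the clauses as words.
  find "$root" \( -perm -o+w \
                -o \( -user "$web_user" -perm -u+w \) \
                $group_tests \) -print
}

# Number of writable entries; 0 means the tree is read-only for that user.
count_writable_by() {
  list_writable_by "$1" "$2" | wc -l | tr -d ' '
}

# Make the tree read-only for the owner and group as well (0550 dirs, 0440
# files). Run as the owner or root; combine with a group that the web server
# user belongs to and that owns the files, as the post suggests.
harden_docroot() {
  root="$1"
  find "$root" -type f -exec chmod 0440 {} +
  find "$root" -type d -exec chmod 0550 {} +
}

# Usage: ./audit.sh /var/www/html www-data
if [ $# -ge 1 ]; then
  list_writable_by "$1" "${2:-www-data}"
fi
```

Anything the script prints is a file the web server could modify if it were compromised; the remaining items in the post (chattr +i, SELinux transitions, a read-only mount) each close a hole this mode-bit check cannot see.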