Posted to users@httpd.apache.org by Jay O'Brien <ja...@att.net> on 2005/03/16 03:21:18 UTC

[users@httpd] Security

I have apache 1.3.33 running on a FreeBSD machine, behind a Linksys 
BEFSR41 firewall that has port 80, and only port 80, opened to the 
FreeBsd box. The Win XP Pro machines on the same LAN can access the 
FreeBSD machine via ftp but as only port 80 is open to the internet, 
no one else can get to the FreeBSD machine except via Port 80.

What should I do to handle security issues? Am I open to hacking in 
any way? 

Jay O'Brien 
Rio Linda, California USA

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org


Re: [users@httpd] Security

Posted by Jay O'Brien <ja...@att.net>.
Scott Gifford wrote:

> "Jay O'Brien" <ja...@att.net> writes:
> 
> 
>>I have apache 1.3.33 running on a FreeBSD machine, behind a Linksys 
>>BEFSR41 firewall that has port 80, and only port 80, opened to the 
>>FreeBsd box. The Win XP Pro machines on the same LAN can access the 
>>FreeBSD machine via ftp but as only port 80 is open to the internet, 
>>no one else can get to the FreeBSD machine except via Port 80.
>>
>>What should I do to handle security issues? Am I open to hacking in 
>>any way? 
> 
> 
> Keep your Apache and FreeBSD up-to-date, installing any security
> updates from your vendor.
> 
> More importantly, be very careful what Web applications you install;
> make sure they have an excellent security record, and audit them
> carefully for a secure coding style.  If you write your own, make sure
> you write them very carefully, and have another person review the code
> for security flaws.  Think hard about how people could cause your
> applications to misbehave, and make it impossible.  Code defensively,
> and use language features to help you (like perl's taint mode).  Make
> sure your code isn't vulnerable to cross-site scripting attacks.
> Learn about attacks on other applications, and make sure your script
> isn't vulnerable to them.
> 
> If you don't have anybody available who is a security expert, take
> some time to learn about secure coding practices, or hire an expert to
> audit your code.
> 
> Tools like mod_chroot and BSD jails can also help limit the damage
> that a breakin can cause.
> 
> ----ScottG.
> 

Scott, 

Thanks for the response. As it is, the only "web app" I'm running is 
count.cgi. Everything is very simple html built in Mozilla Composer. I 
don't even know how to spell poil, much less do I know the language. 

There's only one user, me, and no one else can connect using ssh, ftp, 
or any other protocol as only port 80 is open through the external NAT 
in the router. 

It seems to me that I'm pretty well protected, just with the hardware 
router. I was hoping to get some specific comments that cover what I'm 
doing.

Jay



Re: [users@httpd] Security

Posted by Scott Gifford <sg...@suspectclass.com>.
"Jay O'Brien" <ja...@att.net> writes:

> I have apache 1.3.33 running on a FreeBSD machine, behind a Linksys 
> BEFSR41 firewall that has port 80, and only port 80, opened to the 
> FreeBsd box. The Win XP Pro machines on the same LAN can access the 
> FreeBSD machine via ftp but as only port 80 is open to the internet, 
> no one else can get to the FreeBSD machine except via Port 80.
>
> What should I do to handle security issues? Am I open to hacking in 
> any way? 

Keep your Apache and FreeBSD up-to-date, installing any security
updates from your vendor.

More importantly, be very careful what Web applications you install;
make sure they have an excellent security record, and audit them
carefully for a secure coding style.  If you write your own, make sure
you write them very carefully, and have another person review the code
for security flaws.  Think hard about how people could cause your
applications to misbehave, and make it impossible.  Code defensively,
and use language features to help you (like perl's taint mode).  Make
sure your code isn't vulnerable to cross-site scripting attacks.
Learn about attacks on other applications, and make sure your script
isn't vulnerable to them.

If you don't have anybody available who is a security expert, take
some time to learn about secure coding practices, or hire an expert to
audit your code.

Tools like mod_chroot and BSD jails can also help limit the damage
that a breakin can cause.

----ScottG.
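One way to put Scott's points (taint mode, whitelisting request data, escaping output, limiting what a break-in can reach) into practice for a hit counter of the kind Jay mentions. This is an added illustration, not code from this thread or from count.cgi itself; the `page` parameter, the `/var/www/counts` directory and the `.count` file naming are assumptions.

```perl
#!/usr/bin/perl -T
# Added example, not from the thread: a page-hit counter CGI written defensively.
# -T turns on taint mode: data from the request or from files cannot reach
# open(), system() or similar until it has been explicitly untainted.
use strict;
use warnings;
use Fcntl qw(:DEFAULT :flock);
use CGI qw(escapeHTML);

# Taint mode refuses to run external commands under an untrusted PATH,
# so pin it and drop the environment variables a shell would honour.
$ENV{PATH} = '/bin:/usr/bin';
delete @ENV{qw(IFS CDPATH ENV BASH_ENV)};

my $count_dir = '/var/www/counts';   # assumed; keep it outside DocumentRoot
my $q = CGI->new;

# Whitelist, don't blacklist: only the part of the parameter that matches a
# short [A-Za-z0-9_-] name is kept. Path separators, "..", NUL bytes and shell
# metacharacters can never pass, so the open() below cannot be redirected.
my $raw = $q->param('page');
$raw = '' unless defined $raw;
my ($page) = $raw =~ /\A([A-Za-z0-9_-]{1,32})\z/;
unless (defined $page) {
    print $q->header(-status => '400 Bad Request', -type => 'text/plain');
    print "unrecognised page name\n";
    exit 0;
}

# Read, increment and rewrite the counter under an exclusive lock so that
# concurrent hits do not lose updates. The file contents are tainted too;
# the (\d+) capture is what untaints the number before it is reused.
my $file = "$count_dir/$page.count";
sysopen(my $fh, $file, O_RDWR | O_CREAT, 0644) or die "open $file: $!";
flock($fh, LOCK_EX) or die "lock $file: $!";
my $line = <$fh>;
my $hits = (defined $line && $line =~ /\A(\d+)/) ? $1 + 1 : 1;
seek($fh, 0, 0) or die "seek $file: $!";
truncate($fh, 0) or die "truncate $file: $!";
print {$fh} "$hits\n";
close($fh) or die "close $file: $!";

# Even an already-validated value goes through escapeHTML on the way out;
# never emitting request data unescaped is the habit that prevents XSS.
print $q->header(-type => 'text/html; charset=iso-8859-1');
printf "<p>Page %s has been viewed %d times.</p>\n", escapeHTML($page), $hits;
```

Run as the unprivileged Apache user, the script can only touch files under the counts directory, which is the kind of damage limitation Scott's mod_chroot and jail suggestions extend to the whole server.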
