Linux - Security
This forum is for all security-related questions. Questions, tips, system compromises, firewalls, etc. are all included here.
I hate to admit it, but I am uncertain, based upon these logs (especially the first one, which had a 200 response code), whether they were able to use my Apache as an unintended proxy. This then led me to look at the list of Apache modules installed by default (list below). It looks like several modules are loaded but not configured in the default configuration. For example, mod_proxy and its relatives are loaded by default, but unless you configure a proxy in httpd.conf they theoretically don't do anything. I spent some time reviewing this list of modules on Apache's website, and many of them look like they have a valid function, e.g. logging, authorization, etc., and it left me not entirely sure which of these should be disabled. Similarly, Google searching retrieves lots of suggestions to disable unused modules, but doesn't provide a clear answer on which are important to a secure and functioning system.
Any suggestions for which modules should stay and which should go?
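The poster's first question is whether a 200 in the access log means the server actually relayed a request. One way to triage that from the logs is below. This is an added example, not code from the thread: it parses combined-format access log lines, picks out the request lines only a forward proxy should ever see (an absolute URI as the request target, or CONNECT), and compares the byte count of each 200 response with the assumed size of the server's own index page. An Apache with no ProxyRequests directive treats "GET http://other-host/ HTTP/1.1" as an ordinary request for "/" on the default virtual host and serves its own content with a 200, so a 200 by itself is not proof of proxying; a 200 whose size matches nothing local is the case worth investigating. The sample log lines and the LOCAL_INDEX_BYTES value are constructed for the example.

```python
import re
from collections import namedtuple

# Apache "combined" LogFormat:  %h %l %u %t "%r" %>s %b "%{Referer}i" "%{User-Agent}i"
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)(?: HTTP/[\d.]+)?" '
    r'(?P<status>\d{3}) (?P<bytes>-|\d+)'
)

# Assumed byte size of this server's own index page; a forward-proxy probe
# answered with exactly this size was served locally, not relayed anywhere.
LOCAL_INDEX_BYTES = 1234

# Constructed sample lines, not taken from the poster's logs.
SAMPLE_LOG = """\
203.0.113.5 - - [21/May/2012:03:14:07 +0000] "GET http://www.example.net/ HTTP/1.1" 200 1234 "-" "Mozilla/4.0"
203.0.113.5 - - [21/May/2012:03:14:09 +0000] "CONNECT mail.example.net:25 HTTP/1.1" 405 320 "-" "-"
198.51.100.9 - - [21/May/2012:03:15:00 +0000] "GET http://www.example.net/ HTTP/1.1" 200 48213 "-" "proxyscan/1.0"
192.0.2.44 - - [21/May/2012:03:16:12 +0000] "GET / HTTP/1.1" 200 1234 "-" "Mozilla/5.0"
192.0.2.44 - - [21/May/2012:03:16:13 +0000] "GET /index.html HTTP/1.1" 304 - "-" "Mozilla/5.0"
"""

Probe = namedtuple("Probe", "host method target status size verdict")

def is_proxy_style(method, target):
    """True for request lines that only a forward proxy should ever receive."""
    return method == "CONNECT" or target.lower().startswith(("http://", "https://"))

def classify(line, local_sizes=(LOCAL_INDEX_BYTES,)):
    """Return a Probe for a proxy-style request line, None for anything else."""
    m = LOG_RE.match(line)
    if not m or not is_proxy_style(m["method"], m["target"]):
        return None
    status = int(m["status"])
    size = None if m["bytes"] == "-" else int(m["bytes"])
    if status != 200:
        verdict = "refused"          # Apache did not honour the proxy request
    elif size in local_sizes:
        verdict = "served-local"     # 200, but it is our own page, not relayed content
    else:
        verdict = "investigate"      # 200 with an unfamiliar size: check for ProxyRequests On
    return Probe(m["host"], m["method"], m["target"], status, size, verdict)

def scan(log_text, local_sizes=(LOCAL_INDEX_BYTES,)):
    """All proxy-style probes in an access log, each with a verdict."""
    probes = (classify(ln, local_sizes) for ln in log_text.splitlines())
    return [p for p in probes if p is not None]

if __name__ == "__main__":
    for p in scan(SAMPLE_LOG):
        print(f"{p.verdict:12} {p.host:14} {p.method} {p.target} -> {p.status} {p.size}")
```

Feed it the real log with `scan(open("/var/log/httpd/access_log").read())` and set LOCAL_INDEX_BYTES (or a tuple of sizes) to the actual sizes of the pages the default virtual host serves for "/". Anything that comes back as "investigate" deserves a look at the proxy directives in httpd.conf; "served-local" entries are scanner noise that a correctly unconfigured mod_proxy produces anyway.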
Thank you for the reply. I looked up a few of the modules and found myself becoming more concerned about deleting a module that is beneficial to security rather than disabling a service that could be exploited. In essence, I am wondering whether, if for example I don't use LDAP authentication or database authentication, it opens up a security hole to remove authz_dbm_module and authnz_ldap_module. My suspicion is that it does not.
This is another manifestation of the "kitchen sink problem" that is very frequently found with otherwise sensible and well-intentioned Linux distros: they install everything but the aforesaid sink, just in case somebody out there could possibly need it. (For instance, the default configuration for an early Red Hat system contained a driver for a DECSystem token-ring network card. And if you have never heard of a token-ring network, you didn't miss much.)
You should "strip" the Apache installation to only those modules which you actually use in some web-site that you know (and intend...) is being run on this computer.
A lot of the used modules must be activated or used later in the config (dav, rewrite, alias, basic_auth, digest_auth, status). You could deactivate them, but since they are unconfigured they are not a security risk.
Some modules are fairly essential (like mod_deflate).
My guess would be that the mime modules and the cache modules might be a security risk, but I would be careful when deactivating them.
Any suggestions for which modules should stay and which should go?
Following an Apache HTTP server 2.0 / 2.2 install, I have a checklist of modules that I always disable (unless I have a very good reason to keep them around).
mod_userdir
mod_info
mod_status
mod_include
mod_proxy* (unless acting as a proxy service)
mod_dav* (unless acting as a webdav service)
That's not a comprehensive list, but it is a solid starting point to knock out some commonly enabled-by-default (and potentially worrisome) modules.
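The checklist above can be applied mechanically: a module that is loaded but that no directive in the configuration ever refers to is doing nothing except adding attack surface. The script below is an added example, not code from the thread or from the Apache project. It lists the active LoadModule lines in an httpd.conf, checks each checklist module against the real Apache directives that would put it to work (UserDir, SetHandler server-info / server-status, ExtendedStatus, Options Includes / INCLUDES filters / XBitHack, the ProxyPass family and <Proxy> sections, Dav / DavLockDB), treats mod_proxy_* and mod_dav_* helpers as useful only when their base module is configured, and comments out the LoadModule lines of the leftovers. The module-to-directive pairing is this example's own assumption, and the sample httpd.conf fragment is constructed. After editing the real file, run `apachectl -t` before restarting.

```python
import re

# Module name as it appears in LoadModule -> regex for directives that put the
# module to work.  The directive names are real Apache 2.x directives; pairing
# them with modules this way is the example's own checklist, not an Apache table.
CHECKLIST = {
    "userdir_module": r"^\s*UserDir\b",
    "info_module":    r"^\s*SetHandler\s+server-info\b",
    "status_module":  r"^\s*(SetHandler\s+server-status|ExtendedStatus)\b",
    "include_module": r"^\s*(Options\s.*Includes|(Add|Set)OutputFilter\s.*INCLUDES|XBitHack)\b",
    "proxy_module":   r"^\s*(Proxy(Pass|PassMatch|PassReverse|Requests)\b|<Proxy)",
    "dav_module":     r"^\s*(Dav\s|DavLockDB\b)",
}
# Helper modules that only do something once their base module is configured.
FAMILY = {"proxy_": "proxy_module", "dav_": "dav_module"}

# Only uncommented LoadModule lines count; a leading '#' fails the ^\s* anchor.
LOADMODULE_RE = re.compile(r"^\s*LoadModule\s+(\w+)\s+(\S+)", re.M)

# Constructed httpd.conf fragment (2.2-style access control), not the poster's file.
SAMPLE_CONF = """\
ServerRoot "/etc/httpd"
Listen 80
LoadModule auth_basic_module modules/mod_auth_basic.so
LoadModule include_module modules/mod_include.so
LoadModule status_module modules/mod_status.so
LoadModule info_module modules/mod_info.so
LoadModule userdir_module modules/mod_userdir.so
LoadModule proxy_module modules/mod_proxy.so
LoadModule proxy_http_module modules/mod_proxy_http.so
#LoadModule dav_module modules/mod_dav.so
DocumentRoot "/var/www/html"
<Location /server-status>
    SetHandler server-status
    Order deny,allow
    Deny from all
    Allow from 127.0.0.1
</Location>
"""

def loaded_modules(conf):
    """{module_name: path} for every active LoadModule line."""
    return dict(LOADMODULE_RE.findall(conf))

def base_of(name):
    """proxy_http_module -> proxy_module, dav_fs_module -> dav_module, else unchanged."""
    for prefix, base in FAMILY.items():
        if name.startswith(prefix):
            return base
    return name

def audit(conf):
    """{module: 'configured' | 'unconfigured'} for loaded modules on the checklist."""
    verdicts = {}
    for name in loaded_modules(conf):
        base = base_of(name)
        if base not in CHECKLIST:
            continue
        in_use = re.search(CHECKLIST[base], conf, re.M | re.I) is not None
        verdicts[name] = "configured" if in_use else "unconfigured"
    return verdicts

def candidates(conf):
    """Sorted list of loaded checklist modules that nothing in the config refers to."""
    return sorted(n for n, v in audit(conf).items() if v == "unconfigured")

def disable(conf, names):
    """Comment out the LoadModule lines for `names`; every other line is untouched."""
    if not names:
        return conf
    alts = "|".join(re.escape(n) for n in names)
    pat = re.compile(r"^(\s*)(LoadModule\s+(?:%s)\s+\S+.*)$" % alts, re.M)
    return pat.sub(r"\1#\2", conf)

if __name__ == "__main__":
    for name, verdict in sorted(audit(SAMPLE_CONF).items()):
        print(f"{name:20} {verdict}")
    hardened = disable(SAMPLE_CONF, candidates(SAMPLE_CONF))
    print(hardened)
    # Re-audit the result: nothing on the checklist should remain unconfigured.
    print("remaining candidates:", candidates(hardened))
```

Point it at the real file with `disable(open("/etc/httpd/conf/httpd.conf").read(), candidates(conf))` and write the result to a copy, not over the original; the regexes only see one file, so a module configured in an Include'd conf.d/ fragment would be reported as unconfigured unless those fragments are concatenated into the text first. Commenting out the LoadModule line is also preferable to deleting the .so, because it is reversible with one character when a site turns out to need the module after all.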
I would like to thank everyone for the replies. I have been disabling modules and finding that the process is not without risk as Apache will not restart more often than it will after making changes.
So far I have the list pared down to the list below. I think that there are more auth modules than I need, but otherwise most of the extras have been removed.
Edit: correction, I appear to have done something to completely hose Apache. Now it appears to be running, but won't even find the root index file. ARGH! I may just reconfigure the package and start again.
Last edited by Noway2; 05-21-2012 at 04:46 AM.
Reason: more information.
I have been disabling modules and finding that the process is not without risk as Apache will not restart more often than it will after making changes.
After making configuration changes, always do a sanity check before restarting Apache.
Code:
# apachectl -t
That can help prevent unexpected outages by parsing your config (without messing with the running daemon) and reporting problems.