LinuxQuestions.org


chexmix 06-25-2012 06:36 PM

playing with Apache securely
 
Hi all -

So, as the subject says, I'd like to play with some web server stuff on Slackware 13.37 ... but I'd like to do so in a secure fashion, so that no one mucks with it while I am learning.

Short of just disconnecting the network cable, how do I go about this?

Thanks,

Glenn

unSpawn 06-25-2012 07:43 PM

Just make the web server listen on only localhost or block TCP/80 in the firewall or use configuration file / .htaccess $DOCROOT / container allow / deny clauses.

cikrak 06-25-2012 10:52 PM

Quote:

Originally Posted by chexmix (Post 4711758)
Hi all -

So, as the subject says, I'd like to play with some web server stuff on Slackware 13.37 ... but I'd like to do so in a secure fashion, so that no one mucks with it while I am learning.

Short of just disconnecting the network cable, how do I go about this?

Thanks,

Glenn

If you just want to play, do it in a virtual environment, so you can hack your configuration here and there without worry. In the real world, a lot of things interfere with each other in security terms.

In my list:

- Disable modules you don't need.
- Disable directory browsing.
- Disable unnecessary options.
- Consider modsecurity for an additional security layer.

After that, use nikto to test your webserver.

But I assume you are playing with the web server at home, so just open the necessary ports on your modem (like 80, 22) if you want your site to be accessible from the outside world.

chexmix 06-26-2012 05:59 AM

Quote:

Originally Posted by cikrak (Post 4711921)
If you just play.. do it in virtual environment.

OK ... I apologize if this is a stupid question, but how do I set up such a virtual environment?

cikrak 06-26-2012 07:46 PM

Quote:

Originally Posted by chexmix (Post 4712338)
OK ... I apologize if this is a stupid question, but how do I set up such a virtual environment?

IMHO... The easy way: use VirtualBox. Install a fresh Slackware in VirtualBox and do everything you want without worrying that it will break your entire system.

1. Install VirtualBox on your system.

http://download.virtualbox.org/virtu...-Linux_x86.run (32 bit)
or
http://download.virtualbox.org/virtu...inux_amd64.run (64 bit)

2. Install Slackware in VirtualBox.

So, you will run Slackware in Slackware ;)

abesirovic1 06-27-2012 07:56 AM

It doesn't matter if he has it in virtualbox if the network interface is shared (i.e. outside people still open the apache site).

Just set it to: Listen 127.0.0.1 in httpd.conf file.
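An added example, not part of the original thread: a small check that reads the `Listen` directives from an httpd.conf and reports which ones bind only to loopback and which leave the server reachable from the network. The sample configuration is constructed and the function names are hypothetical; the parser assumes the documented Apache 2.x form `Listen [IP-address:]portnumber [protocol]`.

```python
import ipaddress
import re

# Constructed sample httpd.conf fragment (not taken from the thread).
SAMPLE_CONF = """\
# Listen 12.34.56.78:80
Listen 80
Listen 127.0.0.1:8080
listen [::1]:8081
Listen 0.0.0.0:8443 https
Listen 192.168.56.10:80
Listen 127.0.0.1
"""
LISTEN_RE = re.compile(r"^\s*Listen\s+(\S+)", re.IGNORECASE)

def classify_listen(value):
    """Return (address, port, exposure) for the first Listen argument."""
    if value.startswith("["):            # bracketed IPv6 literal: [addr]:port
        addr, _, port = value[1:].partition("]")
        port = port.lstrip(":")
    elif ":" in value:                   # addr:port
        addr, _, port = value.rpartition(":")
    elif value.isdigit():                # bare port: bound on every interface
        addr, port = "*", value
    else:                                # address only, port missing
        addr, port = value, ""
    if not port.isdigit():               # the documented syntax needs a port
        return addr, None, "no-valid-port"
    if addr == "*":
        return addr, int(port), "all-interfaces"
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:                   # hostname: needs a manual look
        return addr, int(port), "unresolved"
    if ip.is_loopback:
        return addr, int(port), "loopback"
    kind = "all-interfaces" if ip.is_unspecified else "network"
    return addr, int(port), kind

def audit(conf_text):
    # Only active lines match; commented-out Listen lines are skipped.
    hits = ((n, LISTEN_RE.match(l)) for n, l in enumerate(conf_text.splitlines(), 1))
    return [(n,) + classify_listen(m.group(1)) for n, m in hits if m]

def not_loopback_only(conf_text):
    return [row for row in audit(conf_text) if row[3] != "loopback"]

if __name__ == "__main__":
    for lineno, addr, port, exposure in audit(SAMPLE_CONF):
        print(f"line {lineno}: {addr} port {port} -> {exposure}")
```

Any row returned by `not_loopback_only` is a listener to change, firewall, or review before treating the server as local-only.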

cikrak 06-27-2012 09:52 PM

Quote:

Originally Posted by abesirovic1 (Post 4713287)
It doesn't matter if he has it in virtualbox if the network interface is shared (i.e. outside people still open the apache site).

Just set it to: Listen 127.0.0.1 in httpd.conf file.

The positive point of using VirtualBox is that someone can test and play in an isolated environment. VirtualBox is set to NAT by default so the outside world can access the Apache. But the purpose of a web server is inverted, so 'Host Only' type of networking is required in VirtualBox. Open the necessary port, hack the configuration file, give it dummy data, test the security and performance.

In my experience, many adjustments are required when developing a web server for public service. Remove unnecessary packets (like x, xap, d), adjust the firewall, ... hacking here and there :). VirtualBox is a nice tool to experiment with before running in the real tournament.

It's hard to play hard on a daily-use computer system. (Without a virtual environment, I need another computer/server.)

All in all, security is an art ;) For me, it's great to see the log catch many efforts to compromise the system... I can learn from this. Of course it doesn't happen if I disconnect my network cable from the wall.


All times are GMT -5.