Well, I've just set up a webserver for the first time (apache 1.3.34) on my home lan, more of a hobby than anything serious at the moment. Here's the background:

My only firewall at the moment is a wireless router which is however well-configured for basic security. The port I'm binding apache to is being forwarded by the router. This is the only forwarding port which is open on the router.

Apache is installed with a minimal slackware installation, the only other "listening" service running is ssh. I'm using ssh for administration and I'm logging in from another computer (also slackware) on my lan, so port 22 is not open to the outside world on the router.

Well, the server is running and seems to be ok, but I'm concerned about the best security options for apache, both for myself and for everyone else. I obviously don't my webserver to become a breeding ground for worms/malware.

I'm going to follow the apache related security tips here:

http://httpd.apache.org/docs/1.3/mis...rity_tips.html

Anyone have any extra security ideas, slackware-oriented or otherwise, firewall or apache related? eg should I be using iptables in combination with the router, or is this overkill?

Cheers

a few things you might wanna look into:

http://www.modsecurity.org/ (web application security for apache)

http://www.grsecurity.net/ (kernel security patch)

http://www.rootkit.nl/ (a rootkit scanner, nice to run periodically with cron and have it mail you results, etc.)

http://www.logwatch.org (it watches your logs and emails you reports)

http://sourceforge.net/projects/tripwire (a file integrity checker is good to have)

BTW, it would be great if you could explain what kinda content you are serving with Apache... are you using php/perl/python?? do you have a database going??

it's not overkill IMHO... it provides you with another safety net in case something goes wrong at the router... it also lets you make rules to control access to the server within the LAN/DMZ, something which you could not do with the router...


just my ...

Thanks for the reply and the excellent links

Yea,I'm really really new to this, I'm not going to get into anything compllicated yet. I plan to start out just using HTML, probably better security-wise anyway, I can disable the apache modules I don't need. Eventually I'd like to migrate to something a bit more adventurous though such as LAMP, but not for a while yet.

Good point about the LAN, I'll brush up on my iptables.

Thanks!

In addition, I would run a file integrity check program like Tripwire, Aide or Samhain. None of these will stop an attack, but they can answer a lot of questions about which files have been altered if you suspect you've been compromised.

You can also contain Apache and other server programs with AppArmor. If there is a security problem, a potential cracker will stil not be able to break out of Apache's containment. For more information and packages see:

http://danieldk.org/apparmor/

All great suggestions. Just one more to add for anyone referring to this thread in the future:

mod_chroot (Saves having to manually set up apache in a "root jail" - mod_security also has this functionality).

I also found these security tips to be useful while hacking away at httpd.conf. The httpd.conf defaults are actually not very secure, but they're good for getting the server up and running without having to do anything.

I also got some iptables rules in place.

Cheers