Hi,
Here's hoping that this is the right forum to post this question in, being my first post and all..
I am about to take delivery of 3 new web servers, currently we are running Apache2 & PHP5 on our production boxes. My question is, is it safe (security wise) to compile and install Apache on the new production servers? What are the security implications of having all the required development tools for the compiling of Apache and PHP on the production boxes? If this isn't a good idea, how do I *move* the Apache and PHP binaries and related files from the compile box to the live servers?
Thanks!
Dean.
Adding Apache and PHP to a production server is fine. Millions of servers around the world run this setup every day. Of course, it's just like every other piece of software: stay on top of security updates. And code wisely with PHP.
I guess I didn't word my question correctly, I'm more interested in the security implications of having the required tools for development, e.g. compilers, linkers etc etc (I'm not a C programmer) on the production box.
What I would do is have 1 stage/test box and install the compilers on that box. For your 3 production web server boxes, do not install compilers. Just compile apache & php on the test box and throw the necessary config files/modules/libraries/binaries over to the 3 prod boxes.
By doing this, you have no compilers for the prod boxes which means that in the case where you do get hacked, the attacker cannot do a simple wget and grab a trojan and compile it. The attacker would have to su as root, grab a compiler and its dependencies and install it which takes time.
Thanks, that's what I thought. Now, is there anyone that can point me to information on which files/directories I need to move from the test box to the production box in regards to Apache and PHP?
Yes, I do compile from source (is there any other way?)
I've never had much time to go into the details of what make, make install etc does...I'm guessing it's make install that copies all the files to the right locations...am I getting warm?
As a side note, I joined this forum because I was looking for answers to questions, not just "You should know the answer", if I knew the answer, then I wouldn't have bothered posting right?
For those that may also be searching for an answer to this question, here's a reply I got from another forum....it might be obvious to some....
<quote>
If the OS on the testbox has the same version as the OS on the production server,
then I would suggest you compile and install them in a separate directory (usually the default path is /usr/local).
Basically, say you install them all under /opt/local with
./configure --prefix=/opt/local/<package name> # <=== package name like apache213, php411...
Then you make the symbolic link from /opt/local/<package name>/bin/<executable filename> to /opt/local/bin
such as
cd /opt/local/bin
ln -s ../apache213/bin/httpd . # <=== use a relative path instead of an absolute path.
If everything tests OK, then you just copy over /opt/local to the production server.
Or put /opt/local on NFS server and mount on the production as /opt/local.
</quote>
Quote:
Yes, I do compile from source (is there any other way?)
Yes there are. If you are on redhat, then you can just install the rpm packages. If you are on debian, you can do an apt-get and so forth. There are other ways of getting the packages installed.
Quote:
As a side note, I joined this forum because I was looking for answers to questions, not just "You should know the answer", if I knew the answer, then I wouldn't have bothered posting right?
That might've sounded mean on my end and I didn't mean it that way. This forum is designed to help people and not give the answers out unless it's obvious that you have tried attempting to solve your problem. It just sounded to me that you wanted a quick answer without attempting to find the answer yourself. That was what I was trying to get at.
Ok, so let's take a different approach. Where are you stuck and which part have you done?
Quote:
Yes there are. If you are on redhat, then you can just install the rpm packages. If you are on debian, you can do an apt-get and so forth. There are other ways of getting the packages installed.
Sure, I understand that, I guess I must have misunderstood your answer where you asked if I was compiling from source, as I see using RPMs or apt-get as simply installing pre-compiled binaries, not compiling yourself.
Quote:
It just sounded to me that you wanted a quick answer without attempting to find the answer yourself.
You are right, I was searching for a quick answer. We are currently in the middle of an office move and server upgrade, so I don't quite have time to be trawling through Google looking for answers, although, I did spend an hour or so trying to find out an answer to my question, I guess I was asking Google the wrong question.
I did find an answer to my question as you will see above. Though, this didn't quite answer my question properly. What I am trying to do is compile Apache, PHP5, FreeTDS and a few others on a test box then move them to the production servers, the goal being not to have to have gcc, make etc etc on the production servers. The test hardware and software will be exactly the same as the production box, so no problem there. My main issue is that I don't know where Apache, PHP5 and the rest put all their required files. From the answer I got on another forum it suggests that if I compile using the --prefix switch, then the software will be installed in whichever directory I specify, e.g. if I use --prefix=/software/apache2 then Apache (for example) will be installed into /software/apache2. Where I am having trouble is when I compile PHP5 for example, the php.ini file expects to be in /usr/lib, and also with FreeTDS, the config files are in /usr/etc. Are there other files that go into other directories that I don't know about? If I compile PHP with --prefix=/software/php and then just copy the /software/php to another server, will PHP still work?
That pretty much should work. If you specify './configure --prefix=/blahblah' then that would be the top directory for all your configs, libs, and so forth. So moving that over to your new box should work. Try that and run it. If it doesn't work, it should spit out an error message stating that it's missing something and that's when you start debugging. But if you're moving the top directory tree over, you're pretty much 80%+ done. I haven't done that in a while so I'm not sure what extra steps are needed.
If you tried that and still get stumped and you have exhausted your brain muscles then another approach would be to remove the compiler afterwards (gcc and g++ binaries) on your new box. Just another suggestion.
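On the question of which files end up outside the --prefix tree and whether the copy on the production box is intact, here is an added example that is not part of the thread or any poster's own script. It assumes the build was first installed into a scratch staging root (for example with `make install DESTDIR=...` where the package's Makefile supports that variable); the function names and the tool list are illustrative.

```shell
#!/bin/sh
# Added example, not from the thread. Function names and tool list are illustrative.

# Build box: list files in a staged install root that fall outside the prefix,
# i.e. files that copying only the prefix directory would leave behind.
files_outside_prefix() {   # $1 = staging root, $2 = prefix (e.g. /opt/local)
    ( cd "$1" && find . -type f | while IFS= read -r f; do
          f=${f#.}
          case $f in "$2"/*) ;; *) printf '%s\n' "$f" ;; esac
      done | LC_ALL=C sort )
}

# Build box: print a SHA-256 manifest (relative paths) of the prefix tree.
make_manifest() {          # $1 = prefix directory
    ( cd "$1" && find . -type f -exec sha256sum {} + | LC_ALL=C sort -k 2 )
}

# Production box: re-hash the copied tree and compare with the manifest.
# Fails on a modified, missing or extra file. Keep the manifest outside the tree.
verify_manifest() {        # $1 = copied prefix directory, $2 = manifest file
    make_manifest "$1" | cmp -s - "$2"
}

# Production box: print any build tools found in a colon-separated search path
# (defaults to $PATH). Returns 0 if at least one is present, 1 if none.
build_tools_present() {
    search=${1:-$PATH}
    found=1
    old_ifs=$IFS; IFS=:
    for dir in $search; do
        for tool in gcc g++ cc c++ clang make ld as; do
            if [ -x "$dir/$tool" ]; then
                printf '%s\n' "$dir/$tool"
                found=0
            fi
        done
    done
    IFS=$old_ifs
    return $found
}

# Typical use (paths are placeholders):
#   files_outside_prefix /tmp/stage /opt/local
#   make_manifest /opt/local > /tmp/opt-local.sha256      # on the build box
#   verify_manifest /opt/local /tmp/opt-local.sha256      # on each prod box
#   build_tools_present && echo "build tools still installed"
```

Shared libraries pulled in from the base system are not covered by this check; running `ldd` on the copied binaries on the production box shows any that are reported as not found.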