LinuxQuestions.org
Old 04-04-2004, 09:45 PM   #1
Lleb_KCir
Senior Member
 
Registered: Nov 2003
Location: Orlando FL
Distribution: Debian
Posts: 1,765

Rep: Reputation: 45
Questions about securing Apache


have a few questions about securing an apache server.

1. is it ok to leave the /var/www/html dir set to 755? is there a way to reduce the permissions and still have the URL run?

2. do i really need to worry about the internal firewall on my MDK10 box when i am behind a NAT router with rather robust firewall/NAT securities?

3. is there a way to make it so any directory involving apache, to include /var/www/html, are only accessible via my LAN or via VPN?

3b. if so how would i go about doing that?


please keep in mind im no ubb3r *nix user. im still basically a newB, but i do understand M$ extremely well. if you give me CLI or bash instructions please be as specific and detailed as you can. treat me like you would a 6yr in your directions with regards to step by step.

i am learning my way around more and more every day by the great help from ppl on this site and it is extremely appreciated.

thank you for your time and help.
 
Old 04-05-2004, 06:47 AM   #2
DavidPhillips
LQ Guru
 
Registered: Jun 2001
Location: South Alabama
Distribution: Fedora / RedHat / SuSE
Posts: 7,163

Rep: Reputation: 58
The 755 on the folder is ok, there should not be anything in there you don't want people to see in the first place, it's a web server for goodness sakes.

Just kidding.


You can probably make the html files and pictures in there 440 and owner.group root.apache or whatever user it runs on.

It really depends on what all you have in there, and how the server is set up. Make a backup of the entire tree before changing things.



One firewall is good enough for me.

You can set up httpd.conf to only have the document root and no other Directory access.

If you're not forwarding port 80 then they can't get there anyway. Or you can firewall port 80 from the outside and allow local access only, but like I said there is no way to get there from the outside without the router forwarding the port anyway. VPN that is forwarded to the webserver or another system on the lan would be the same as being on the webserver or lan so it would be granted access.



Last edited by DavidPhillips; 04-05-2004 at 06:56 AM.
 
Old 04-05-2004, 09:47 AM   #3
Lleb_KCir
Senior Member
 
Registered: Nov 2003
Location: Orlando FL
Distribution: Debian
Posts: 1,765

Original Poster
Rep: Reputation: 45
Quote:
You can probably make the html files and pictures in there 440 and owner.group root.apache or whatever user it runs on.

It really depends on what all you have in there, and how the server is set up. Make a backup of the entire tree before changing things.
ok great thanks.

now how do i go about setting the root.apache or owner.group is that chown?

just using root atm. only have 2 accounts on my MDK system root and me.

only things running on that site are basic HTML, some MPEGs, and some JPGs along with a handful of pdf files that over time i hope to replace with html for the most part.
 
Old 04-05-2004, 02:52 PM   #4
InEeDhElPlInUx
Member
 
Registered: Sep 2003
Posts: 107

Rep: Reputation: 15
In your httpd.conf file there is a spot for owner and group. Create another user and give him NO privileges in your system except for the sole purpose of running your website (part of this is in the .conf file which I mentioned above). Also change the www folder and all subdirectories and make him the owner and group. Give him read only access to everything except for the logs which he needs write permission to. You can also give him write permission on your www directory but then if someone hacks you with the webowner's account he can hack your website also. Just change to root if you need to add anything and change the permissions on the file as soon as it's moved.
 
Old 04-05-2004, 03:18 PM   #5
Lleb_KCir
Senior Member
 
Registered: Nov 2003
Location: Orlando FL
Distribution: Debian
Posts: 1,765

Original Poster
Rep: Reputation: 45
Quote:
Originally posted by InEeDhElPlInUx
In your httpd.conf file there is a spot for owner and group. Create another user and give him NO privileges in your system except for the sole purpose of running your website (part of this is in the .conf file which I mentioned above). Also change the www folder and all subdirectories and make him the owner and group. Give him read only access to everything except for the logs which he needs write permission to. You can also give him write permission on your www directory but then if someone hacks you with the webowner's account he can hack your website also. Just change to root if you need to add anything and change the permissions on the file as soon as it's moved.
thank you, now could you step by step that for me.

i think i know how to make a new user in *nix, but am not 100% on how to assign overall permissions to an account.

no matter who the owner is of a dir or file the root always can make changes yes and override the owner?
 
Old 04-07-2004, 12:01 AM   #6
DavidPhillips
LQ Guru
 
Registered: Jun 2001
Location: South Alabama
Distribution: Fedora / RedHat / SuSE
Posts: 7,163

Rep: Reputation: 58
Here is my user apache in /etc/passwd

apache:x:48:48:Apache:/var/www:/sbin/nologin

Here is the group in /etc/group

apache:x:48:
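
Added example, not part of any post in this thread: a shell sketch of the scheme discussed above (files 440 with owner.group root.apache from post #2, using the apache account shown in post #6), plus a check for anything still world-accessible. The function names and the sample tree are made up for illustration; directories get 750 rather than 440 because a directory needs its execute bit to be entered.

```shell
#!/bin/sh
# Added example (not from the thread): root.apache / 440 scheme from post #2.

# List anything under DIR that "other" can reach at all, or that the group
# can write. Symlinks are skipped because their own mode is always 777.
audit_docroot() {
    find "$1" ! -type l \
        \( -perm -001 -o -perm -002 -o -perm -004 -o -perm -020 \) -print
}

# Number of findings, for use in scripts or a cron check.
audit_count() {
    audit_docroot "$1" | wc -l | tr -d ' '
}

# harden_docroot DIR [OWNER:GROUP]
# Files become 440; directories become 750, because a directory needs the
# execute bit to be entered (440 on a directory would break the site).
# OWNER:GROUP is optional since chown needs root, e.g. root:apache.
harden_docroot() {
    dir=$1
    owner=${2:-}
    [ -d "$dir" ] || { echo "not a directory: $dir" >&2; return 1; }
    if [ -n "$owner" ]; then
        # -h: change a symlink itself, never the file it points to
        chown -hR "$owner" "$dir" || return 1
    fi
    find "$dir" -type d -exec chmod 750 {} + &&
    find "$dir" -type f -exec chmod 440 {} +
}

# Demo on a constructed tree; runs without root, ownership left untouched.
demo=$(mktemp -d)
mkdir -p "$demo/html/img"
echo '<h1>test</h1>' > "$demo/html/index.html"
echo 'constructed' > "$demo/html/img/a.jpg"
chmod 755 "$demo/html" "$demo/html/img"
chmod 644 "$demo/html/index.html"
chmod 666 "$demo/html/img/a.jpg"
echo "findings before: $(audit_count "$demo/html")"
harden_docroot "$demo/html"
echo "findings after:  $(audit_count "$demo/html")"
rm -rf "$demo"
```

On a real server the call would be run as root, as harden_docroot /var/www/html root:apache, after backing up the tree as post #2 advises. The group must match the Group line in httpd.conf, otherwise the server loses read access.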
 
Old 04-07-2004, 09:41 AM   #7
Lleb_KCir
Senior Member
 
Registered: Nov 2003
Location: Orlando FL
Distribution: Debian
Posts: 1,765

Original Poster
Rep: Reputation: 45
thanks. ill mess around with that after i recover from MDK10 update killing my system. had to blow it away and now having to recover all my code for my URL.

after the update my apache died, my system no longer acknowledges that i have a CDRW in it so i had no way of backing up the current code of my site. have the old code on CD so im in the process of recovering the code, cleaning it up, then updating it so it will run like it is supposed to.

thanks for the heads up.
 
  

