Linux - Security
This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.
Have a few questions about securing an Apache server.
1. Is it OK to leave the /var/www/html dir set to 755? Is there a way to reduce the permissions and still have the URL run?
2. Do I really need to worry about the internal firewall on my MDK10 box when I am behind a NAT router with rather robust firewall/NAT securities?
3. Is there a way to make it so any directory involving Apache, to include /var/www/html, are only accessible via my LAN or via VPN?
3b. If so, how would I go about doing that?
Please keep in mind I'm no ubb3r *nix user. I'm still basically a newB, but I do understand M$ extremely well. If you give me CLI or bash instructions please be as specific and detailed as you can. Treat me like you would a 6yr in your directions with regards to step by step.
I am learning my way around more and more every day by the great help from ppl on this site and it is extremely appreciated.
The 755 on the folder is ok, there should not be anything in there you don't want people to see in the first place, it's a web server for goodness sakes.
Just kidding.
You can probably make the html files and pictures in there 440 and owner.group root.apache or whatever user it runs on.
It really depends on what all you have in there, and how the server is set up. Make a backup of the entire tree before changing things.
One firewall is good enough for me.
You can set up httpd.conf to only have the document root and no other Directory access.
If you're not forwarding port 80 then they can't get there anyway. Or you can firewall port 80 from the outside and allow local access only, but like I said there is no way to get there from the outside without the router forwarding the port anyway. VPN that is forwarded to the webserver or another system on the LAN would be the same as being on the webserver or LAN so it would be granted access.
Last edited by DavidPhillips; 04-05-2004 at 06:56 AM.
You can probably make the html files and pictures in there 440 and owner.group root.apache or whatever user it runs on.
It really depends on what all you have in there, and how the server is set up. Make a backup of the entire tree before changing things.
OK, great, thanks.
Now how do I go about setting the root.apache or owner.group, is that chown?
Just using root atm. Only have 2 accounts on my MDK system, root and me.
Only things running on that site are basic HTML, some MPEGs, and some JPGs along with a handful of PDF files that over time I hope to replace with HTML for the most part.
In your httpd.conf file there is a spot for owner and group. Create another user and give him NO privileges in your system except for the sole purpose of running your website (part of this is in the .conf file which I mentioned above). Also change the www folder and all subdirectories and make him the owner and group. Give him read only access to everything except for the logs which he needs write permission to. You can also give him write permission on your www directory but then if someone hacks you with the webowner's account he can hack your website also. Just change to root if you need to add anything and change the permissions on the file as soon as it's moved.
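The ownership and permission change described in the replies above, written out as an added example that is not part of the thread. It follows the root.apache / 440 suggestion and reads the group from the `User`/`Group` lines in httpd.conf; the function names, the sample config and the temporary tree are constructed for illustration, and GNU `find`/`stat` are assumed.

```shell
#!/bin/sh
# run_as CONF -> "user:group" from the User and Group directives in httpd.conf
# (directive names are case-insensitive; commented-out lines are ignored)
run_as() {
    awk 'tolower($1)=="user"{u=$2} tolower($1)=="group"{g=$2} END{print u ":" g}' "$1"
}

# harden_docroot DIR [OWNER:GROUP]
#   directories -> 750 (a directory needs the x bit to be entered; 440 would break it)
#   files       -> 440 (read-only for owner and group, nothing for everyone else)
harden_docroot() {
    docroot=$1
    owner_group=${2:-}
    [ -d "$docroot" ] || { echo "not a directory: $docroot" >&2; return 1; }
    # Changing ownership needs root, so it is only done when asked for.
    if [ -n "$owner_group" ]; then
        chown -R "$owner_group" "$docroot" || return 1
    fi
    find "$docroot" -type d -exec chmod 750 {} + || return 1
    find "$docroot" -type f -exec chmod 440 {} + || return 1
}

# mode_of PATH -> octal permission bits, e.g. 440
mode_of() { stat -c '%a' "$1"; }

# count_loose DIR -> entries that still grant any permission to "others"
count_loose() { find "$1" -perm /007 | wc -l | tr -d ' '; }

# Demo on a constructed tree standing in for /var/www/html (no root needed)
demo() {
    tree=$(mktemp -d) || return 1
    mkdir -p "$tree/img"
    echo '<html></html>' > "$tree/index.html"
    echo 'jpg' > "$tree/img/photo.jpg"
    chmod 755 "$tree" "$tree/img"
    chmod 644 "$tree/index.html" "$tree/img/photo.jpg"
    harden_docroot "$tree" || return 1
    echo "dir=$(mode_of "$tree/img") file=$(mode_of "$tree/index.html") loose=$(count_loose "$tree")"
    rm -rf "$tree"
}
demo

# On the real server, as root, after backing up the tree
# (assumed path and group; check them with run_as on your own httpd.conf):
#   harden_docroot /var/www/html root:apache
```

With owner root and the server's group on the tree, Apache can read the content through the group bits but a compromised web process cannot rewrite it.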
Originally posted by InEeDhElPlInUx:
In your httpd.conf file there is a spot for owner and group. Create another user and give him NO privileges in your system except for the sole purpose of running your website (part of this is in the .conf file which I mentioned above). Also change the www folder and all subdirectories and make him the owner and group. Give him read only access to everything except for the logs which he needs write permission to. You can also give him write permission on your www directory but then if someone hacks you with the webowner's account he can hack your website also. Just change to root if you need to add anything and change the permissions on the file as soon as it's moved.
Thank you, now could you step by step that for me.
I think I know how to make a new user in *nix, but am not 100% on how to assign overall permissions to an account.
No matter who the owner is of a dir or file the root always can make changes yes and override the owner?
Thanks. I'll mess around with that after I recover from MDK10 update killing my system. Had to blow it away and now having to recover all my code for my URL.
After the update my Apache died, my system no longer acknowledges that I have a CDRW in it so I had no way of backing up the current code of my site. Have the old code on CD so I'm in the process of recovering the code, cleaning it up, then updating it so it will run like it is supposed to.