"Jay O'Brien" <jayobrien@xxxxxxx> writes:

> I have apache 1.3.33 running on a FreeBSD machine, behind a Linksys
> BEFSR41 firewall that has port 80, and only port 80, opened to the
> FreeBSD box. The Win XP Pro machines on the same LAN can access the
> FreeBSD machine via ftp but as only port 80 is open to the internet,
> no one else can get to the FreeBSD machine except via Port 80.
>
> What should I do to handle security issues? Am I open to hacking in
> any way?

Keep your Apache and FreeBSD up-to-date, installing any security updates from your vendor.

More importantly, be very careful what Web applications you install; make sure they have an excellent security record, and audit them carefully for a secure coding style.

If you write your own, make sure you write them very carefully, and have another person review the code for security flaws. Think hard about how people could cause your applications to misbehave, and make it impossible. Code defensively, and use language features to help you (like perl's taint mode). Make sure your code isn't vulnerable to cross-site scripting attacks. Learn about attacks on other applications, and make sure your script isn't vulnerable to them. If you don't have anybody available who is a security expert, take some time to learn about secure coding practices, or hire an expert to audit your code.

Tools like mod_chroot and BSD jails can also help limit the damage that a breakin can cause.

----ScottG.

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@xxxxxxxxxxxxxxxx
   "   from the digest: users-digest-unsubscribe@xxxxxxxxxxxxxxxx
For additional commands, e-mail: users-help@xxxxxxxxxxxxxxxx
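As an added illustration of the two points in Scott's reply (perl's taint mode and escaping output against cross-site scripting), here is a small CGI script written for this page; it is not code from the thread or from the Apache project. It assumes a hypothetical report directory /usr/local/www/reports/, a query string of the form report=NAME&note=TEXT, and Apache executing it via the #! line so that -T takes effect (running it as "perl script.pl" without -T gives "Too late for -T").

```perl
#!/usr/bin/perl -T
# Added example, not from the original thread. Under taint mode (-T) perl
# marks every value that came from outside the program (CGI parameters,
# %ENV, file contents) as tainted and dies if such a value reaches anything
# that changes the outside world (system/exec, open for writing, unlink...).
# The only sanctioned way to untaint is to extract the value through a
# regex capture, which forces you to state exactly what you will accept.
use strict;
use warnings;

# %ENV is tainted too; a script that never runs external programs can
# simply neutralise the variables a sub-shell would honour (see perlsec).
$ENV{PATH} = '';
delete @ENV{qw(IFS CDPATH ENV BASH_ENV)};

# Escape text for insertion into an HTML body. Echoing user input without
# this is the classic cross-site scripting hole.
sub html_escape {
    my ($s) = @_;
    $s =~ s/&/&amp;/g;
    $s =~ s/</&lt;/g;
    $s =~ s/>/&gt;/g;
    $s =~ s/"/&quot;/g;
    $s =~ s/'/&#39;/g;
    return $s;
}

# Untaint the report name with a strict whitelist: letters, digits, '_', '-',
# 1..32 characters. This also rules out "../" path traversal. Anything
# else is rejected outright rather than "cleaned".
sub untaint_report_name {
    my ($raw) = @_;
    return undef unless defined $raw;
    return $1 if $raw =~ /\A([A-Za-z0-9_-]{1,32})\z/;   # $1 is untainted
    return undef;
}

# Minimal query-string parser so the example needs no extra modules.
# Assumed input, e.g. "report=jan-2005&note=%3Cb%3Ehi%3C%2Fb%3E".
sub parse_query {
    my ($qs) = @_;
    my %param;
    for my $pair (split /[&;]/, defined $qs ? $qs : '') {
        my ($k, $v) = split /=/, $pair, 2;
        next unless defined $k && length $k;
        for ($k, $v) {                      # $_ aliases $k, then $v
            next unless defined;
            tr/+/ /;
            s/%([0-9A-Fa-f]{2})/chr hex $1/ge;
        }
        $param{$k} = defined $v ? $v : '';
    }
    return \%param;
}

my $p      = parse_query($ENV{QUERY_STRING});
my $report = untaint_report_name($p->{report});

print "Content-Type: text/html; charset=us-ascii\r\n\r\n";
print "<html><body>\n";

if (defined $report) {
    # Hypothetical report directory. Because $report was whitelisted, the
    # path cannot escape this directory; had it stayed tainted, taint mode
    # would still allow a read-only open but would refuse a write or exec.
    my $path = "/usr/local/www/reports/$report.txt";
    if (open my $fh, '<', $path) {
        print "<h1>", html_escape($report), "</h1>\n<pre>";
        while (my $line = <$fh>) { print html_escape($line); }
        print "</pre>\n";
        close $fh;
    } else {
        print "<p>No such report.</p>\n";
    }
} else {
    print "<p>Invalid or missing report name.</p>\n";
}

# Free text is only ever displayed, and always escaped, so a note of
# "<script>alert(1)</script>" arrives in the browser as literal text.
my $note = defined $p->{note} ? $p->{note} : '';
print "<p>Note: ", html_escape($note), "</p>\n";
print "</body></html>\n";
```

Two habits shown here carry over to any language: decide what input is allowed and reject everything else (a whitelist, not a blacklist of "bad" characters), and escape on output for the context the data lands in. Taint mode does not find those bugs for you; it turns a forgotten check into a fatal error at the point where tainted data would have reached the filesystem or a shell, which is exactly the kind of "make it impossible" safety net the reply recommends.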