Re: [users@httpd] recommendations for checking website security holes?

Aman Raheja wrote:
2.0.53 is indeed the latest version, with fixes for known vulnerabilities.
The security depends on what you are using, so you might want to check, per enabled module, what security threats you might face. For example, if you have CGI enabled, it depends a lot on the programmers to ensure security, since the programs might be prone to buffer overflows. You might want to check for cross-site scripting and other known web security issues. I would start looking in Google with keywords like "web security", "apache security", and the like to find more info. The Apache docs also have security info: http://httpd.apache.org/docs-2.0/misc/security_tips.html
HTH
- Aman Raheja

Pete Eakle wrote:

Sorry, I forgot to mention this.  We will be running on Fedora Linux,
Core 2, and Apache 2.0.53.  I believe we installed the latest Apache,
so I don't know if the 'updates in place' issue will apply to us yet.


You might want to check (as a base) for some stuff like:

- Apache/PHP at the latest version
- (optional) PHP running with safe_mode on
- PHP running with register_globals off
- (optional) have SELinux enabled and enforcing
- /tmp, /var/tmp, /dev/shm and other temp dirs mounted with noexec
- A firewall permitting only new and established packets, and having syncookies enabled
- Sometimes it is nice to "hide" the versions of your programs. This won't make your box unhackable, but it will bore some script kiddies, as they don't know what they are messing with
- Try to use chrooted and suexec'd services... but that is kind of complex sometimes
and so on.
---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@xxxxxxxxxxxxxxxx
  "   from the digest: users-digest-unsubscribe@xxxxxxxxxxxxxxxx
For additional commands, e-mail: users-help@xxxxxxxxxxxxxxxx
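The checklist in the reply above is a set of host settings that can be verified mechanically. The following POSIX shell script is an added example (not code from the thread or from the Apache project) that audits several of those items against configuration files handed to it as parameters: register_globals and safe_mode in php.ini, whether the temp directories are mounted noexec, whether tcp_syncookies is on, and whether SELinux is enforcing. For the "hide versions" item it checks the real Apache directives ServerTokens Prod / ServerSignature Off and the PHP setting expose_php; those directives, the file paths named in the comments and the sample files built by `demo` are this example's assumptions, not something the thread specifies.

```shell
#!/bin/sh
# Constructed hardening-audit example; not code from the mailing-list thread.
# Every check takes its input as a file parameter so it can run against the
# constructed samples in demo() or against a real host, e.g. /etc/php.ini,
# /etc/httpd/conf/httpd.conf, the saved output of `mount`,
# /proc/sys/net/ipv4/tcp_syncookies and /sys/fs/selinux/enforce
# (/selinux/enforce on older Fedora kernels).

# php_ini_check FILE DIRECTIVE EXPECTED
# Succeeds when the last uncommented "DIRECTIVE = value" line in FILE has the
# value EXPECTED (case-insensitive). Lines starting with ';' are comments.
php_ini_check() {
    value=$(grep -i "^[[:space:]]*$2[[:space:]]*=" "$1" 2>/dev/null |
        tail -n 1 | cut -d= -f2 | tr -d ' \t\r' | tr 'A-Z' 'a-z')
    [ "$value" = "$3" ]
}

# apache_tokens_check FILE
# Succeeds when FILE sets both "ServerTokens Prod" and "ServerSignature Off",
# so the Server header and generated error pages stop revealing versions.
apache_tokens_check() {
    grep -iq '^[[:space:]]*ServerTokens[[:space:]][[:space:]]*Prod' "$1" &&
    grep -iq '^[[:space:]]*ServerSignature[[:space:]][[:space:]]*Off' "$1"
}

# mount_noexec_check MOUNT_OUTPUT DIR
# Succeeds when the line for DIR in saved `mount` output lists noexec.
# Expected line shape: "tmpfs on /tmp type tmpfs (rw,nosuid,nodev,noexec)"
mount_noexec_check() {
    grep "^[^ ]* on $2 type " "$1" | grep -q 'noexec'
}

# flag_file_check FILE
# Succeeds when FILE holds the single value 1 (tcp_syncookies, SELinux enforce).
flag_file_check() {
    [ "$(tr -d ' \n' < "$1" 2>/dev/null)" = "1" ]
}

# audit_host PHP_INI HTTPD_CONF MOUNT_OUTPUT SYNCOOKIES_FILE SELINUX_FILE
# Prints one PASS/FAIL line per check and returns the number of failed checks.
audit_host() {
    fails=0
    check() { # check LABEL COMMAND ARGS...
        label=$1; shift
        if "$@"; then echo "PASS  $label"; else echo "FAIL  $label"; fails=$((fails + 1)); fi
    }
    check "php register_globals = Off"    php_ini_check "$1" register_globals off
    check "php safe_mode = On (optional)" php_ini_check "$1" safe_mode on
    check "php expose_php = Off"          php_ini_check "$1" expose_php off
    check "Apache ServerTokens Prod / ServerSignature Off" apache_tokens_check "$2"
    for d in /tmp /var/tmp /dev/shm; do
        check "$d mounted noexec" mount_noexec_check "$3" "$d"
    done
    check "tcp_syncookies = 1" flag_file_check "$4"
    check "SELinux enforcing"  flag_file_check "$5"
    return "$fails"
}

# demo: builds constructed sample files for a partially hardened host
# (expose_php still on, /var/tmp without noexec, SELinux permissive) and audits them.
demo() {
    tmp=$(mktemp -d)
    printf '; constructed php.ini\nregister_globals = Off\nsafe_mode = On\nexpose_php = On\n' > "$tmp/php.ini"
    printf 'ServerTokens Prod\nServerSignature Off\n' > "$tmp/httpd.conf"
    printf 'tmpfs on /tmp type tmpfs (rw,nosuid,nodev,noexec)\n/dev/sda2 on /var/tmp type ext3 (rw)\ntmpfs on /dev/shm type tmpfs (rw,noexec)\n' > "$tmp/mount.txt"
    printf '1\n' > "$tmp/syncookies"
    printf '0\n' > "$tmp/enforce"
    audit_host "$tmp/php.ini" "$tmp/httpd.conf" "$tmp/mount.txt" "$tmp/syncookies" "$tmp/enforce" ||
        echo "$? check(s) failed"
    rm -rf "$tmp"
}
demo
```

On a live host you would call `audit_host /etc/php.ini /etc/httpd/conf/httpd.conf <(mount) /proc/sys/net/ipv4/tcp_syncookies /sys/fs/selinux/enforce` (or save `mount` output to a file for a strictly POSIX shell); the firewall rule and the chroot/suexec items from the list are not covered, since they depend on the specific iptables ruleset and service layout rather than a single configuration value.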