From mboxrd@z Thu Jan 1 00:00:00 1970 Received: from lists.gentoo.org ([140.105.134.102] helo=robin.gentoo.org) by nuthatch.gentoo.org with esmtp (Exim 4.60) (envelope-from ) id 1GD6QB-000479-OT for garchives@archives.gentoo.org; Tue, 15 Aug 2006 21:26:00 +0000 Received: from robin.gentoo.org (localhost [127.0.0.1]) by robin.gentoo.org (8.13.7/8.13.6) with SMTP id k7FLNq7D019316; Tue, 15 Aug 2006 21:23:52 GMT Received: from smtp.gentoo.org (smtp.gentoo.org [140.211.166.183]) by robin.gentoo.org (8.13.7/8.13.6) with ESMTP id k7FLLnLg014560 for ; Tue, 15 Aug 2006 21:21:49 GMT Received: from localhost (localhost [127.0.0.1]) by smtp.gentoo.org (Postfix) with ESMTP id 396EE6413C for ; Tue, 15 Aug 2006 21:21:48 +0000 (UTC) Received: from smtp.gentoo.org ([127.0.0.1]) by localhost (smtp.gentoo.org [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 22610-04 for ; Tue, 15 Aug 2006 21:21:39 +0000 (UTC) Received: from ciao.gmane.org (main.gmane.org [80.91.229.2]) (using TLSv1 with cipher AES256-SHA (256/256 bits)) (No client certificate requested) by smtp.gentoo.org (Postfix) with ESMTP id A024364837 for ; Tue, 15 Aug 2006 21:21:37 +0000 (UTC) Received: from list by ciao.gmane.org with local (Exim 4.43) id 1GD6KF-00046f-9w for gentoo-user@gentoo.org; Tue, 15 Aug 2006 23:19:51 +0200 Received: from www.buffer.net ([24.73.161.102]) by main.gmane.org with esmtp (Gmexim 0.1 (Debian)) id 1AlnuQ-0007hv-00 for ; Tue, 15 Aug 2006 23:19:51 +0200 Received: from wireless by www.buffer.net with local (Gmexim 0.1 (Debian)) id 1AlnuQ-0007hv-00 for ; Tue, 15 Aug 2006 23:19:51 +0200 X-Injected-Via-Gmane: http://gmane.org/ To: gentoo-user@lists.gentoo.org From: James Subject: [gentoo-user] Securing Apache2 Date: Tue, 15 Aug 2006 21:19:22 +0000 (UTC) Message-ID: Precedence: bulk List-Post: List-Help: List-Unsubscribe: List-Subscribe: List-Id: Gentoo Linux mail X-BeenThere: gentoo-user@gentoo.org Reply-to: gentoo-user@lists.gentoo.org Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit X-Complaints-To: usenet@sea.gmane.org X-Gmane-NNTP-Posting-Host: main.gmane.org User-Agent: Loom/3.14 (http://gmane.org/) X-Loom-IP: 24.73.161.102 (Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7.13) Gecko/20060616) Sender: news X-Virus-Scanned: amavisd-new at gentoo.org X-Spam-Status: No, score=-2.573 required=5.5 tests=[AWL=0.026, BAYES_00=-2.599] X-Spam-Score: -2.573 X-Spam-Level: X-Archives-Salt: a44d3aad-b67f-406b-9e06-c25f01f4fca7 X-Archives-Hash: 042815fb56bb7ee6dc0ea84ed41b83d6 Hello, I've got (2.0.58-r2) installed and running. It displays a simple html web page just fine. It been quite a few years since I've been tagged with managing a web server... Anyway, I've found lots of URLs, some listed at the end of this message. I've also looked in /usr/portage/net-www and noticed lots of mod_* packages. I'm trying to use the security featues of apache2 without chrooting (I'm not even sure chrooting apache2 is necessary for good-to-strong web security? Is there a wiki or docs or suggestions as to which modules provide good web security in addition to mod_security? Here's what I need. Environment Mulitple domain names (around 20) on a single IP address (One machine) The Single (Static) IP address is allocated to the firewall. which currently successfully passes bidirectional port 80 traffic to/from the DMZ based apache2 web server. Java, php5, perl, mysql All web developers behind the firewall mod_security is installed When I look in //etc/apache2/apache2-builtin-mods I do not see any modules which are related to security, except mod_auth* and mod_secruity. Furthermore, I followed the emerge instructions and added this to my /etc/conf.d/apache2 file: Again, I'm not having trouble getting this to work, I'm just looking for a concise document/wiki/example on security for this sort of web server configuration. If not, then maybe a doc/wiki/example on setting up a minimalistic apache2 web server with good security. Then I could go on adding the languages/features to an apache2 web server, and incrementally test the web server for security as languages/features are added. Maybe using 'nikto' or anyother suggested tools for web-server security scanning.....? Maybe I should keep thg web server offline until scans from nikto are clean? http://gentoo-wiki.com/Apache_Modules_mod_security http://gentoo-wiki.com/Apache2_Install http://localhost/manual/ http://www.gentoo.org/doc/en/apache-troubleshooting.xml http://www.modsecurity.org/documentation/quick-examples.html James -- gentoo-user@gentoo.org mailing list