
Setting up Secure Web Server

 
SOLVED
Kyle D. Harris
Regular Advisor

Setting up Secure Web Server

I have installed the RPM packages for the Secure Web Server. I did this to take care of a vulnerability (HTTP directory listing) in which the server will return a directory listing.

Anyway, after installing, I guess I'm supposed to set up the Web Server so that it is not in automatic directory listing mode.

Can anybody explain how to set that up? The more "detail" the better. I'm fairly new to Linux. PS. I have 8.0 Redhat.
Mark Grant
Honored Contributor
Solution

Re: Setting up Secure Web Server

Kyle,

There's no stopping you, is there! One minute you are starting out, the next minute you are trying to set up a secure web server. Next we'll be seeing you sporting an Olympian's ITRC hat, no doubt!

I guess the web server is apache and I wonder if you have ever been to the following link which will provide you with more documentation than you can shake a stick at.

http://httpd.apache.org/
Never precede any demonstration with anything more predictive than "watch this"
Steven E. Protter
Exalted Contributor

Re: Setting up Secure Web Server

Apache is the most widely used web server. It didn't get its name from the Indian tribe, however; it was a play on the word patch.

It is a heavily patched, securable web server.

Your specific issues can all be handled in the httpd.conf file.

You can set the DocumentRoot directive to a location that you find is secure and have the permissions locked down on.

The best idea in this regard is not to have root own that directory. You are better off from the security standpoint to let the apache user own the binaries and another unprivileged user own the directory and sub documents and directories below the DocumentRoot directory.

Permissions need to be universal read. Do not give users outside your group of web content users any other access. You may need execute access on the directory, but not with Linux.

There are other directives in httpd.conf to be concerned with.

Alias /hello/ "/home/webman/htdocs/"

This sets up a subdirectory of the main server http://servername/hello and that location can be totally different than the DocumentRoot.

So you have lots and lots of things to think about.

The Bastille security utility has a semi automated tool to put the httpd server in a chroot jail. This limits access and if someone exploits a flaw in apache, they won't get root access.

Any app that uses a port below 1024 on a Unix or Linux server requires special access be granted. That is root's backyard and should not be given over to other users lightly.

SEP
Steven E Protter
Owner of ISN Corporation
http://isnamerica.com
http://hpuxconsulting.com
Sponsor: http://hpux.ws
Twitter: http://twitter.com/hpuxlinux
Founder http://newdatacloud.com
Kyle D. Harris
Regular Advisor

Re: Setting up Secure Web Server

Haha Mark. No, I won't ever have a Hat or crown (unless it's crown royale). I try to learn but don't know too much. I'm 21 and all the partying slows my brain.

Yes, it is Apache.

Thanks to you both.
Stuart Browne
Honored Contributor

Re: Setting up Secure Web Server

Don't let age or partying stop ya Kyle! I'm only 26 here! Yea, ok 5 years means I'm getting to be an old man... *ducks from the things thrown from others* but still! :)

As for the secure web server, assuming you just installed the RedHat httpd RPMs, there should be one configured by default.

The default for an RH8 RPM of Apache 2.0's webserver for SSL configuration is in "/etc/httpd/conf.d/ssl.conf".

It states that the DocumentRoot (where the files go) is '/var/www/html/' (which is the same for the non-secure server).

Whilst this makes life easy, it's not terribly secure. This should be changed to its own discrete path.

Other than that, all the stuff that SEP and Mark said is good ;)
One long-haired git at your service...
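
Added example, not part of any reply in this thread: the directory listing the question asks about is controlled by the Indexes keyword of Apache's Options directive, and this Python sketch flags <Directory> blocks whose own Options line turns it on. The two config snippets are constructed samples (using the paths mentioned in the replies), the function names are hypothetical, and each block is judged on its own without modelling inheritance from parent directories or .htaccess overrides.

```python
import re

# Constructed sample: listing enabled for the DocumentRoot and the aliased dir.
WEAK = '''
DocumentRoot "/var/www/html"
<Directory "/var/www/html">
    Options Indexes FollowSymLinks
    AllowOverride None
</Directory>
Alias /hello/ "/home/webman/htdocs/"
<Directory "/home/webman/htdocs">
    Options All
</Directory>
'''

# Constructed sample: same layout with automatic listing switched off.
HARDENED = '''
DocumentRoot "/var/www/html"
<Directory "/var/www/html">
    Options FollowSymLinks
    AllowOverride None
</Directory>
Alias /hello/ "/home/webman/htdocs/"
<Directory "/home/webman/htdocs">
    Options -Indexes
</Directory>
'''

DIR_RE = re.compile(r'<Directory\s+"?([^">]+)"?\s*>(.*?)</Directory>', re.S | re.I)
OPT_RE = re.compile(r'^\s*Options\s+(.+)$', re.M | re.I)  # skips '#' comment lines

def listing_enabled(option_lines):
    """True if the Options lines of one block leave Indexes switched on."""
    on = False
    for line in option_lines:
        toks = line.split()
        if not all(t[0] in '+-' for t in toks):
            on = False  # a line without +/- prefixes replaces earlier settings
        for t in toks:
            if t.lstrip('+-').lower() in ('indexes', 'all'):  # All includes Indexes
                on = not t.startswith('-')
    return on

def dirs_with_listing(conf):
    """Return the <Directory> paths whose own Options enable Indexes."""
    return [path for path, body in DIR_RE.findall(conf)
            if listing_enabled(OPT_RE.findall(body))]

if __name__ == '__main__':
    print('weak:', dirs_with_listing(WEAK))
    print('hardened:', dirs_with_listing(HARDENED))
```

After editing the real httpd.conf or ssl.conf, `apachectl configtest` checks the syntax before the server is restarted.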