Default Apache Security

billy_gates:
Are the default security settings in Apache and the overall system "safe" in Red Hat? Also, what is the best ownership user and permissions to set on the files and folders for the web server?

TheQuirk:
744 for static, 755 for "dynamic" pages.

Read this (it's mostly performance oriented, but it has a few security things in there. You should apply a lot of that stuff, though): http://php.weblogs.com/tuning_apache_unix

voidmain:
It is safe if you have your system up to date with all the updates. And of course if you don't have a separate firewall you'll want to either configure the Linux firewall and turn off all services that are not in use. The rest depends on your content. As far as directory permissions go, you usually don't want the user that Apache runs under (usually a user named "apache" or "nobody") to be able to write to anything on your system. I should say "as little as possible" as there may be occasions when you'll need to set up an area that Apache can write to, just keep it separate. And a default install of Red Hat will have the permissions properly set on all system areas.

You should search for web developer documentation out on the net that specifically discusses security. Also you might want to browse through the Apache web site, they should have some security information. Basically the default install + updates is secure. When you start configuring it above default and adding your own content is where your security may drop depending on how much you know about security.

voidmain:

quote:Originally posted by TheQuirk:
744 for static, 755 for "dynamic" pages.

--- End quote ---


Sorry but I have to disagree with the above. You do not want to set any files executable unless they need to be (CGI programs and directories are two things that need to be executable. Files with SSI using the Apache XBit Hack are another example. HTML and PHP scripts should not be set executable). And the above would definitely be wrong if the files are owned by the apache user, except for special cases.

[ January 16, 2003: Message edited by: void main ]
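An added example, not part of any post in this thread: a shell function that audits a web root for the three conditions discussed above (execute bits on files that are not CGI programs, content owned by the account Apache runs as, and world-writable paths). The account name `apache` and the convention that CGI programs live in directories named `cgi-bin` are assumptions; adjust both to match your configuration.

```shell
#!/bin/sh
# Added example: audit a document root's ownership and permission bits.
# Assumptions: the Apache account defaults to "apache", and CGI programs
# live in directories named cgi-bin (match this to your ScriptAlias).

audit_docroot() {
    docroot=$1
    apache_user=${2:-apache}   # a user name or a numeric uid

    # Regular files with any execute bit set, skipping cgi-bin directories.
    # HTML and PHP files do not need the bit. Files that rely on XBitHack
    # for SSI will be listed too and need a manual decision.
    find "$docroot" -type d -name cgi-bin -prune -o \
        -type f \( -perm -100 -o -perm -010 -o -perm -001 \) -print |
        sed 's/^/EXEC /'

    # Anything owned by the account Apache runs as: the server process
    # can modify it or change its mode regardless of the write bits.
    find "$docroot" -user "$apache_user" -print | sed 's/^/OWNED /'

    # Anything writable by "other", which includes the Apache account.
    # Symlinks are skipped because their mode bits are not meaningful.
    find "$docroot" ! -type l -perm -002 -print | sed 's/^/WORLD-WRITABLE /'
}

# Stand-alone use: sh audit.sh /var/www/html apache
if [ "$#" -gt 0 ]; then
    audit_docroot "$@"
fi
```

An empty report means no file outside `cgi-bin` is executable, nothing is owned by the Apache account, and nothing is world-writable. A deliberate upload area will appear in the report; that is the "keep it separate" case from the earlier post.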

TheQuirk:
Uhh, that's what I meant by dynamic.

Edit: never mind, I get it. So shoot me.

[ January 16, 2003: Message edited by: TheQuirk ]
