Most secure web server

Geoff
External


Since: Jan 06, 2007
Posts: 2



Posted: Sat Jan 06, 2007 10:55 am    Post subject: Most secure web server
Archived from groups: comp>os>linux>security

Hi!

Does anyone have any advice in choosing the most secure web server
possible? Apache is often used, but has many features which are not
needed. Being heavy-weight is more likely to introduce exploits. What
do you think of any alternatives to apache or am I wrong to think this
about Apache?

Thanks!
Geoff
Ken Sims
External


Since: Sep 24, 2006
Posts: 13



Posted: Sat Jan 06, 2007 3:38 pm    Post subject: Re: Most secure web server

Hi Geoff -

On 6 Jan 2007 05:55:40 -0800, "Geoff" wrote:

>Does anyone have any advice in choosing the most secure web server
>possible? Apache is often used, but has many features which are not
>needed. Being heavy-weight is more likely to introduce exploits. What
>do you think of any alternatives to apache or am I wrong to think this
>about Apache?

Don't load the Apache modules for functions/features that you don't
use.

For example, I don't use any proxy features so I don't load the proxy
modules. That way if there are any security holes in the proxy
modules, my server is not vulnerable to them.

--
Ken
http://www.kensims.net/
notbob
External


Since: Jun 08, 2004
Posts: 857



Posted: Sat Jan 06, 2007 4:29 pm    Post subject: Re: Most secure web server

On 2007-01-06, Geoff wrote:
> Hi!
>
> Does anyone have any advice in choosing the most secure web server
> possible? Apache is often used, but has many features which are not
> needed. Being heavy-weight is more likely to introduce exploits. What
> do you think of any alternatives to apache or am I wrong to think this
> about Apache?

I recall reading that OpenBSD takes Apache and does their usual code
audit and they made over a hundred changes because they also were not
happy with Apache's security. Unfortunately, I can no longer find
that cite.

nb
Ertugrul Soeylemez
External


Since: Nov 03, 2005
Posts: 271



Posted: Sun Jan 07, 2007 7:45 am    Post subject: Re: Most secure web server

"Geoff" (07-01-06 05:55:40):

> Does anyone have any advice in choosing the most secure web server
> possible? Apache is often used, but has many features which are not
> needed. Being heavy-weight is more likely to introduce exploits. What
> do you think of any alternatives to apache or am I wrong to think this
> about Apache?

The Apache core itself is just a simple implementation of HTTP, a
configuration parser, and a server socket (maybe a few more things).
Even multitasking is a separate feature. So take Ken's advice, and
don't load modules for features you don't need.


Regards,
E.S.
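
Added example (not written by any poster in this thread): a small Python audit of the advice in Ken's and Ertugrul's posts above. It lists the active LoadModule directives in an Apache config and flags those outside a per-site allowlist. The config fragment and the NEEDED allowlist are constructed for illustration.

```python
import re

# Constructed sample httpd.conf fragment (not taken from the thread).
SAMPLE_CONF = """\
LoadModule mime_module modules/mod_mime.so
LoadModule dir_module modules/mod_dir.so
loadmodule proxy_module modules/mod_proxy.so
LoadModule proxy_http_module \\
    modules/mod_proxy_http.so
#LoadModule status_module modules/mod_status.so
LoadModule log_config_module modules/mod_log_config.so
<IfDefine SSL>
  LoadModule ssl_module modules/mod_ssl.so
</IfDefine>
"""

# Hypothetical allowlist: the modules this particular site actually uses.
NEEDED = {"mime_module", "dir_module", "log_config_module", "ssl_module"}
LOADMODULE = re.compile(r"^\s*LoadModule\s+(\S+)\s+(\S+)", re.IGNORECASE)

def logical_lines(text):
    """Yield config lines with trailing-backslash continuations joined."""
    pending = ""
    for raw in text.splitlines():
        if raw.endswith("\\"):
            pending += raw[:-1] + " "
            continue
        yield pending + raw
        pending = ""

def loaded_modules(text):
    """Return {module_id: path} for each active LoadModule directive.
    Directive names are case-insensitive; '#' lines never match.
    Modules inside <IfDefine>/<IfModule> are counted as loaded (conservative)."""
    found = {}
    for line in logical_lines(text):
        m = LOADMODULE.match(line)
        if m:
            found[m.group(1)] = m.group(2)
    return found

def audit(text, needed):
    """Return (loaded but not needed, needed but not loaded), both sorted."""
    loaded = set(loaded_modules(text))
    return sorted(loaded - needed), sorted(needed - loaded)

if __name__ == "__main__":
    print(audit(SAMPLE_CONF, NEEDED))
```

A config scan only sees modules loaded through LoadModule; on a live server, `httpd -M` also lists modules compiled statically into the binary.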
Geoff
External


Since: Jan 06, 2007
Posts: 2



Posted: Sun Jan 07, 2007 11:27 am    Post subject: Re: Most secure web server

Thanks for the advice guys!

On Jan 7, 1:45 am, Ertugrul Soeylemez wrote:
> "Geoff" (07-01-06 05:55:40):
>
> > Does anyone have any advice in choosing the most secure web server
> > possible? Apache is often used, but has many features which are not
> > needed. Being heavy-weight is more likely to introduce exploits. What
> > do you think of any alternatives to apache or am I wrong to think this
> > about Apache?
>
> The Apache core itself is just a simple implementation of HTTP, a
> configuration parser, and a server socket (maybe a few more things).
> Even multitasking is a separate feature. So take Ken's advice, and
> don't load modules for features you don't need.
>
> Regards,
> E.S.
John Smith
External


Since: Jan 07, 2007
Posts: 1



Posted: Sun Jan 07, 2007 7:37 pm    Post subject: Re: Most secure web server

notbob wrote:

>On 2007-01-06, Geoff wrote:
>> Hi!
>>
>> Does anyone have any advice in choosing the most secure web server
>> possible? Apache is often used, but has many features which are not
>> needed. Being heavy-weight is more likely to introduce exploits. What
>> do you think of any alternatives to apache or am I wrong to think this
>> about Apache?
>
>I recall reading that OpenBSD takes Apache and does their usual code
>audit and they made over a hundred changes because they also were not
>happy with Apache's security. Unfortunately, I can no longer find
>that cite.
>
>nb

The OpenBSD site is www.openbsd.org; Apache is the default web server
included in the base system. OpenBSD is BSD Unix, not Linux. You can
download OpenBSD from the site or buy the CDs.

J Smith @ Microsoft @ CO @ UK
E-mails may be blocked; post replies to newsgroups.
Nico
External


Since: Dec 08, 2006
Posts: 55



Posted: Tue Jan 09, 2007 5:09 am    Post subject: Re: Most secure web server

Geoff wrote:
> Thanks for the advice guys!
>
> On Jan 7, 1:45 am, Ertugrul Soeylemez wrote:
> > "Geoff" (07-01-06 05:55:40):
> >
> > > Does anyone have any advice in choosing the most secure web server
> > > possible? Apache is often used, but has many features which are not
> > > needed. Being heavy-weight is more likely to introduce exploits. What
> > > do you think of any alternatives to apache or am I wrong to think this
> > > about Apache?
> >
> > The Apache core itself is just a simple implementation of HTTP, a
> > configuration parser, and a server socket (maybe a few more things).
> > Even multitasking is a separate feature. So take Ken's advice, and
> > don't load modules for features you don't need.

A lot has been left out: Apache is fully featured: there are tools
available for all sorts of things which you may not need (such as PHP
and MySQL) and for things that are very useful for security (such as
SSL, and local Kerberos authentication). Using a good webserver is not
enough to be secure: I highly recommend going over what you need with
someone comfortable with your particular server to walk you through the
booby traps.
Ertugrul Soeylemez
External


Since: Nov 03, 2005
Posts: 271



Posted: Wed Jan 10, 2007 3:58 pm    Post subject: Re: Most secure web server

"Nico" (07-01-09 00:09:31):

> > > > Does anyone have any advice in choosing the most secure web
> > > > server possible? Apache is often used, but has many features
> > > > which are not needed. Being heavy-weight is more likely to
> > > > introduce exploits. What do you think of any alternatives to
> > > > apache or am I wrong to think this about Apache?
> > >
> > > The Apache core itself is just a simple implementation of HTTP, a
> > > configuration parser, and a server socket (maybe a few more
> > > things). Even multitasking is a separate feature. So take Ken's
> > > advice, and don't load modules for features you don't need.
>
> A lot has been left out: Apache is fully featured: there are tools
> available for all sorts of things which you may not need (such as PHP
> and MySQL) and for things that are very useful for security (such as
> SSL, and local Kerberos authentication). Using a good webserver is not
> enough to be secure: I highly recommend going over what you need with
> someone comfortable with your particular server to walk you through
> the booby traps.

You're talking about security and PHP in the same paragraph, and you're
completely missing the point.


Regards,
E.S.