Difference between revisions of "SRA840 Lab9"

From CDOT Wiki
Latest revision as of 16:02, 15 April 2009

Mohak

* Did you have any problems with configuring Apache to be more secure? If you did, then how did you resolve them?

I used Apache 2.0. This link discusses security tips for Apache version 2.0. There are step-by-step instructions, and they are easy to understand. I followed the link and the security tips discussed on the page and did not have any problems installing them.

* Did you have any problems with configuring PHP+Apache to be more secure? If you did, then how did you resolve them?

I could not follow all the instructions and suggestions given in the book because of a lack of time and problems in my VirtualBox.

* Why did you choose those security tips?

A general security tip is to keep your Apache server updated. It is crucial to keep yourself updated with the latest releases and patches. I chose to follow other security tips as mentioned in the book because they are used to harden your system against attacks. Some security tips given in the link are not Apache related but related to some scripts and even the OS you are using.

* What additional security tips exist on the internet for the tips you used above? Point links to those websites in your answer.

Links given below discuss a few security risks and how to overcome them:

http://www.securityfocus.com/infocus/1706
http://proquest.safaribooksonline.com/0596007248


Nestor the Securitor

Did you have any problems with configuring Apache to be more secure? If you did, then how did you resolve them?

I installed Apache with SSL. All I need is to make sure port 443 is opened and generate a key. That's it.

Did you have any problems with configuring PHP+Apache to be more secure? If you did, then how did you resolve them?

I use 'mod_security'.

Describe

Why did you choose those security tips?

SSL is most commonly used to protect web services. And it will also protect the clients too.

I use 'mod_security'; it's interesting to have a firewall module on top of Apache. It's quite useful when you are a webmaster and do not have any privileges on the firewall and system. Then, 'mod_security' would be useful in this case.

What additional security tips exist on the Internet for the tips you used above? Point links to those websites in your answer.

Apache

http://www.securityfocus.com/infocus/1694

http://www.apache-ssl.org/

mod_php

http://proquest.safaribooksonline.com/0596007248/apachesc-CHP-3#X2ludGVybmFsX1NlY3Rpb25Db250ZW50P3htbGlkPTA1OTYwMDcyNDgvYXBhY2hlc2MtQ0hQLTEyLVNFQ1QtMg==

http://www.webmasterworld.com/forum92/5592.htm

Milton Paiva Neto

1. Did you have any problems with configuring PHP+Apache to be more secure? If you did, then how did you resolve them? Describe:

Actually, after setting up all the Apache modules I didn't have any problems, but there are some steps that are tricky, like running Apache in a chroot environment, checking the checksums of the downloaded files, using the least-privilege policy, and running Apache as a user without access to a shell or terminal.

  • Why did you choose those security tips?

To avoid intruders in my system, and even if someone breaks into my system, they will log in as a user with low privileges, and this person will not be allowed to run rootkits to become root (escalate privileges).

  • What additional security tips exist on the Internet for the tips you used above? Point links to those websites in your answer.

http://www.petefreitag.com/item/505.cfm

http://www.securityfocus.com/infocus/1706

http://www.securityfocus.com/infocus/1694
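
The following is an added example, not part of any student's answer: one way to check the "run Apache as a user without access to a shell" and least-privilege points mentioned above. The function names, the sample `httpd.conf` fragments and the passwd entries are all constructed for illustration.

```python
# Added example: audit the account Apache runs as. All sample data is constructed.
NOLOGIN_SHELLS = {"/sbin/nologin", "/usr/sbin/nologin", "/bin/false"}

def run_as_user(conf_text):
    """Return the value of the last `User` directive in httpd.conf text, or None."""
    user = None
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):      # blank line or comment
            continue
        parts = line.split(None, 1)
        if len(parts) == 2 and parts[0].lower() == "user":
            user = parts[1].strip().strip('"')
    return user

def parse_passwd(passwd_text):
    """Map account name -> (uid, shell) from /etc/passwd-format text."""
    accounts = {}
    for line in passwd_text.splitlines():
        fields = line.strip().split(":")
        if len(fields) == 7:
            accounts[fields[0]] = (int(fields[2]), fields[6])
    return accounts

def audit(conf_text, passwd_text):
    """Return a list of findings; an empty list means the checks passed."""
    user = run_as_user(conf_text)
    if user is None:
        return ["no User directive found"]
    accounts = parse_passwd(passwd_text)
    if user.startswith("#"):                      # numeric form, e.g. `User #48`
        uid = int(user[1:])
        matches = [n for n, (u, _) in accounts.items() if u == uid]
        user = matches[0] if matches else user
    if user not in accounts:
        return [f"account {user} not found in passwd data"]
    uid, shell = accounts[user]
    findings = []
    if uid == 0:
        findings.append(f"{user} has UID 0 (root)")
    if shell not in NOLOGIN_SHELLS:
        findings.append(f"{user} has login shell {shell}")
    return findings

# Constructed inputs: a weak configuration beside a hardened one.
WEAK_CONF = 'ServerRoot "/etc/httpd"\n# User nobody\nUser webadmin\nGroup webadmin\n'
HARD_CONF = 'ServerRoot "/etc/httpd"\nUser apache\nGroup apache\n'
PASSWD = ("root:x:0:0:root:/root:/bin/bash\n"
          "webadmin:x:1000:1000::/home/webadmin:/bin/bash\n"
          "apache:x:48:48:Apache:/var/www:/sbin/nologin\n")

if __name__ == "__main__":
    print("weak:", audit(WEAK_CONF, PASSWD))
    print("hardened:", audit(HARD_CONF, PASSWD))
```

On a real host the two inputs would be the contents of the server's configuration file and `/etc/passwd`; the paths differ between distributions.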


Patricia Constantino

- Did you have any problems with configuring PHP+Apache to be more secure? If you did, then how did you resolve them?

I didn't have any problems following the instructions in the book (I had more trouble with my Virtual Machine, though). I got enough information about what to do and why, so as a conclusion I understand that all those steps are mainly to:

Avoid giving unnecessary privileges to users.

Restrict the range of activity of unprivileged users.

Avoid the use of a server for general work processes.

Open just the necessary ports and services.

Keep the system updated, getting in that way the patches and files that fix and solve potential security problems.

- Why did you choose those security tips?

I consider that, talking about security, the very common open ports are the most susceptible to attacks, so I decided to get more understanding in that area.

I borrowed this book and it's good:

http://www.apachesecurity.net/