7.6. Wrapping Up


Almost every system administrator has responsibility for at least one web server, and web servers are some of the most visible machines on the Internet. Taking precautions with your web server is both prudent and necessary. If you need complex functionality, Apache is probably the best server to choose. If you need low overhead, a small footprint, or bandwidth throttling, thttpd is a good choice.

Regardless of which operating system you choose (both FreeBSD and OpenBSD make excellent web servers), the single most important lesson in running a web server securely is to enable only the functionality you need. Not only can a feature create a security risk by itself, it can also create one when it combines unexpectedly with another feature (as mod_include can trick mod_access by issuing requests from localhost). Consider how you segregate the permissions of your web services. You can run Perl and PHP scripts as CGIs so that suexec or cgiwrap maps their privileges onto a specific user ID. Alternatively, you can run them inside the server with mod_perl and mod_php and use OS techniques such as ulimit to limit the web server's access to operating system resources. Likewise, limit your users' ability to override configuration settings (in Apache, AllowOverride controls what .htaccess files may change). Understand their needs and grant just the permissions they need to achieve their goals.
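The rules above, collected into a single httpd.conf fragment. This is an added example, not configuration from the book; the module paths, directory names, the webcgi account and the virtual host name are assumptions for illustration, and the Order/Allow/Deny syntax is the mod_access form used by Apache 1.3 through 2.2.

```apache
# Added example (not from the book): an httpd.conf fragment that applies the
# chapter's rules. Paths, the "webcgi" user/group and the ServerName are
# assumptions for illustration.

# 1. Load only the modules you actually need; leave the rest commented out.
LoadModule cgi_module      libexec/apache/mod_cgi.so
#LoadModule include_module libexec/apache/mod_include.so   # SSI not needed here
#LoadModule php4_module    libexec/apache/libphp4.so       # PHP runs as a CGI below

# 2. Default-deny the whole filesystem, then open only the document root.
<Directory />
    Options None
    AllowOverride None
    Order deny,allow
    Deny from all
</Directory>

<Directory "/usr/local/www/data">
    Options -Includes -ExecCGI -Indexes   # no SSI, no in-place CGI, no listings
    AllowOverride None                    # users cannot re-enable them via .htaccess
    Order allow,deny
    Allow from all
</Directory>

# 3. Scripts live in one directory and run under a dedicated, unprivileged
#    account via suexec instead of the server's own uid. A PHP script with a
#    "#!/usr/local/bin/php" shebang in this directory is handled the same way.
ScriptAlias /cgi-bin/ "/usr/local/www/cgi-bin/"
<Directory "/usr/local/www/cgi-bin">
    Options ExecCGI
    AllowOverride None
    AddHandler cgi-script .cgi .pl
</Directory>

<VirtualHost *:80>
    ServerName   www.example.com
    DocumentRoot "/usr/local/www/data"
    SuexecUserGroup webcgi webcgi   # Apache 2.x; Apache 1.3 uses User/Group per vhost

    # 4. Cap what a CGI child may consume: Apache's counterpart to a shell
    #    ulimit (soft limit, then hard limit).
    RLimitCPU   30 60
    RLimitMEM   67108864 134217728
    RLimitNPROC 10 20
</VirtualHost>
```

The two `<Directory>` blocks are the core of it: everything is denied and feature-less at the root, and each directory that must serve content re-enables only the options it needs, with AllowOverride None so that nothing a user drops into a .htaccess file can widen that grant.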



Mastering FreeBSD and OpenBSD Security
ISBN: 0596006268