Apache 2.xx for Windows

bob332

could somebody recommend good reading for securing apache 2 (the latest version) for windows. it will be running on win2kpro, behind a router. the sites on it will be mostly static with one or two using php. any good advice on how to set up the conf doc would be extremely helpful. i have looked through the default conf and it doesn't state how not to allow directory browsing. am i missing something? thanks in advance.
 

CTho9305

In the <Directory /> section, put "Options -Indexes" to disable directory browsing. If you want some directories to be browsable, make sure there is also the line "AllowOverride All". If you don't want to do it anywhere, use "AllowOverride None".

To override for a certain directory, create a file ".htaccess" and put the line "Options +Indexes" in it. This will allow you to browse that directory and its subdirectories only. AllowOverride None will prevent this from working though.
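
One way to check an httpd.conf for the settings described in this reply, as an added example that is not part of the original post. The configuration excerpt is constructed, the paths and the function name are assumptions, and each <Directory> block is judged on its own lines without modelling how Apache merges Options across sections.

```python
import re

# Constructed httpd.conf excerpt; the C:/sites paths are placeholders.
SAMPLE_CONF = '''
<Directory />
    Options -Indexes
    AllowOverride None
</Directory>
<Directory "C:/sites/static">
    Options Indexes FollowSymLinks
    AllowOverride None
</Directory>
<Directory "C:/sites/downloads">
    Options -Indexes
    AllowOverride All
</Directory>
'''

OPEN_RE = re.compile(r'<Directory\s+"?([^">]+?)"?\s*>$', re.I)

def audit_directory_blocks(conf_text):
    """Return {path: [findings]} for every <Directory> block in conf_text."""
    findings, path = {}, None
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith('#'):   # blank line or comment
            continue
        opened = OPEN_RE.match(line)
        if opened:
            path = opened.group(1)
            findings[path] = []
        elif line.lower().startswith('</directory'):
            path = None
        elif path is not None:
            parts = line.split()
            name, words = parts[0].lower(), [w.lower() for w in parts[1:]]
            # "Options All" includes Indexes, so it counts as enabled too.
            if name == 'options' and any(
                    w in ('indexes', '+indexes', 'all') for w in words):
                findings[path].append('directory listing enabled')
            # AllowOverride All/Options lets .htaccess set "Options +Indexes".
            if name == 'allowoverride' and any(
                    w == 'all' or w.startswith('options') for w in words):
                findings[path].append('.htaccess may re-enable Indexes')
    return findings
```
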
 

bob332

thanks, do you edit the httpd.conf or the httpd.default.conf?
 

CTho9305

I had LOTS of trouble with that so I deleted the default (it seemed to sometimes read from the default instead of httpd.conf :confused:.)

anyway, it goes in httpd.conf
 

skyking

Sometimes it is nice to have the default.conf file around for a reference. I append it with .bak (anything will do, bak = backup), and it will not get read. Same goes with major changes to the conf file. I'll copy it, and append the file name. That way, I can make some major changes, and still have a baseline reference. A couple of quick renames, and I would be back to where I started.
 

Argo

One thing about apache 2 - I don't think it supports ssl at this moment.
 

bob332

ssl is not needed for me at the moment, but thanks for the info

 

bob332

thanks for all the help. got it going and vhosts are working, but am not sure where to put "Options -Indexes". i know you say in the directory section, but where is it?

 

bob332

what are the most common exploits that i need to be aware of? is it like iis (non-patched) that is insecure from the beginning? do i always need to update it?
 

vash

Most common exploits seem to come from modules you load. Looking on my Apache logs, something named Magic comes up on a frequent basis.

But I see plenty of references to cmd.exe as well :)

vash
 

manly

Originally posted by: Argo
One thing about apache 2 - I don't think it supports ssl at this moment.
Is this a Win32 thing? I no longer use Apache regularly, but I swear Apache 2.x integrated mod_ssl into the standard release.
 

Argo

It could be a win32 thing - the release notes stated that ssl wasn't available at the moment. That was 2 months ago.
 

bob332

after looking through the logs using sawmill log analyzer, i see the normal cmd.exe others, but i also see nimda. i am assuming it is hitting me, is it doing any harm to me? i am using a dsl router, firewall and the most up-to-date norton and windows 2k pro installs.

thanks
 

CTho9305

Nope. It just makes your error log get bigger ;)
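
A way to confirm from the access log that the cmd.exe requests mentioned in the posts above were only rejected, as an added example that is not part of the original thread. The log lines are constructed (documentation-range addresses, invented timestamps and paths), the function name is an assumption, and the check treats any probe not answered with a 4xx or 5xx status as one to look at by hand.

```python
import re
from collections import Counter

# Constructed Common Log Format lines, not taken from any real server.
SAMPLE_LOG = '''\
192.0.2.10 - - [12/Oct/2002:04:11:02 -0700] "GET /scripts/cmd.exe?/c+dir HTTP/1.0" 404 283
192.0.2.10 - - [12/Oct/2002:04:11:03 -0700] "GET /winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 291
198.51.100.7 - - [12/Oct/2002:09:30:45 -0700] "GET /index.html HTTP/1.1" 200 5120
203.0.113.44 - - [12/Oct/2002:10:02:17 -0700] "GET /photos/ HTTP/1.1" 200 1843
'''

# client, identd, user, [time], "METHOD URL PROTO", status, bytes
LINE_RE = re.compile(
    r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+)[^"]*" (\d{3}) \S+$')
PROBE_RE = re.compile(r'cmd\.exe', re.I)

def triage(log_text):
    """Split cmd.exe probes into rejected (4xx/5xx) and served (anything else).

    Returns (Counter of rejected probes per client, list of served probes).
    """
    rejected, served = Counter(), []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue                      # not a Common Log Format line
        client, _method, url, status = m.groups()
        if not PROBE_RE.search(url):
            continue                      # ordinary request
        if status[0] in '45':
            rejected[client] += 1         # server refused or had no such file
        else:
            served.append((client, url, status))   # needs a manual look
    return rejected, served

if __name__ == '__main__':
    rejected, served = triage(SAMPLE_LOG)
    print('rejected probes per client:', dict(rejected))
    print('probes that were served:', served)
```
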