More Apache2 Questions

bluestrobe
1. How can one restrict the access to web pages on my server? I would like to make it so they can't change or load stuff into them. At this point I just want the pages to be viewed until I can learn more about Apache.

2. I have the server on my home network. I am restricted due to a consumer router (WRT54GS) but this will be replaced when funds become available. I know it should be on a subnet different than everything else. Is this still a security issue? It's currently on a static IP and only port 80 has been forwarded to it.

3. I also use this server to run BOINC (A DC App for those who don't know). To run this I have to be logged into the "Administrator" account (It won't work on a standard user account). Is this a serious security risk? I can live without BOINC if it is.

4. I already have Anti-Virus installed. Although only port 80 is open, should I install a software firewall also?

5. Is there a simple walkthrough online about the above topics? The apache website caters to the Linux crowd and seems to give instructions that only a previous operator can understand. I have a "24 hour" book but it will take days to read that with my book reading attention span.

Thanks!
 

Atheus
Originally posted by: bluestrobe
1. How can one restrict the access to web pages on my server? I would like to make it so they can't change or load stuff into them. At this point I just want the pages to be viewed until I can learn more about Apache.

You've lost me here... are you running a CMS or forum of some kind? Or are you allowing FTP access? Who could alter your webpage?

2. I have the server on my home network. I am restricted due to a consumer router (WRT54GS) but this will be replaced when funds become available. I know it should be on a subnet different than everything else. Is this still a security issue? It's currently on a static IP and only port 80 has been forwarded to it.

Your router is fine, don't worry about it. If you want more features you can put the openWRT firmware on it - you get IPtables firewalling for example.

The idea of having it on a different subnet would be to prevent the spread of virus infection to the server machine from others on your network. Since your workstations are Windows, and so is the server, this is especially important _but_ the subnetting method does not have any real advantages over blocking access with a software firewall in this case.

3. I also use this server to run BOINC (A DC App for those who don't know). To run this I have to be logged into the "Administrator" account (It won't work on a standard user account). Is this a serious security risk? I can live without BOINC if it is.

I think apache must run with high privileges anyway, but I'm not sure, someone else will clear this up I'm sure.

4. I already have Anti-Virus installed. Although only port 80 is open, should I install a software firewall also?

Yes, you should probably block access to all ports except 80 locally.

5. Is there a simple walkthrough online about the above topics? The apache website caters to the Linux crowd and seems to give instructions that only a previous operator can understand. I have a "24 hour" book but it will take days to read that with my book reading attention span.

Thanks!

The book is probably a good bet if it is a beginner level thing. Do you have experience with any server program or internet host?
 

bluestrobe
I don't have web server experience and this is sort of a learning experience. I was told by an experienced web server operator that a hacker can manipulate code and insert or destroy information in html files if you just load them and run the server from its default configuration. Maybe I was told wrong on that one.

I have a separate FTP server which I've had up since 2001. That's set as the router DMZ and has a software firewall on it already. It's sitting idle now as the business venture with it dried up.

I might run a forum on the server in the future but for now it's just a straight HTML website with nothing fancy.


I know apache will run with high privileges as it is right now for testing purposes. I was mainly worried about localized security. Maybe locking the workstation when not in use locally? It's Win2k Server.
 

Atheus
Originally posted by: bluestrobe
I don't have web server experience and this is sort of a learning experience. I was told by an experienced web server operator that a hacker can manipulate code and insert or destroy information in html files if you just load them and run the server from its default configuration. Maybe I was told wrong on that one.

There are a lot of ways to break into a computer, so I'm not sure what he/she was referring to. Maybe they were just telling you to install all the updates and configure the thing properly? You should keep your machine fully patched, correctly configured, firewalled, and anti-virused to have the best chance of preventing attacks.

I have a separate FTP server which I've had up since 2001. That's set as the router DMZ and has a software firewall on it already. It's sitting idle now as the business venture with it dried up.

For maximum security I'd turn it off and disable the DMZ - if it's not in use that is. For future reference, forwarding a port is better than using the DMZ.

I might run a forum on the server in the future but for now it's just a straight HTML website with nothing fancy.

I asked about forums and CMS because using a database driven system provides more opportunities for people to change its content. I thought this might have been what you meant by "I would like to make it so they can't change or load stuff into them".

There are all sorts of problems introduced by running a dynamic (database driven) site, so if you are as security conscious as you seem to be, you should do your research before coding and running this stuff.

I know apache will run with high privileges as it is right now for testing purposes. I was mainly worried about localized security. Maybe locking the workstation when not in use locally? It's Win2k Server.

You cannot really prevent local access to the machine through software, except to the most casual of intruder. If you think someone in your house is going to purposefully mess up your server then lock the door.

 

kamper
Originally posted by: bluestrobe
I don't have web server experience and this is sort of a learning experience. I was told by an experienced web server operator that a hacker can manipulate code and insert or destroy information in html files if you just load them and run the server from its default configuration. Maybe I was told wrong on that one.
Sounds awfully funny. That could be done with webdav, but I'm reasonably sure it's not installed, enabled and wide open by default. A lot more becomes possible if you have some language like php or perl installed but that's not usually a huge concern unless you do something really dumb.
I have a separate FTP server which I've had up since 2001. That's set as the router DMZ and has a software firewall on it already. It's sitting idle now as the business venture with it dried up.

I might run a forum on the server in the future but for now it's just a straight HTML website with nothing fancy.


I know apache will run with high privileges as it is right now for testing purposes. I was mainly worried about localized security. Maybe locking the workstation when not in use locally? It's Win2k Server.
Locking the work station doesn't have much to do with anything. If apache's running with administrative privileges and it gets infiltrated nothing is going to stop you from getting owned. On that note, running BOINC as an admin has little extra risk, except if it somehow gets hacked while it's calling home but that is no different on a web server than elsewhere.

A better long run solution is to use apache on an operating system where the devs have set it up with less privileges (runs as root at start up, binds to port 80 and then drops to a less privileged user). I have no idea if that is possible or done on a windows machine.
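The worry in the posts above is the default configuration, not the HTML files themselves: a stock httpd serves whatever is under DocumentRoot and honours whatever modules and .htaccess overrides are enabled. As an added example, not from this thread or from the Apache project, here is an httpd.conf fragment that pins a static-only site down in Apache httpd 2.2 syntax. The path C:/www/site1 is an assumption; everything else is standard directives.

```apache
# Added example: static-only hardening for Apache httpd 2.2 on Windows.
# C:/www/site1 is an assumed path; replace it with the real DocumentRoot.

# Do not advertise version and module details in headers or error pages
ServerTokens Prod
ServerSignature Off
TraceEnable Off

# Default-deny the whole filesystem; only the DocumentRoot is opened below
<Directory />
    Options None
    AllowOverride None
    Order deny,allow
    Deny from all
</Directory>

DocumentRoot "C:/www/site1"
<Directory "C:/www/site1">
    # No directory listings, no server-side includes, no CGI, no symlinks
    Options -Indexes -Includes -ExecCGI -FollowSymLinks
    # Ignore .htaccess so a dropped file cannot re-enable anything
    AllowOverride None
    Order allow,deny
    Allow from all
    # Static pages only need GET and HEAD; PUT, DELETE, PROPFIND, MKCOL,
    # POST and anything else gets a 403 from the server itself
    <LimitExcept GET HEAD>
        Order deny,allow
        Deny from all
    </LimitExcept>
</Directory>

# Write-capable modules stay unloaded: these lines must be absent or commented
#LoadModule dav_module modules/mod_dav.so
#LoadModule dav_fs_module modules/mod_dav_fs.so
```

After editing, run `httpd.exe -t` to check the syntax and `httpd.exe -M` to confirm that mod_dav and mod_dav_fs are not in the loaded-module list. Separately from httpd.conf, the account a Windows Apache service runs under is a Service Control Manager setting, so the LocalSystem default can be replaced by a dedicated local account that has read access to ServerRoot and the DocumentRoot, write access to logs/, and the "Log on as a service" right, selected on the service's Log On tab in the Services console.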
 

Nothinman
I think apache must run with high privileges anyway, but I'm not sure, someone else will clear this up I'm sure.

Apache starts as root but drops privileges right after it binds port 80. Sure you can make it run as root all of the time, but it would take some extra configuration.
 

bluestrobe
Looks like I'll uninstall BOINC and log into a basic user account before going public with my little website. The user account I created had all of the unnecessary directories locked out and so forth.

edit: Thanks all for the help!
 

kamper
Originally posted by: Nothinman
I think apache must run with high privileges anyway, but I'm not sure, someone else will clear this up I'm sure.

Apache starts as root but drops privileges right after it binds port 80. Sure you can make it run as root all of the time, but it would take some extra configuration.
On windows too?
 

kamper
Originally posted by: bluestrobe
Looks like I'll uninstall BOINC and log into a basic user account before going public with my little website. The user account I created had all of the unnecessary directories locked out and so forth.
Um, what's the point of that exactly?
 

Nothinman
On windows too?

Who knows. I would assume that Apache has the same uid switching capability there, but it probably requires a few manual steps like creating a specific account for it and stuff unless the Windows installer does it for you.
 

kamper
Originally posted by: http://httpd.apache.org/docs/2.2/platform/windows.html
By default, all Apache services are registered to run as the system user (the LocalSystem account). The LocalSystem account has no privileges to your network via any Windows-secured mechanism, including the file system, named pipes, DCOM, or secure RPC. It has, however, wide privileges locally.
Hmm, not familiar with this LocalSystem account but it sounds like it's got administration rights. At any rate, there's no mention of dropping privileges.
 

Nothinman
Yea, sounds like full admin access locally but it can't connect to any other servers. Not really a good idea, I'm surprised they do it like that by default.
 

bluestrobe
Originally posted by: kamper
Originally posted by: bluestrobe
Looks like I'll uninstall BOINC and log into a basic user account before going public with my little website. The user account I created had all of the unnecessary directories locked out and so forth.
Um, what's the point of that exactly?

n/m read the post wrong. Other than software firewall I should be set.
 

kamper
Even a software firewall is of little value if you trust your nat firewall.
 

bluestrobe
I installed one anyways just in case. How hard is it to host two websites on the same server without them seeing each other? Just curious.
 

cleverhandle
Originally posted by: bluestrobe
How hard is it to host two websites on the same server without them seeing each other?
Not hard. Google "apache virtual hosts" for lots of info. If you're using SSL, note that there can be only one https site per machine, unless you have multiple public IPs to use. You can have as many regular http sites as you like though.
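The shape of the name-based virtual host setup referred to above, as an added example that is not part of the thread or of the Apache documentation. It uses Apache httpd 2.2 syntax; the hostnames www.example.com, example.com and blog.example.com and the C:/www paths are assumptions.

```apache
# Added example: two name-based sites on one IP and port (Apache httpd 2.2).
# Hostnames and paths are assumptions.
NameVirtualHost *:80

# The first <VirtualHost> is the default: a request whose Host header matches
# no ServerName/ServerAlias is served from here, so it should be the site you
# are happy to expose to requests made to the bare IP address.
<VirtualHost *:80>
    ServerName www.example.com
    ServerAlias example.com
    DocumentRoot "C:/www/site1"
    ErrorLog "logs/site1-error.log"
    CustomLog "logs/site1-access.log" common
    <Directory "C:/www/site1">
        # No listings and no symlinks, so nothing in this tree can point at
        # the other site's tree
        Options -Indexes -FollowSymLinks
        AllowOverride None
        Order allow,deny
        Allow from all
    </Directory>
</VirtualHost>

<VirtualHost *:80>
    ServerName blog.example.com
    DocumentRoot "C:/www/blog"
    ErrorLog "logs/blog-error.log"
    CustomLog "logs/blog-access.log" common
    <Directory "C:/www/blog">
        Options -Indexes -FollowSymLinks
        AllowOverride None
        Order allow,deny
        Allow from all
    </Directory>
</VirtualHost>
```

`httpd.exe -S` prints the parsed virtual host map, which is the quickest way to see which block is the default and whether a ServerName was mistyped. Two caveats a practitioner would want: the separation here is between what visitors of each hostname can fetch, not between the sites' code, because on Windows both vhosts run in the same process under the same account, so if a forum is added to one site later its scripts can read the other site's files; and the one-HTTPS-site-per-IP limit stated above applied to SSL stacks of the time, whereas httpd 2.2.12 and later built against an OpenSSL with TLS Server Name Indication support can pick a certificate per name on a single IP.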

 

bluestrobe
no https here. I am hosting an old website of mine and also wanted to start some type of opinion blog.
 

kamper
Originally posted by: cleverhandle
If you're using SSL, note that there can be only one https site per machine, unless you have multiple public IPs to use. You can have as many regular http sites as you like though.
Is that just for properly signed certs? Like, can you host multiple sites with self-signed certificates?
 

cleverhandle
Originally posted by: kamper
Is that just for properly signed certs? Like, can you host multiple sites with self-signed certificates?
No, still only one. It's a limitation of the way the SSL protocol works - the point of SSL is to encapsulate the HTTP. That means that the SSL handshake has to happen before the server reads the HTTP request, and thus before it knows what name it's being called by. Thus, it's impossible to have multiple virtual SSL sites because if the server had multiple certificates, it wouldn't know which one to present to the client. If you have multiple IPs you can get around this by binding more than one IP to an interface and selecting the certificate based on the IP requested.

 

kamper
I've only self-signed certificates once or twice but I don't remember having a host name involved with the process. Why can't you use the same cert for multiple hosts?
 

cleverhandle
Originally posted by: kamper
I've only self-signed certificates once or twice but I don't remember having a host name involved with the process.
Then your memory is not very good. The whole point of an SSL certificate is to certify that you're talking to a particular host (or domain in the case of wildcard certs). You always enter a hostname when you create a certificate, whether or not you sign it yourself.
Why can't you use the same cert for multiple hosts?
Reread my post above. If that's still not good enough, then Google it. I can't really restate it in any significantly different way.

 

Nothinman
I've only self-signed certificates once or twice but I don't remember having a host name involved with the process. Why can't you use the same cert for multiple hosts?

A cert is supposed to identify a single entity, in this case a hostname and that hostname is most definitely in the cert. I believe you can purchase wildcard certs that will match against *.domain.com, but I don't know what the side effects of them would be.
 

kamper
Originally posted by: cleverhandle
You always enter a hostname when you create a certificate, whether or not you sign it yourself.
That's all I was looking for. :) And makes perfect sense now that I think about it. I just need a little kick sometimes :p
 

bluestrobe
I just moved my past logs (install, access, error) to another directory to archive them. I made replacement logs with the same exact file names in the original place. Now there's nothing being logged into the new logs. Anyone have any ideas on how to get apache to start logging again?
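The mechanism behind the log question: httpd opens its log files once at startup and keeps writing through those open handles, so an empty replacement file created under the old name is not picked up until the server is restarted (`httpd.exe -k restart` on Windows) and reopens its logs. As an added example, not from this thread or from the Apache project, the standard way to archive logs without that manual step is piped logging through the rotatelogs program that ships in the bin directory of the Windows build. The log paths (relative to ServerRoot) and the daily interval are assumptions.

```apache
# Added example: piped logging through rotatelogs (Apache httpd 2.2 on
# Windows). Paths are relative to ServerRoot; the 86400 s interval is assumed.

# rotatelogs opens a fresh file every 24 hours and puts the date in the name,
# so yesterday's file is closed and can be moved without stopping httpd
ErrorLog "|bin/rotatelogs.exe logs/error.%Y-%m-%d.log 86400"

LogFormat "%h %l %u %t \"%r\" %>s %b" common
CustomLog "|bin/rotatelogs.exe logs/access.%Y-%m-%d.log 86400" common
```

After `httpd.exe -t` passes and the service has been restarted, a new dated file should appear in logs/ and a request from another machine should add a line to it; if nothing appears, the error log of the restart itself is the first place to look. The archived copies are worth keeping readable by administrators only, since access logs record every visitor's IP address and request.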