Web Server OS


n0cmonkey

Elite Member
Jun 10, 2001
42,936
1
0
Originally posted by: Brazen
In case nobody else has mentioned this... I just want to point out that while running Apache on Windows sounds like it would be more secure, Apache does have known exploits and there is no way (that I know of) to have automatic scheduled patching for Apache on Windows - you would have to be sure to check periodically for new versions for security patches. However with IIS on Windows, you get nightly checks for updates. Of course the best route would be Apache on Linux, since it can be easily automatically patched on a schedule using yum on Fedora or apt on Debian.

According to Secunia:
Apache 1.3 (a.k.a. the decent one):
Unpatched vulnerability 1: I don't know what this check_forensic script is, but it isn't on my systems (it's apparently in apache-utils package 1.3.31). It's a local attack, requiring the attacker to have a system account. And, it only works with the privs of the user running the script. So if it isn't root, it shouldn't overwrite anything important.
Partial fix 1: this is a cross-site scripting attack that affects a number of web servers, not just apache. It also only affects servers that do reverse DNS lookups, which isn't smart on busier sites.

Apache 2 (a.k.a. the other one):
Unpatched vulnerability 1: See #1 above.
Unpatched vulnerability 2: Requires a malicious administrator. It's also supposedly a local "exploit."
Partial fix 1: See #1 above.

What exploits am I missing? Because these are just crap.
 

spyordie007

Diamond Member
May 28, 2001
6,229
0
0
I think he just means that Apache doesn't have a built-in patching mechanism like IIS does (Windows Updates). Basically just that you have to know when there are releases and patch it.

But then again all good admins know that they need to keep up on this stuff right? :D
 

n0cmonkey

Originally posted by: spyordie007
I think he just means that Apache doesn't have a built-in patching mechanism like IIS does (Windows Updates). Basically just that you have to know when there are releases and patch it.

But then again all good admins know that they need to keep up on this stuff right? :D

I read the statement "Apache does have known exploits" differently.
 

drag

Elite Member
Jul 4, 2002
8,708
0
0
Well actually Apache does.. just not in Windows. :p

And if security was our primary concern we'd all be running OpenBSD's version of Apache 1.3 in OpenBSD because, frankly, that kicks the crap out of every other useful system in terms of security; proprietary and Free. Even IIS6.

I figure if you really really want to run a web server in Windows the only _real_ way to do it is to buy a Windows 2003 server edition and have at it with IIS 6. Everything else is either crap (running Apache on Windows XP) or worse (Running IIS5 on most anything)
 

n0cmonkey

Oh, and it's not Apache's job to make an updater, it's the distributors (redhat, Debian, OpenBSD, NetBSD, etc.). And they generally do.

I think that may have been Drag's point in the post right above this one. ;)
 

spyordie007

Originally posted by: n0cmonkey
I read the statement "Apache does have known exploits" differently.

I was assuming "known exploits" means things that patches are available for; and both IIS and Apache have those kinds of known exploits.

As far as known exploits that are not fixed both platforms are (relatively speaking) secure.
http://secunia.com/product/1173/
 

spyordie007

Originally posted by: n0cmonkey
I think that may have been Drag's point in the post right above this one.

True :)

I also agree that IIS 5 has some serious issues; it isn't the end of the world if you are still using it as a web server if it is properly patched and administered. IIS 6 however is one of the best reasons to go to Server 2003; it is much better than IIS 5.
 

n0cmonkey

Originally posted by: spyordie007
I read the statement "Apache does have known exploits" differently.
I was assuming "known exploits" means things that patches are available for; and both IIS and Apache have those kinds of known exploits.

Patched exploits are boring, so I went with unpatched. ;)
 

RebateMonger

Elite Member
Dec 24, 2005
11,586
0
0
Originally posted by: n0cmonkey
Patched exploits are boring, so I went with unpatched. ;)
Lots of "boring", but successful, attacks are made using known exploits. There are lots of unpatched servers out there, both Linux and Windows. Most of the big-name exploits over the past few years have only been successful on servers that weren't kept up-to-date.
 

bluestrobe

Platinum Member
Aug 15, 2004
2,033
1
0
Got XAMPP installed without a hitch and learned a little about linux at the same time. Is there any way you can tell what programs are running/working in linux like you can do with the task manager in windows?

edit: does anyone know how to make a static IP work on SuSE 10.0 OSS? I tried entering the IP, subnet and gateway to no avail.
 

n0cmonkey

Originally posted by: RebateMonger
Originally posted by: n0cmonkey
Patched exploits are boring, so I went with unpatched. ;)
Lots of "boring", but successful, attacks are made using known exploits. There are lots of unpatched servers out there, both Linux and Windows. Most of the big-name exploits over the past few years have only been successful on servers that weren't kept up-to-date.

But if you're going to be looking at statistics like the number of advisories posted and whatnot, you should be smart enough to keep your system fairly up to date.
 

n0cmonkey

Originally posted by: bluestrobe
Got XAMPP installed without a hitch and learned a little about linux at the same time. Is there any way you can tell what programs are running/working in linux like you can do with the task manager in windows?

ps

edit: does anyone know how to make a static IP work on SuSE 10.0 OSS? I tried entering the IP, subnet and gateway to no avail.

Entered it where? :confused:
 

n0cmonkey

Originally posted by: bluestrobe
Originally posted by: n0cmonkey

Entered it where? :confused:


The network device screen in KDE.

I'd forget that KDE stuff and edit the configuration file. If it's anything like Redhat it'll be something like /etc/sysconfig/network-scripts/ifcfg-eth0

I don't have a Suse machine to poke around on though.
 

bluestrobe

The command didn't work. I have partial connectivity. I can ping the Linux setup from all of the other boxes and even hit the router from the Linux box but no internet or anything else for the Linux box.
 

n0cmonkey

Originally posted by: bluestrobe
The command didn't work. I have partial connectivity. I can ping the Linux setup from all of the other boxes and even hit the router from the Linux box but no internet or anything else for the Linux box.

Which command?
 

bluestrobe

Sorry, that was for a PM.

I found the original copy of Win2K Server for the server I'm tinkering with and might just go that route tomorrow for a change of pace.
 

Brazen

Diamond Member
Jul 14, 2000
4,259
0
0
Originally posted by: spyordie007
I read the statement "Apache does have known exploits" differently.
I was assuming "known exploits" means things that patches are available for; and both IIS and Apache have those kinds of known exploits.

As far as known exploits that are not fixed both platforms are (relatively speaking) secure.
http://secunia.com/product/1173/

Yes, by known exploits, I was, in this case, referring to exploits for which there is a patch. The point was really about getting the updates automatically, because if you are like me, you don't have time to check Apache's website every day for security updates. If you run Apache on Fedora or Debian (and a few others) you don't have to. Likewise, if you run IIS on Windows, you get security patches automatically if you have Automatic Updates enabled. Both webservers have known _patched_ vulnerabilities and both webservers will continue to get new _future-patched_ vulnerabilities.

Just my $0.02 though, I'd go with Apache on Linux (CentOS is my flavor of choice).
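
The thread's point that Apache on Debian gets its fixes through the distribution's package manager can be checked from a scheduled job. The following is an added example, not part of any post in this thread: it parses the simulated-upgrade output of `apt-get -s dist-upgrade` and reports packages with a pending update from a security archive. The sample output, package versions and function names are constructed for illustration.

```shell
#!/bin/sh
# Added example: report pending security updates from `apt-get -s` output.

# Constructed sample of `apt-get -s dist-upgrade` output (versions are made up).
SAMPLE_APT_OUTPUT='Reading package lists...
The following packages will be upgraded:
  apache2 apache2-utils openssl tzdata
Inst apache2-utils [1.0-1] (1.0-2 Debian-Security:7.0/oldstable [amd64])
Inst apache2 [1.0-1] (1.0-2 Debian-Security:7.0/oldstable [amd64])
Inst openssl [1.0-1] (1.0-2 Debian:7.8/oldstable, Debian-Security:7.0/oldstable [amd64])
Inst tzdata [1.0-1] (1.0-2 Debian:7.8/oldstable [all])
Conf apache2 (1.0-2 Debian-Security:7.0/oldstable [amd64])'

# stdin: simulated-upgrade output. stdout: "pkg old -> new" for every package
# whose new version comes from an archive with "security" in its origin.
pending_security_updates() {
    awk '$1 == "Inst" {
        v = ($3 ~ /^\[/) ? 4 : 3       # new installs have no [old] field
        old = (v == 4) ? $3 : "none"
        new = $v
        gsub(/\[|\]/, "", old); sub(/^\(/, "", new); sub(/\)$/, "", new)
        origin = ""                    # may list several archives
        for (i = v + 1; i <= NF; i++) origin = origin " " $i
        if (tolower(origin) ~ /security/) print $2, old, "->", new
    }'
}

# Exit 0 (and print the line) only if package $1 has a pending security update.
package_needs_patch() {
    pending_security_updates |
        awk -v p="$1" '$1 == p { print; found = 1 } END { exit !found }'
}

# Demo on the constructed sample; on a Debian host, pipe in
# `apt-get -s dist-upgrade` instead.
printf '%s\n' "$SAMPLE_APT_OUTPUT" | package_needs_patch apache2
```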
 

DidlySquat

Banned
Jun 30, 2005
903
0
0
Originally posted by: Nothinman
Installing Apache on Linux is hard? I can't say I've used SuSe but I would figure there's an entry for it in YAST, on most distributions it's as simple as 'apt-get install apache' or 'yum install apache' and you're done.


tru dat, and this even starts up apache and even adds it to the relevant startup scripts so it always starts up on boot. It even sets up a web site template you can view immediately. Similarly, installing PHP is a piece of cake.

See the Ubuntu guide:

http://easylinux.info/wiki/Ubuntu#Apache_HTTP_Server

Also check out the Ubuntu document storage facility:

http://doc.gwos.org/index.php/Apache_MySQL_SSH

Easy as cake, and ROFL @suse, go with ubuntu x100 better