General discussion


DOWNLOAD: Apache Web Server: Lock it down in 10 steps

By jasonhiner Moderator

After you take a look at this video, please post your feedback, ideas for future improvements, or further thoughts on this topic.

TechRepublic Downloads Team

All Comments

Other Ideas?

by thomas_nooning In reply to DOWNLOAD: Apache Web Serv ...

I'd be interested in hearing what you other SysAdmins out there have done to harden Apache. And please let me know if you have any questions regarding the steps outlined in the download.

Thanks, Tom

the top 10 listed

by Jaqui In reply to DOWNLOAD: Apache Web Serv ...

are the default configuration options of all the Linux distros I've looked at.
also the recommended config from

I would add:
install the bandwidth module, which kills the IIS-specific viruses that consume data transfer by reporting infected machines to one location.

disable any CGI but approved scripts.
do not enable FrontPage extensions (they break security by accessing ActiveX controls)

force download and saving of any file other than html/xhtml/php/xml
(do default opening of PDF)

use mod_gzip
compress all data being transferred, saves data transfer, and stops execution of malicious code until user enables.

RE: the top 10 listed

by thomas_nooning In reply to the top 10 listed

While some of the items listed are indeed part of the default configuration on many distributions, not all of them are. I've yet to come across one that installs Apache into a chroot jail, for instance (well, maybe Tinfoil Hat Linux). But leaving it up to the defaults is not the best idea on any production webserver; you should know the best practices by heart.

And mod_gzip is nice, but be careful with browser compatibility and certain file types, like CSS and JavaScript.
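
Three of the suggestions from the comments above (CGI limited to approved scripts, forced download of other file types, and compression that leaves out CSS and JavaScript), written out as an added Apache 2.4 configuration fragment that is not part of the thread or the download. The paths and script names are assumptions, the forced-download rule is scoped to one directory because applied site-wide it would also catch images and stylesheets, and mod_deflate (the compression module bundled with Apache 2.x) stands in for mod_gzip.

```apache
# Added example: paths and script names are assumptions, not from the thread.
# Apache 2.4 syntax; needs mod_alias, mod_cgi (or mod_cgid), mod_headers,
# mod_filter and mod_deflate.

# Document root: no CGI execution, and no .htaccess that could re-enable it.
<Directory "/var/www/example/htdocs">
    Options -ExecCGI
    AllowOverride None
</Directory>

# CGI is served from one directory outside the document root, and only the
# scripts named here (hypothetical names) can be requested.
ScriptAlias "/cgi-bin/" "/var/www/example/approved-cgi/"
<Directory "/var/www/example/approved-cgi">
    AllowOverride None
    Require all denied
    <FilesMatch "^(contact|search)\.cgi$">
        Require all granted
    </FilesMatch>
</Directory>

# File area: anything that is not html/xhtml/php/xml/pdf is sent with
# Content-Disposition: attachment, so the browser saves it instead of
# rendering it. Files without an extension are not matched by this pattern.
<Directory "/var/www/example/htdocs/files">
    <FilesMatch "(?i)\.(?!(?:html?|xhtml|php|xml|pdf)$)[^.]+$">
        Header set Content-Disposition "attachment"
    </FilesMatch>
</Directory>

# Compression for markup and plain text only; CSS and JavaScript are left
# uncompressed, following the compatibility caveat in the reply above.
<IfModule mod_deflate.c>
    AddOutputFilterByType DEFLATE text/html text/plain text/xml
    # Old-browser workarounds from the mod_deflate documentation.
    BrowserMatch ^Mozilla/4 gzip-only-text/html
    BrowserMatch ^Mozilla/4\.0[678] no-gzip
    BrowserMatch \bMSIE !no-gzip !gzip-only-text/html
    # Caches must keep separate copies per User-Agent.
    Header append Vary User-Agent
</IfModule>
```

Run `apachectl configtest` after adding the fragment to confirm the required modules are loaded before reloading the server.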
