Activating Apache Server
Bill211
06-24-2002, 09:02 PM
Hi folks
I recently purchased "Sams Teach Yourself Perl in 24 hours", and it came with a CD that installed Perl (5.6.1) and Apache (1.3.20).
Perl is working fine (and yes, I'm having fun with it), but I'm hesitant to activate Apache. I'd love to do it, so that I could fully test out my scripts locally, but I'm worried that, due to my ignorance, I may open up some serious security exposures.
Is it safe to assume that Apache is configured already for adequate security? I'm on a cable connection, running Norton (AV) and BlackIce (firewall), so I want to be careful. But I don't want to spend months researching each and every little parameter to determine its effect.
Does anyone know of a site with a "quick and dirty" list of parameter checks for Apache?
Any help, advice or experiences would be *greatly* appreciated.
sheila
06-24-2002, 09:09 PM
If you put up a firewall, and block port 80 from everyone except localhost (or 127.0.0.1), that should be sufficient.
Apache listens for incoming requests on port 80. If you block port 80, then you should be fine.
hobbes
06-24-2002, 10:00 PM
You may also want to consider running Apache on a port other than 80. And make sure to grab the latest version (from apache.org) as there have been some recent flaws.
sheila
06-24-2002, 10:15 PM
I considered suggesting a different port, but if you've already firewalled port 80, I don't see that using a different port would really add any security? And simply changing to a different port without adding a firewall won't really prevent someone from accessing the web server, as they will probably scan for open ports. You would probably defeat braindead viruses, like Nimda, but not someone who really wanted to probe the machine.
Grabbing the latest version is always a good suggestion, though. Especially for the Windows release.
How does one go about blocking port 80? In ZoneAlarm, I don't see any such option. You can block individual programs, but the only port options I see are under Security > Advanced, and ports 53 & 67 (DNS and DHCP). Am I missing something?
Dan
janderk
06-25-2002, 05:40 AM
Originally posted by sheila:
I considered suggesting a different port, but if you've already firewalled port 80, I don't see that using a different port would really add any security?
Two locks are better than one. It might seem a bit paranoid, but in the current world being paranoid is a good characteristic for a system administrator. I would put Apache on another port if I could.
And simply changing to a different port without adding a firewall won't really prevent someone from accessing the web server, as they will probably scan for open ports. You would probably defeat braindead viruses, like Nimda, but not someone who really wanted to probe the machine.
I agree that determined hackers will not be stopped, but the fact is that most computers are hacked by script kiddies using tools checking for obvious security holes. Putting Apache on another port will prevent 99.9% of all attempts to crack a server through Apache.
Jan Derk
janderk
06-25-2002, 05:41 AM
Originally posted by dank:
How does one go about blocking port 80? In ZoneAlarm, I don't see any such option. You can block individual programs, but the only port options I see are under Security > Advanced, and ports 53 & 67 (DNS and DHCP). Am I missing something?
If I am not mistaken, you need the pro version to do that.
JD
janderk
06-25-2002, 05:49 AM
Apache (1.3.20)
Like Sheila says, get the latest version (1.3.26); the older versions contain a security breach. You can download the latest version from:
http://apache.org/
JD
sheila
06-25-2002, 11:04 AM
Originally posted by dank:
How does one go about blocking port 80? In ZoneAlarm, I don't see any such option.
I use Tiny Personal Firewall (http://tinysoftware.com), and it is easy to set up incoming/outgoing blocks (or permissions) by IP address, remote Port, local Port and combinations, as well as by application.
If I am not mistaken, you need the pro version to do that.
That's what I've got...
Dan
Bill211
06-26-2002, 12:23 AM
Wow! Talk about a helpful community! Thanks folks, that's what I needed to know (and yes, I updated to the current version first).
Now I can test some REALLY strange stuff! :cool:
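Added example, not part of the original thread: besides firewalling port 80, Apache itself can be told to listen only on 127.0.0.1, and this Python sketch reads an httpd.conf and reports any listener that is not bound to loopback. The sample configs are constructed, the function names are hypothetical, and it assumes the Apache 1.3 behaviour that any Listen directive replaces BindAddress/Port for binding.

```python
import ipaddress

# Constructed sample httpd.conf fragments (not taken from the thread).
DEFAULT_CONF = "Port 80\nServerName localhost\n"      # no bind restriction
ALT_PORT_CONF = "Port 80\nListen 8080\n"              # port moved, still all interfaces
LOCAL_ONLY_CONF = "Port 80\nListen 127.0.0.1:80\n"    # loopback only

def listeners(conf_text):
    """Return the (address, port) pairs the main server would bind.

    Assumption: any Listen directive replaces BindAddress/Port for binding.
    """
    port, bind, listens, depth = 80, "*", [], 0
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("</"):
            depth -= 1
            continue
        if line.startswith("<"):
            depth += 1             # simplification: skip all <Section> bodies
            continue
        parts = line.split()
        if depth or len(parts) < 2:
            continue
        key, val = parts[0].lower(), parts[1]
        if key == "port":
            port = int(val)
        elif key == "bindaddress":
            bind = val
        elif key == "listen":
            addr, _, p = val.rpartition(":")
            listens.append((addr or "*", int(p)))
    return listens or [(bind, port)]

def exposed(conf_text):
    """Return the listeners that are not provably bound to loopback."""
    result = []
    for addr, port in listeners(conf_text):
        try:
            local = ipaddress.ip_address(addr).is_loopback
        except ValueError:         # "*" or a hostname: cannot prove it is local
            local = False
        if not local:
            result.append((addr, port))
    return result

if __name__ == "__main__":
    for name in ("DEFAULT_CONF", "ALT_PORT_CONF", "LOCAL_ONLY_CONF"):
        print(name, exposed(globals()[name]))
```

An empty result means every listener is bound to loopback; a wildcard entry on any port means the server still depends on the firewall to keep outside hosts away.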