how secure is default apache-2.2.8 + FreeBSD7?

[ilnux]

HI,

I am running apache on my laptop at home and on my router I have forwarded ports 80 and 22. I have not yet installed php and mysql but do have some other services running, including ntp and ddclient.

How secure would my site be if I made it 'live' now, with a standard install of FreeBsd 7.0 and apache-2.2.8 ( with security updates)?

What should be my next step towards better security?

Thanks

[wildpossum]

1> Setup /etc/hosts.allow & /etc/hosts.deny correctly: see "man hosts -k".

2> Set up your firewall correctly. Read your documentation.

By correctly, I mean to ONLY let those domains your willing to serve have access.

3> Setup sshd.conf to disallow Type 1 connections.
sshd safety is only as good as your users passwords are set. I demand password greater than 10 char long, of mixed upper and lower case including numbers, best is, some phase that is easy for you to remember like "!!2008isMY##??__day"

Best still, is only allow a combined host & user certification/authorisation via ssh-keys.
Configure ssd.conf so that root access/authentation is disallowed. (remembering to restart the sshd to ensure the new config settings take hold).

4> Run apache as nobody, or as a user name that hasn't got a home directory. NEVER, run apache as root.

5> Ensure that NO file has global r/w access || is suid capable.

6> Make sure your root password is complex preferrably a phase with mixed upper and lower case with numeric embedded characters. As pointed out in <3>.

7> Make sure you review your syslog messages daily at a minimum.

That's a start!

[ilnux]

Wow, thankyou for your detailed response! Two questions if I may,

2> Set up your firewall correctly. Read your documentation.

By correctly, I mean to ONLY let those domains your willing to serve have access.

At the moment I have forwarded the ports to a single machine on the network, and I am using a single domain. Is that what you meant?

4> Run apache as nobody, or as a user name that hasn't got a home directory. NEVER, run apache as root.

Does this mean instead of running apache as a daemon on startup, I should create a user without a home directory, login as that user and then start apache from the shell?

[wildpossum]

Quote #1: I meant that you can via /etc/hosts.allow and or iptables allow only certain domains i.e.: IP addresses to access your site via SSH. or example if your running your site for everyone at 203.20.1.122 then set up /etc/hosts.allow to "sshd: 203.20.1.0/255.255.255.0 : ALLOW".

AND, check your firewall has disabled all other services other than sshd, and http/https.

Quote #2: I mean check that apache is running as "nobody" or some other username that doesn't have an account. You can see what apache is running as by looking at the apache.conf or httpd.conf file. Some older distro and some source installs would run as "apache" but some others as "root" which is a big NOno.

Hope that helps U.
See your apache documentation and "man hosts -k" for more information.

[anomie]

What should be my next step towards better security?

There's really a lot you could do to lock this down further. On a very basic level I'd say you will want to allow only pubkey authentication (and disable all others) for sshd. And you may want to run apache22 in a FBSD jail. Hardening apache itself, based on your needs, is another story.

Setup sshd.conf to disallow Type 1 connections.

This is already done by default on a FBSD installation (only protocol 2 is allowed).

Run apache as nobody, or as a user name that hasn't got a home directory. NEVER, run apache as root.

If OP installed apache22 from ports, it runs as the www user.

You have three packet filtering firewall choices. They're all explained in the handbook: Chapter 28 Firewalls.