Got my server up...security suggestions?

[tuxxman]

I got my apache2 server up...
SuSe 9.3 with the firewall on, and it allows http (port 80)
I got a fairly complex root password.
i have set in httpd.conf for it to not let / access, but i have allowed other dirs in /srv/www/htdocs

thats about it...
my server is in my sig.
any suggestions on what i can do to make my server more secure, or am i alright?

[deek]

I think you covered the main bases there, really.

I would recommend reviewing your apache logs on a regular basis as well as your basic system logs, but I really can't think of anything major you would have to worry about for a simple website.

I feel like I am missing something, but at this point, nothing is coming to mind!

[luma]

do not allow root login via SSH.
so users HAVE to log in as a regular user and then su to root account.

just one extra little security measure for the server itself

Luma

[kkubasik]

Well, being as you have already covered some of your most important bases (ie, Apache is the only visible port on your computer) There are really 3 big things to focus on when securing a webserver.

1. Remove un-used modules. More modules == more possible security flaws, so keep those loaded to a minimum, if you don't need any, don't use any.
2. Proper permissions, this one is far more complicated, but basicaly apache shouldn't be running as root, and write/execute permissions for the web user should be kept at an absolute minimum.
3. Perhaps the one greatest security enhancement possible is running apache from a chroot jail, but this no easy task, especaily if you are trying to serve dynamic content.

Google will have more on how to complete these task, but I hope this helps.

[tuxxman]

thanks guys....am looking into all of what was suggested