Most secure web server
Geoff
2007-01-06 13:55:40 UTC
Hi!

Does anyone have any advice in choosing the most secure web server
possible? Apache is often used, but has many features which are not
needed. Being heavy-weight is more likely to introduce exploits. What
do you think of any alternatives to Apache or am I wrong to think this
about Apache?

Thanks!
Geoff
notbob
2007-01-06 17:29:20 UTC
Post by Geoff
Hi!
Does anyone have any advice in choosing the most secure web server
possible? Apache is often used, but has many features which are not
needed. Being heavy-weight is more likely to introduce exploits. What
do you think of any alternatives to Apache or am I wrong to think this
about Apache?
I recall reading that OpenBSD takes Apache and does their usual code
audit and they made over a hundred changes because they also were not
happy with Apache's security. Unfortunately, I can no longer find
that cite.

nb
John Smith
2007-01-07 14:37:30 UTC
Post by notbob
Post by Geoff
Hi!
Does anyone have any advice in choosing the most secure web server
possible? Apache is often used, but has many features which are not
needed. Being heavy-weight is more likely to introduce exploits. What
do you think of any alternatives to Apache or am I wrong to think this
about Apache?
I recall reading that OpenBSD takes Apache and does their usual code
audit and they made over a hundred changes because they also were not
happy with Apache's security. Unfortunately, I can no longer find
that cite.
nb
The OpenBSD site is www.openbsd.org; Apache is the default web server
included in the base system. OpenBSD is BSD Unix, not Linux. You can
download OpenBSD from the site or buy the CDs.

J Smith @ Microsoft @ CO @ UK
E-mails may be blocked; post replies to newsgroups.
Ken Sims
2007-01-06 18:38:25 UTC
Hi Geoff -
Post by Geoff
Does anyone have any advice in choosing the most secure web server
possible? Apache is often used, but has many features which are not
needed. Being heavy-weight is more likely to introduce exploits. What
do you think of any alternatives to Apache or am I wrong to think this
about Apache?
Don't load the Apache modules for functions/features that you don't
use.

For example, I don't use any proxy features so I don't load the proxy
modules. That way if there are any security holes in the proxy
modules, my server is not vulnerable to them.
--
Ken
http://www.kensims.net/
Ertugrul Soeylemez
2007-01-07 01:45:53 UTC
Post by Geoff
Does anyone have any advice in choosing the most secure web server
possible? Apache is often used, but has many features which are not
needed. Being heavy-weight is more likely to introduce exploits. What
do you think of any alternatives to Apache or am I wrong to think this
about Apache?
The Apache core itself is just a simple implementation of HTTP, a
configuration parser, and a server socket (maybe a few more things).
Even multitasking is a separate feature. So take Ken's advice, and
don't load modules for features you don't need.


Regards,
E.S.
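
The advice in the two replies above (load only the modules for features you use) can be checked mechanically. This is an added example, not part of the thread: a Python check that lists LoadModule lines whose characteristic directives never appear in the configuration. The module-to-directive table is a small assumed subset, the sample configuration is constructed, and site_custom_module is hypothetical.

```python
import re

# Assumed subset for this example: module identifier -> directives that
# only take effect when that module is loaded (names lower-cased).
MODULE_DIRECTIVES = {
    "proxy_module": {"proxypass", "proxypassreverse", "proxyrequests"},
    "proxy_http_module": {"proxypass", "proxypassreverse"},
    "rewrite_module": {"rewriteengine", "rewriterule", "rewritecond"},
    "userdir_module": {"userdir"},
    "dav_module": {"dav"},
    "ssl_module": {"sslengine", "sslcertificatefile"},
}
LOAD_RE = re.compile(r"^\s*LoadModule\s+(\S+)\s+\S+", re.IGNORECASE)
DIRECTIVE_RE = re.compile(r"^\s*<?([A-Za-z][A-Za-z0-9_]*)")

# Constructed sample configuration; site_custom_module is hypothetical.
SAMPLE_CONF = """\
LoadModule proxy_module modules/mod_proxy.so
LoadModule proxy_http_module modules/mod_proxy_http.so
LoadModule rewrite_module modules/mod_rewrite.so
LoadModule userdir_module modules/mod_userdir.so
#LoadModule dav_module modules/mod_dav.so
LoadModule ssl_module modules/mod_ssl.so
LoadModule site_custom_module modules/mod_site_custom.so
Listen 443
<VirtualHost *:443>
    SSLEngine on
    RewriteEngine On
    RewriteRule ^/old$ /new [R=301,L]
</VirtualHost>
"""

def audit_modules(config_text):
    """Return (unused, unknown): loaded modules with no matching directive,
    and loaded modules the table cannot judge (review those by hand)."""
    loaded, used = [], set()
    for line in config_text.splitlines():
        if line.lstrip().startswith("#"):   # commented-out lines load nothing
            continue
        m = LOAD_RE.match(line)
        if m:
            loaded.append(m.group(1))
            continue
        d = DIRECTIVE_RE.match(line)
        if d:
            used.add(d.group(1).lower())    # directive names are case-insensitive
    unused = sorted(x for x in loaded if x in MODULE_DIRECTIVES
                    and not MODULE_DIRECTIVES[x] & used)
    unknown = sorted(x for x in loaded if x not in MODULE_DIRECTIVES)
    return unused, unknown
```

On the sample, the proxy and userdir modules are reported as loaded but unused, which are the candidates for commenting out their LoadModule lines.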
Geoff
2007-01-07 14:27:09 UTC
Thanks for the advice guys!
Post by Ertugrul Soeylemez
Post by Geoff
Does anyone have any advice in choosing the most secure web server
possible? Apache is often used, but has many features which are not
needed. Being heavy-weight is more likely to introduce exploits. What
do you think of any alternatives to Apache or am I wrong to think this
about Apache?
The Apache core itself is just a simple implementation of HTTP, a
configuration parser, and a server socket (maybe a few more things).
Even multitasking is a separate feature. So take Ken's advice, and
don't load modules for features you don't need.
Regards,
E.S.
Nico
2007-01-09 08:09:31 UTC
Post by Geoff
Thanks for the advice guys!
Post by Ertugrul Soeylemez
Post by Geoff
Does anyone have any advice in choosing the most secure web server
possible? Apache is often used, but has many features which are not
needed. Being heavy-weight is more likely to introduce exploits. What
do you think of any alternatives to Apache or am I wrong to think this
about Apache?
The Apache core itself is just a simple implementation of HTTP, a
configuration parser, and a server socket (maybe a few more things).
Even multitasking is a separate feature. So take Ken's advice, and
don't load modules for features you don't need.
A lot has been left out: Apache is fully featured: there are tools
available for all sorts of things which you may not need (such as PHP
and MySQL) and for things that are very useful for security (such as
SSL, and local Kerberos authentication). Using a good webserver is not
enough to be secure: I highly recommend going over what you need with
someone comfortable with your particular server to walk you through the
booby traps.
Ertugrul Soeylemez
2007-01-10 09:58:35 UTC
Post by Nico
Post by Ertugrul Soeylemez
Post by Geoff
Does anyone have any advice in choosing the most secure web
server possible? Apache is often used, but has many features
which are not needed. Being heavy-weight is more likely to
introduce exploits. What do you think of any alternatives to
Apache or am I wrong to think this about Apache?
The Apache core itself is just a simple implementation of HTTP, a
configuration parser, and a server socket (maybe a few more
things). Even multitasking is a separate feature. So take Ken's
advice, and don't load modules for features you don't need.
A lot has been left out: Apache is fully featured: there are tools
available for all sorts of things which you may not need (such as PHP
and MySQL) and for things that are very useful for security (such as
SSL, and local Kerberos authentication). Using a good webserver is not
enough to be secure: I highly recommend going over what you need with
someone comfortable with your particular server to walk you through
the booby traps.
You're talking about security and PHP in the same paragraph, and you're
completely missing the point.


Regards,
E.S.
