Apache2 safety?

Joel Oliver joelol75 at verizon.net
Sun Aug 3 18:29:36 UTC 2008

> Thanks, that is nice to hear. Is there anything else that needs fixing
> in the basic install to make thing as safe as can be? I am running
> firestarter and only have port 80 open an a few others for torrents
> and what not. Port 22 is closed, sure gets hit a lot!

One thing I like to do is limit the server 'tokens'.  Doesn't do much 
for safety, but having the server report every enabled option and its 
version along with your OS type and version is not a good idea IMO 
(Makes scripting attacks looking in the header easy if an exploit for a 
certain version/OS is found).  You can understand what I am talking 
about goto http://www.grc.com/id/idserve.htm    This utility only works 
in windows though... I have never seen a linux version and this doesn't 
seem to work right in wine...

The section in the apache2.conf file is:

# ServerTokens
# This directive configures what you return as the Server HTTP response
# Header. The default is 'Full' which sends information about the OS-Type
# and compiled in modules.
# Set to one of:  Full | OS | Minor | Minimal | Major | Prod
# where Full conveys the most information, and Prod the least.
ServerTokens Minor

I set mine on 'Minor' although for the truly paranoid 'Prod' would be better

Also remove any symbolic links from the mods enabled directory for 
anything you will not use... And I usually have to enable the mod for 
ssl (For https: access)

A quicker way to manage these symbolic links are the a2enmod and 
a2dismod commands.

More information about the kubuntu-users mailing list