• Make sure all of the current OS patches and updates have been installed.
• Make sure the OS itself has been secured properly. This is the most common way hackers get in, not via the Web server itself.
• All administrators should have their own accounts and use sudo rather than logging in as root. This provides a double layer of authentication.
• Do not accept ICMP redirects or pings on broadcast addresses. This ensures that your server or network remains invisible to people using programs to search for live machines to probe further.
• IP source routed packets should be declined.
• Shut down all unnecessary ports on the Web server. You should only have www, http, https, email, dns, ssh, and sftp enabled (as needed).
• Install a firewall and use either a proxy server or NAT/Virtual servers to provide a secure buffered communication channel between the Xinet server and the outside world. See Proxy and reverse-proxy servers for more details.

Here is a list of some of the tags you should look at in the httpd.conf file; however, you really should also read the documentation from apache.org for more information. As a rule of thumb, you should turn off everything you don’t absolutely need.
• ServerAdmin This should be a real email address.
• User & Group This should never be root. Create a dedicated, unprivileged user and group for the server.
• Indexing [NO] This means that clients can’t get directory listing — knowledge is power for a hacker.
• ServerType Standalone
• MinSpareServers [5]
• MaxSpareServers [10]
• StartServers [5]
• MaxClients [150] Set a reasonable number of threads to keep the system from being overwhelmed by a denial of service attack (DoS)
• MaxRequestsPerChild [30]
• ServerSignature [OFF] Again, knowledge is power to a hacker so don’t tell clients what kind or version of Web server software is running.
• LogTypes {Referrer, Agent, Access/Transfer, Error, Combined, Scriptlog}—Choose only those you really need and turn off all others. For improved performance, consider putting logs on a separate file system.
• LogLevels {Emerg, Alert, Crit, Error, Warn, Notice, Info, Debug} — Choose Warn or Notice unless you really need more information.
• KeepAlive [ON] This provides persistent connections and speeds up image fetches.
• MaxKeepAliveRequests [100] Put a reasonable limit on this so a single connection can’t hog the server.
• KeepAliveTimeout [15] Time to actually keep the connection open
• ListenBacklog Maximum length of request queues
• HostnameLookups Best to leave this off unless you really need hostnames in your log files. You can post process the logs and do the lookups at that time if you want.
• FollowSymLinks [OFF] Leaving this off makes Apache perform extra lstat calls on each path component of short and long URLs. Only turn it on if you really need symlinks.
• SymLinksIfOwnerMatch [OFF] As above
• AllowOverride [NONE] — This will keep Apache from trying to open a .htaccess file in every directory it touches.
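The checklist above translated into actual httpd.conf syntax, as an added example rather than configuration shipped with Xinet or Apache. It assumes Apache 2.4 with the prefork MPM (MaxClients and MaxRequestsPerChild are still accepted there as legacy names; ServerType has no 2.x equivalent), and the e-mail address, user/group, log paths and document root are placeholders. Each weakened setting is shown as a comment directly above its hardened replacement.

```apache
# Added example: hardened httpd.conf excerpt for the checklist above.
# Assumed: Apache 2.4, prefork MPM; all paths and names are placeholders.

# A real, monitored mailbox (placeholder).
ServerAdmin webmaster@example.com

# Never run worker processes as root; give httpd its own unprivileged identity.
# Weak:   User root
User  www-data
Group www-data

# Don't tell clients what software or version is running.
# Weak:   ServerSignature On
ServerSignature Off
ServerTokens Prod

# Bound the process pool so a request flood cannot exhaust the machine.
<IfModule mpm_prefork_module>
    StartServers          5
    MinSpareServers       5
    MaxSpareServers      10
    MaxClients          150
    MaxRequestsPerChild  30
</IfModule>

# Persistent connections, but capped so one client cannot hog a worker.
KeepAlive On
MaxKeepAliveRequests 100
KeepAliveTimeout 15

# Only the logs you need, at warn level, with no reverse DNS at request time.
# Weak:   LogLevel debug
# Weak:   HostnameLookups On
LogLevel warn
HostnameLookups Off
ErrorLog  /var/log/httpd/error_log
CustomLog /var/log/httpd/access_log combined

# Per-directory defaults: no listings, no symlink following, no .htaccess lookups.
<Directory "/var/www/htdocs">
    # Weak:   Options Indexes FollowSymLinks
    # Weak:   AllowOverride All
    Options None
    AllowOverride None
    Require all granted
</Directory>
```

Run `apachectl configtest` after editing to confirm the file parses before restarting the server.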