Douglas, Mark, Ryan,
Thanks for the replies, all good information.
A little background on me...
I've been an MCP since 1998, been computing since '94, been using
FreeBSD since 4.x-RELEASE.
I've administered networks with dozens of servers and hundreds of
clients, but never with an eye on security, only on a contract basis
for things related to the clients.
Other machines on the LAN are: a PowerMac, my personal workstation, a
WinXP box for storage and things that can be done easier on Windoze,
and another FreeBSD box, which was installed to be identical to the
webserver, so I could use it to "make mistakes on". Different
hardware there, though.
If you haven't already done so, please feel free to visit <http://bubbabbq.homeunix.net>
and explore for yourself what I'm doing and not doing.
There are no uploads, no php, no document.write.
I do have 1 form, /contact.html.
cgiemail <http://web.mit.edu/wwwdev/cgiemail/>, which is written in C,
is behind that form.
I have sendmail_enable="NO" in /etc/rc.conf.
I connect from the Mac to pick up my mail using qpopper via inetd on
I do a good bit of cgi and ssi on /humor.html. 99% of the cgi is
written in /bin/sh, the rest in perl.
I'm especially interested in Mark's and Ryan's comments about
auditing. I get 2 reports every day that show me what happened in the
error.log, and awstats, with some custom extra sections, is how I
monitor the access.log. I see value there.
The most frequent thing I see in the logs is hosts looking for an
open proxy. I'm not running one.
Every now and then, there will be a request for something like:
/thisdoesntexisthaha.html, or /noexist_072034159e9c9199.html. Probably
I also run chkrootkit -q every day.
As an aside, I'm currently making a to-do list for Apache:
* Comment out all the modules I don't need..? I assume that without a
thorough knowledge of each module, I can't just depend on the
<IfModule> directives in httpd.conf?
* Implement some of the apache_tools-snapshot.tgz that I downloaded
* See if I can discourage Google FeedFetcher from trying to download 2
rss feeds that I haven't served in over a year. (Looks unlikely,
FeedFetcher seems to be a proxy for subscribers.)
* Re-read everything related to Apache and Security.
So now, maybe you have a little more information. I'm currently
leaning towards installing mod-security, if for nothing more than the
auditing, and I would assume that you would suggest that I actually
compile it with options, rather than install a package...?
I will trim my posts from now on, and apologize for being so
verbose...it's the COFFEE!!
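The two log patterns Charles describes above (hosts probing for an open proxy, and requests for files that do not exist) can be picked out of an Apache access log with the same /bin/sh plus awk he already uses for his CGI. The script below is an added example written for this page; it is not part of Charles's post, his reports, or the mod_security project. It assumes the log is in Apache's "combined" format with no spaces in request targets, and the log lines it parses are constructed here with RFC 5737 documentation addresses. An open-proxy probe is recognised by a request target that is an absolute URI (a normal request for your own server starts with "/") or by the CONNECT method; a missing-file probe is a 404 for a local path.

```shell
#!/bin/sh
# Constructed sample access_log in Apache "combined" format (not a real
# log from the list post).  Hosts are RFC 5737 documentation addresses.
SAMPLE_LOG="${TMPDIR:-/tmp}/sample_access_log.$$"
cat > "$SAMPLE_LOG" <<'EOF'
203.0.113.5 - - [20/Apr/2009:10:00:01 -0500] "GET / HTTP/1.1" 200 1234 "-" "Mozilla/5.0"
198.51.100.7 - - [20/Apr/2009:10:00:05 -0500] "GET http://www.example.com/ HTTP/1.0" 404 210 "-" "-"
198.51.100.7 - - [20/Apr/2009:10:00:06 -0500] "CONNECT 192.0.2.9:25 HTTP/1.0" 405 0 "-" "-"
192.0.2.44 - - [20/Apr/2009:10:01:10 -0500] "GET /thisdoesntexisthaha.html HTTP/1.1" 404 209 "-" "Mozilla/4.0"
203.0.113.5 - - [20/Apr/2009:10:02:00 -0500] "GET /humor.html HTTP/1.1" 200 5000 "http://bubbabbq.homeunix.net/" "Mozilla/5.0"
192.0.2.44 - - [20/Apr/2009:10:03:00 -0500] "GET /noexist_072034159e9c9199.html HTTP/1.1" 404 209 "-" "Mozilla/4.0"
EOF

# With awk's default whitespace splitting of a combined-format line:
#   $1 = client address, $6 = "\"METHOD" (the opening quote is part of
#   the field), $7 = request target, $9 = status code.

# Count open-proxy probes: absolute-URI target, or CONNECT method.
proxy_probe_count() {
    awk '$7 ~ /^https?:\/\// || $6 == "\"CONNECT" { n++ } END { print n+0 }' "$1"
}

# Count 404s for paths on this server (requests for files that do not
# exist).  Absolute-URI targets are excluded so proxy probes that also
# got a 404 are not counted twice.
missing_file_count() {
    awk '$9 == 404 && $7 ~ /^\// { n++ } END { print n+0 }' "$1"
}

# List the distinct client addresses that sent open-proxy probes.
proxy_probe_hosts() {
    awk '$7 ~ /^https?:\/\// || $6 == "\"CONNECT" { print $1 }' "$1" | sort -u
}

# Stand-alone run: summarise the sample, or a real log given as $1
# (e.g. /var/log/httpd-access.log).
LOG="${1:-$SAMPLE_LOG}"
echo "open-proxy probes:    $(proxy_probe_count "$LOG")"
echo "404s for local paths: $(missing_file_count "$LOG")"
echo "hosts probing for a proxy:"
proxy_probe_hosts "$LOG"
```

Run against the sample it reports 2 proxy probes (both from 198.51.100.7) and 2 local-path 404s; pointed at a real log it is a one-line addition to a daily periodic report. The same field positions drive awstats-style summaries, so extending the report (per-host counts, top 404 targets) is a matter of changing what each awk action prints.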
On Apr 20, 2009, at 5:11 PM, Douglas Held wrote:
> Great question and the answer depends: do you serve any dynamic web
> pages (forms, uploads, php, document.write() etc.?)
> If you do, then your site's applications can be used to compromise
> your server/lan, or used to help compromise computers connecting to
> your site. The default rules in mod_security would probably lend
> significant protection from things like cross site scripting and sql
> If you do not serve any dynamic content, then your site is not a risk
> at this time. You would experience a minor increase in security by
> implementing the mod_security chroot option. In my opinion, the real
> value in securing your site further lies in your education, not in
> actual increased security from threats.
> On 4/20/09, Charles Howse <chowse@...> wrote:
>> I've been lurking on the list for a few days now, and since I've
>> noticed some activity, decided to post my question.
>> I have a home network. I have a cable modem, 4-port router with the
>> ability to open and close any port, and 4 computers running. I also
>> have the router configured to drop both unaccepted TCP request and
>> ICMP packets from the Internet.
>> The only incoming port that is open is 80, and that is forwarded to
>> webserver, which runs FreeBSD-6.4-STABLE, and Apache 2.2.11. I keep
>> all my software updated religiously.
>> The entire webroot directory is backed up every day, and I have a
>> fairly plain configuration for the machine, reading all the periodic
>> reports, my own custom reports, Logwatch reports, etc.
>> I also have clamav, and awstats installed and running.
>> Assuming that an attacker could get past the router, and into the
>> webserver via a vulnerability in Apache, there is really nothing I'm
>> concerned about losing on the webserver. Now, if he gets into the
>> lan, that's big trouble!
>> From what I have read (and that is considerable), mod-security seems
>> complicated and has need of "fiddling with". I'm an avid reader of
>> books and articles concerning computer security, and have read
>> Security", but I must admit, I don't understand everything.
>> Would mod-security be overkill for me and my little network?
>> A Great place to have fun and learn about Barbecue -
> Douglas Held
> +1 (415) 830-6123