swift 08/06/13 20:02:26 Modified: shb-services.xml Log: #223843 - Updates on ssh and apache configurations
Revision Changes Path 1.9 xml/htdocs/doc/en/security/shb-services.xml file : http://sources.gentoo.org/viewcvs.py/gentoo/xml/htdocs/doc/en/security/shb-services.xml?rev=1.9&view=markup plain: http://sources.gentoo.org/viewcvs.py/gentoo/xml/htdocs/doc/en/security/shb-services.xml?rev=1.9&content-type=text/plain diff : http://sources.gentoo.org/viewcvs.py/gentoo/xml/htdocs/doc/en/security/shb-services.xml?r1=1.8&r2=1.9 Index: shb-services.xml =================================================================== RCS file: /var/cvsroot/gentoo/xml/htdocs/doc/en/security/shb-services.xml,v retrieving revision 1.8 retrieving revision 1.9 diff -u -r1.8 -r1.9 --- shb-services.xml 8 Jul 2007 21:31:31 -0000 1.8 +++ shb-services.xml 13 Jun 2008 20:02:26 -0000 1.9 @@ -1,5 +1,5 @@ <?xml version='1.0' encoding='UTF-8'?> -<!-- $Header: /var/cvsroot/gentoo/xml/htdocs/doc/en/security/shb-services.xml,v 1.8 2007/07/08 21:31:31 nightmorph Exp $ --> +<!-- $Header: /var/cvsroot/gentoo/xml/htdocs/doc/en/security/shb-services.xml,v 1.9 2008/06/13 20:02:26 swift Exp $ --> <!DOCTYPE sections SYSTEM "/dtd/book.dtd"> <!-- The content of this document is licensed under the CC-BY-SA license --> @@ -7,8 +7,8 @@ <sections> -<version>1.4</version> -<date>2007-07-08</date> +<version>1.5</version> +<date>2008-06-13</date> <section> <title>Apache</title> 
@@ -23,34 +23,40 @@ <p> If you did not disable <c>ssl</c> in your <path>/etc/make.conf</path> before -installing Apache, you should have access to an ssl enabled server. Just add the -following line to enable it. +installing Apache, you should have access to an ssl enabled server. Inside +<path>/etc/apache2/vhosts.d</path> example configuration files can be found. +These are working examples and it is best to verify those or disable them. </p> -<pre caption="/etc/conf.d/apache"> -HTTPD_OPTS="-D SSL" -</pre> +<p> +It is important to define your configuration(s) to listen to a particular IP +address (rather than all available IP addresses on your system). For instance, +for the <path>00_default_vhost.conf</path> file: +</p> -<pre caption="/etc/apache/conf/apache.conf"> -#Make it listen on your ip +<pre caption="/etc/apache2/vhosts.d/00_default_vhost.conf"> +<comment># Make it listen on your ip</comment> Listen 127.0.0.1 -BindAddress 127.0.0.1 -#It is not a good idea to use nobody or nogroup - -#for every service not running as root -#(just add the user apache with group apache) -User apache -Group apache -#Will keep apache from telling about the version +</pre> + +<p> +We also recommend you to disable showing any information about your Apache +installation to the world. By default, the configuration will add server version +and virtual host name to server-generated pages. To disable this, change the +<c>ServerSignature</c> variable to <c>Off</c>: +</p> + +<pre caption="/etc/apache2/modules.d/00_default_settings.conf"> ServerSignature Off -ServerTokens Prod </pre> <p> Apache is compiled with <c>--enable-shared=max</c> and <c>--enable-module=all</c>. This will by default enable all modules, so you should comment out all modules in the <c>LoadModule</c> section -(<c>LoadModule</c> and <c>AddModule</c>) that you do not use. Restart the -service by executing <c>/etc/init.d/apache restart</c>. 
+(<c>LoadModule</c> and <c>AddModule</c>) that you do not use in the main +<path>/etc/apache2/httpd.conf</path> configuration file. Restart the +service by executing <c>/etc/init.d/apache2 restart</c>. </p> <p> @@ -301,7 +307,8 @@ <p> Netqmail is often considered to be a very secure mail server. It is written with security (and paranoia) in mind. It does not allow relaying by default and has -not had a security hole since 1996. Simply <c>emerge netqmail</c> and go configure! +not had a security hole since 1996. Simply <c>emerge netqmail</c> and go +configure! </p> </body> </section> @@ -405,7 +412,10 @@ <p> Also verify that you don't have <c>UsePAM yes</c> in your configuration file as -it overrides the public key authentication mechanism. +it overrides the public key authentication mechanism, or you can disable either +<c>PasswordAuthentication</c> or <c>ChallengeResponseAuthentication</c>. More +information about these options can be found in the <path>sshd_config</path> +manual page. </p> <p> -- [email protected] mailing list
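Review bot: in the @@ -23,34 hunk, `ServerTokens Prod` is dropped from the hardening example while the new prose only asks for `ServerSignature Off`; `ServerSignature Off` removes the version footer from server-generated pages, but the `Server:` response header still advertises the version unless `ServerTokens` is also set, so the 00_default_settings.conf example should keep both lines: `ServerSignature Off` and `ServerTokens Prod`. In the same hunk, `Listen` takes `[IP-address:]port`, so the vhost example should read `Listen 127.0.0.1:80` (removing the Apache 1.3 `BindAddress` line is right). The retained sentence still tells the reader to comment out `AddModule` entries, but `AddModule` is an Apache 1.3 directive and does not exist in the `/etc/apache2/httpd.conf` that the new text points to; only `LoadModule` should be mentioned. Finally, the hunk removes the `HTTPD_OPTS="-D SSL"` instruction without replacing it, so the paragraph now says the reader "should have access to an ssl enabled server" but no longer says how to enable it; state the apache2 equivalent of that define.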
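Review bot: in the @@ -405,7 hunk, the added clause says you can disable either `PasswordAuthentication` or `ChallengeResponseAuthentication`, but with `UsePAM yes` the PAM keyboard-interactive path stays open as long as `ChallengeResponseAuthentication` is still `yes`, so disabling only `PasswordAuthentication` does not force key-only logins; the text should say to set both to `no` (`PasswordAuthentication no` and `ChallengeResponseAuthentication no`). The retained wording that `UsePAM yes` "overrides the public key authentication mechanism" is also misleading: `UsePAM` enables PAM account and session handling and PAM-backed keyboard-interactive authentication, it does not disable public key authentication; what needs closing are the extra password-style paths, which the two options above control.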
