On Nov 6, 2007 4:06 PM, Ryan Barnett <[EMAIL PROTECTED]> wrote:
> > -----Original Message-----
> > From: Dragon [mailto:[EMAIL PROTECTED]
> > Sent: Tuesday, November 06, 2007 3:52 PM
> > To: users@httpd.apache.org
> > Subject: Re: [EMAIL PROTECTED] Center for Internet Security's Apache Benchmark Project Update
> >
> [Ryan Barnett] There are now PDF and html versions -
> http://apachebenchmark.sourceforge.net/CIS_Apache_Benchmark_v2.1.pdf
> http://apachebenchmark.sourceforge.net/CIS_Apache_Benchmark_v2.1.mht
>
> For this first round of feedback, we are looking for the following main
> areas -

I'm not going to do a detailed review, but a few things that pop up in
a quick scan:

- 2.2 has a much smaller default config file than the other versions.
Your suggestion to start from a blank config file is good for someone
wanting to learn apache, but not that great from a security
perspective. Some of the apache configuration directives have default
values that are LESS secure than the value used in the 2.2 default
config.

- You should use "Options None" rather than "Options -this -that
-theotherthing".

- Section 1.9 is confusing and not secure. You should make clear that
ScriptAlias should be used ONLY IF you are mapping content that would
not normally be accessible from the web (because it is outside the
DocumentRoot for example). It is the most secure solution in that
case, since it is impossible to disable script execution without also
disabling access to the content. SetHandler/AddHandler should be used
for content that lives in a normal web-accessible directory.

- 1.10 could mention the TraceEnable directive. The <LimitExcept ...>
thing is also a little dangerous because it might override other
access controls. It should be used with care.

- 1.13 the recommended KeepAliveTimeout is probably too high. You
should also mention firewall controls that could be used. (Restricting
the number of connections per IP is often helpful.) Also, AcceptFilter
can help against DoS attacks on supported systems and MaxClients can
limit their effects.

- 1.17 Your log rotation script should use USR1 rather than HUP.

Joshua.
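Collecting the points above into one httpd 2.2 fragment, as an added example that is not part of the original thread or of the CIS benchmark itself. The directory paths, the KeepAliveTimeout of 5 seconds and MaxClients 150 are assumed values chosen for illustration, not figures taken from the benchmark.

```apache
# Added example: start from the shipped httpd 2.2 default config, not a blank
# file, since some directives default to LESS secure values than that config sets.

# Deny everything by default using "Options None", not "Options -Indexes -FollowSymLinks".
<Directory />
    Options None
    AllowOverride None
    Order deny,allow
    Deny from all
</Directory>

DocumentRoot "/var/www/html"            # assumed path
<Directory "/var/www/html">
    Options None
    AllowOverride None
    Order allow,deny
    Allow from all
</Directory>

# 1.9: ScriptAlias ONLY for content outside DocumentRoot. Dropping the alias
# removes both execution and access, so the two cannot get out of step.
ScriptAlias /cgi-bin/ "/usr/lib/cgi-bin/"   # assumed path
<Directory "/usr/lib/cgi-bin">
    Options None
    AllowOverride None
    Order allow,deny
    Allow from all
</Directory>

# CGI that lives inside the web-accessible tree uses AddHandler/SetHandler instead.
<Directory "/var/www/html/tools">        # assumed path
    Options ExecCGI
    AddHandler cgi-script .cgi
</Directory>

# 1.10: turn TRACE off directly. A <LimitExcept> block would also work, but it
# can override other access controls in the same container, so prefer this.
TraceEnable off

# 1.13: keep idle keep-alive connections short, bound total workers, and on
# supported systems let the kernel hold a connection until data arrives.
KeepAlive On
KeepAliveTimeout 5
MaxClients 150
AcceptFilter http data
AcceptFilter https data

# 1.17: a log rotation script should ask for a graceful restart (USR1), not HUP:
#   kill -USR1 `cat /var/run/httpd.pid`
```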
