Tell me more ×
Unix & Linux Stack Exchange is a question and answer site for users of Linux, FreeBSD and other Un*x-like operating systems.. It's 100% free, no registration required.
up vote 2 down vote favorite

I have an OpenBSD server that has a running webserver (the built-in apache web srv).

How can I harden this setup? I want to only server static html files, no php, no sql.

share|improve this question
2  
remove all unnecessary apache modules, be sure webdav is not running, permissions should not allow execution of scripts / directory traversal, etc... – Mike Pennington Jun 6 '12 at 7:07
@MikePennington Should drop that in an answer – Tim Jun 6 '12 at 13:11

3 Answers

up vote 3 down vote accepted

If you're only serving static files, you don't need modify the config. The defaults are secure. Anyway, the OpenBSD FAQ is your friend, particularly the section about apache+chroot.

In the future, nginx will probably replace apache in base.

share|improve this answer
up vote 1 down vote

The OpenBSD devs have already done this work for you! The default install is already hardened and lacks support for php "out of the box" and includes OpenBSD's audits and security changes. The fact that Apache runs w/in a chroot by default also isolates the daemon to the directory /var/www. The default configs in your httpd.conf file are also set to sane defaults, but you should review them for your particular case.

Like most things in OpenBSD, the defaults are sane, and if you want to shoot yourself in the foot, you have to explicitly do so.

share|improve this answer
and why does the "httpd.conf" contains the /var/www for chroot? What happens if someone modifies this path in this config file? for ex.: to "/"? - will the chroot dir be changed? :D – gasko peter Jun 23 '12 at 6:23
check the httpd man page on OpenBSD: "By default, httpd will chroot(2) to the ServerRoot'' path, serving documents from the DocumentRoot'' path. As a result of the default secure behaviour, httpd cannot access any objects outside ``ServerRoot'' - this security measure is taken in case httpd is compromised. This is not without drawbacks, though" – gabe. Jul 18 '12 at 20:12
Though if you're going to change the chroot to /, you are kind of defeating the purpose. Might as well just use the -u option to httpd to disable the chroot entirely at that point. Definitely check out the official OpenBSD FAQ on this: openbsd.org/faq/faq10.html#httpdchroot – gabe. Jul 18 '12 at 20:30
up vote 0 down vote

There is also a book called "Hardening Apache" that has some good tips as well.

share|improve this answer

Your Answer

 
discard

By posting your answer, you agree to the privacy policy and terms of service.

Not the answer you're looking for? Browse other questions tagged or ask your own question.