Tiny mod to Apache 2.0 Hardening Guide
Thanks to John Kristoff for his feedback, I've updated the guide to better notify the webmaster when the Apache server restarts, without the convoluted "copy to /tmp" first.
Here's the note that John sent me:

Hi Martin,

I happened to come across your Apache 2.0 hardening guide, and as I was
looking through it I saw this peculiar suggestion:

As a failsafe measure, you should notify your webmaster alias any time
this server is restarted. That way, you'll be notified of any
unauthorized attempts.

Open /opt/apache/bin/apachectl and add something like this to the file:

tail /opt/apache2/logs/error_log > /tmp/error_log
/bin/mail -s 'Apache web server has restarted' < /tmp/error_log
rm /tmp/error_log

That would be quite dangerous if someone could get access to the shell
or if you had a user on the system that decided to wreak havoc. For
example, someone could create a link named error_log that points to some
privileged file. Since the script probably runs as root, even though
the web server does not, this could be a potential problem.

Perhaps this may be a little simpler and a little safer:

tail /opt/apache2/logs/error_log |
/bin/mail -s 'Apache web server has restarted'

John
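
The difference between the two forms, reproduced in a throwaway sandbox directory as an added example (not part of John's note or the original guide): a link is already sitting at the staging path when the notifier runs, and the script reports what happened to the file the link points to. The function names, the `send_report` stand-in for /bin/mail, the constructed file contents and the `mktemp` variant are assumptions that go beyond the two commands quoted above.

```sh
#!/bin/sh
# Added example. Everything happens inside a private mktemp -d sandbox;
# no real /tmp/error_log is touched and no mail is sent.

# Stand-in for /bin/mail (assumption): consume the report from stdin.
send_report() { cat > /dev/null; }

# Pattern from the original guide: stage the log tail at a fixed path.
# $1 = log file, $2 = staging path
notify_via_tmpfile() {
    tail "$1" > "$2"        # ">" follows a link at $2 and truncates its target
    send_report < "$2"
    rm "$2"                 # removes only the link, not the damaged target
}

# John's pattern: no intermediate file, so there is no path to pre-plant.
notify_via_pipe() {
    tail "$1" | send_report
}

# If a staging file is unavoidable: mktemp picks an unpredictable name and
# creates the file exclusively, so an existing link is never followed.
notify_via_mktemp() {
    staged=$(mktemp) || return 1
    tail "$1" > "$staged"
    send_report < "$staged"
    rm -f "$staged"
}

# Build the sandbox, plant the link, run notifier $1, and print what the
# stand-in "privileged" file contains afterwards.
run_case() {
    box=$(mktemp -d) || return 1
    printf 'constructed log line\n' > "$box/log"          # constructed sample log
    printf 'privileged data\n' > "$box/privileged"        # stand-in privileged file
    ln -s "$box/privileged" "$box/error_log"              # link at the staging path
    "$1" "$box/log" "$box/error_log"
    cat "$box/privileged"
    rm -rf "$box"
}

for notifier in notify_via_tmpfile notify_via_pipe notify_via_mktemp; do
    printf '%s: privileged file now contains "%s"\n' "$notifier" "$(run_case "$notifier")"
done
```

Only the fixed-path variant overwrites the stand-in file with log content; the other two leave it intact.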