FreeBSD and Apache, is it safe out of the box ?

security security at jim-liesl.org
Fri Mar 7 19:33:49 UTC 2008


Mike Tancsa wrote:
> At 12:02 PM 3/7/2008, Darran wrote:
>> Hello all,
>>
>> I want to run a (FreeBSD 7) server facing the internet and running
>> Apache and wondered if it's safe out of the box .. so to speak ?
> Yes, today it is.  But that does not necessarily mean you will not 
> need to do updates, apply patches, perhaps change your configuration 
> to deal with new threats.  In my experience, FreeBSD makes the latter 
> part easier than Windows or Linux (IMHO and experience)
>
>
>> Do I have to do a degree in configuration to allow it to face the
>> wild west (internet) ?
>> I also want to use it for storage of media and serving of media ..
>> using windows and freebsd clients .. is it possible .. again .. out
>> of the box ?
>
>
> If you mean turn it on, click a few buttons and "it works" ? no.  You 
> will need to install and configure samba and apache.
> e.g.
> cd /usr/ports/net/samba3;make install
>
> will get the application installed, but you still need to configure it 
> and later maintain it.  With Windows, I find you can initially get 
> things working without understanding how it works.  But when you run 
> into problems, you won't understand how to fix them. In general I find 
> with FreeBSD, you are expected to understand some basics, but you are 
> then better prepared to understand the problems you will face in 
> running a server....
>
> That being said, the defaults FreeBSD 7.0 comes with are pretty 
> sane and you should be able to get going quickly to the point where 
> you are doing "stuff"
>
>         ---Mike
>
I would agree with the following caveats:
ONLY allow ssh logins, ONLY using public key auth., and never directly 
to root.
Careful with guest access under SAMBA.
While Apache at this point is reasonably secure, there are a ton of apps 
that you can run under it that aren't.  I'm thinking of many PHP based 
in general, and most of the forum apps in particular.  Be sure to 
research the security history of web apps (or anything that opens up a 
port listener).  Sign up for the mailing list of what you install, so 
you'll be alerted to security updates.
Consider running a file modification detector like aide or tripwire.  
They won't keep you from getting owned, but they'll tell you if it happens.

A little light reading

http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/security-intro.html
http://www.onlamp.com/pub/a/bsd/2002/08/08/FreeBSD_Basics.html
http://httpd.apache.org/docs/2.2/misc/security_tips.html

jim
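
The ssh caveats in the message above (public key auth only, never directly to root) can be checked mechanically; the following is an added example, not part of the original message. It assumes OpenSSH directive names, including ChallengeResponseAuthentication for PAM keyboard-interactive passwords, and a policy that each directive must be set explicitly; the function names are hypothetical.

```python
# Added example (not from the original post): audit sshd_config text against
# the ssh caveats. Policy assumption: every directive must be set explicitly,
# so the result does not depend on a release's compiled-in defaults.
REQUIRED = {
    "permitrootlogin": "no",                  # never directly to root
    "pubkeyauthentication": "yes",            # public key auth only
    "passwordauthentication": "no",
    "challengeresponseauthentication": "no",  # PAM keyboard-interactive passwords
}

def directives(text):
    """Yield (keyword, value, in_match) for each non-comment line."""
    in_match = False
    for raw in text.splitlines():
        # Drop comments and tolerate the keyword=value form.
        parts = raw.split("#", 1)[0].replace("=", " ", 1).split(None, 1)
        if not parts:
            continue
        key = parts[0].lower()  # keywords are case-insensitive
        value = parts[1].strip().strip('"').lower() if len(parts) > 1 else ""
        if key == "match":
            in_match = True     # everything after this is a conditional override
            continue
        yield key, value, in_match

def audit(text):
    """Return a list of findings; an empty list means the policy holds."""
    seen, findings = {}, []
    for key, value, in_match in directives(text):
        if key not in REQUIRED:
            continue
        if in_match:
            if value != REQUIRED[key]:
                findings.append(f"Match block sets {key} {value}")
        else:
            seen.setdefault(key, value)  # sshd uses the first value it reads
    for key, want in REQUIRED.items():
        got = seen.get(key)
        if got is None:
            findings.append(f"{key} not set explicitly (want {want})")
        elif got != want:
            findings.append(f"{key} is {got} (want {want})")
    return findings

# Constructed sample input, not a real host's configuration.
SAMPLE = ("#PermitRootLogin no\nPasswordAuthentication no\n"
          "PasswordAuthentication yes\nPubkeyAuthentication yes\n"
          "Match User backup\n    PasswordAuthentication yes\n")

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE)) or "policy holds")
```

On the constructed sample it reports the commented-out PermitRootLogin, the unset ChallengeResponseAuthentication, and the Match block that re-enables passwords for one user.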



More information about the freebsd-stable mailing list