In article <42e8ac2a$0$11079$e4fe514c@news.xs4all.nl>,
Thomas J. Boschloo <nospam@hccnet.nl> wrote:
>-----BEGIN PGP SIGNED MESSAGE-----
>
>The Doctor wrote:
>> In article <MPG.1d52008b4f03a9a6989a7a@news-server.columbus.rr.com>,
>> Leythos <void@nowhere.lan> wrote:
>>
>>>In article <dc8ti0$nld$2@gallifrey.nk.ca>, doctor@doctor.nl2k.ab.ca
>>>says...
>>>
>>>>SPykids is a known defacer of Web Site. How does one prevent them
>>>>from ever having access to Server or even a LAN?
>>>>
>>>>Customer complained:
>>>>
>>>>Spykids should not be able to get into our websites
>>>>regardless of whether they are
>>>>piggy-backing on a member or not. This has happened 2x so far.
>>>
>>>You need to learn how they are getting in, what measures you can do to
>>>block it and such.
>>>
>>>First, put the web server behind a dedicated firewall, not a NAT box, a
>>>firewall - only allow real HTTP or HTTPS sessions to it.
>>>
>>>Require users to have strong passwords, look it up if you don't know
>>>what that means.
>>>
>>>Block IP networks that don't need access to your web sites - as an
>>>example I block about 50 subnets in countries outside of our own and it
>>>cuts down on a lot of attempts.
>>>
>>
>>
>> I am using pf via OpenBSD. What do I need to add?
>
>Only install services that Apache needs and keep both your OpenBSD and
>Apache fully patched at all times. If you do that, you won't even need a
>firewall. But if the firewall is based on another computer, it doesn't
>hurt much (iow, even a firewall can have its buffer overflows and other
>stuff)..
The firewall is pf on OpenBSD.
As for Apache , I use:
CC=/usr/bin/gcc CFLAGS="-Wall -DDEBUG -g -O9 -march=i686 " ./configure \
--enable-layout=BSDI\
--enable-v4-mapped \
--enable-maintainer-mode\
--enable-modules=most\
--enable-mods-shared=all\
--disable-optional-hook-export\
--disable-optional-hook-import\
--disable-optional-fn-export\
--disable-optional-fn-import\
--disable-ldap\
--disable-auth-ldap\
--disable-proxy\
--disable-proxy-connect\
--disable-proxy-ftp\
--disable-proxy-http\
--enable-auth-anon=shared\
--enable-auth-dbmi=shared\
--enable-auth-digest=shared\
--enable-file-cache=shared\
--enable-echo=shared\
--enable-charset-lite=shared\
--enable-cache=shared\
--enable-disk-cache=shared\
--enable-mem-cache=shared\
--enable-ext-filter=shared\
--enable-deflate=shared\
--enable-logio=shared\
--enable-mime-magic=shared\
--enable-cern-meta=shared\
--enable-expires=shared\
--enable-headers=shared\
--enable-usertrack=shared\
--enable-unique-id=shared\
--enable-ssl=shared\
--enable-bucketeer=shared\
--enable-static-support\
--enable-static-htpasswd\
--enable-static-htdigest\
--enable-static-rotatelogs\
--enable-static-logresolve\
--enable-static-htdbm\
--enable-static-ab\
--enable-static-checkgid\
--enable-http\
--enable-dav=shared\
--enable-info=shared\
--enable-suexec=shared\
--enable-cgi=shared\
--enable-cgid=shared\
--enable-dav-fs=shared\
--enable-vhost-alias=shared\
--enable-speling=shared\
--enable-rewrite=shared\
--enable-so\
--with-z=/usr\
--with-ssl=/usr/contrib\
--with-mpm=prefork\
--enable-nonportable-atomics=yes\
--with-suexec-bin=/usr/contrib/bin\
--with-suexec-caller=www\
--with-suexec-userdir=html\
--with-suexec-docroot=html\
--with-suexec-uidmin=100\
--with-suexec-gidmin=100\
--with-suexec-logfile=/var/log/httpd/suexec_log\
--with-suexec-safepath=/bin:/usr/bin://usr/contrib/bin\
--with-suexec-umask=022
>
>Then there is 0-day exploits. Not much you can do about them I am afraid..
>
>Also, change your passwords after a fresh install. And make them
>unquessable (like not using the pw 'God' for your 'root' account).
I use the 3-4 combination on a 7+ string password.
>
>Thomas
>- --
>Life is like a videogame with no chance to win - ATR
>-----BEGIN PGP SIGNATURE-----
>Version: GnuPG v1.4.1 (MingW32)
>Comment: Using GnuPG with Thunderbird - http://enigmail.mozdev.org
>
>iQB5AwUBQuisWQEP2l8iXKAJAQEEmwMfXcrsBo5rSbU0sY0+o SbRbU/taK2xqlTg
>AZoaBEDsAy8/8xvb1Do+jTQbRkg5SGi9daIbAV3aJgGyIt+gyW2kJ+FR3WZ6lt 35
>i3uHQ3c+Nw2JnA4e6QUQDiiULij7djQ7CBWh3Q==
>=dMvm
>-----END PGP SIGNATURE-----
--
Member - Liberal International
This is
doctor@nl2k.ab.ca Ici
doctor@nl2k.ab.ca
God Queen and country! Beware Anti-Christ rising!
Better to serve in Heaven that to Rule in Hell.