Hi!

There are several methods of securing your webserver.

- file rights
- chroot-ing
- compartment (set "kernel-attributes" for file-execution)
- (n)ids
- logserver for all servers within your network (no local logging)
- install only needed stuff - no more no less
- secure php.ini
- disable suexec within apache-config
- minimal php/other modules setup
- run mysql without network support (access only over localhost/127.0.0.1)
- restrict usage of directories to only inside special folders (php.ini: open_basedir) - this will only allow this directory as root for webpages; no traversal out of this directory will be allowed!
- disable cgi ...
- customize your logs (log what's needed and extra data which might be interesting but not too much)
- with ssl enable high encryption

[...]

By setting rights to programs that may be used by another app (e.g. at apache startup) you may alter your configuration. Better give apache a restricted bash!

Try chrooting your apache instead to make it way more secure. Make a chroot-jail by copying all needed libraries and stuff to /var/chroot/apache (/bin, /etc, and so on) and start apache with an unprivileged user from the chroot. This will give a script-kiddie no rights except within the chroot-jail. Maybe you want ACLs (not comparable to file-rights!) within the chroot.

Note: The more effort you put into security, the more time you will consume by doing so! The more secure a daemon is, the more difficult it will be to "get it running".

Regards
Philippe

--
This message is digitally signed and carries neither seal nor signature! The unsolicited sending of advertising e-mail to private individuals violates §1 UWG and 823 I BGB (decision of the LG Berlin of 2.8.1998, ref. 16 O 201/98). Any commercial use of the transmitted personal data, as well as passing it on to third parties, is expressly prohibited!
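Added example, not part of the original message: a small audit that checks two items from the list above, the php.ini `open_basedir` restriction and MySQL being reachable only over localhost. The sample config texts are constructed, the function names are hypothetical, and a Unix-style `:` separator in `open_basedir` is assumed.

```python
import configparser

# Constructed sample configs, not taken from the original message.
PHP_WEAK = "[PHP]\n; open_basedir is not set\n"
PHP_HARD = "[PHP]\nopen_basedir = /var/www/site1/:/var/www/site1-tmp/\n"
MYSQL_WEAK = "[mysqld]\nbind-address = 0.0.0.0\n"
MYSQL_HARD = "[mysqld]\nskip-networking\n"


def _options(text, section=None):
    """Parse ini-style text; return the options of one section, or of all."""
    cp = configparser.ConfigParser(allow_no_value=True, interpolation=None,
                                   strict=False, delimiters=("=",))
    cp.read_string("[_top]\n" + text)  # tolerate options before any header
    names = [section] if section else cp.sections()
    return {k: (v or "").strip().strip('"') for s in names
            if cp.has_section(s) for k, v in cp.items(s)}


def audit_php(text):
    """Findings for the open_basedir item (Unix ':' separator assumed)."""
    dirs = [d for d in _options(text).get("open_basedir", "").split(":") if d]
    if not dirs:
        return ["open_basedir is unset: PHP file access is not confined"]
    return [f"open_basedir entry {d!r} confines nothing" for d in dirs if d == "/"]


def audit_mysql(text):
    """Findings for the 'MySQL reachable only over localhost' item."""
    # MySQL accepts '-' and '_' interchangeably in option names.
    opts = {k.replace("_", "-"): v for k, v in _options(text, "mysqld").items()}
    if "skip-networking" in opts:      # bare flag: no TCP listener at all
        return []
    bind = opts.get("bind-address", "")
    if bind in ("127.0.0.1", "localhost", "::1"):
        return []
    return [f"mysqld is not limited to localhost (bind-address={bind or 'unset'})"]


if __name__ == "__main__":
    checks = [("php.ini weak", audit_php, PHP_WEAK), ("php.ini hardened", audit_php, PHP_HARD),
              ("my.cnf weak", audit_mysql, MYSQL_WEAK), ("my.cnf hardened", audit_mysql, MYSQL_HARD)]
    for name, check, text in checks:
        print(f"{name}: {check(text) or 'ok'}")
```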