type of guy that sets up first and what ever I "need to know" or if something doesn't work, I read about it afterwards. If I become really interested in something...then I'll read up on it.

That approach doesn't work for security issues on your live server. I've no doubt you'll be interested - nay, *fascinated*! - when someone cracks your system and wipes all your disks. But by then it's too late to start reading up.

Basically, you all can't tell me that you can't recommend certain "critical" areas that I should examine first and that the only way to get setup is by reading the whole manual. ???? I don't need to know about load balancing or other things that a "home user" would care to know about to get up and running.

The word everyone screamed at you was "security". You don't need to read the whole manual, you need to read up on the security issues. Your approach to learning as you go will work fine for getting the thing running efficiently, but not for security. You *have* to read that manual!

I just want to be up and running and get some "advice" about critical areas of security.

All areas of security are critical. The most important bit is the bit you ignore or don't understand.

As an example, I just want to publish pictures of my carpet. (It's really nice carpet). I can do it know, but how can I keep folks out of my other directories?

Other way round - you should be asking how you close off your other directories, and only open the one(s) you want. See, you don't yet know what questions to ask, so how can you ever be sure you've asked all the right ones until you have the background? And the background comes from TFM.

still a pain. If I were to change the path from /srv/www to /home/tom/public_html would this cause any security issues?

Yes.

Again, I know in order for me to get all the information anyone would ever want to know about Apache, I should read the manual....but I just want to test and slowly increase my knowledge. I just want to play around right now and I'm sure there are simple tips that can be given to an Apache newbie. (I think).

If you want to test and play, install apache on one of your internal machines, away from untrusted users. That's simple - it'll work out of the box. You should have it running inside 5 minutes. Increase your knowledge from there by all means. Just don't open the thing to the outside until you have read up on the security implications, and you've understood how they apply to you. Not anyone else, or an example server, *you*! -- "...our desktop is falling behind stability-wise and feature wise to KDE ...when I went to Mexico in December to the facility where we launched gnome, they had all switched to KDE3." - Miguel de Icaza, March 2003

On 08 Jun 2003 20:40:14 -0700 Tom Nielsen wrote:

Boy did you guys opened up on me! Ouch! I guess I should have expected it.

As an example, I just want to publish pictures of my carpet. (It's really nice carpet). I can do it know, but how can I keep folks out of my other directories?

Apache's built-in security takes care of most of that for you. If the directory isn't listed in httpd.conf, and you don't have a flawed version of apache, it won't allow visitors out of the web directories. Your best option is to make a separate user just for displaying your web photos. That way, if they do get out of the public_html, it's just a dummy user's home directory.

I've seen you all answer these types of questions before. I really do appreciate the input I've received and will receive...including the RTFM parts.

The only tricky thing with apache and homedirs is "suexec", which applies to the cgi-bin. suexec is enabled by default; to disable it, you need to remove the suexec binary from the system(or rename it). suexec will not allow any cgi to run unless it is owned by the owner of the homedir. It has it's own log too, with the other http logs. If you don't use any cgi scripts, and just serve web pages, your security risk is pretty low. -- use Perl; #powerful programmable prestidigitation

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Hi On Monday 09 June 2003 05:40, Tom Nielsen wrote:

Boy did you guys opened up on me! Ouch! I guess I should have expected it.

<snip>> You should of expected you put as if you did not want to look at the manuals and that we all should do your work. Take a look at this link for setting up Installation of a Secure Webserver http://www.suse.de/en/private/support/howto/secure_webserv/index.html Ian - -- A child of five would understand this. Send someone to fetch a child of five. Groucho Marx - ---------------------------------------------------- This mail has been scanned for virus by AntiVir for UNIX Copyright (C) 1994-2003 by H+BEDV Datentechnik GmbH. PGP ID: 589F8449 Fingerprint: EB1C FACF 6BEB 540E 8AC0 F04E 2A25 A2F1 589F 8449 -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.0.6 (GNU/Linux) Comment: For info see http://www.gnupg.org iD8DBQE+5F+QKiWi8VifhEkRAjpxAJ9LFwKXtiU727NTyw8oe3VavXkbBwCcDftc 3BdDK8gnFGtceAL9xObTgLk= =vA8V -----END PGP SIGNATURE-----