TurnKey Linux Virtual Appliance Library

Apache settings

Hans

Perhaps you should alter some default settings when apache is installed.

  • Deactivate the status module: I don't think most people are aware of the /server-status page, and if they are, they can just activate the module...
  • ServerTokens Prod instead of ServerTokens OS. You already reduced it from Full to OS, but for a production environment I don't think you need that info.
  • ServerSignature Off. No need to have this on an error page.
  • Remove the /phpinfo.php file (you already have webmin ....).
  • Directories /css /js /images are open for directory listings. Perhaps add a .htaccess file there with Options -Indexes.

These are only minor things, the appliances are well protected, but everything helps I think...
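A way to check an appliance's Apache configuration for the points listed above, as an added example that is not part of Hans's post or of TurnKey Linux: a POSIX shell audit function run over two constructed config files, one with the weaker defaults and one with the suggested hardening applied. It assumes everything sits in a single flat file (a Debian layout splits these across conf.d and mods-enabled), and the phpinfo.php removal is a file-existence check rather than a config check, so it is not covered.

```shell
# Added example: audit one Apache config file for the settings discussed above.
# Prints one line per finding; exit status is the number of findings (0 = clean).
audit_apache_conf() {
    f="$1"
    findings=0
    # ServerTokens: anything but Prod leaks OS/module detail in the Server header.
    if ! grep -Eiq '^[[:space:]]*ServerTokens[[:space:]]+Prod[[:space:]]*$' "$f"; then
        echo "ServerTokens is not Prod (Server header reveals OS/version detail)"
        findings=$((findings + 1))
    fi
    # ServerSignature On/EMail appends the server version to generated error pages.
    if ! grep -Eiq '^[[:space:]]*ServerSignature[[:space:]]+Off[[:space:]]*$' "$f"; then
        echo "ServerSignature is not Off (error pages show server version)"
        findings=$((findings + 1))
    fi
    # mod_status serves /server-status; flag it when the module is loaded.
    if grep -Eiq '^[[:space:]]*LoadModule[[:space:]]+status_module' "$f"; then
        echo "status_module is loaded (/server-status may be exposed)"
        findings=$((findings + 1))
    fi
    # Options lines that enable Indexes (bare or +Indexes); "-Indexes" does not match.
    if grep -Eiq '^[[:space:]]*Options([[:space:]]+[-+]?[[:alnum:]]+)*[[:space:]]+[+]?Indexes([[:space:]]|$)' "$f"; then
        echo "Options enables Indexes (directory listings allowed)"
        findings=$((findings + 1))
    fi
    return "$findings"
}
# Constructed sample: the weaker defaults the post describes.
WEAK_CONF=$(mktemp)
cat > "$WEAK_CONF" <<'EOF'
ServerTokens OS
ServerSignature On
LoadModule status_module /usr/lib/apache2/modules/mod_status.so
<Directory /var/www/css>
    Options Indexes FollowSymLinks
</Directory>
EOF
# Constructed sample: the same file with the suggested hardening applied.
HARDENED_CONF=$(mktemp)
cat > "$HARDENED_CONF" <<'EOF'
ServerTokens Prod
ServerSignature Off
<Directory /var/www/css>
    Options -Indexes FollowSymLinks
</Directory>
EOF
trap 'rm -f "$WEAK_CONF" "$HARDENED_CONF"' EXIT
echo "== weak config =="; audit_apache_conf "$WEAK_CONF" || true
echo "== hardened config =="; audit_apache_conf "$HARDENED_CONF" || true
```

On a real appliance, point the function at the file that actually carries these directives (for example the security settings under conf.d) rather than at the constructed samples.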

Liraz Siri

Not sure about tightening the screws out of the box

Thanks for the suggestions Hans. Getting the defaults right is tricky. You have to consider different usage scenarios and optimize the user experience for newbies over more experienced users that understand what they want and know how to tweak things to their liking.

I'm not sure it would make sense to tighten the screws out of the box as some of this stuff is somewhat useful when you are doing development (e.g., it makes it easier to figure out what software you are using and Google for more information). Also, tightening these particular screws wouldn't really do that much to improve security.

Perhaps the best approach would be to add these tips to the community documentation. I remember a few users asked for tutorials on steps that could be taken to harden appliances in a production environment. Maybe this could be a part of that.
