Hans Harder

Perhaps you should alter some default settings when apache is installed.

  • Deactivate status module: I don't think most people are aware of the /server-status page and if they are, they can just activate the module...
  • ServerTokens Prod instead of ServerTokens OS. You already reduced it from Full to OS, but for a production environment I don't think you need that info.
  • ServerSignature Off. No need to have these on an error page.
  • Remove the /phpinfo.php file (you already have webmin...).
  • Directories /css /js /images are open for directory listings. Perhaps add a .htaccess file there with Options -Indexes.

These are only minor things, the appliances are well protected, but everything helps I think...
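The five settings above, applied as one configuration drop-in. This is an added example, not part of Hans's post and not TurnKey's own appliance configuration; it is written in Apache 2.4 syntax and assumes a Debian-style layout (document root under /var/www/html, the file placed in /etc/apache2/conf-available/ and enabled with a2enconf, modules disabled with a2dismod). The defaults each directive replaces are noted in the comments.

```apache
# Added example (not from the thread): hardened values for the directives
# Hans lists, with the default each one replaces noted alongside.
# Assumes Apache 2.4 on a Debian-style layout; save as
# /etc/apache2/conf-available/hardening.conf and run "a2enconf hardening".

# Default: "ServerTokens OS", which sends e.g. "Apache/2.4.x (Debian)" in the
# Server header. "Prod" reduces it to just "Apache".
ServerTokens Prod

# Default: "ServerSignature On", which appends version and hostname to
# server-generated pages such as 404 errors and directory listings.
ServerSignature Off

# Directory listings: the stock DocumentRoot block carries
# "Options Indexes FollowSymLinks", which is what exposes /css, /js and /images.
# This is the same effect as an .htaccess file containing "Options -Indexes"
# in each of those directories, but kept in one place under version control.
<DirectoryMatch "^/var/www/html/(css|js|images)/">
    Options -Indexes
</DirectoryMatch>

# mod_status: the cleanest fix is to disable the module entirely
# ("a2dismod status" on Debian). If you still want it for local monitoring,
# keep the handler but restrict it to requests from the server itself.
<IfModule mod_status.c>
    <Location /server-status>
        SetHandler server-status
        Require local
    </Location>
</IfModule>

# phpinfo.php is a file, not a directive: delete it from the document root
# once the appliance is in production (webmin already shows the PHP setup).
```

After enabling the file, `apache2ctl configtest` confirms the syntax before a reload; a request for `/server-status` from another host should then return 403, and a request for `/css/` should return 403 instead of a listing.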

Liraz Siri

Thanks for the suggestions Hans. Getting the defaults right is tricky. You have to consider different usage scenarios and optimize the user experience for newbies over more experienced users that understand what they want and know how to tweak things to their liking.

I'm not sure it would make sense to tighten the screws out of the box as some of this stuff is somewhat useful when you are doing development (e.g., it makes it easier to figure out what software you are using and Google for more information). Also, tightening these particular screws wouldn't really do that much to improve security.

Perhaps the best approach would be to add these tips to the community documentation. I remember a few users asked for tutorials on steps that could be taken to harden appliances in a production environment. Maybe this could be a part of that.
