Are my web directories secure?!


Rickead2000
01-22-2006, 07:44 AM
Hi

I am using Apache 2.2 Virtual Hosts.

My setup is.....

/home/user (chmod 555)
/home/user/site1 (chmod 555)
/home/user/site2 (chmod 555)
/home/user/site1/public_html (chmod 755)
/home/user/site1/logs (chmod 555)
/home/user/site1/cgi-bin (chmod 755)

Before I go live with the server, are my user directories secure enough to prevent unauthorised activity?

TIA

je_fro
01-22-2006, 08:40 AM
post us your vhost.conf file...

Rickead2000
01-22-2006, 10:24 AM
Thanks for your reply

Ok here you go!

-------------------------------------------
# Apache 2.2: name-based vhosts must be declared on the listening address
NameVirtualHost 12.12.x.y:80

###### DEFAULT WEBSITE ######

<VirtualHost 12.12.x.y:80>
ServerAdmin admin@xxx.com
DocumentRoot /home/xx/xx/public_html
ServerName www.x.com
ServerAlias xx.com www.xx.com
ErrorLog /home/xx/xx/logs/error.log
CustomLog /home/xx/xx/logs/access.log common
# Directive names are case-sensitive in Apache: "Directory", not "directory".
# In 2.2 an Allow line only takes effect with an explicit Order.
<Directory /home/xx/xx/public_html>
Order allow,deny
Allow from all
</Directory>
</VirtualHost>

###### END DEFAULT WEBSITE ######




###### KEY BUSINESS MANAGEMENT - CLIENT SITES ######

<VirtualHost 12.12.x.y:80>
ServerAdmin admin@xx.com
DocumentRoot /home/xx/xx/public_html/client
ServerName www.xx.com
ServerAlias client.xx.com
# Note: this vhost writes to the same log files as the default site above.
ErrorLog /home/xx/xx/logs/error.log
CustomLog /home/xx/xx/logs/access.log common
<Directory /home/xx/xx/public_html/client>
Order allow,deny
Allow from all
</Directory>
</VirtualHost>

###### END CLIENT SITES ######

je_fro
01-22-2006, 06:21 PM
Yeah, looks like DocumentRoot is properly set... Any time you offer ports to the world you're asking for trouble, so watch your logs, and you may want to install some kind of intrusion detection like ACID, Tripwire, etc.

HughA
01-28-2006, 07:18 PM
Hello Rickead,

There is more to it than just permissions; it also depends on the owner and group of the directories. Have a look at the CIS web site: www.cisecurity.com. They have documentation and a security scanner for Apache. Although I had to tweak the scanner (who, for example, sets directory permissions to '660'?), the accompanying doco in PDF format is *excellent* (I haven't yet found anything else as extensive on the web with regards to this subject), and the general thrust will point you in the right direction.

As per the CIS suggestion, I have set up three dedicated groups, and the one that runs httpd has write permissions only on the log directory and the logs themselves. As is pointed out in the doco, this can prevent common web defacement attacks ;-) I have actually set up my directory permissions to be tighter than what CIS recommends, although this took a little trial-and-error.

If you are interested in O/S hardening (Linux, AIX, HP-UX, Solaris), CIS has scanners and doco for that as well, so that you can have a very well hardened web server.

I hope this is helpful.

Regards,
Hugh

bwkaz
01-29-2006, 03:05 PM
"(who, for example, sets directory permissions to '660'?)"

People that don't need to actually "cd" into the directory, but only need to list and create/delete files in it.

:p