Gentoo Archives: gentoo-doc-cvs

From: Sven Vermeulen <swift@××××××××××××.org>
To: gentoo-doc-cvs@l.g.o
Subject: [gentoo-doc-cvs] cvs commit: shb-services.xml
Date: Fri, 13 Jun 2008 20:02:32
Message-Id: E1K7FTe-00076y-E7@stork.gentoo.org
1 swift 08/06/13 20:02:26
2
3 Modified: shb-services.xml
4 Log:
5 #223843 - Updates on ssh and apache configurations
6
7 Revision Changes Path
8 1.9 xml/htdocs/doc/en/security/shb-services.xml
9
10 file : http://sources.gentoo.org/viewcvs.py/gentoo/xml/htdocs/doc/en/security/shb-services.xml?rev=1.9&view=markup
11 plain: http://sources.gentoo.org/viewcvs.py/gentoo/xml/htdocs/doc/en/security/shb-services.xml?rev=1.9&content-type=text/plain
12 diff : http://sources.gentoo.org/viewcvs.py/gentoo/xml/htdocs/doc/en/security/shb-services.xml?r1=1.8&r2=1.9
13
14 Index: shb-services.xml
15 ===================================================================
16 RCS file: /var/cvsroot/gentoo/xml/htdocs/doc/en/security/shb-services.xml,v
17 retrieving revision 1.8
18 retrieving revision 1.9
19 diff -u -r1.8 -r1.9
20 --- shb-services.xml 8 Jul 2007 21:31:31 -0000 1.8
21 +++ shb-services.xml 13 Jun 2008 20:02:26 -0000 1.9
22 @@ -1,5 +1,5 @@
23 <?xml version='1.0' encoding='UTF-8'?>
24 -<!-- $Header: /var/cvsroot/gentoo/xml/htdocs/doc/en/security/shb-services.xml,v 1.8 2007/07/08 21:31:31 nightmorph Exp $ -->
25 +<!-- $Header: /var/cvsroot/gentoo/xml/htdocs/doc/en/security/shb-services.xml,v 1.9 2008/06/13 20:02:26 swift Exp $ -->
26 <!DOCTYPE sections SYSTEM "/dtd/book.dtd">
27
28 <!-- The content of this document is licensed under the CC-BY-SA license -->
29 @@ -7,8 +7,8 @@
30
31 <sections>
32
33 -<version>1.4</version>
34 -<date>2007-07-08</date>
35 +<version>1.5</version>
36 +<date>2008-06-13</date>
37
38 <section>
39 <title>Apache</title>
40 @@ -23,34 +23,40 @@
41
42 <p>
43 If you did not disable <c>ssl</c> in your <path>/etc/make.conf</path> before
44 -installing Apache, you should have access to an ssl enabled server. Just add the
45 -following line to enable it.
46 +installing Apache, you should have access to an ssl enabled server. Inside
47 +<path>/etc/apache2/vhosts.d</path> example configuration files can be found.
48 +These are working examples and it is best to verify those or disable them.
49 </p>
50
51 -<pre caption="/etc/conf.d/apache">
52 -HTTPD_OPTS="-D SSL"
53 -</pre>
54 +<p>
55 +It is important to define your configuration(s) to listen to a particular IP
56 +address (rather than all available IP addresses on your system). For instance,
57 +for the <path>00_default_vhost.conf</path> file:
58 +</p>
59
60 -<pre caption="/etc/apache/conf/apache.conf">
61 -#Make it listen on your ip
62 +<pre caption="/etc/apache2/vhosts.d/00_default_vhost.conf">
63 +<comment># Make it listen on your ip</comment>
64 Listen 127.0.0.1
65 -BindAddress 127.0.0.1
66 -#It is not a good idea to use nobody or nogroup -
67 -#for every service not running as root
68 -#(just add the user apache with group apache)
69 -User apache
70 -Group apache
71 -#Will keep apache from telling about the version
72 +</pre>
73 +
74 +<p>
75 +We also recommend you to disable showing any information about your Apache
76 +installation to the world. By default, the configuration will add server version
77 +and virtual host name to server-generated pages. To disable this, change the
78 +<c>ServerSignature</c> variable to <c>Off</c>:
79 +</p>
80 +
81 +<pre caption="/etc/apache2/modules.d/00_default_settings.conf">
82 ServerSignature Off
83 -ServerTokens Prod
84 </pre>
85
86 <p>
87 Apache is compiled with <c>--enable-shared=max</c> and
88 <c>--enable-module=all</c>. This will by default enable all modules, so you
89 should comment out all modules in the <c>LoadModule</c> section
90 -(<c>LoadModule</c> and <c>AddModule</c>) that you do not use. Restart the
91 -service by executing <c>/etc/init.d/apache restart</c>.
92 +(<c>LoadModule</c> and <c>AddModule</c>) that you do not use in the main
93 +<path>/etc/apache2/httpd.conf</path> configuration file. Restart the
94 +service by executing <c>/etc/init.d/apache2 restart</c>.
95 </p>
96
97 <p>
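Review bot: dropping `ServerTokens Prod` from the example contradicts the paragraph this hunk adds just above it. `ServerSignature Off` only removes the footer line on server-generated pages (error pages, directory listings); the `Server:` response header still advertises the full version and module list unless `ServerTokens Prod` is set as well. Suggest keeping both lines in the 00_default_settings.conf example:
ServerSignature Off
ServerTokens Prod
Two further points in the same hunk. `Listen 127.0.0.1` will not start Apache 2: the directive takes `[IP-address:]port` and the port is mandatory, so this should read `Listen 127.0.0.1:80` (and the comment should say that 127.0.0.1 makes the server reachable from the local host only, so readers substitute the address they actually serve on). And now that the text points at /etc/apache2/httpd.conf, the parenthetical `(LoadModule and AddModule)` is stale, since AddModule was removed in Apache 2.0; the `--enable-shared=max` / `--enable-module=all` configure flags quoted in the same paragraph are 1.3-era names too. Lastly, the removed User/Group block carried the still-valid advice not to run the daemon as nobody/nogroup; a sentence on that is worth keeping even if the Gentoo default already uses the apache user.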
98 @@ -301,7 +307,8 @@
99 <p>
100 Netqmail is often considered to be a very secure mail server. It is written with
101 security (and paranoia) in mind. It does not allow relaying by default and has
102 -not had a security hole since 1996. Simply <c>emerge netqmail</c> and go configure!
103 +not had a security hole since 1996. Simply <c>emerge netqmail</c> and go
104 +configure!
105 </p>
106 </body>
107 </section>
108 @@ -405,7 +412,10 @@
109
110 <p>
111 Also verify that you don't have <c>UsePAM yes</c> in your configuration file as
112 -it overrides the public key authentication mechanism.
113 +it overrides the public key authentication mechanism, or you can disable either
114 +<c>PasswordAuthentication</c> or <c>ChallengeResponseAuthentication</c>. More
115 +information about these options can be found in the <path>sshd_config</path>
116 +manual page.
117 </p>
118
119 <p>
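Review bot: the statement that `UsePAM yes` overrides public key authentication is incorrect, and the added alternative should say "both", not "either". UsePAM turns on PAM account and session processing and, when ChallengeResponseAuthentication is yes, PAM keyboard-interactive authentication; it does not disable publickey. What leaves a password path open on a key-only server is PasswordAuthentication or PAM keyboard-interactive, and disabling only PasswordAuthentication still leaves keyboard-interactive available while UsePAM is yes. Suggested wording: "To allow only public key logins, set PasswordAuthentication no and ChallengeResponseAuthentication no; UsePAM yes can stay, as it does not affect public key authentication and is needed for PAM account and session handling."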
120
121
122
123 --
124 gentoo-doc-cvs@l.g.o mailing list