swift 08/06/13 20:02:26

Modified: shb-services.xml
Log:
#223843 - Updates on ssh and apache configurations

Revision Changes Path
1.9 xml/htdocs/doc/en/security/shb-services.xml

file : http://sources.gentoo.org/viewcvs.py/gentoo/xml/htdocs/doc/en/security/shb-services.xml?rev=1.9&view=markup
plain: http://sources.gentoo.org/viewcvs.py/gentoo/xml/htdocs/doc/en/security/shb-services.xml?rev=1.9&content-type=text/plain
diff : http://sources.gentoo.org/viewcvs.py/gentoo/xml/htdocs/doc/en/security/shb-services.xml?r1=1.8&r2=1.9

Index: shb-services.xml |
=================================================================== |
RCS file: /var/cvsroot/gentoo/xml/htdocs/doc/en/security/shb-services.xml,v |
retrieving revision 1.8 |
retrieving revision 1.9 |
diff -u -r1.8 -r1.9 |
--- shb-services.xml 8 Jul 2007 21:31:31 -0000 1.8 |
+++ shb-services.xml 13 Jun 2008 20:02:26 -0000 1.9 |
@@ -1,5 +1,5 @@ |
<?xml version='1.0' encoding='UTF-8'?> |
-<!-- $Header: /var/cvsroot/gentoo/xml/htdocs/doc/en/security/shb-services.xml,v 1.8 2007/07/08 21:31:31 nightmorph Exp $ --> |
+<!-- $Header: /var/cvsroot/gentoo/xml/htdocs/doc/en/security/shb-services.xml,v 1.9 2008/06/13 20:02:26 swift Exp $ --> |
<!DOCTYPE sections SYSTEM "/dtd/book.dtd"> |
|
<!-- The content of this document is licensed under the CC-BY-SA license --> |
@@ -7,8 +7,8 @@ |
|
<sections> |
|
-<version>1.4</version> |
-<date>2007-07-08</date> |
+<version>1.5</version> |
+<date>2008-06-13</date> |
|
<section> |
<title>Apache</title> |
@@ -23,34 +23,40 @@ |
|
<p> |
If you did not disable <c>ssl</c> in your <path>/etc/make.conf</path> before |
-installing Apache, you should have access to an ssl enabled server. Just add the |
-following line to enable it. |
+installing Apache, you should have access to an ssl enabled server. Inside |
+<path>/etc/apache2/vhosts.d</path> example configuration files can be found. |
+These are working examples and it is best to verify those or disable them. |
</p> |
|
-<pre caption="/etc/conf.d/apache"> |
-HTTPD_OPTS="-D SSL" |
-</pre> |
+<p> |
+It is important to define your configuration(s) to listen to a particular IP |
+address (rather than all available IP addresses on your system). For instance, |
+for the <path>00_default_vhost.conf</path> file: |
+</p> |
|
-<pre caption="/etc/apache/conf/apache.conf"> |
-#Make it listen on your ip |
+<pre caption="/etc/apache2/vhosts.d/00_default_vhost.conf"> |
+<comment># Make it listen on your ip</comment> |
Listen 127.0.0.1 |
-BindAddress 127.0.0.1 |
-#It is not a good idea to use nobody or nogroup - |
-#for every service not running as root |
-#(just add the user apache with group apache) |
-User apache |
-Group apache |
-#Will keep apache from telling about the version |
+</pre> |
+ |
+<p> |
+We also recommend you to disable showing any information about your Apache |
+installation to the world. By default, the configuration will add server version |
+and virtual host name to server-generated pages. To disable this, change the |
+<c>ServerSignature</c> variable to <c>Off</c>: |
+</p> |
+ |
+<pre caption="/etc/apache2/modules.d/00_default_settings.conf"> |
ServerSignature Off |
-ServerTokens Prod |
</pre> |
|
<p> |
Apache is compiled with <c>--enable-shared=max</c> and |
<c>--enable-module=all</c>. This will by default enable all modules, so you |
should comment out all modules in the <c>LoadModule</c> section |
-(<c>LoadModule</c> and <c>AddModule</c>) that you do not use. Restart the |
-service by executing <c>/etc/init.d/apache restart</c>. |
+(<c>LoadModule</c> and <c>AddModule</c>) that you do not use in the main |
+<path>/etc/apache2/httpd.conf</path> configuration file. Restart the |
+service by executing <c>/etc/init.d/apache2 restart</c>. |
</p> |
|
<p> |
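Review bot: dropping `-ServerTokens Prod` from the settings block weakens the hardening the new paragraph describes: `ServerSignature Off` only removes the footer line on server-generated pages, while the `Server:` response header still advertises the full version (and module list) unless `ServerTokens Prod` is kept, so both lines belong in the `00_default_settings.conf` example and the paragraph should mention `ServerTokens` as well. In the new `<pre>`, `Listen 127.0.0.1` has no port; Apache 2 rejects that with "Port must be specified", so it should read `Listen 127.0.0.1:80`. The retained mention of `AddModule` is stale now that the text points at `/etc/apache2/httpd.conf`: `AddModule` is an Apache 1.3 directive and does not exist in Apache 2, so only `LoadModule` applies.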
@@ -301,7 +307,8 @@ |
<p> |
Netqmail is often considered to be a very secure mail server. It is written with |
security (and paranoia) in mind. It does not allow relaying by default and has |
-not had a security hole since 1996. Simply <c>emerge netqmail</c> and go configure! |
+not had a security hole since 1996. Simply <c>emerge netqmail</c> and go |
+configure! |
</p> |
</body> |
</section> |
@@ -405,7 +412,10 @@ |
|
<p> |
Also verify that you don't have <c>UsePAM yes</c> in your configuration file as |
-it overrides the public key authentication mechanism. |
+it overrides the public key authentication mechanism, or you can disable either |
+<c>PasswordAuthentication</c> or <c>ChallengeResponseAuthentication</c>. More |
+information about these options can be found in the <path>sshd_config</path> |
+manual page. |
</p> |
|
<p> |
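Review bot: "disable either `PasswordAuthentication` or `ChallengeResponseAuthentication`" in the added sentence is the wrong conjunction for the goal: with `UsePAM yes`, password logins can still succeed through PAM's keyboard-interactive path when only one of the two is off, so both `PasswordAuthentication no` and `ChallengeResponseAuthentication no` are needed to leave public key authentication as the only method. Suggest: "...or set both `PasswordAuthentication` and `ChallengeResponseAuthentication` to `no`." The surrounding sentence could also be made precise while it is being touched: `UsePAM yes` does not override public key authentication, it keeps the PAM-backed password and keyboard-interactive methods available alongside it.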

-- 
gentoo-doc-cvs@l.g.o mailing list