[svlug] Server Hardening
Rick Moen
rick at linuxmafia.com
Thu Sep 21 16:59:16 PDT 2006
Quoting Lord Sauron (lordsauronthegreat at gmail.com):

> So, I should write my own minimalistic wiki if I really need a wiki
> and use Apache2/PHP5/MySQL4, shut down all the things I don't use and
> pray that there aren't any issues with subversion and ssh and rsync
> which I'll probably be using and pray that there's nothing wrong with
> whichever mail server I finally decide on using?

{scratches head} What? I'm sorry, but I don't get why you should be
asking that. I'm especially mystified at that list of bloated
codebases. ;->

What I was saying is: Complexity tends to stand in the way of security
over time. Please read the Ranum essay, as he says it better than I do.
(Also, his "The Six Dumbest Ideas in Computer Security" is a very
worthwhile place to start:
http://www.ranum.com/security/computer_security/editorials/dumb/)

> PHP4 still has OO features, right?

{sigh} Some.

PHP is a useful language. It just had a bunch of really bad design
and implementation decisions. One of the reasons why SVLUG's Web
server hasn't been cracked despite having had effectively no maintenance
since Marc Merlin ceased running it is that risky software was just not
present -- or not exposed to public attack.

If you need PHP5-specific features, then you need PHP5. I try not to
need them. (People who end up being prisoners of feature wishlists
ultimately get ordered to run Plone. Poor bastards.)

> I'm not certain why I'd pick Apache2 over Apache1.3... All I know is
> that it's better than IIS. If 1.3 is better, then I'll use that.

Neither is unambiguously "better" than the other. I take great care not
to even appear to claim that, lest partisans start some dumb, colossal
flamewar.

However, it isn't going much out on a limb to accuse the Apache2 people
of Second System Effect. (We had that conversation, you and I,
remember?) I mean, for heaven's sake, it has several different
threading models -- mostly for the benefit of the Java people. It may
prove to be Insanely Great<tm>. I just don't want to be among the early
adopters, or even the somewhat-late-but-not-the-last adopters,
especially when Apache 1.3 is still maintained, is a whole heck of a lot
simpler, and still works great for my no-thousand-thread Web apps.