After all the reading I've been doing recently, I've come to the conclusion that the best way to ensure a secure webserver would be to roll my own, based on CentOS.
I would like to build this distro based on community help and support, so this is a call to arms.
The aim: create a .iso using the latest CentOS that has JEOS to provide a chrooted Apache webserver running SSL and the WebSpeed messenger, with full lockdown on all directories and permissions, a firewall and an IDS. No other services to be present by default.
This .iso could then be used to boot either virtual appliances or to install on hardware with ease. The configuration parameters (certificates / httpd.conf etc) would be baked into the distro, as it takes just a couple of minutes to re-install the entire platform from scratch in case of any intrusion detection or config change.
I've created several distros now, using fully-patched CentOS bases, so I am familiar with what is required in this regard, but would like help in identifying the minimum requirements for a chrooted Apache with the WebSpeed messenger.
The advantage of this would be a single source of best practice for an Apache web server, freely available to anyone wanting to set up a secure Apache Linux webserver.
Anyone interested?
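As an added example (not part of the original thread and not any poster's code), here is a small POSIX shell audit that an appliance built along these lines could run at first boot or from cron to confirm the "no other services" and "full lockdown" goals: it flags any listening TCP socket outside an allowlist and any world-writable file under the web root. The allowlist (22 and 443), the `netstat -tln` style input and the sample data are assumptions chosen for the example.

```shell
#!/bin/sh
# Added example: post-build lockdown audit for a minimal Apache appliance.
# Assumptions: only SSH (22) and HTTPS (443) may listen; the listener check
# reads `netstat -tln` style text that was captured to a file.

ALLOWED_PORTS="22 443"

# audit_listeners FILE
# Reads netstat -tln style lines and prints every LISTEN socket whose
# local port is not in ALLOWED_PORTS. Returns 0 if clean, 1 otherwise.
audit_listeners() {
    _file="$1"
    _bad=0
    while read -r proto _recvq _sendq laddr _remote state; do
        [ "$state" = "LISTEN" ] || continue      # skips header lines too
        port="${laddr##*:}"                      # handles 0.0.0.0:80 and :::80
        _ok=0
        for p in $ALLOWED_PORTS; do
            [ "$p" = "$port" ] && _ok=1
        done
        if [ "$_ok" -eq 0 ]; then
            echo "UNEXPECTED LISTENER: $proto $laddr"
            _bad=1
        fi
    done < "$_file"
    return "$_bad"
}

# audit_docroot DIR
# Prints every world-writable file or directory under DIR (a locked-down,
# chrooted web root should contain none). Returns 0 if clean, 1 otherwise.
audit_docroot() {
    _hits=$(find "$1" -perm -0002 2>/dev/null)
    if [ -n "$_hits" ]; then
        echo "WORLD-WRITABLE:"
        echo "$_hits"
        return 1
    fi
    return 0
}

# Constructed sample netstat output: a stray SMTP listener on port 25.
SAMPLE_NETSTAT=$(cat <<'EOF'
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:443             0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN
EOF
)

# run_demo: exercises both checks on constructed data (a stray listener and
# a world-writable CGI script); returns 1 because both problems are present.
run_demo() {
    tmp=$(mktemp -d)
    printf '%s\n' "$SAMPLE_NETSTAT" > "$tmp/netstat.txt"
    mkdir -p "$tmp/docroot/cgi-bin"
    : > "$tmp/docroot/cgi-bin/upload.cgi"
    chmod 0666 "$tmp/docroot/cgi-bin/upload.cgi"   # deliberately wrong perms
    status=0
    audit_listeners "$tmp/netstat.txt" || status=1
    audit_docroot "$tmp/docroot" || status=1
    rm -rf "$tmp"
    return "$status"
}

# Run the demo only when asked: `sh audit.sh --demo`
case "${1:-}" in
    --demo) run_demo ;;
esac
```

On a real box you would feed `audit_listeners` the output of `netstat -tln > /tmp/listeners.txt` and point `audit_docroot` at the chroot's document root; a non-zero exit from either is the trigger for the "reinstall from scratch" step described above.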
While you're there it might be worth considering using a Java application server (Tomcat, JBoss) with a simple 'REST' adapter against the Progress AppServer running in state-free mode instead of the standard WebSpeed server... you'll get connection pooling and no need to fork the cgi-bin messenger on each request.
I would agree with you. If I had any idea what you were talking about.
It sounds good - can you elaborate? I was trying not to have any Progress executables on the distro with the exception of the messenger - does this allow this to happen? Does it remove the need for the WebSpeed messenger?
Thanks.
Yes, the messenger is not going to be needed; instead the connection to the AppServer is going to be made through a simple 'webapp' running in a Java server (Tomcat, JBoss or whatever you like most). The 'REST adapter' needs to pass all HTTP variables and data (GET/POST/CGI/HEADER) to the application server using the Java Open Client; in there (appsrv) you have to have some WebSpeed-like API library for get-value, get/set...
Nothing too difficult to implement, still... each will take some time to get it done.
Right. That looks like a v2.0 option
For v1.0 I'm going to go for the simple CGI messenger version.
Julian
Did V1.0 ever get built?
Tim
Not as such. I got as far as building a customised distro with most stuff stripped out, with a firewall and IDS, but got sidetracked after that.
More than willing to start it up again with some help from the rest of you guys.
Marian?
The other thing I've done recently is moved to Scientific Linux (http://www.scientificlinux.org/), which is doing a much better job at tracking Red Hat than CentOS is right now.
We all get sidetracked every time... how can I be of any help here?