mod_ssl newbie

on 30.07.2002 21:37:14 by brian.henning

Hello,
I am new to the ssl world. Right now I am running w2k with apache 1.3.23 web
server. I downloaded the mod_ssl package from the website. I changed the
port on my apache web server to 443. On a high level what do I need to do to
create a secure web server? I guess my real problem is I don't know what ssl
does for me. What I am looking for is something that can password protect
the files on my server. I want to let specific people access my site and
that is it. They must have a password to use it. Is mod_ssl what I want or
should I be looking elsewhere?
Thanks for any input,
brian
____________________________________________________________ __________
Apache Interface to OpenSSL (mod_ssl) www.modssl.org
User Support Mailing List modssl-users@modssl.org
Automated List Manager majordomo@modssl.org

Re: mod_ssl newbie

on 30.07.2002 21:40:30 by Daniel Lopez

For that you do not want SSL. Check out:
http://httpd.apache.org/docs-2.0/howto/auth.html

For an introduction to SSL and Apache, you can check
out a chapter I have online:
http://apacheworld.org/ty24/site.chapter17.html

Cheers

Daniel

On Tue, Jul 30, 2002 at 02:37:14PM -0500, Henning, Brian wrote:
> Hello,
> I am new to the ssl world. Right now I am running w2k with apache 1.3.23 web
> server. I downloaded the mod_ssl package from the website. I changed the
> port on my apache web server to 443. On a high level what do I need to do to
> create a secure web server? I guess my real problem is I don't know what ssl
> does for me. What I am looking for is something that can password protect
> the files on my server. I want to let specific people access my site and
> that is it. They must have a password to use it. Is mod_ssl what I want or
> should I be looking elsewhere?
> thanks for any input,
> brian

Re: mod_ssl newbie

on 30.07.2002 21:49:35 by Peter Choe

You probably want to look at .htaccess, which would prompt people for userid
and password to access certain parts of your webserver.

SSL provides encryption so that data being sent back and forth between your
server and the client can't be easily read.

At 03:37 PM 7/30/2002, you wrote:
>Hello,
>I am new to the ssl world. Right now I am running w2k with apache 1.3.23 web
>server. I downloaded the mod_ssl package from the website. I changed the
>port on my apache web server to 443. On a high level what do I need to do to
>create a secure web server? I guess my real problem is I don't know what ssl
>does for me. What I am looking for is something that can password protect
>the files on my server. I want to let specific people access my site and
>that is it. They must have a password to use it. Is mod_ssl what I want or
>should I be looking elsewhere?
>thanks for any input,
>brian

Peter Choe
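
An added example, not part of the original thread: one way to combine the two suggestions above on Apache 1.3 with mod_ssl. HTTP Basic authentication sends the password only base64-encoded, so the directory is also restricted to SSL connections. All paths, the realm name and the user names are placeholders.

```apache
# --- httpd.conf (server config) ---
# Allow a .htaccess file in the protected directory to set
# authentication directives. The directory path is a placeholder.
<Directory "C:/Apache/htdocs/private">
    AllowOverride AuthConfig
</Directory>

# --- C:/Apache/htdocs/private/.htaccess ---
# Refuse any request for this directory that did not arrive over SSL,
# so the Basic auth password never crosses the network unencrypted.
SSLRequireSSL

# Prompt the browser for a user name and password.
AuthType Basic
AuthName "Private area"

# Password file created with the htpasswd utility, for example:
#   htpasswd -c C:/Apache/conf/private.htpasswd alice
# Keep it outside the document root so it cannot be downloaded.
AuthUserFile "C:/Apache/conf/private.htpasswd"

# Only these accounts may log in. Use "Require valid-user" instead
# to admit every account listed in the password file.
Require user alice bob
```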


Re: mod_ssl newbie

on 30.07.2002 22:30:52 by dufresne

Many people seem to have the impression that security=ssl enabled, and in
some ways it does enhance security, but, it's certainly by no means the
end of the game, nor the beginning. Security begins with the OS install.
Not adding packages known to be exploitable world these days, a kitchen sink of exploitable packages in the defaults
available>, closing out un-needed services not using NFS, then turn it
off, disable it via the kernel rebuild process, etc, replacing telnet, ftp
and the R* commands with ssh/scp, setting proper permissions throughout
the directory structure to limit local exposures and abilities. Of course
the game gets tougher once you allow others onto the system, once a person
has a shell on the box, they have many more routes to compromise the
system, so, trust begins to play a larger and larger role. So, to more
directly answer your question, no, mod-ssl is not going to fit your needs
completely here. It begins at the administration level. Think of ssl
enabled transactions as more of a secure tunnel for the protection of the
exchange of information information> in an encrypted tunnel over the public network. For those with
actual login capabilities on your system, you have a whole other set of
worms to fish up and out. Even an ssl "secured" web server with open
exploitable services running on other tcp/ip or udp ports will leave you
0w3d in short order. The system you are attempting to secure should not
even touch the internet until *after* it has been properly configured and
secured.

Here's a reading list to get you started:

http://rr.sans.org/
http://www.interhack.net/pubs/fwfaq/
http://geodsoft.com/howto/harden/
http://www.nfr.com/forum/publications.html
http://www.ticm.com/info/insider/members/fwsecfaq/index.html
http://www.avolio.com/columns/15.html
http://www.wilyhacker.com/
http://www.jmu.edu/computing/runsafe/
http://csrc.nist.gov/itsec/guidance_W2Kpro.html
http://www.networkcomputing.com/1120/1120ws1.html
http://www.Linux-Sec.net/Policy/

http://www.pc-help.org/obscure.htm
http://www.monkeys.com/security/proxies/
http://nms-cgi.sourceforge.net/
http://www.cgisecurity.com/articles/
http://www.apacheweek.com/features/security-13
http://www.cgisecurity.net/papers/


Thanks,

Ron DuFresne

On Tue, 30 Jul 2002, Henning, Brian wrote:

> Hello,
> I am new to the ssl world. Right now I am running w2k with apache 1.3.23 web
> server. I downloaded the mod_ssl package from the website. I changed the
> port on my apache web server to 443. On a high level what do I need to do to
> create a secure web server? I guess my real problem is I don't know what ssl
> does for me. What I am looking for is something that can password protect
> the files on my server. I want to let specific people access my site and
> that is it. They must have a password to use it. Is mod_ssl what I want or
> should I be looking elsewhere?
> thanks for any input,
> brian

--
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
admin & senior security consultant: sysinfo.com
http://sysinfo.com

"Cutting the space budget really restores my faith in humanity. It
eliminates dreams, goals, and ideals and lets us get straight to the
business of hate, debauchery, and self-annihilation."
-- Johnny Hart

testing, only testing, and damn good at it too!
