Great Circle Associates Firewalls
(September 1996)
 


Subject: Re: Secure Web Server?
From: long-morrow @ CS . YALE . EDU
Date: Fri, 13 Sep 1996 10:37:25 -0400 (EDT)
To: ChrisP @ steldyn . com, firewalls @ greatcircle . com

ChrisP @ steldyn . com wrote:
>While we are on the subject of secure programs for firewalls, Does
>anybody have any strong feelings for a well coded, secure web server
>software?  I am looking for *nix variant to run on a Linux platform.
>This is intended to be a very tightly locked down machine with only
>http, smtp, and ftp ports open.  Everything else will be shut down and
>blocked.  I have worked with the Apache product and I was satisfied with
>its performance, but I am wondering if there is anything else out there
>that is tighter and cleaner.  At this point I am not using any CGI so I
>don't need support for that.
>
>Chris

Apache running as nobody without any CGI should be fairly secure.
I would also run it in a chroot()d environment (even on a locked down
machine).

Dr. Frederick B. Cohen ( fc @ all . net ) wrote an http daemon last year
designed to be verifiably secure called thttpd.  It only consists of
a small number of lines of source code.  If you don't need a Web
server with lots of bells and whistles (server side includes,
server side Java, etc.), which tend to make the server less secure,
you may want to look for it.  It should be under http://all.net/ or
http://all.net:8080/ though neither of these URLs is working for me
this morning.

- Morrow
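
The two measures recommended in the reply above (a chroot()ed environment and running as nobody) depend on the order of the calls, shown here as an added example that is not part of the original message. The function name `confine` and the jail path `/var/www-jail` are hypothetical.

```c
#ifndef _DEFAULT_SOURCE
#define _DEFAULT_SOURCE 1   /* exposes chroot() and setgroups() on glibc */
#endif
#include <grp.h>
#include <pwd.h>
#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>

/* Confine the calling process to `jail` and switch to an unprivileged
 * uid/gid. Returns 0 on success, or a negative step number on failure:
 * -1 chdir, -2 chroot, -3 setgroups, -4 setgid, -5 setuid, -6 root regained. */
int confine(const char *jail, uid_t uid, gid_t gid)
{
    /* Enter the jail directory first, so no working directory outside
     * the new root is left behind as an escape path. */
    if (chdir(jail) != 0) return -1;
    if (chroot(".") != 0) return -2;   /* requires root */
    if (chdir("/") != 0) return -1;

    /* Drop supplementary groups, then gid, then uid. Once the uid is
     * gone the process no longer has the privilege to change the rest. */
    if (setgroups(0, NULL) != 0) return -3;
    if (setgid(gid) != 0) return -4;
    if (setuid(uid) != 0) return -5;

    /* Root can break out of a chroot, so confirm the drop is permanent. */
    if (uid != 0 && setuid(0) == 0) return -6;
    return 0;
}

int main(int argc, char **argv)
{
    /* "/var/www-jail" is a hypothetical path; pass the real one as argv[1]. */
    const char *jail = argc > 1 ? argv[1] : "/var/www-jail";
    /* Look up "nobody" before chroot: /etc/passwd is not inside the jail. */
    struct passwd *pw = getpwnam("nobody");
    if (pw == NULL) { fprintf(stderr, "no 'nobody' account\n"); return 1; }

    /* Bind port 80 and open log files here, before privileges go away. */
    int rc = confine(jail, pw->pw_uid, pw->pw_gid);
    if (rc != 0) { fprintf(stderr, "confine failed at step %d\n", rc); return 1; }
    printf("serving from / as uid %d\n", (int)getuid());
    return 0;
}
```

The return code identifies which step failed, so a startup script can refuse to serve when the jail or the privilege drop did not take effect.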

