Agree. One can restrict users' access to the http bastion host/apache server by
creating ftp access only, using wu-ftpd, or on Solaris 2.6, configure the
anonymous ftp server (use the Solaris ftpd daemon) to accept ftp-only access.
On Sun, 1 Feb 1998, Marc Slemko wrote:
->On Sun, 1 Feb 1998, Henry Hertz Hobbit wrote:
->> On Fri, 30 Jan 1998, Michael J. Maravillo wrote:
->> > On Thu, 29 Jan 1998, Henry Hollenberg wrote:
->> > >I saw that the CERN http server was recommended in Chapman and
->> > > Zwicky so started checking it out, but the first thing I read
->> > > knocked it:
->> > [...]
->> > >Should I look for something else.....they made it sound pretty
->> > > good in the book, caching and all. Comments?
->> > Get Apache... http://www.apache.org
->> You get what you pay for. If you also subscribe to the Bugtraq
->> mailing list, you immediately realize that Apache has its share
->> of security holes. The price is lower, but so is the security level.
->> If this isn't a concern, then by all means go ahead and get it.
->> Apache makes an excellent product, and despite what I just said
->> they have been very good at patching any holes as they find them.
->> If you want a higher level of security I would advise that you
->> get a Netscape server. CERN's product was the first, and as always
->> with the first, getting the darn thing to work is a higher priority
->> than security. Netscape site:
->Huh? Why exactly do you think Netscape's server is going to be magically
->secure and will have no security holes? Because they don't go through and
->do security reviews of it and announce any problems they find publicly?
->Because the source isn't available so it is harder for people to find
->those holes? I can give you a list of servers that have never had any
->security holes publicly announced. If I spent some time, I could also
->give you a list of holes in most or all of them.
->There have been no general exploits found in the past year for Apache that
->can be exploited remotely without pre-existing access, and I suggest that
->if someone already has access to your bastion then Apache isn't your
->Whatever server you run, you should run it chrooted.
-> Marc Slemko | Apache team member
-> marcs @
com | marc @
Ming Lu Email: mlu @
Network Tech Consulting Engineer Phone: 703-689-5290 (w)
Engineering Division 703-855-4194 (m)
Global One Telecommunications, LLT. 703-689-6575 (f)
"Do not pay attention to every word people say, or you may hear your
servant cursing you ---- for you know in your heart that many times you
yourself have cursed others."