WTF *Nix

Just another *nix Blog

Bahhhh Web Servers and Firewalls…

Dec-10-2009 By WTF *Nix

Going to break these down into parts so that each of you who is new in this area can follow along… I know for a fact there are some gurus out there who may read this and say something along the lines of “What a waste of time…” Well, this isn’t for you, O Mighty Gurus :P

So lets start with…

Web and FTP Servers

Every network with an internet connection is at risk of being compromised. There are several steps you can take to secure your LAN, but the one that matters most is to close the LAN to unsolicited incoming connections and to restrict what is allowed out.

Some services, such as web or FTP servers, require incoming connections. If you need these services, decide whether the servers really have to be part of the LAN or whether they can be placed on a separate network segment known as a DMZ (demilitarized zone). Ideally every server in the DMZ is a stand-alone server, with its own accounts and passwords that are not reused anywhere else, and in particular not shared with the LAN. If you need a backup server for machines in the DMZ, use a dedicated machine for it; the golden rule is to keep the DMZ backup solution separate from the LAN backup solution, so that a compromised DMZ host cannot ride the backup channel into the LAN.

The DMZ hangs directly off the firewall, which means there are two routes in and out of it: traffic to and from the internet, and traffic to and from the LAN. Treat these as two separate policies: traffic between the DMZ and the LAN is filtered independently of traffic between the DMZ and the internet. Incoming traffic from the internet is routed straight to the DMZ and never to the LAN.

If an attacker compromises a machine in the DMZ, the only network they gain a foothold on is the DMZ; they can reach the LAN only through whatever the firewall explicitly allows from the DMZ, which should be next to nothing. Likewise, a virus infection or other compromise on the LAN can only reach the DMZ over the few ports the firewall permits in that direction.

For the DMZ to be effective, keep traffic between the LAN and the DMZ to a minimum. In most cases the only traffic the LAN needs into the DMZ is the file transfer used to publish content (FTP here, though plain FTP sends passwords in the clear, so prefer SFTP or SCP over SSH). If you do not have physical access to the servers, you will also need a remote management protocol such as SSH, RDP or VNC; allow that only from the administrators’ workstations rather than from the whole LAN.

Database servers

If your web servers need a database, think about where to put it. The most secure place for a database server is yet another separate network segment, the “secure zone”, and NOT the DMZ where the internet-facing servers live!

The “secure zone” is also a separate network connected directly to the firewall, and by definition it is the most tightly controlled place on the network. The only access to or from the secure zone should be the database connection from the DMZ web servers (and from the LAN if required); nothing from the internet reaches it directly, and the database server should not be able to open connections outward.

Exceptions to the rule

The dilemma network engineers (monkeys) face is where to put the email server. It needs an SMTP connection to the internet, yet it also needs domain access from the LAN. If you were to place it in the DMZ, the domain traffic would compromise the integrity of the DMZ and make it simply an extension of the LAN. My opinion: the only place you can put an email server is on the LAN, allowing only SMTP traffic in to that server. I would recommend against allowing any form of HTTP access (webmail) into it from the internet. If your users need their mail from outside the network, a VPN is far more secure. (Briefly, why a VPN: have the firewall itself terminate the VPN connections, so nothing reaches the LAN until the user has authenticated. A LAN-based VPN server lets the VPN traffic onto the network before it is authenticated, which is NEVER good practice.)
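To make the zone policy above concrete, here is an added example of mine (not from the original post) that renders the three-zone design as iptables rules: internet → DMZ web ports only, LAN → DMZ management from one admin host over SSH (SFTP instead of plain FTP is my assumption), DMZ → secure zone on the database port only, and nothing from the DMZ or secure zone back into the LAN. Interface names, addresses and the MySQL port are assumptions for illustration.

```shell
#!/bin/sh
# Three-zone firewall policy (internet / DMZ / LAN / secure zone) rendered as iptables
# commands. Added example, not part of the original post. The interface names,
# addresses and ports below are assumptions for illustration; the database port
# assumes MySQL.
#
# Usage: sh zones.sh            # print the rules (dry run, review first)
#        sh zones.sh | sudo sh  # apply them on the firewall host

WAN_IF=${WAN_IF:-eth0}               # internet
LAN_IF=${LAN_IF:-eth1}               # office LAN
DMZ_IF=${DMZ_IF:-eth2}               # web/FTP servers
SEC_IF=${SEC_IF:-eth3}               # "secure zone": database server only
WEB_SRV=${WEB_SRV:-10.0.1.10}        # assumed DMZ web server
DB_SRV=${DB_SRV:-10.0.2.10}          # assumed database server in the secure zone
MGMT_HOST=${MGMT_HOST:-192.168.1.5}  # assumed admin workstation on the LAN

gen_rules() {
    cat <<EOF
iptables -P FORWARD DROP
iptables -F FORWARD
# replies for sessions that were already allowed
iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# internet -> DMZ: only the published services, only to the web server
iptables -A FORWARD -i $WAN_IF -o $DMZ_IF -d $WEB_SRV -p tcp -m multiport --dports 80,443 -m conntrack --ctstate NEW -j ACCEPT
# LAN -> DMZ: SSH from the admin host only (management plus SFTP content upload)
iptables -A FORWARD -i $LAN_IF -o $DMZ_IF -s $MGMT_HOST -d $WEB_SRV -p tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT
# DMZ -> secure zone: only the web server, only the database port
iptables -A FORWARD -i $DMZ_IF -o $SEC_IF -s $WEB_SRV -d $DB_SRV -p tcp --dport 3306 -m conntrack --ctstate NEW -j ACCEPT
# LAN -> internet: outbound web; extend per site policy
iptables -A FORWARD -i $LAN_IF -o $WAN_IF -p tcp -m multiport --dports 80,443 -m conntrack --ctstate NEW -j ACCEPT
# no rule lets the DMZ or the secure zone open connections to the LAN or the internet,
# so a compromised DMZ host gets neither a path inward nor a callback path outward.
# log what the DROP policy discards, rate limited, for the detection side
iptables -A FORWARD -m limit --limit 5/min -j LOG --log-prefix "FW-DROP: "
EOF
}

# Sanity check before applying: nothing may allow NEW connections from the DMZ
# into the LAN. Exit status 0 means the policy holds.
dmz_cannot_reach_lan() {
    ! gen_rules | grep -q -- "-i $DMZ_IF -o $LAN_IF .*-j ACCEPT"
}

gen_rules
```

The script only prints the rules, so you can read them (and run the `dmz_cannot_reach_lan` check) before piping them into a root shell; INPUT/OUTPUT chains for the firewall box itself are left to you.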

I know this doesn’t cover EVERYTHING under the sun for web server security; this is just a “brief” overview, from my own experience, of why to segment and what to place where… So get secured, and if you have any questions, you know this blog is WIDE-OPEN for you to post up and seek help. I surely don’t know EVERYTHING yet, but I’ll damn sure try to find the answer for you regardless. =)

WTF get’r done!!!


As time goes on, and sitting here reading all the valuable client comments, questions and feedback asking what mod_rewrite is, I am taking the time now to explain in more detail what this is all about, drawing on my time with the Apache server. I will try to keep this as simple as possible, so here we go…

The mod_rewrite module is a regular-expression based URL rewriting engine. It lets you set up complex rewriting rules, with conditions, using the RewriteRule and RewriteCond directives. Back-references (submatches), CGI-style server variables and other information can be interpolated (inserted) into the replacement strings and condition strings. Here I can show you some of the Apache ways of doing so, as follows:

WTF Mod_Rewrite

RewriteRule

RewriteRule [!]pattern replacement [flags]

This compares the requested URL path against the regular expression pattern and, if it matches (or does not match, when the pattern is prefixed with !) and all preceding RewriteCond conditions are satisfied, substitutes replacement, interpolating any back-references and variables. A comma-separated list of flags, written in full or abbreviated, may be enclosed in square brackets as shown in the RewriteRule syntax above. The flags are described in more detail in the next table.

Apache RewriteRule Understanding

The replacement may be specified as “-” (a single dash), in which case no substitution is performed; the rule still matches, so its flags are applied and any chained rules are still evaluated.

RewriteCond

Now onto the RewriteCond

RewriteCond string [!]condition [flags]

Specifies a condition that must hold for the following RewriteRule to match. The flags are nocase (or NC) to compare strings case-insensitively, and ornext (or OR) to combine the current condition with the next one using a logical OR (by default, consecutive conditions are ANDed together). string may contain interpolated sequences such as server variables (%{REMOTE_ADDR}, %{REQUEST_FILENAME}); condition may be a regular expression or one of the following tests:

-d string is a directory.
-f string is a regular file.
-s string is a regular file with non-zero size.
-l string is a symbolic link.
-F string is a valid and accessible file (checked via an internal subrequest, so it costs more than -f).
-U string is a valid and accessible URL (also checked via an internal subrequest).
=string2 string is identical to string2.
<string2 string is lexicographically lower than string2.
>string2 string is lexicographically greater than string2.

RewriteMap

RewriteMap map-name map-type:map-source

Defines a map that can be used in mapping functions (${map-name:key}) within rule substitution strings. The following map types are supported, as far as I know to date:

txt:file (file is a plain text file containing key/value pairs, one pair per line.)

rnd:file (file is a text file; each line contains a key and a sequence of values separated by a vertical bar (|), one of which is chosen at random.)

dbm:file (file is a hashed DBM file, which is faster than txt: for large maps.)

prg:program (program is an external program started at server startup and kept running. It is fed a key as a newline-terminated string on its standard input and is expected to output a value as a newline-terminated string on its standard output. It receives attacker-controlled URL data, so treat its input as untrusted, and serialize access to it with RewriteLock.)

int:function (function is one of the following internal functions of Apache: toupper, tolower, escape, or unescape.)

RewriteBase

RewriteBase url

Default: the current directory pathname
Base URL for per-directory transformations.

RewriteEngine

Enables or disables the rewriting engine (RewriteEngine on|off). It is off by default, so none of the rules take effect until you turn it on in the server, virtual host, directory or .htaccess context you are working in.

RewriteOptions

The only option is inherit, which makes virtual hosts inherit the rewrite configuration of the main server, and per-directory configuration files inherit from their parent directory.

RewriteLock

Lock file used to synchronize access to prg: type maps, so that concurrent requests do not interleave their keys on the external program’s standard input.

Moral

Now, as you see, I have compiled my knowledge here; there is so much more for you, the user of any Apache server, to understand, namely how to implement all of this. I would highly suggest going online and downloading the current Apache HTTP Server (2.0.54 at the time of writing). I feel you can benefit from this immensely. You will see that Apache has been written for almost every platform out there.

This was written with the intent of helping others better understand how Apache can be handled, with respect to what each of the primary directives means. As you see the power of Apache later on, I will keep writing these if others really love learning them. I have put in numerous hours online working on Apache, making it do what I want when I want it done. So as a gift from me to you, feel free to use this PDF for your benefit when you are ready to get going on understanding how powerful Apache is. This is mainly written for those who already understand the use of .htaccess and httpd.conf files, as there are greater lengths you can take your webmastering to when using Apache to its fullest extent.

I do NOT condone using Apache where it will harm others, and feel that if you are using Apache. Now on to life; get to work, you have a lot to learn and accomplish here.

SO WTF!!! Good Luck on all your mod_rewrite adventures!


Apache Error Log File(s)

Apr-27-2008 By WTF *Nix

A lot of questions keep coming to me: where do I “find” Apache log files, or where do I “locate” them? Well, the keywords find and locate can both help you find them on a *nix box, literally, because both are commands. Anyhow, on a stock box /var/log/httpd/error_log is a good source for error information (on Debian-style systems it is /var/log/apache2/error.log; the ErrorLog directive in httpd.conf is the authority either way). Unlike /var/log/httpd/access_log, which follows a standard log format, the error_log has no fixed line format.

Typical errors you will find in error_log are HTTP requests for files that don’t exist (404) or are forbidden (403) for certain directory requests; a burst of those from one client is often someone probing for backup files and config. You will also see startup errors, which help you troubleshoot any Apache startup issues you may face. Also, as many know (or don’t), pretty much all CGI script errors end up in there as well: many times a CGI breaks or fails with a blank screen in your browser, and the reason is in this file. Hope this helps some out, and that Google indexes this post rapidly to take down about 20 e-mails a week. :P

Remember, if you are working on a page and want to watch for errors in real time, use the command “tail -f /var/log/httpd/error_log” over SSH (without the quotes).
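For after-the-fact triage rather than live watching, here is an added example of mine (not from the original post) that pulls the counts a practitioner wants out of an error_log: missing files, forbidden requests, CGI failures, and the client doing the most of it. The log lines it ships with are constructed in the Apache 2.0/2.2 format; 2.4 adds a module tag and a client port, which the IP extraction below tolerates.

```shell
#!/bin/sh
# Quick triage of an Apache error_log. Added example, not from the original post;
# the sample lines are constructed for illustration (2.0/2.2 format).
#
# Usage: sh errtriage.sh /var/log/httpd/error_log
#        sh errtriage.sh                  # runs against the built-in sample

sample_log() {
    cat <<'EOF'
[Sun Apr 27 10:15:32 2008] [notice] Apache/2.0.54 (Unix) configured -- resuming normal operations
[Sun Apr 27 10:16:01 2008] [error] [client 192.0.2.7] File does not exist: /var/www/html/favicon.ico
[Sun Apr 27 10:16:05 2008] [error] [client 192.0.2.7] File does not exist: /var/www/html/admin/config.bak
[Sun Apr 27 10:16:09 2008] [error] [client 192.0.2.7] File does not exist: /var/www/html/.htpasswd
[Sun Apr 27 10:17:40 2008] [error] [client 198.51.100.23] client denied by server configuration: /var/www/html/private
[Sun Apr 27 10:18:02 2008] [error] [client 203.0.113.9] Premature end of script headers: /var/www/cgi-bin/form.cgi
[Sun Apr 27 10:18:02 2008] [error] [client 203.0.113.9] File does not exist: /var/www/html/favicon.ico
EOF
}

# Number of lines containing a given error text (case-insensitive fixed string).
count_class() { grep -ic -- "$2" "$1"; }

# Client IP with the most error lines, printed as "ip count".
# The IP is followed by "]" in 2.0/2.2 and by ":port]" in 2.4; both are accepted.
top_client() {
    sed -n 's/.*\[client \([0-9.]*\)[]:].*/\1/p' "$1" \
        | sort | uniq -c | sort -rn | awk 'NR==1{print $2, $1}'
}

# Distinct missing paths requested by one client: a quick look at what it probed for.
missing_paths_for() {
    grep -- "\[client $2[]:]" "$1" | grep 'File does not exist' \
        | sed 's/.*File does not exist: //' | sort -u
}

triage() {
    f=$1
    echo "missing files : $(count_class "$f" 'File does not exist')"
    echo "forbidden     : $(count_class "$f" 'client denied')"
    echo "cgi failures  : $(count_class "$f" 'Premature end of script headers')"
    echo "top client    : $(top_client "$f")"
}

LOG=${1:-}
if [ -z "$LOG" ]; then LOG=$(mktemp); sample_log > "$LOG"; fi
triage "$LOG"
[ -n "$1" ] || rm -f "$LOG"
```

On the sample, the top client is 192.0.2.7 with three misses, and `missing_paths_for` for it lists favicon.ico alongside config.bak and .htpasswd, which is the kind of pattern worth a second look in the firewall logs.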

Enjoy!
