Finally Checking Apache
You can now check if your Apache packages have been tampered with or not:
[merc@merc merc]$ gpg --verify httpd-2.0.48.tar.gz.asc httpd-2.0.48.tar.gz
What would happen if there were problems? You would receive a warning message from GnuPG. For example:
[merc@localhost merc]$ cp httpd-2.0.48.tar.gz httpd-2.0.48.tar.gz.CORRUPTED
To generate the above warning, I created a spare copy of the Apache server and appended some garbage at the end of the file, making it slightly different. I then ran GnuPG to verify the package and found it faulty. If this error actually occurred, you would have to warn the webmaster immediately of the discrepancy.
At this point, you should have successfully downloaded Apache and ensured that the package is an authentic copy distributed by the Apache Software Foundation. You should also be familiar with GnuPG and have a glimpse of its potential.
Running such thorough checks might seem a bit meticulous, but for a professional system administrator, there is no room for being slack. The main web server or the local mirror may have been hacked, and the downloaded Apache package may have been modified. This scenario, that seemed to be science fiction a few months ago, became reality when the main Debian web server was cracked, and nobody was absolutely sure if any of the distribution’s packages had been modified. This episode has opened a lot of eyes to the value of signature checking.
Some system administrators consider the MD5 checksum a safe enough method for checking the validity of a package. MD5 is an algorithm that aims to return a truly unique integer number when given a list of bytes in input. This means that the MD5 checksum for two different files is guaranteed to be different. The md5sum command can be used to calculate the MD5 checksum of a file, and the result is printed on the standard output. Although MD5 checksums can be useful in checking that a file was downloaded correctly (you can easily run md5sum and compare your checksum to what it should be), it should not be used to check that an Apache package is genuine.Installing Apache
In this section I provide a short explanation on how I installed the Apache servers (both 1.3. x and 2. x versions) that I will use in the rest of the book.Apache and Dynamic Modules
Apache comes with a wide set of modules that are not part of the core server, and can be compiled as dynamic modules (they can be loaded into the main server if they are needed). An example of a module in Apache that may be compiled as loadable is autoindex, which is responsible for generating a directory index in HTML (and is therefore well formatted if seen through a browser). This may seem totally useless to your server, but it could be useful later on.
Apache can be built as a static server, or as a dynamic server; it depends on what options you set when you run configure. Apache can actually be built as a mix, with some of the modules built in the main server, and others available as loadable modules.
As far as security is concerned, I believe it is a good idea to compile most of the modules dynamically, and leave the main server stripped to the bones. There are several advantages to doing so:
The following are the commands I used to install Apache 1.3. x on my server. The options --enable-module=most --enable-shared=max compile most modules as shared objects (“most” excludes mod_auth_db, which is sometimes considered to be problematic to compile, and mod_log_agent and mod_log_referer, which are both deprecated). This Apache’s directory will be /usr/local/apache1.
[root@merc apache_source]# tar xvzf apache_1.3.29.tar.gz
Configuring for Apache, Version 1.3.29
Here is the transcript of the commands I used to install Apache 2. x on my server. The option --enable-mods-shared=most compiles all the standard modules, and leaves out the ones that are considered experimental:
All the modules are compiled dynamically. Also, Apache’s main directory will be /usr/local/apache2/.
[root@merc apache_source]# tar xvzf httpd-2.0.48.tar.gz
[root@merc httpd-2.0.48]# make install Making install in srclib make: Entering directory `/root/apache_source/httpd-2.0.48/srclib' Making install in apr [...] mkdir /usr/local/apache2/manual Installing build system files make: Leaving directory `/root/apache_source/httpd-2.0.48' [root@merc httpd-2.0.48]#
Apache is now installed.
blog comments powered by Disqus