How secure is Apache

Posted on 2006-04-25
Last Modified: 2010-04-11
I currently run Apache and keep a certain amount of files in my htdocs folder so I can access them from anywhere just by typing in my ip in any browser.  I have a c: that houses my OS and my d: is where loaded apache server.  Is this safe.  As I look through the logs, sometimes I see the following: - - [19/Apr/2006:01:50:28 -0400] "SEARCH /\x90\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9

I just figure it's some automatic program coming in looking for holes?  Should I worry. Is there anything I can do to improve the security.  I heard since it was on my non OS drive I should be ok.  I run sygate personal firewall and keep most everything automatically updated.
Question by:americanmobile
    LVL 32

    Expert Comment

    Apache CAN be very secure.  It can also be very insecure.  It depends on whether or not it is properly installed and configured on a properly configured and secured host system.

    The above is almost certainly an automated script looking for vulnerable servers.  This particular attack is not even Apache related.  It's the Microsoft IIS "WebDAV" (or a variant of it) attack which today SHOULD NOT even be effective on a Windows server.  The key item to identify this is the "SEARCH" command which is a part of IIS/WebDAV and is not standard HTTP.

    Details here:

    The exploits you need to worry about are the ones that DO NOT return a 4XX error code to the remote.  Those are the ones that succeed.  Yes, there are vulnerabilities in Apache so be sure you have Apache and your host OS (Linux of some flavor I presume) up-to-date with patches.
    LVL 32

    Expert Comment

    BTW, another useful technoque that I use is to add the IP of such hosts (which are likely compromised desktop PCs) to an IP filter to block them rom your network or server entirely.

    In this case the ( is a Road Runner residential cable connection.  You can complain to but usually such complaints go unheeded.  I'd say just block that IP and any others you find probing your web server.
    LVL 4

    Expert Comment

    Surprising to know that this ancient dinosaur, Code Red, is still
    residing on some machines scanning for IIS vulnerabilities.

    Not much to add to what jhance has said, if it bothers you here's
    'solution' from LinuxQuestions -to  just prevent this scan from being logged (well, not the brightest idea because it'd disable logging all 414 errors, but..)
    LVL 51

    Expert Comment

    most likely the applications hosted by the web server are much more vulnerable than the server itself
    If you have any applications (CGI scripts or whatever) you first have to make these ones secure. Apache itself is just the second line of defence.
    LVL 38

    Accepted Solution

    Agreed with the above. Apache by default is more secure out of the box than IIS to be certain, but since Apache is also the most used webserver it is targeted just as much as IIS is. Keeping up2date with Apache patches and updates is a start, there are also best practices that can help mitigate further threats.

    Write Comment

    Please enter a first name

    Please enter a last name

    We will never share this with anyone.

    Featured Post

    How your wiki can always stay up-to-date

    Quip doubles as a “living” wiki and a project management tool that evolves with your organization. As you finish projects in Quip, the work remains, easily accessible to all team members, new and old.
    - Increase transparency
    - Onboard new hires faster
    - Access from mobile/offline

    SHARE your personal details only on a NEED to basis. Take CHARGE and SECURE your IDENTITY. How do I then PROTECT myself and stay in charge of my own Personal details (and) - MY own WAY...
    Ransomware continues to be a growing problem for both personal and business users alike and Antivirus companies are still struggling to find a reliable way to protect you from this dangerous threat.
    This video is in connection to the article "The case of a missing mobile phone (". It will help one to understand clearly the steps to track a lost android phone.
    Sending a Secure fax is easy with eFax Corporate ( First, Just open a new email message.  In the To field, type your recipient's fax number You can even send a secure international fax — just include t…

    759 members asked questions and received personalized solutions in the past 7 days.

    Join the community of 500,000 technology professionals and ask your questions.

    Join & Ask a Question

    Need Help in Real-Time?

    Connect with top rated Experts

    10 Experts available now in Live!

    Get 1:1 Help Now