2

I have installed Apache on Ubuntu Server 14.04 using apt-get. I set up a simple site, uploaded a few pictures, etc., and the website is working. I've decided to take a look at the security of the thing using one of the security checking services online. The security audit says I have 2 medium severity issues:

Apache Running Version Prior to 2.4.8
Apache Running Version Prior to 2.4.10

The repository does not hold any updates, so I'd assume I have the highest available version... The only thing I knew how to check was open proxy with curl (I tried to fetch a Wikipedia page and got my own homepage, which seems correct).

  1. Should I be concerned by the version of Apache I have available, or are the security patches backported and the version irrelevant here?
  2. How can I test for vulnerabilities of the server, what should I look at in particular?

In the logs I saw plenty of SSH brute-force attempts thwarted by fail2ban, and in the Apache log some strange GET requests (many indicating Shellshock attempts) but also GET requests to other sites, which, as I mentioned, return my homepage.

Andrew Schulman
user3002166

1 Answer

2
  1. No, don't worry about the old version number. The Ubuntu packagers backport security patches to older versions. As of right now, if you run apt-cache policy apache2, you should see version 2.4.7-1ubuntu4.1 that's sourced from security.ubuntu.com as well as us.archive.ubuntu.com.

  2. That's too big a question to answer here. But see Tips for Securing a LAMP Server.

Andrew Schulman
  • Almost as you said: 2.4.7-1ubuntu4 0 instead of 4.1, but it's probably a minor thing. Thanks a lot. Regarding question 2 - OK, I'll try to look around the web for some resources. Thank you. – user3002166 Jan 14 '15 at 10:39
  • I added a link to a FAQ here that may help, although it's about hardening, not testing. – Andrew Schulman Jan 14 '15 at 10:56
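The `apt-cache policy apache2` check from the answer can be scripted. The following is an added example, not part of the original answer or comments: it compares the installed version with the candidate and reports whether the candidate is offered by security.ubuntu.com. The function names, status labels and sample output are constructed for illustration.

```shell
#!/bin/sh
# Classify `apt-cache policy <pkg>` output read on stdin.
# Prints one of (labels are hypothetical, chosen for this example):
#   current | security-update-pending | update-pending | not-installed
policy_status() {
    awk '
        $1 == "Installed:" { inst = $2 }
        $1 == "Candidate:" { cand = $2 }
        $1 == "Version" && $2 == "table:" { intable = 1; next }
        # Version entry: "[***] <version> <pin priority>"
        intable && $NF ~ /^-?[0-9]+$/ && (NF == 2 || (NF == 3 && $1 == "***")) {
            cur = $(NF - 1); next
        }
        # Origin line under the current entry: note versions the
        # security archive offers (host name taken from the answer).
        intable && index($0, "://security.ubuntu.com/") > 0 { sec[cur] = 1 }
        END {
            if (inst == "" || inst == "(none)") print "not-installed"
            else if (inst == cand)             print "current"
            else if (cand in sec)              print "security-update-pending"
            else                               print "update-pending"
        }'
}

# Constructed sample: the older build is installed while the patched
# build named in the answer is available from the security archive.
sample_policy() {
cat <<'EOF'
apache2:
  Installed: 2.4.7-1ubuntu4
  Candidate: 2.4.7-1ubuntu4.1
  Version table:
     2.4.7-1ubuntu4.1 0
        500 http://us.archive.ubuntu.com/ubuntu/ trusty-updates/main amd64 Packages
        500 http://security.ubuntu.com/ubuntu/ trusty-security/main amd64 Packages
 *** 2.4.7-1ubuntu4 0
        500 http://us.archive.ubuntu.com/ubuntu/ trusty/main amd64 Packages
        100 /var/lib/dpkg/status
EOF
}

# On a live host: LC_ALL=C apt-cache policy apache2 | policy_status
sample_policy | policy_status
```

A result of `security-update-pending` means the patched build exists in the archive but has not been installed yet; the upstream version string in the server banner stays at 2.4.7 either way.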