[CentOS] Apache warns Web server admins of DoS attack tool

Thomas Harold thomas-lists at nybeta.com
Tue Aug 30 22:37:34 UTC 2011


On 8/25/2011 7:05 PM, Always Learning wrote:
>
> On Thu, 2011-08-25 at 14:36 -0700, John R Pierce wrote:
>
>> On 08/25/11 1:45 PM, Always Learning wrote:
>>> I have broken-up the very large conf file (/etc/httpd/conf/httpd.conf)
>>> into 3 main parts. Part 1 is left in situ. Parts 2 and 3 are located
>>> elsewhere.
>
>> the existing EL httpd.conf includes /etc/httpd/conf.d/*.conf  and any
>> changes are expected to be made there rather than editing the stock file.
>
> Hi John,
>
> No CentOS updates are likely to interfere with my Apache server options
> and virtual hosts. The existing /etc/httpd/conf/httpd.conf is large and
> laborious to read and fully understand especially with so many useful
> comments.
>
> 'including' the parts that do change and are not operating system
> dependent, meaning putting them somewhere which has no connection to the
> operating system, for example
>
> 	/data/config/apache/server.conf
> 	/data/config/apache/domain.*
>
> means, I believe, that if a change to one small file goes wrong then
> there is absolutely no danger to 'damaging' any of the other files and
> the source of the problem is quick and easy to identify. Thus 'change
> damage' is strictly limited to one small self-contained file and cannot
> affect any of the other files.
>
> I have too much experience of so-called collateral damage inadvertently
> caused to other parts of a file being changed. It costs time and money
> to trace and diagnose problems, so economically it is a good idea to
> eliminate as much as possible non-involved configuration parameters.
>
> As you will have noticed Apache actually offers the ability to fragment
> configuration parameters to other files by supplying - for the benefit
> of people like me - the 'include' facility.  If Apache never wanted
> folks to use this useful facility, it would never have offered the
> 'include' ability.
>
> Anyone who has ever worked on the nightmare called Windoze will know
> that one tiny fault in the Registry can cause the entire operating
> system to malfunction. Spreading the risk with Apache configuration
> files is my chosen method to minimise potential disruption and it works
> very successfully for me on CentOS 5.3, 5.4, 5.5, 5.6 and hopefully on
> 5.7 and 6.1 et al.
>

Which is why all of my server's config files are version controlled (I 
use FSVS with a SVN back-end repository, but there are dozens of tools).

Being able to diff your config files when you mangle them to the breaking 
point is a wonderful thing.


