←back to thread

The story of Max, a real programmer

(incoherency.co.uk)
129 points surprisetalk | 5 comments | 30 Jun 25 12:57 UTC | HN request time: 0.001s | source
Show context
et1337 ◴[03 Jul 25 13:36 UTC] No.44454926[source]
To make it a fair comparison, you also need to consider all the old-school Apache and PHP config files required to get that beautiful little script working. :) I still have battle scars.
replies(2): >>44454961 #>>44456062 #
1. reactordev ◴[03 Jul 25 13:39 UTC] No.44454961[source]
Ahh lamp stacks… I remember there was a distro that had everything preconfigured for /var/www/ and hardened but for the life of me I can’t remember its name.
replies(1): >>44455324 #
2. EvanAnderson ◴[03 Jul 25 14:17 UTC] No.44455324[source]
A lot of distros did and still do that. Getting an Apache instance up and running with PHP running as a CGI process was just a matter of installing the right packages on RedHat-derived distros going back to the early 2000s, for example.
replies(1): >>44455382 #
3. reactordev ◴[03 Jul 25 14:24 UTC] No.44455382[source]
They weren’t hardened at all. Installing lamp is one thing, ensuring it’s secure is another. Even RedHat would send a SA to your place to do that for you.
replies(1): >>44456024 #
4. EvanAnderson ◴[03 Jul 25 15:25 UTC] No.44456024{3}[source]
Fair enough. I wasn't getting the emphasis on hardening in your comment since the parent was just talking about the "battle scars" of configuration.

Re: hardening - I guess I deployed a lot of "insecure" LAMP-style boxes. My experience, mainly w/ Fedora Core and then CentOS, was to turn off all unnecessary services, apply security updates, limit inbound and outbound connectivity to only the bare minimum necessary w/ iptables, make sure only public key auth was configured for SSH, and make sure no default passwords or accounts were enabled. Depending on the application grubbing thru SELinux logs and adjusting labels might be necessary. I don't recall what tweaks there were on the default Apache or PHP configs, but I'm sure there were some (not allowing overrides thru .htaccess files in user-writeable directories, making sure PHP error messages weren't returned to clients, not allowing directory listings in directories without a default document, etc).

Everything else was in the application and whatever stupidity it had (world-writeable directories in shitty PHP apps, etc). That was always case-by-case.

It didn't strike me as a horribly difficult thing to be better-than-average in security posture. I'm sure I was missing a lot of obvious stuff, in retrospect, but I think I had the basics covered.

replies(1): >>44456225 #
5. reactordev ◴[03 Jul 25 15:45 UTC] No.44456225{4}[source]
My point was there was a distro circa 1997-2003 or so that had all of that pre-baked. No having to mess with SELinux (or disabling it!), iptables, php.ini, apache's httpd.conf, or any of that other than putting your project into /var/www/ and doing a chown -R www on it.