Can Apache 2.4 be installed with a static linked binary?

[Ed_Flecko]

I've read that Apache is more secure (among other advantages) if installed as a statically linked binary as opposed to using dynamic modules.

Can Apache be installed by using the source code within the ports tree in this method? Can you also statically enable and/or disable modules of your choice?

Suggestions on how to do this?

Thank you,
Ed

 

[NewGuy]

I would think the opposite would be true, Apache24 is probably more secure (over a time line) if it is dynamically linked. With a statically linked library, any time any dependency of Apache has a security issue you need to rebuild the entire static copy of Apache. With dynamic linking, you can just update the small dependency without rebuilding Apache. With dynamic linking it requires less time and effort and you are less likely to miss a security update.

If you're set on trying to statically link Apache, you're probably going to get better advice from other Apache users who have tried the same thing.

 

[Ed_Flecko]

Thank you for your reply.

I am by NO means an expert, so I'm trying to follow Ivan Ristic from his book, "Apache Security" where he says, "A static server binary cannot have a precompiled dynamic module backdoor added to it. (If you are unfamiliar with the concept of backdoors, see the sidebar “Apache Backdoors.”) Adding a backdoor to a dynamically compiled server is as simple as including a module into the configuration file. To add a backdoor to a statically compiled server, the attacker has to recompile the whole server from scratch."

Ed

 

[NewGuy]

While Mr Ristic is technically correct, a dynamic module could be inserted into Apache through its configuration file, there is a problem with that approach. Specifically, if a user has gained the ability to insert new modules into Apache or change Apache's configuration file, then they have already compromised the system, they have full access to Apache. A user who can change Apache's configuration file could do just about anything else they want on the server, including serving up any web pages they wanted or possibly even replacing the Apache binary.

It would be like if I said "Hide your house key under a book so if a thief is in your house he can't find the key and unlock your front door." When, at that point, the thief is already inside your house, he doesn't need a key.

I'd also point out that since it only takes a few minutes to compile Apache, forcing an attacker to recompile "the whole server from scratch" is a very minor inconvenience. It certainly wouldn't stop anyone who has already taken over the system to that point.

If you're worried about locking down Apache, may I recommend the Apache's own Security Tips document? https://httpd.apache.org/docs/current/misc/security_tips.html
They go through some really good steps you can take to avoid having your system or Apache compromised. Their guide is pretty practical and doesn't take long to implement.

 

[Ed_Flecko]

Thank you very much! I appreciate your feedback and I'll look at the document you're referring to!



Ed