Everything’s running off of self-secured https. Aside from setting up user authentication, what steps should I take to be sure we’re secured?
- Audit your OS patches, make sure you are running the latest security fixes
- Shut down unneeded services, perform an external nmap scan to make sure you aren’t running anything you don’t need
- Secure your webserver! Here is one such article for apache http://blogs.techrepublic.com.com/10things/?p=477
- Use LDAP or another external authentication mechanism (over SSL)
- Enforce password strength and rotation policies
- (if appropriate) set up path level access
Subversion as a daemon is rather trusting itself and hands most of the fine-grained user permissions back into the realm of Apache. Can you tell us more about your exact scenario; are you offering this Subversion server to public use?
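To show how the LDAP-over-SSL and path-level-access points above fit together in Apache, here is an added example of a minimal `mod_dav_svn` virtual host (this is illustrative configuration, not taken from the answer or from any project; the hostnames, file paths, LDAP DNs and the bind password are placeholders):

```apache
# Added example: Subversion over HTTPS with LDAP (ldaps://) authentication
# and per-path authorization. All names and paths are placeholders.

# mod_ldap must trust the CA that issued the LDAP server's certificate;
# this directive is global (server config), not per-vhost.
LDAPTrustedGlobalCert CA_BASE64 /etc/ssl/certs/ldap-ca.pem
LDAPVerifyServerCert on

<VirtualHost *:443>
    ServerName svn.example.com

    SSLEngine on
    SSLCertificateFile    /etc/ssl/certs/svn.example.com.crt
    SSLCertificateKeyFile /etc/ssl/private/svn.example.com.key
    # Disable the legacy protocol versions; clients negotiate TLS only.
    SSLProtocol all -SSLv2 -SSLv3
    SSLHonorCipherOrder on

    <Location /svn>
        DAV svn
        SVNParentPath /var/svn/repos

        # Authentication: credentials are checked against LDAP over SSL.
        # Basic auth is acceptable only because the vhost is HTTPS-only.
        AuthType Basic
        AuthName "Subversion"
        AuthBasicProvider ldap
        AuthLDAPURL "ldaps://ldap.example.com/ou=people,dc=example,dc=com?uid?sub?(objectClass=person)"
        AuthLDAPBindDN "cn=svn-reader,ou=services,dc=example,dc=com"
        # Placeholder; keep the real value out of world-readable config.
        AuthLDAPBindPassword "change-me"
        # No anonymous access at all: every request must authenticate.
        Require valid-user

        # Path-level authorization lives in a separate file so repository
        # owners can grant read/write per path without touching httpd.conf.
        AuthzSVNAccessFile /etc/apache2/svn-authz
        SVNPathAuthz on
    </Location>
</VirtualHost>
```

The access file named by `AuthzSVNAccessFile` uses Subversion's own INI-style syntax: a `[/]` section containing `* =` denies everyone by default, and sections such as `[myrepo:/trunk]` with `@developers = rw` open specific paths to specific groups. Because `Require valid-user` is set, the authz file only narrows what an already-authenticated user can reach; it never grants access to someone who has not logged in.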
When you say “self-secured” https, you mean a self-signed certificate? If so, look at how you are distributing either that certificate or the CA and ensure that that path is secure in itself.