What security to use on web server
On Tue, Dec 09, 2008 at 11:52:58AM +0100, Emil wrote:
> What security packages, configs, etc. do you install and use on your web
> servers? I've messed around a bit in bastille (have found it a bit hard

suhosin for php, mod_security for Apache (though not part of Debian), and iptables just because.

Next, remove all desktop type applications, including X, and any other application not necessary to what the server does. Keep the filesystem non-writable by Apache (with narrow exceptions where there MUST be an upload capability). Most web server intrusions occur via the apache user (www-data I think on Ubuntu).

--
Hal
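Hal's rule of keeping the filesystem non-writable by Apache, with narrow upload exceptions, can be checked by walking the document root. This is an added example, not part of the original thread; the function names, the `uploads` exception and the sample tree are constructed, and the check looks at mode bits only (no ACLs).

```python
import os
import stat
import tempfile

def writable_by(st, uid, gids):
    """Classic Unix mode-bit check: owner class first, then group, then other.
    ACLs and root's override are not considered."""
    if st.st_uid == uid:
        return bool(st.st_mode & stat.S_IWUSR)
    if st.st_gid in gids:
        return bool(st.st_mode & stat.S_IWGRP)
    return bool(st.st_mode & stat.S_IWOTH)

def audit_docroot(root, uid, gids, allowed=()):
    """Return paths (relative to root) the given user can write, excluding
    the upload directories listed in `allowed`."""
    allowed = tuple(os.path.normpath(a) for a in allowed)
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for path in [dirpath] + [os.path.join(dirpath, f) for f in files]:
            rel = os.path.relpath(path, root)
            if any(rel == a or rel.startswith(a + os.sep) for a in allowed):
                continue
            st = os.lstat(path)  # symlink modes are meaningless, so skip links
            if not stat.S_ISLNK(st.st_mode) and writable_by(st, uid, gids):
                findings.append(rel)
    return sorted(findings)

def demo():
    """Constructed tree; the current user stands in for the Apache user.
    On a real host use pwd.getpwnam("www-data") and os.getgrouplist()."""
    uid, gids = os.getuid(), set(os.getgroups()) | {os.getgid()}
    with tempfile.TemporaryDirectory() as root:
        os.mkdir(os.path.join(root, "uploads"))
        for rel, mode in {"index.php": 0o444, "config.php": 0o644,
                          "uploads/a.jpg": 0o644}.items():
            path = os.path.join(root, rel)
            open(path, "w").close()
            os.chmod(path, mode)
        return audit_docroot(root, uid, gids, allowed=["uploads"])

if __name__ == "__main__":
    print(demo())
```

Every path it reports outside the upload exceptions is a place where a compromised web process could plant or alter content.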
On 12/09/2008 02:52 AM, Emil wrote:
> Hi!
>
> What security packages, configs, etc. do you install and use on your web
> servers? I've messed around a bit in bastille (have found it a bit hard
> to know what I should answer on the questions and still have all my
> software working as expected, but I guess you have to learn as you go.).
> But what other stuff do you use?
>
> Regards Emil

Can't answer your question as I don't run a web server. But you might find these helpful:

https://help.ubuntu.com/community/ServerFaq
https://help.ubuntu.com/8.04/serverguide/C/index.html
http://ubuntuforums.org/forumdisplay.php?f=7

I haven't seen an 8.04 server guide in PDF form, but the old 6.06 is pretty much the same and its PDF is here:
https://help.ubuntu.com/pdf/ubuntu/C/serverguide.pdf

Also, here is the 'Draft' for the new 2008 version:
http://doc.ubuntu.com/ubuntu/serverguide/C/index.html
On Wed, Dec 10, 2008 at 4:52 AM, Emil <listreaderguy@gmail.com> wrote:
> Hi!
>
> What security packages, configs, etc. do you install and use on your web
> servers? I've messed around a bit in bastille (have found it a bit hard
> to know what I should answer on the questions and still have all my
> software working as expected, but I guess you have to learn as you go.).
> But what other stuff do you use?

The first thing I do is stop any processes that I don't need. Some years ago I accidentally left the SWAT service exposed to the outside world and it was exploited. It was just an old sandbox/test machine, but when it began blasting spam everyone on the network felt the pain ;)

Second - configure a firewall. I prefer shorewall, but there are many options. Drop everything you don't need open - read the documentation carefully for your chosen firewall.

If you are running apache, google around for advice on hardening apache - NoOp's links will be useful also. Basically, you should be familiar with the security features of *every* service you're exposing to the outside world.

I like to move the SSHD server to listen on a non-standard port. This cuts down on the number of script-kiddies knocking on the door. You should also set up key-only access (no password login) - just be sure not to lose your key, esp. if it's a remote server! There are guides out there for SSH hardening also.

These are just my personal opinions - I'm no expert by any means, and this is not a comprehensive list ;)

Chris
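The SSH settings Chris describes (non-standard port, key-only login) can be checked mechanically. This is an added example, not part of the original thread; the function names, finding strings and sample configs are constructed, and it reads only the global section of a single file, so `Include`d files and `Match` blocks are out of scope (on a live host, `sshd -T` prints the effective settings).

```python
import re

# Upstream sshd_config(5) defaults for the options that decide key-only login.
DEFAULTS = {"passwordauthentication": "yes",
            "kbdinteractiveauthentication": "yes",
            "pubkeyauthentication": "yes"}
# ChallengeResponseAuthentication is the older name for the same option.
ALIASES = {"challengeresponseauthentication": "kbdinteractiveauthentication"}

def parse_global(text):
    """Return (settings, ports) for the global section of one sshd_config.
    sshd uses the first value seen for a keyword; Port may repeat."""
    seen, ports = {}, []
    for raw in text.splitlines():
        m = re.match(r"(\S+?)(?:\s*=\s*|\s+)(.*)", raw.strip())
        if not m or raw.lstrip().startswith("#"):
            continue
        key = ALIASES.get(m.group(1).lower(), m.group(1).lower())
        value = m.group(2).strip().strip('"').lower()
        if key == "match":      # everything below is conditional
            break
        if key == "port" and value.isdigit():
            ports.append(int(value))
        else:
            seen.setdefault(key, value)
    return {**DEFAULTS, **seen}, ports or [22]

def audit(text):
    """List the ways a config departs from key-only login on a non-default port."""
    cfg, ports = parse_global(text)
    findings = []
    if cfg["passwordauthentication"] != "no":
        findings.append("password login enabled")
    if cfg["kbdinteractiveauthentication"] != "no":
        findings.append("keyboard-interactive login enabled")
    if cfg["pubkeyauthentication"] == "no":
        findings.append("public-key login disabled")
    if 22 in ports:
        findings.append("listening on default port 22")
    return findings

# Constructed samples, not taken from any real host.
WEAK = """#Port 2222
PasswordAuthentication yes
ChallengeResponseAuthentication no
PasswordAuthentication no
Match User backup
    PubkeyAuthentication no
"""
HARDENED = "Port 2222\nPasswordAuthentication no\nKbdInteractiveAuthentication no\n"

if __name__ == "__main__":
    print(audit(WEAK), audit(HARDENED))
```

The `WEAK` sample shows two easy mistakes: a later `PasswordAuthentication no` does not override the earlier `yes`, and a commented-out `Port` line leaves the default in place.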
On Tue, Dec 09, 2008 at 06:29:31AM -0500, Hal Burgiss wrote:
> On Tue, Dec 09, 2008 at 11:52:58AM +0100, Emil wrote:
> >
> > What security packages, configs, etc. do you install and use on your web
> > servers? I've messed around a bit in bastille (have found it a bit hard

There are a lot of ways to go with this depending on how the server will be used. So a few questions:

- How many users other than you need access to the server?
- Do any of the users (including you) need remote access? From more than one location?
- What software will the server be serving, and who is supplying it? How reliable are the code authors?
- What supplemental functionality will be required (e.g. do you need a sql server, mail server)?
- Will you be handling sensitive data like bank account numbers or credit cards?
- High profile or low profile sites?

My experience is that a minimalist Ubuntu *server* installation is fairly secure out of the box. The defaults for Apache, mysql, sshd, postfix and php are pretty sane.

The most immediate cause of intrusion type problems is things like weak passwords. And poorly written php code that is easily exploitable, either allowing direct system access or via sql injection techniques. Then if someone gets in, you are dependent on how secure the local system is, underneath the server layers.

So it gets down to stuff that the user inadvertently does that opens up most systems. If you can have just one user with strong passwords, that does not need any remote access (or narrowly firewalled ssh access), then all you need open is Apache, and that eliminates a bunch of potential weaknesses really easily.

Your enemy for low profile sites is the unattended probing of scripted attacks that are looking for known weaknesses. The biggest thing I see aimed at Apache is attempts at spam injections into blogs or dynamic content. Often these are hidden html snippets placed specifically to affect google page rank. Nuisance stuff. They don't even want system level access.

Higher profile sites surely attract more targeted type attacks. People like banks have more to worry about than just the blind, scripted stuff.

--
Hal