
Linux-archive is a website aiming to archive linux email lists and to make them easily accessible for linux users/developers.

12-09-2008, 10:29 AM
Hal Burgiss

What security to use on web server

On Tue, Dec 09, 2008 at 11:52:58AM +0100, Emil wrote:
>
> What security packages, configs, etc. do you install and use on your web
> servers? I've messed around a bit in bastille (have found it a bit hard

suhosin for php, mod_security for Apache (though not part of Debian),
and iptables just because. Next, remove all desktop type applications,
including X, and any other application not necessary to what the
server does. Keep the filesystem non-writable by Apache (with narrow
exceptions where there MUST be an upload capability). Most web server
intrusions occur via the apache user (www-data I think on Ubuntu).

--
Hal


--
ubuntu-users mailing list
ubuntu-users@lists.ubuntu.com
Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-users
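
Added example (not part of the original post): a small audit for the advice above to keep the filesystem non-writable by the Apache user, with a narrow exception for an upload directory. The function name `writable_by_web` and the sample paths in the usage comment are assumptions; `www-data` is the account name mentioned in the post.

```shell
#!/bin/sh
# List paths under a docroot that the web server account could modify.
# usage: writable_by_web DOCROOT USER GROUP [ALLOWED_DIR]
#   e.g. writable_by_web /var/www www-data www-data /var/www/uploads
#   (the /var/www paths are assumed; adjust to your layout)
# ALLOWED_DIR must be spelled with the same prefix as DOCROOT, because
# find matches -path against the path exactly as it prints it.
writable_by_web() {
    root=$1 user=$2 group=$3 allow=${4:-/nonexistent}
    # A path is reported when the mode bits would let USER or GROUP write:
    #   owned by USER with owner-write, or group GROUP with group-write,
    #   or world-writable. This is a conservative superset of real access.
    # Symlinks are skipped: their own mode bits are always 777 on Linux.
    find "$root" \
        \( -path "$allow" -prune \) -o \
        \( ! -type l \
           \( \( -user "$user" -perm -200 \) \
              -o \( -group "$group" -perm -020 \) \
              -o -perm -002 \) \
           -print \)
}

# Run directly when called with arguments; print nothing if the tree is clean.
if [ "$#" -ge 3 ]; then
    writable_by_web "$@"
fi
```

Every line of output is a file or directory that a compromised web process could overwrite; the only expected writable area is the pruned upload directory.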
 
12-09-2008, 06:23 PM
NoOp

What security to use on web server

On 12/09/2008 02:52 AM, Emil wrote:
> Hi!
>
> What security packages, configs, etc. do you install and use on your web
> servers? I've messed around a bit in bastille (have found it a bit hard
> to know what I should answer on the questions and still have all my
> software working as expected, but I guess you have to learn as you go.).
> But what other stuff do you use?
>
> Regards Emil
>

Can't answer your question as I don't run a web server. But you might
find these helpful:

https://help.ubuntu.com/community/ServerFaq
https://help.ubuntu.com/8.04/serverguide/C/index.html
http://ubuntuforums.org/forumdisplay.php?f=7

I haven't seen an 8.04 server guide in PDF form, but the old 6.06 is
pretty much the same and its PDF is here:
https://help.ubuntu.com/pdf/ubuntu/C/serverguide.pdf
Also, here is the 'Draft' for the new 2008 version:

http://doc.ubuntu.com/ubuntu/serverguide/C/index.html


 
12-09-2008, 08:10 PM
"Chris Mohler"

What security to use on web server

On Wed, Dec 10, 2008 at 4:52 AM, Emil <listreaderguy@gmail.com> wrote:
> Hi!
>
> What security packages, configs, etc. do you install and use on your web
> servers? I've messed around a bit in bastille (have found it a bit hard
> to know what I should answer on the questions and still have all my
> software working as expected, but I guess you have to learn as you go.).
> But what other stuff do you use?

The first thing I do is stop any processes that I don't need. Some
years ago I accidentally left the SWAT service exposed to the outside
world and it was exploited. It was just an old sandbox/test machine,
but when it began blasting spam everyone on the network felt the pain.


Second - configure a firewall. I prefer shorewall, but there are many
options. Drop everything you don't need open - read the documentation
carefully for your chosen firewall.

If you are running apache, google around for advice on hardening
apache - NoOp's links will be useful also. Basically, you should be
familiar with the security features of *every* service you're exposing
to the outside world.

I like to move the SSHD server to listen on a non-standard port. This
cuts down on the number of script-kiddies knocking on the door. You
should also set up key-only access (no password login) - just be sure
not to lose your key, esp. if it's a remote server! There are guides out
there for SSH hardening also.

These are just my personal opinions - I'm no expert by any means, and
this is not a comprehensive list.

Chris
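
Added example (not part of the original post): a check of an sshd_config file against the two SSH points in the message above, a non-standard port and key-only login. The function name `audit_sshd` is an assumption; the parser only reads the global section of a single file and assumes whitespace-separated `Keyword value` lines, so it does not follow `Include` directives.

```shell
#!/bin/sh
# Report sshd_config settings that contradict "non-standard port, keys only".
# usage: audit_sshd CONFIG_FILE   (one finding per line, nothing if clean)
audit_sshd() {
    awk '
        /^[ \t]*(#|$)/ { next }              # skip comments and blank lines
        { key = tolower($1); val = tolower($2) }   # keywords are case-insensitive
        key == "match" { exit }              # global section ends at the first Match
        key == "port"  { ports++; if (val == "22") p22 = 1 }  # Port may repeat
        !(key in seen) { seen[key] = val }   # otherwise sshd keeps the first value
        END {
            # No Port line at all means the built-in default, 22.
            if (ports == 0 || p22)
                print "port: sshd listens on the default port 22"
            # PasswordAuthentication defaults to yes when it is not set.
            if (seen["passwordauthentication"] != "no")
                print "password: PasswordAuthentication is not set to no"
            # Turning passwords off only helps if key login is still possible.
            if (seen["pubkeyauthentication"] == "no")
                print "pubkey: PubkeyAuthentication is disabled, key login cannot work"
        }
    ' "$1"
}

# Run directly when given a file, e.g.: sh audit_sshd.sh /etc/ssh/sshd_config
if [ "$#" -ge 1 ]; then
    audit_sshd "$1"
fi
```

On a live host, `sshd -T` prints the effective configuration after defaults and includes are resolved, which is the authoritative input for the same checks.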

 
12-09-2008, 08:13 PM
Hal Burgiss

What security to use on web server

On Tue, Dec 09, 2008 at 06:29:31AM -0500, Hal Burgiss wrote:
> On Tue, Dec 09, 2008 at 11:52:58AM +0100, Emil wrote:
> >
> > What security packages, configs, etc. do you install and use on your web
> > servers? I've messed around a bit in bastille (have found it a bit hard

There are a lot of ways to go with this depending on how the server
will be used. So a few questions:

- How many users other than you need access to the server?
- Do any of the users (including you) need remote access? From more
than one location?
- What software will the server be serving, and who is supplying it?
How reliable are the code authors?
- What supplemental functionality will be required (eg do you need a
sql server, mail server)?
- Will you be handling sensitive data like bank account numbers or
credit cards?
- High profile or low profile sites?

My experience is that a minimalist Ubuntu *server* installation is
fairly secure out of the box. The defaults for Apache, mysql, sshd,
postfix and php are pretty sane.

The most immediate cause of intrusion type problems is things like
weak passwords. And poorly written php code that is easily exploitable,
either allowing direct system access or via sql injection techniques.
Then if someone gets in, you are dependent on how secure the local
system is, underneath the server layers. So it gets down to stuff that
the user inadvertently does that opens up most systems. If you can have
just one user with strong passwords, that does not need any remote
access (or narrowly firewalled ssh access), then all you need open
is Apache, and that eliminates a bunch of potential weaknesses really
easily.

Your enemy for low profile sites is the unattended probing of scripted
attacks that are looking for known weaknesses. The biggest thing I see
aimed at Apache is attempts at spam injections into blogs or dynamic
content. Often these are hidden html snippets placed specifically to
affect Google page rank. Nuisance stuff. They don't even want system
level access.

Higher profile sites surely attract more targeted type attacks. People
like banks have more to worry about than just the blind, scripted
stuff.

--
Hal


 
All times are GMT. The time now is 04:21 PM.